SNAT persistance with Outbound Load Balancing

Question

Hi all,
I need some help with what seems to be a quite straight forward outbound persistance request.
We use the F5 to load-balance our outbound traffic equally between our two 
ISP connections. An irule assigns a SNAT address to outgoing requests in a round robin fashion.
First outbound request gets a SNAT IP Address of ISP-A and the second request gets a SNAT IP address of ISP-B The irule then forwards the packet to the correct ISP router depending on the SNAT address.
The problem is that certain websites do not accept requests that change ip addresses constantly.
The question is how can I ensure that the outgoing traffic persists? I have tried using persist dest_addr but it does not work with this rule.
  
when RULE_INIT {
 set ::gl_gw_isp_vb "x.x.x.x"
 set ::gl_gw_isp_nc "x.x.x.x"
  if { [info exists ::gl_snat_isp_vb ] }
 {
    unset ::gl_snat_isp_vb
 }
 if { [info exists ::gl_snat_isp_nc ] }
 {
    unset ::gl_snat_isp_nc
 }
 
 set ::gl_snat_isp_vb(x.x.x.x) "a.a.a.a"
  set ::gl_snat_isp_nc(x.x.x.x) "b.b.b.b"
 
}
when LB_SELECTED {
 
     Find internal servers with Static SNAT defined and
  change the SNAT address based on the gateway selected
  automatically by the pool
 
 log local0. "Event : LB_SELECTED, client_addr is [IP::client_addr]"
     We assume that if the client_addr is in
  gl_snat_isp_vb, it is in gl_snat_isp_nc too.
 if { [info exists ::gl_snat_isp_vb([IP::client_addr])] }
 {
   log local0. "SNAT found for [IP::client_addr]"
   if { [LB::server addr] eq $::gl_gw_isp_vb }
   {
      log local0. "SNAT [IP::client_addr] natt'ed to $::gl_snat_isp_vb([IP::client_addr]), via ISP VB"
      snat $::gl_snat_isp_vb([IP::client_addr])
      persist dest_addr
   }
   elseif { [LB::server addr] eq $::gl_gw_isp_nc }
   {
      log local0. "SNAT [IP::client_addr] natt'ed to $::gl_snat_isp_nc([IP::client_addr]), via ISP NC"
       snat $::gl_snat_isp_nc([IP::client_addr])
        persist dest_addr
   }
   else
   {
      log local0. "Error : unknown LB Server : [LB::server addr], for Client : [IP::client_addr]"
   }
 }
 else
 {
   log local0. "SNAT NOT found for [IP::client_addr]"
 }
}
when CLIENT_ACCEPTED {
 
     Find internal ip address for which we "force" the pool
  unless this ip address must be snat'ed

log local0. "Event CLIENT_ACCEPTED, client_addr is [IP::client_addr]"
     We assume that if the client_addr is in
  gl_snat_isp_vb, it is in gl_snat_isp_nt too.
 if { ![info exists ::gl_snat_isp_vb([IP::client_addr])] }
 {
   log local0. "client_addr ([IP::client_addr]) must not be natt'ed, check if we must force the outbound pool"
   
   if { [matchclass [IP::client_addr] equals $::network_force_pool_isp_vb] }
   {
      log local0. "Force Pool ISP VB for IP [IP::client_addr]"
      pool VB_default_pool
   } elseif { [matchclass [IP::client_addr] equals $::network_force_pool_isp_nc] }
   {
      log local0. "Force Pool ISP NC for IP [IP::client_addr]"
      pool NC_default_pool
   } else
   {
       log local0. "No Need to force Pool for IP [IP::client_addr]"
   }
 }
 else
 {
   log local0. "client_addr ([IP::client_addr]) must be natt'ed, nothing to do on event CLIENT_ACCEPTED"
 }
  persist dest_addr
}

nicolas_menant · Answer

Hi,&nbsp;
&nbsp;With your iRule, do you see any entry in statistics &gt; Persistence records  through the GUI ? &nbsp;
&nbsp;If it doesn't work with the dest_addr you may try to use this command:&nbsp;
&nbsp;persist uie [serverside {IP::remote_addr}]&nbsp;
&nbsp;That should do the same thing (you should see some entries in statistics &gt; Persistence records  through the GUI)&nbsp;
&nbsp;Morover do you need the persistence to be applied among several vs ? if yes you'll need to add some data : &nbsp;
&nbsp;persist uie {[serverside {IP::remote_addr}] any virtual}&nbsp;
&nbsp;HTH &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

crouch_62389 · Answer

Hi,&nbsp;
&nbsp;With the dest_addr command I did not view any statistics.&nbsp;
&nbsp;However when I used &nbsp;
&nbsp;persist uie {[serverside {IP::remote_addr}] any virtual}&nbsp;
&nbsp;I saw stats but I did not get the required result. So i changed to client;&nbsp;
&nbsp;persist uie {[clientside {IP::client_addr}] any virtual}&nbsp;
&nbsp;and this appears to be working. 
&nbsp;For example whenIgo to whatsmyaddress.com it returns the same IP address when I perform a constant refresh.&nbsp;
&nbsp;Whereas,  before it would give an alternating address on a constant refresh.&nbsp;
&nbsp;Thanks for your help&nbsp;
&nbsp;Mark&nbsp;&nbsp;

nicolas_menant · Answer

Hi,&nbsp;
&nbsp;Yes it should work too. The thing here is that a client will always use the same outbound link with this persistence&nbsp;
&nbsp;If it's fine for you then it's cool!

Forum Discussion

SNAT persistance with Outbound Load Balancing

3 Replies

Recent Discussions

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

SSL Orchestrator Advanced Use Cases: Outbound SNAT Persistence

Active/Active load balancing examples with F5 BIG-IP and Azure load balancer

Recommended Persistence for F5 working as ISP-LB ( ISP Load Balancing )

NGINXaaS for Azure: Load Balancing

Deploying F5 BIG-IP with Azure Cross-region load balancer