NimbostratusF5 LTM - SNAT fails in a /23 subnet
Hello all. We have installed a couple of BIG-IP LTM 1600 v11.3.0 (Build 3138.0) in active-passive mode. This cluster balances servers in two different DMZ (using Route Domains). Now the business asked also to balance servers in the internal LAN that is a /23 subnet (10.39.16.0/23 - VLAN 16 - DGW 10.39.16.250 a cisco router - F5 floating IP: 10.39.16.220 ). To reach that goal I configured all these objects: * New Route Domain creation (ID 16) * Interface configuration (on both devices) for self and floating IP in the new network (with the %16 suffix) * new Default Route (GW: 10.39.16.250 a Cisco Nexus switch) * A Forwarding IP virtual server And then I created a test farm to balance. As the balanced servers are in the LAN, most of the connections will come from the same LAN, so I configured the SNAT feature. And here I found the problem. The strange behavior is related to the SNAT IP, I hope to be able to explain what happen.
I said before the LAN is a /23 network. All the servers and all the devices have the /23 netmask configured. For this example let's split that subnet in two segments: one with a 10.39.16 prefix and the other with 10.39.17 prefix
If the SNAT IP reside in the same segment of the balanced servers the balancing DOES NOT WORK. If the SNAT IP reside in a different segment from the balanced servers the balancing WORKS FINE.
For example: * servers in the 10.39.17 segment * SNAT IP 10.39.17.195 ==> NOT WORKING
- servers in the 10.39.17 segment
-
SNAT IP 10.39.16.195 ==> OK
-
servers in the 10.39.16 segment
-
SNAT IP 10.39.16.195 ==> NOT WORKING
-
servers in the 10.39.16 segment
- SNAT IP 10.39.17.195 ==> OK
So it seems that the selected host does not know how to reach a SNAT IP in its segment, instead if the SNAT IP is in the other segment it is able to reach it. I'm talking on "segment" because the subnet is configured as /23 for all the servers and devices (unless I'll discover something different) It seems a netmask problem but I'm not able to find it...
Does anyone exeprieced something like this? Thanks in advance for any suggestion.
Below some configuration screens....
Stefano.
This behavior is strange. When I create a snatpool I typically select a snat subnet that is not shared with the servers. The behavior you are describing makes it sound like your cisco router has two /24 interfaces instead of a single /23. I assume this has been checked?
