One connect profile query.

Question

Hello All,&nbsp;
Just for a better understanding of Oneconnect profile function, from the KB5911 I learned following line :&nbsp;
" OneConnect applies a mask (much like applying an independent subnet mask) to client source IP addresses on server-side connections."&nbsp;
My query: As soon as say Client (IP: 10.10.10.1) connects to a VS a source mask of 255.255.255.255 is assigned?&nbsp;
OR&nbsp;
It will evaluate the number of Client source IPs (say the second connection is from 10.10.10.2 or 10.20.20.1 ) and based on that source, the subnet mask will be calculated whether to apply 255.255.0.0 or 0.0.0.0.&nbsp;
Regards,&nbsp;
Dayesh&nbsp;

dayesh_381792 · Answer

Just to add , or is the subnet mask is on the basis of source prefix length  we configure in the profile?&nbsp;
Thanks.&nbsp;

i_r_101_110 · Answer

I may need correction - especially on the third point, but to my understanding:&nbsp;
A broad one connect mask such as all zeros informs the bigip to never load balance but to reuse the same idle tcp connection to the same backend server.This is especially the case when SNAT is enabled on the VIP because the decision to make a new backend tcp connection is applied after SNAT occurs.&nbsp;
A mask of 255.255.255.255 instructs the bigip to only reuse the same backend tcp connection for the same source ip. In this case, it opens an additional backend tcp connection for each new source ip connection. &nbsp;
A mask of 255.255.0.0 would only open a new backend tcp connection if the new source ip connection was not in the same /16 network as the source ip of the existing backend tcp connection.&nbsp;

wlopez · Answer

As far as the oneconnect profile goes:&nbsp;
A mask of 0 (default value) causes the system to share reused connections across all source addresses. &nbsp;
A host mask of /32 (that is, all 1 values in binary) causes the system to share only those reused connections originating from the same source address.&nbsp;
You also need to take into account that persistence profiles and SNATs can affect if connections will be reused. When you are using a SNAT or SNAT pool, the server-side source address is translated first and then the OneConnect mask is applied to the translated address.&nbsp;

wlopez_98779 · Answer

As far as the oneconnect profile goes:&nbsp;
A mask of 0 (default value) causes the system to share reused connections across all source addresses. &nbsp;
A host mask of /32 (that is, all 1 values in binary) causes the system to share only those reused connections originating from the same source address.&nbsp;
You also need to take into account that persistence profiles and SNATs can affect if connections will be reused. When you are using a SNAT or SNAT pool, the server-side source address is translated first and then the OneConnect mask is applied to the translated address.&nbsp;

dayesh_381792 · Answer

Thanks for your response Wlopez and  Ngutierrez31 &nbsp;
Hi Wlopez,&nbsp;
In that case, will the subnet mask of the OC profile will be decided on the basis of Original client source IP or on the basis of the SNAT IP/Pool as the source address will be changed after the SNAT?&nbsp;
Thanks&nbsp;
Regards,&nbsp;
Dayesh&nbsp;

Forum Discussion

One connect profile query.

8 Replies

Recent Discussions

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Related Content

Pool downtime query

iRule Processing query

SSL Profiles

iRuleLX Solution for OAUTH JWT authenticated Salesforce Query

BIG-IP Advanced Firewall Manager (AFM) DNS NXDOMAIN Query Attack Type Walkthrough - part two