Forum Discussion

Austin_Geraci
Nov 29, 2010

Are open NAT connections maintained upon failover?

I heard someone say by default open NAT connections are maintained when a failover occurs in an HA pair.

I can't find any doc referencing this online. Any insight?

Thanks!


9 Replies

  • From what I can see, SNAT and Virtual Server connections are mirrored.

    https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7222.html
  • Yep, I found the same thing. I don't have an HA pair I can test this on right now...

    Can someone from F5 chime in, or someone who could test this?

    Thanks!
  • I'm getting stuck on some test. Anyway, if no one is available, I may be able to test it tomorrow - it is about 10:30pm here now.

    What TMOS version would you like to test?

    Can you explain a bit more what you want to verify?
  • Thanks, anything 10x is fine...

    Specifically I'm trying to prove if NAT connections are maintained on a standby unit in an HA pair by default... upon failover the connections should be maintained...
  • Will do and update you all.

    Anyway, IMO, it should work.
  • Since NAT is stateless, I think we don't need mirroring.

    I tested on 10.2.0. SSH and FTP survived after failing over. I didn't use MAC masquerade.

    BIG-IP Version 10.2.0 1707.0
    Final Edition

    vlan external {
        tag 4093
        interfaces 1.1
    }
    vlan internal {
        tag 4094
        interfaces 1.3
    }
    self 10.10.72.50 {
        netmask 255.255.0.0
        vlan internal
        allow default
    }
    self 10.10.72.55 {
        netmask 255.255.0.0
        unit 1
        floating enable
        vlan internal
        allow default
    }
    self 172.28.17.50 {
        netmask 255.255.255.0
        vlan external
    }
    nat 10.10.70.110 to 172.28.17.55 {
    }

    [root@bigip01:Active] config b virtual list
    No Virtual Servers were found.

    [root@bigip01:Active] config b snat list
    No SNATs were found.

  • Ahhh, that's exactly what I was missing. Makes perfect sense now if you think about it... Using NAT on an LTM is one instance where the LTM isn't considered a full proxy... It does not jump in the middle of the connection. Hence why you don't need to configure a VS etc. for a NAT... It's stateless and will forward on the communication appropriately upon failover.

    Thanks for running the tests!