Forum Discussion

M_Rahm
Jun 19, 2019

Outbound Routing issue using IP Forwarding Virtual Server with SNAT

Hi DevCentral Team,


We really need your help on this as we have been having issues with the Outbound connection from Servers.

We have 2 Pools in 2 different partitions (Prod & UAT, 4 servers in total) that need to initiate connections to the same destination.

To achieve this, we have created 2 IP forwarding Virtual Servers in 2 different partitions pointing to 2 different Firewalls’ Context interfaces.

But only the Prod VS is working (patting) and forwarding to the right Firewall interface but the other UAT VS is sending to the Prod FW Interface so not working.

Can you please see the screenshot below and suggest what we can do to make other VS work.

We are using image 13.0.0 build 0.0.1645 on BIG-IP (LTM).

Chassis Information

Chassis Name: BIG-IP VPR-C2400

Thank you.

10 Replies

    • M_Rahm

      Hi Kees,

      Thanks for your response. Yes we are using Route Domains and the 2 partitions that we have, belong to the same Route Domain screenshot attached.

  • Hi,

    It is logical that both virtual servers will forward traffic to the same interface, they are in the same route domain and share the same routing table.

    The only way to get this working is to create a Performance L4 VS on the input VLAN with a load balancing pool (set translate address and port to off). In this pool configure the gateway as a pool member (the gateway of the corresponding partition).

    Cheers,

    Kees

    • M_Rahm

      Kees,

      Thanks for your response. This makes sense but we need the policy based routing which will forward to the appropriate gateway from F5 based on the Source Address and will have to do SNAT too. I have attached the following iRule on the UAT VS but it's sending to the same gateway as the Prod VS is. For example, I have a static route (16.15.19.33/32) pointing to 10.17.131.1 configured in the Prod Partition and 16.15.19.32/30 pointing to 10.17.7.1 in the UAT partition.

      Four servers (2 in each pool) are going to the same destination, 16.15.19.33.

      The question is, while adding the iRule in the L3 forwarding Virtual Server at the GUI, will I have to leave the Source Address blank (0.0.0.0) and the SNAT option as "none", and leave the static route as it is or remove it? Been trying to find a solution for this for more than 3 weeks now :-). Any suggestion would be greatly appreciated. Thanks again.

      Note: The Source IP addresses are in 2 different partitions so the following iRule gave an error while configuring in the UAT Partition saying it could not find the snatpool SNAT_SD_Prod_Pool_131.103.

      when CLIENT_ACCEPTED {
          # Prod servers: SNAT from the Prod pool, next hop is the Prod firewall interface
          if { [IP::addr [IP::client_addr] equals 10.17.131.0/27] } {
              snatpool SNAT_SD_Prod_Pool_131.103 member 10.17.131.103
              node 10.17.131.1
          # UAT servers: SNAT from the UAT pool, next hop is the UAT firewall interface
          } elseif { [IP::addr [IP::client_addr] equals 10.17.7.12/30] } {
              snatpool SNAT_SD_UAT_Pool_7.106 member 10.17.7.106
              node 10.17.7.1
          }
      }

      So changed it to the following in the UAT partition but still the traffic was being sent to the Prod Firewall Interface which belongs to the Prod Partition.

      when CLIENT_ACCEPTED {
          # UAT servers only: SNAT from the UAT pool, next hop is the UAT firewall interface
          if { [IP::addr [IP::client_addr] equals 10.17.7.12/30] } {
              snatpool SNAT_SD_UAT_Pool_7.106 member 10.17.7.106
              node 10.17.7.1
          }
      }

  • An IP forwarding virtual server will never look at the pool/node you set in an irule. It will perform a routing lookup and based on the answer it will forward the traffic.

    Ok, create two performance L4 virtual servers in the Prod partition. Destination IP is 16.15.19.33, pool with 10.17.131.1 as a member. Add the ip address of first server as source to the first created virtual server and the second ip to the second virtual server. (assign the correct SNAT pool to both virtual servers)

    Repeat this in the UAT partition but use 10.17.7.1 as the pool member.

    This will solve your routing issue.

    Cheers,

    Kees
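The procedure above, rendered as tmsh commands. This is an added example, not configuration from the thread or from Kees's post; it also covers the earlier Performance L4 suggestion and the tcpdump check Kees asks for later in the thread. Assumed (not given on the page): route domain 0 so addresses need no %ID suffix, an ingress VLAN named vlan_servers, the pool and virtual server object names, and the individual server addresses, which are constructed inside the 10.17.131.0/27 and 10.17.7.12/30 subnets posted above. The destination, gateways and SNAT pool values are the ones quoted in the thread.

```tmsh
# Added example, not the thread's own configuration.
# Assumptions: route domain 0 (no %ID suffix on addresses); ingress VLAN
# "vlan_servers"; constructed server addresses 10.17.131.10 and 10.17.131.11
# (Prod, inside 10.17.131.0/27) and 10.17.7.13 and 10.17.7.14 (UAT, the two
# hosts of 10.17.7.12/30). Object names under /Prod and /UAT are made up.

# --- Prod partition ---
create ltm snatpool /Prod/SNAT_SD_Prod_Pool_131.103 members add { 10.17.131.103 }
# "Pool" whose only member is the Prod firewall context interface. The
# gateway_icmp monitor marks the pool (and so the VS) down if the next hop
# stops answering, rather than silently blackholing the servers' traffic.
create ltm pool /Prod/pool_gw_prod members add { 10.17.131.1:any } monitor gateway_icmp
# One Performance L4 (fastL4) VS per server: source = that server, listening on
# the server VLAN, no address/port translation, SNAT from the Prod pool, and the
# next hop decided by the pool instead of the shared routing table.
create ltm virtual /Prod/vs_out_prod_srv1 destination 16.15.19.33:any source 10.17.131.10/32 ip-protocol any profiles add { fastL4 } vlans add { vlan_servers } vlans-enabled pool /Prod/pool_gw_prod source-address-translation { type snat pool /Prod/SNAT_SD_Prod_Pool_131.103 } translate-address disabled translate-port disabled
create ltm virtual /Prod/vs_out_prod_srv2 destination 16.15.19.33:any source 10.17.131.11/32 ip-protocol any profiles add { fastL4 } vlans add { vlan_servers } vlans-enabled pool /Prod/pool_gw_prod source-address-translation { type snat pool /Prod/SNAT_SD_Prod_Pool_131.103 } translate-address disabled translate-port disabled

# --- UAT partition: same shape, UAT gateway and UAT SNAT pool ---
create ltm snatpool /UAT/SNAT_SD_UAT_Pool_7.106 members add { 10.17.7.106 }
create ltm pool /UAT/pool_gw_uat members add { 10.17.7.1:any } monitor gateway_icmp
create ltm virtual /UAT/vs_out_uat_srv1 destination 16.15.19.33:any source 10.17.7.13/32 ip-protocol any profiles add { fastL4 } vlans add { vlan_servers } vlans-enabled pool /UAT/pool_gw_uat source-address-translation { type snat pool /UAT/SNAT_SD_UAT_Pool_7.106 } translate-address disabled translate-port disabled
create ltm virtual /UAT/vs_out_uat_srv2 destination 16.15.19.33:any source 10.17.7.14/32 ip-protocol any profiles add { fastL4 } vlans add { vlan_servers } vlans-enabled pool /UAT/pool_gw_uat source-address-translation { type snat pool /UAT/SNAT_SD_UAT_Pool_7.106 } translate-address disabled translate-port disabled

# --- Checks ---
# The VS that matched a server's flow should count packets in, and the gateway
# pool member should count packets out; if the VS counts but the member does
# not, the flow is being accepted but not leaving toward the firewall.
show ltm virtual /Prod/vs_out_prod_srv1
show ltm pool /Prod/pool_gw_prod members
list ltm virtual /Prod/vs_out_prod_srv1 all-properties
# The capture Kees asks for is run from the bash shell, not tmsh. The :nnn
# suffix on the interface adds BIG-IP's internal headers, which show which
# virtual server and flow handled each packet:
#   tcpdump -ni 0.0:nnn host 16.15.19.33
```

Because each virtual server has a pool, the next hop is the pool member and the static routes posted earlier (16.15.19.33/32 and 16.15.19.32/30, which collide in the shared routing table of one route domain) are no longer what decides the egress interface. A single virtual server per partition with source set to the whole subnet (10.17.131.0/27 or 10.17.7.12/30) would match the same servers with fewer objects; per-server virtual servers are shown here because that is what the post describes. If the partitions were in a non-default route domain, every address above would need its %ID suffix.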

    • M_Rahm

      Hi Kees,

      Thanks for the reply. I have set this up following your steps but the Servers are not sending the traffic to the FW interface now i.e. not leaving the F5 even though I am showing traffic on the VIP Stats. Any thoughts would be appreciated. Thanks.

      • M_Rahm

        So just FYI, this is a bi-directional traffic flow. Inbound connection will hit the same VIP, 10.17.131.103 for Prod and 10.17.7.106 UAT which are being used as SNAT Pool for outbound connection from the server through F5. Sorry for the hassle but I am surprised to see the struggle we are going through to set this up for the last 3 weeks. Any help would be appreciated. Thanks.

  • Ok, what if you create only one performance L4 virtual server (no port and address translation) with the snat pool for production. And perform a tcpdump with the :nnn behind the interface and post the output here.

    Cheers,

    Kees

    • M_Rahm

      Hi Kees,


      Sorry for the late response as I was busy with migration. Appreciate your patience. Can I send the tcpdump to any email address as it may have some proprietary info.

      Please let me know. Thanks a lot for your help.