Forum Discussion

Kevin_Nail
Aug 28, 2009

LTM persistence with a SNAT pool

How do I set persistence on a virtual server with a SNAT pool where the IPs are always changing?

The scenario:

I have an LTM in a one-armed setup, so all connections must be SNAT'd to ensure that they return. I have a SNAT pool set up with 5 addresses.

I have a virtual server set up for which I need persistence to work. My problem is that I can't use source_address persistence because the back-end server will only see the SNAT IPs.

So what is the best method to get persistence in my setup?

Thanks in advance.

Kevin

5 Replies

  • Hi Kevin,

    Source address persistence is based on the client IP address. Persistence is evaluated before SNAT'ing is done. So you should still be able to use source address persistence with SNAT.

    If I've missed something in your scenario, can you elaborate?

    Thanks,

    Aaron
  • Thanks for the quick reply.

    Maybe I am worrying for nothing..

    To further explain..

    Client comes in with an IP of 1.2.3.4 and gets load-balanced to server A.

    The packet gets SNAT'd on the way out to 10.1.1.1 and server A sees the connection come from 10.1.1.1.

    Client then clicks on a link and another packet comes in to the VIP with a source IP of 1.2.3.4 but gets SNAT'd to 10.1.1.2.

    So will it go back to server A with source_IP persistence set up? Or will server A think it's a different connection because the IP has changed?

    But if the LTM is creating the persistence record before the packet leaves, then I should be OK.

    Thanks for your help.
  • I don't think there is a way to "persist" the client so the same IP in a SNAT pool is used over multiple TCP connections. Most apps do not check the client IP address though, so this shouldn't be an issue. If the app uses NTLM authentication or the web app itself enforces that the client IP address does not change over the course of a session, this would be a problem. In that case you might want to use an iRule to select the SNAT IP based on the client IP. If you need to do this, reply here and we can come up with some suggestions.

    Aaron
  • Thanks Aaron,

    I think the iRule would be a great idea, but it's not a vital thing at this point. If you have a quick one already written out, I would be glad for the help... but if not, like I said, it's not a mission-critical thing at this point.

    Thanks for your help.
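The iRule Aaron describes, pinning each client to one SNAT address so the back-end server sees a stable source IP across a session (and so its logs can be correlated back to a single client), as an added example that is not code from this thread. It assumes the five SNAT pool members are the constructed addresses 10.1.1.1 through 10.1.1.5 and IPv4 clients; persistence itself is still handled by the virtual server's source address profile.

```tcl
# Added example, not from the thread. Assumes a five-member SNAT pool using the
# constructed addresses 10.1.1.1-10.1.1.5 and IPv4 clients.
when RULE_INIT {
    # Must match the real SNAT pool members so return traffic still reaches the LTM.
    set static::snat_ips [list 10.1.1.1 10.1.1.2 10.1.1.3 10.1.1.4 10.1.1.5]
}

when CLIENT_ACCEPTED {
    # Derive a stable index from the client's source address so every TCP connection
    # from the same client egresses with the same SNAT IP (needed when the app or
    # NTLM ties a session to the client IP). Plain Tcl scan avoids version-specific
    # hashing commands; a non-IPv4 address falls back to the first pool member.
    set n [llength $static::snat_ips]
    if {[scan [IP::client_addr] {%d.%d.%d.%d} o1 o2 o3 o4] == 4} {
        set idx [expr {(($o3 * 256) + $o4) % $n}]
    } else {
        set idx 0
    }
    set chosen [lindex $static::snat_ips $idx]
    snat $chosen
    # Audit trail: lets the SNAT IP seen by the server be mapped back to the real client.
    log local0. "client [IP::client_addr] -> snat $chosen"
}
```

Clients whose last two octets collide will share a SNAT address, which is fine for session stability but means the log line above, not the SNAT IP alone, is what identifies the client.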