SNAT pool near maximum allocated-f5-False

Vendor: f5

OS: False

Description:
Source Network Address Translation (SNAT) is used by an F5 BIG-IP load balancer to replace the client's source address on the server-side connection with an IP address and port taken from a SNAT pool, so that the pool member returns traffic to the BIG-IP and the reply can be matched to the correct session. Each translation consumes a port, and only a limited number of ports can be in use concurrently for a given SNAT IP address. Indeni will alert when a SNAT pool is nearing that capacity.

Remediation Steps:
Monitor the utilization of the affected pool(s). Investigate the source of the traffic increase and add IP addresses to the pool if needed. For more information read https://support.f5.com/csp/article/K33355231 (the log message referred to in the article is only generated once the pool reaches 100% utilization, at which point connections are already being dropped).

How does this work?
This alert uses the iControl REST interface to extract the number of current server side connections per SNAT pool. Please note that this alert is not compatible with IP addresses belonging to different networks.

Why is this important?
SNAT port exhaustion can occur in environments with large numbers of concurrent connections and too few SNAT IP addresses. Once every available source IP and port combination is in use, new server-side connections cannot be translated and are dropped by the BIG-IP.

Without Indeni how would you find this?
An administrator could log in to the device through SSH and execute the command "tmsh -c 'cd /;show ltm snatpool recursive'". Then, for each SNAT pool, compare the current connection count to the SNAT pool limit (64000 ports per member IP address). More information can be found here: https://support.f5.com/csp/article/k7820.

f5-rest-mgmt-tm-ltm-snatpool-stats

#! META
name: f5-rest-mgmt-tm-ltm-snatpool-stats
description: Get snatpool server side connection statistics
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"

#! COMMENTS
lb-snatpool-usage:
    why: |
        SNAT port exhaustion can occur in environments with large numbers of concurrent connections and too few SNAT IP addresses. Once every available source IP and port combination is in use, new server-side connections cannot be translated and are dropped by the BIG-IP.
    how: |
        This alert uses the iControl REST interface to extract the number of current server side connections per SNAT pool. Please note that this alert is not compatible with IP addresses belonging to different networks.
    without-indeni: |
        An administrator could log in to the device through SSH and execute the command "tmsh -c 'cd /;show ltm snatpool recursive'". Then, for each SNAT pool, compare the current connection count to the SNAT pool limit (64000 ports per member IP address). More information can be found here: https://support.f5.com/csp/article/k7820.
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::HTTP
url: /mgmt/tm/ltm/snatpool/stats?$select=tmName,serverside.curConns
protocol: HTTPS

#! PARSER::JSON

_metrics:
    - # Get the usage for each SNAT Pool. serverside.curConns is the number of
      # server-side connections currently open (one SNAT port each);
      # serverside.totConns is a cumulative counter that would eventually
      # exceed any limit and make the rule fire on every pool.
        _groups:
            $.entries.*.nestedStats.entries:
                _tags:
                    "im.name":
                        _constant: "lb-snatpool-usage"
                    "name":
                        _value: "tmName.description"
                _value.double:
                    _value: "['serverside.curConns'].value"

f5-rest-mgmt-tm-ltm-snatpool

#! META
name: f5-rest-mgmt-tm-ltm-snatpool
description: Get snatpool stats
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    rest-api: "true"

#! COMMENTS
lb-snatpool-limit:
    why: |
        SNAT port exhaustion can occur in environments with large numbers of concurrent connections and too few SNAT IP addresses. Once every available source IP and port combination is in use, new server-side connections cannot be translated and are dropped by the BIG-IP.
    how: |
        This alert uses the iControl REST interface to extract the number of IP addresses in each SNAT pool. It then calculates a minimum limit for each pool by multiplying the number of IP addresses by 64000. Please note that this alert is not compatible with IP addresses belonging to different networks.
    without-indeni: |
        An administrator could log in to the device through SSH and execute the command "tmsh -c 'cd /;list ltm snatpool recursive'". Then, for each configured SNAT pool, multiply the number of IP addresses by 64000.
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::HTTP
url: /mgmt/tm/ltm/snatpool?$select=members,fullPath
protocol: HTTPS

#! PARSER::JSON

_metrics:
    - # Get the minimum limit for each SNAT Pool
        _groups:
            "$.items[0:]":
                _tags:
                    "im.name":
                        _constant: "lb-snatpool-limit"
                    "name":
                        _value: "fullPath"
                _temp:
                    "addresses":
                        _count: "members"
        _transform:
            _value.double: |
                {

                    limit = temp("addresses") * 64000
                    print limit

                }

f5_snatpool_exhaustion

package com.indeni.server.rules.library.templatebased

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.NearingCapacityWithItemsTemplateRule
case class f5_snatpool_exhaustion() extends NearingCapacityWithItemsTemplateRule(
  ruleName = "f5_snatpool_exhaustion",
  ruleFriendlyName = "F5 Devices: SNAT pool near maximum allocated",
  ruleDescription = "Source Network Address Translation (SNAT) is used by an F5 load balancer to allocate a dedicated IP and port for a connection facing a pool member. This allows the pool member to return the traffic to the correct session. SNAT uses ports to do the translation, and there is a limit to the number of ports one can use concurrently for a given IP address. Indeni will alert when the SNAT pool is nearing its capacity.",
  usageMetricName = "lb-snatpool-usage",
  limitMetricName = "lb-snatpool-limit",
  applicableMetricTag = "name",
  threshold = 80.0,
  alertDescription = "Some SNAT pools are nearing their capacity. Capacity is calculated as 64000 multiplied by the number of IP addresses in the pool. If the traffic flow increases and the pool(s) reach capacity, traffic will be dropped.\n\nThis alert was added per the request of a senior network engineer at a Fortune 50 financial services company.",
  alertItemDescriptionFormat = "The number of ports in use is %.0f where the limit is %.0f.",
  baseRemediationText = "Monitor the pool(s) utilization. Investigate the source of traffic increase and consider adding an IP to the pool if needed. For more information read https://support.f5.com/csp/article/K33355231 (the log message referred to in the article will be generated at 100% of pool utilization)",
  alertItemsHeader = "Affected Pools")()
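The two collectors and the rule above can be reproduced without Indeni: fetch the same two iControl REST resources (the config URL /mgmt/tm/ltm/snatpool?$select=members,fullPath and the stats URL /mgmt/tm/ltm/snatpool/stats, for example with curl and basic auth), multiply member count by 64000 for the limit, and compare the current server-side connection count against it at the 80% threshold. The script below is an added example written for this page, not Indeni's or F5's code. The pool names, addresses and counter values are constructed samples that mirror the JSON shape iControl REST returns for those two URLs; it also shows why the cumulative serverside.totConns counter is the wrong input for this check.

```python
import json

# Per-address port budget used by the collectors and the rule on this page
# (roughly the 1024-65535 ephemeral range, per K7820).
PORTS_PER_ADDRESS = 64000
ALERT_THRESHOLD_PCT = 80.0  # matches the rule's "threshold = 80.0"

# Constructed sample of GET /mgmt/tm/ltm/snatpool?$select=members,fullPath
# (pool names and addresses are invented for this example).
SNATPOOL_CONFIG = json.loads(r'''
{
  "kind": "tm:ltm:snatpool:snatpoolcollectionstate",
  "items": [
    {"fullPath": "/Common/snat_pool_a",
     "members": ["/Common/10.0.10.11", "/Common/10.0.10.12"]},
    {"fullPath": "/Common/snat_pool_b",
     "members": ["/Common/10.0.20.11", "/Common/10.0.20.12", "/Common/10.0.20.13"]},
    {"fullPath": "/Common/snat_pool_empty"}
  ]
}
''')

# Constructed sample of GET /mgmt/tm/ltm/snatpool/stats with both counters selected.
SNATPOOL_STATS = json.loads(r'''
{
  "kind": "tm:ltm:snatpool:snatpoolcollectionstats",
  "entries": {
    "https://localhost/mgmt/tm/ltm/snatpool/~Common~snat_pool_a/stats": {
      "nestedStats": {"entries": {
        "tmName": {"description": "/Common/snat_pool_a"},
        "serverside.curConns": {"value": 108800},
        "serverside.totConns": {"value": 31000000}}}},
    "https://localhost/mgmt/tm/ltm/snatpool/~Common~snat_pool_b/stats": {
      "nestedStats": {"entries": {
        "tmName": {"description": "/Common/snat_pool_b"},
        "serverside.curConns": {"value": 40000},
        "serverside.totConns": {"value": 5000000}}}}
  }
}
''')


def pool_limits(config):
    """fullPath -> minimum port capacity, i.e. 64000 * number of member addresses.

    A pool without a 'members' key gets a limit of 0 so callers skip it
    instead of dividing by zero.
    """
    return {item["fullPath"]: len(item.get("members", [])) * PORTS_PER_ADDRESS
            for item in config.get("items", [])}


def pool_usage(stats, counter="serverside.curConns"):
    """tmName -> value of the chosen serverside counter for each pool."""
    usage = {}
    for entry in stats.get("entries", {}).values():
        fields = entry["nestedStats"]["entries"]
        usage[fields["tmName"]["description"]] = fields[counter]["value"]
    return usage


def check_snatpools(config, stats, threshold=ALERT_THRESHOLD_PCT,
                    counter="serverside.curConns"):
    """Join usage to limit by pool name and flag pools at or above the threshold."""
    limits = pool_limits(config)
    usage = pool_usage(stats, counter)
    findings = []
    for name, limit in sorted(limits.items()):
        used = usage.get(name)
        if used is None or limit == 0:
            continue  # no stats entry yet, or no members: nothing to compare
        pct = 100.0 * used / limit
        findings.append({"name": name, "used": used, "limit": limit,
                         "pct": round(pct, 1), "alert": pct >= threshold})
    return findings


def format_findings(findings):
    """Render alerting pools in the wording of the rule's alertItemDescriptionFormat."""
    return ["%s: The number of ports in use is %.0f where the limit is %.0f (%.1f%%)."
            % (f["name"], f["used"], f["limit"], f["pct"])
            for f in findings if f["alert"]]


if __name__ == "__main__":
    for line in format_findings(check_snatpools(SNATPOOL_CONFIG, SNATPOOL_STATS)):
        print(line)
    # The cumulative counter keeps growing, so it flags every busy pool sooner or later.
    wrong = check_snatpools(SNATPOOL_CONFIG, SNATPOOL_STATS, counter="serverside.totConns")
    print("pools flagged using totConns:", [f["name"] for f in wrong if f["alert"]])
```

Because the collector above calls 64000 times the member count a minimum limit, a pool may in practice carry more connections than this figure before ports run out; the 80% threshold therefore errs on the side of alerting early, which is the right direction for a condition whose only symptom at 100% is dropped connections.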