Citrix ADC | Source IP Selection for LLB with and without RNAT

Article ID: CTX255238
Description

This article explains how the source IP for egress traffic is selected with Link Load Balancing (LLB) in different scenarios, with and without RNAT.

To follow the scenarios, familiarity with LLB and RNAT is recommended as a prerequisite. Refer to the links in the "Additional Information" section to familiarize yourself with these features.


Reference network topology (diagram not reproduced): Service-1 is reached through ISP-1 in the 1.1.1.x subnet and Service-2 through ISP-2 in the 2.2.2.x subnet; the client 10.10.10.100 sits behind the ADC.

Scenario-1
SNIP-1: [1.1.1.1], SNIP-2: [2.2.2.2], RNAT: [NOT CONFIGURED]
Traffic Flow:

  • Client traffic reaches the ADC
  • The ADC picks a Service based on the Load Balancing Method, e.g. Service-1
  • Source IP: SNIP-1 is used because it is in the same subnet as Service-1; SNIP-2 would be used if Service-2 were selected
Result: Traffic exits via ISP-1 with an IP of 1.1.1.2 and is expected to return on the same path.


Scenario-2
SNIP-1: [1.1.1.1], SNIP-2: [NOT CONFIGURED], RNAT: [NOT CONFIGURED]
Traffic Flow:
  • Client traffic reaches the ADC
  • The ADC picks a Service based on the Load Balancing Method; if Service-1 is selected, the flow is the same as above.
  • If Service-2 is selected, it does not have a SNIP in the same subnet.
  • Source IP: SNIP-1 is used because it is the only SNIP available.

Result: Traffic exits via ISP-2 with an IP of 1.1.1.2 (ISP-1 IP pool). This either causes asymmetric traffic (outbound via ISP-2, inbound via ISP-1) or the traffic is dropped by ISP-2 because of a VLAN / source IP mismatch.

Scenario-3
SNIP-1: [1.1.1.1], SNIP-2: [2.2.2.2]
RNAT: [10.10.10.100 ==> 1.1.1.3]
RNAT: [10.10.10.100 ==> 2.2.2.3]

Traffic Flow:
  • Client traffic reaches the ADC
  • The ADC picks a Service based on the Load Balancing Method, e.g. Service-1
  • Source IP: if the client IP is 10.10.10.100, a source IP of 1.1.1.3 is used (if Service-2 had been selected, 2.2.2.3 would have been used). RNAT takes preference over SNIP.
Result: Traffic exits via ISP-1 with an IP of 1.1.1.3 and is expected to return on the same path.
 
Scenario-4
SNIP-1: [1.1.1.1], SNIP-2: [2.2.2.2]
RNAT: [10.10.10.100 ==> 2.2.2.3]

Traffic Flow:
  • Client traffic reaches the ADC
  • The ADC picks a Service based on the Load Balancing Method, e.g. Service-1
  • Source IP: if the client IP is 10.10.10.100, a source IP of 2.2.2.3 is used (RNAT takes preference over SNIP)
Result: Traffic exits via ISP-1 with an IP of 2.2.2.3 (ISP-2 IP pool). This can cause the same effects as Scenario-2.
 

Summary: To avoid potential issues such as asymmetric routing and traffic being dropped by the ISP because of source IP / VLAN mismatches, follow the two points below.

If not using RNAT: ensure that a SNIP exists in each Service (ISP) subnet (refer to Scenario-1). This ensures the right source IP is used for the egress ISP.

If using RNAT: ensure one RNAT statement exists for each Service bound to the LLB (refer to Scenario-3).

A common misconception is that, to make a client always exit via ISP-X, you can RNAT the client to an IP from the ISP-X subnet (as in Scenario-4). This is NOT CORRECT. The LB decision is not influenced by the RNAT configuration. The RNAT takes effect, but the LB decision can still pick another link, ISP-Y, causing the outcomes described in Scenario-2 / Scenario-4, which may not be ideal.
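The following Python script is an added worked example, not Citrix code and not taken from this article. It models the source IP selection order the four scenarios describe (RNAT matching the client IP first, then a SNIP in the selected Service's subnet, then any SNIP) over a constructed two-ISP topology, and flags each flow whose source IP belongs to a different ISP pool than its egress link, which is the asymmetric-routing / ISP-drop condition the summary warns about. The LB decision is a plain round-robin that deliberately ignores SNIPs and RNAT, to show why the Scenario-4 approach does not pin a client to one link. The subnets 1.1.1.0/24 and 2.2.2.0/24, the function names and the use of the SNIP address itself as the source IP are assumptions of the model.

```python
import ipaddress

# Constructed model of the article's reference topology (an assumption, not
# Citrix code): each LLB service is a next hop inside one ISP's subnet.
ISP_LINKS = {
    "Service-1": {"isp": "ISP-1", "subnet": ipaddress.ip_network("1.1.1.0/24")},
    "Service-2": {"isp": "ISP-2", "subnet": ipaddress.ip_network("2.2.2.0/24")},
}
SERVICE_ORDER = list(ISP_LINKS)


def pool_of(ip):
    """Name the ISP whose address pool contains ip, or None if neither does."""
    addr = ipaddress.ip_address(ip)
    for svc in ISP_LINKS.values():
        if addr in svc["subnet"]:
            return svc["isp"]
    return None


def pick_service(flow_index):
    """Round-robin LB decision. It deliberately consults neither SNIPs nor
    RNAT rules: the article's point is that RNAT never influences which
    link the LB method chooses."""
    return SERVICE_ORDER[flow_index % len(SERVICE_ORDER)]


def select_source_ip(client_ip, service, snips, rnat_rules):
    """Source IP selection in the order the article describes.

    1. An RNAT rule matching the client IP takes preference over any SNIP.
       With several matching rules the one inside the selected Service's
       subnet is used (Scenario-3); a lone rule is used as-is (Scenario-4).
    2. Otherwise a SNIP in the selected Service's subnet is used (Scenario-1).
    3. Otherwise the only SNIP available is used (Scenario-2).
    Returns (source_ip, "RNAT" | "SNIP")."""
    subnet = ISP_LINKS[service]["subnet"]
    nat_candidates = [nat for (cli, nat) in rnat_rules if cli == client_ip]
    if nat_candidates:
        for nat in nat_candidates:
            if ipaddress.ip_address(nat) in subnet:
                return nat, "RNAT"
        return nat_candidates[0], "RNAT"
    for snip in snips:
        if ipaddress.ip_address(snip) in subnet:
            return snip, "SNIP"
    if snips:
        return snips[0], "SNIP"
    raise ValueError("no SNIP configured on the ADC")


def evaluate(client_ip, service, snips, rnat_rules):
    """Combine the LB choice and the source IP choice for one flow and check
    whether the source IP's pool matches the egress ISP."""
    src, how = select_source_ip(client_ip, service, snips, rnat_rules)
    egress = ISP_LINKS[service]["isp"]
    pool = pool_of(src)
    return {
        "egress": egress,
        "source_ip": src,
        "selected_by": how,
        "source_pool": pool,
        # False means the asymmetric-routing / ISP-drop risk from the article.
        "symmetric": pool == egress,
    }


def simulate_flows(client_ip, snips, rnat_rules, flows=2):
    """Run `flows` consecutive flows from one client through the round-robin LB."""
    return [evaluate(client_ip, pick_service(i), snips, rnat_rules) for i in range(flows)]


def run_article_scenarios():
    """Reproduce the four configurations from the article (constructed inputs)."""
    client = "10.10.10.100"
    both_snips = ["1.1.1.1", "2.2.2.2"]
    return {
        "Scenario-1": simulate_flows(client, both_snips, []),
        "Scenario-2": simulate_flows(client, ["1.1.1.1"], []),
        "Scenario-3": simulate_flows(client, both_snips,
                                     [(client, "1.1.1.3"), (client, "2.2.2.3")]),
        "Scenario-4": simulate_flows(client, both_snips, [(client, "2.2.2.3")]),
    }


if __name__ == "__main__":
    for name, flows in run_article_scenarios().items():
        for f in flows:
            flag = "OK" if f["symmetric"] else "MISMATCH"
            print(f"{name}: egress {f['egress']}, src {f['source_ip']} "
                  f"({f['selected_by']}, {f['source_pool']} pool) {flag}")
```

Running it prints one line per flow; the second flow of Scenario-2 and the first flow of Scenario-4 are reported as MISMATCH, while every flow in Scenario-1 and Scenario-3 is symmetric. Because `pick_service` alternates links regardless of the RNAT table, the single RNAT rule in Scenario-4 is applied to traffic that the LB has already sent out ISP-1, which is exactly the misconception the summary describes.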

Additional Information

https://docs.citrix.com/en-us/netscaler/12/link-load-balancing/configure-basic-llb-setup.html
https://docs.citrix.com/en-us/netscaler/12/link-load-balancing/configure-rnat-with-llb.html
https://docs.citrix.com/en-us/netscaler/12/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html