Clients of a private network may exchange data packets with servers connected to a public network through a cluster of distributed network devices (i.e., cluster members), which, for example, apply network security rules to the packets. The network devices may employ Port Address Translation (PAT) on the packets. It is generally difficult to scale PAT across the network devices when the cluster is configured with a single Internet Protocol (IP) address pool in which the IP addresses are allocated to the cluster members on a fixed, per-IP-address basis, especially when stateful processing of the packets is involved. Dynamic PAT sessions are typically created and terminated on a per-connection basis, so all cluster members must continuously exchange PAT IP allocation data to accommodate potential flow asymmetry within a connection. Conventionally, each cluster member uses an allocated, fixed set of IP addresses from a PAT pool to service all transit connections that happen to load-balance to that particular cluster member, which results in the following operational problems.
First, a potential resource starvation problem may be created on cluster members joining or re-joining the cluster. Since all pool IP addresses are always allocated, a new or a re-joining member may not receive an allocation until a pre-allocated PAT IP address is freed up; thus, depending on the nature of traffic transiting the cluster, a cluster member may have to wait a rather long time for such an allocation. Furthermore, an administrator cannot practically predict the state of allocation before actually attempting to join a new member into the cluster due to a lack of visibility into the allocation process inside of the cluster. Second, multiple different connections from a single client may be distributed to different cluster members and therefore use different mapped IP addresses; this disrupts many client/server-based web applications, which expect all related connections from a single client to use a single source IP address.
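The two problems described above, modelled in a short simulation. This is an added example, not part of the original text; the member names, the addresses (documentation ranges) and the load balancer (source port modulo member count) are assumptions made for illustration.

```python
# Added example: constructed model of conventional per-IP PAT pool allocation.
POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]  # constructed

def allocate_fixed(pool, members):
    """Hand out whole IP addresses round-robin, so every pool IP is owned."""
    owned = {m: [] for m in members}
    for i, ip in enumerate(pool):
        owned[members[i % len(members)]].append(ip)
    return owned

def join(owned, member, free_ips):
    """A joining member only receives IPs that are currently free (often none)."""
    owned[member] = list(free_ips)
    return len(owned[member])

def pick_member(owned, flow):
    """Assumed load balancer: source port modulo the number of members."""
    members = sorted(owned)
    return members[flow[1] % len(members)]

def translate(owned, flow):
    """Return (member, mapped_ip); mapped_ip is None if that member is starved."""
    member = pick_member(owned, flow)
    ips = owned[member]
    return member, (ips[0] if ips else None)

def demo():
    owned = allocate_fixed(POOL, ["unit-a", "unit-b"])
    # Four related connections from ONE client to one server (constructed flows).
    flows = [("192.0.2.10", port, "198.51.100.5", 443)
             for port in (40000, 40001, 40002, 40003)]
    # Problem 2: the same client appears behind several mapped source addresses.
    before = {translate(owned, f)[1] for f in flows}
    # Problem 1: the pool is fully allocated, so the joining member gets nothing
    # and cannot translate the connections load-balanced to it.
    granted = join(owned, "unit-c", free_ips=[])
    after = [translate(owned, f) for f in flows]
    return before, granted, after

if __name__ == "__main__":
    before, granted, after = demo()
    print("mapped IPs seen for one client:", sorted(before))
    print("IPs granted to joining member:", granted)
    for member, ip in after:
        print(f"{member}: {ip or 'no PAT address available'}")
```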