Forum Discussion

cxcal_18687
Dec 05, 2007

SNAT conflict with MoveIT software

We are using Big-IP v4.5 and we failed our MoveIT migration this past weekend because when we have SNAT enabled and 2 nodes behind the VIP, the MoveIT software will lock out all of the users when one fails to log in correctly after 5 attempts. We found that this is due to the SNAT address that is being used. Auditing the client source IP address is needed for troubleshooting.

Bottom line, traffic comes in but does not make it back out to the clients.

Any way around this issue?

1 Reply

  • hoolio
    I would assume the app is blocking by source IP when a client fails five attempts. IP-based logic doesn't work so well when some/all of your clients are connecting from behind a proxy. You could configure the BIG-IP to insert the original client IP address in a custom header. But you would need to instruct the app to parse that header instead of the source IP on the TCP packets. I'm guessing you don't have that ability.

    The other option would be to set the default gateway of the app servers to the floating self IP address of the BIG-IP and then remove the SNAT. The BIG-IP would then use the original client IP address as the source for packets it sends to the web servers.

    Aaron
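The lockout behaviour discussed in this thread, modelled as an added example that is not part of the original posts and is not MoveIT or BIG-IP code: a failed-login counter keyed on the TCP source address locks every user behind one SNAT address, while keying on a proxy-inserted header isolates the failing client. The header name `X-Client-IP`, the addresses and the `LoginThrottle` class are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 5                   # lockout threshold described in the question
TRUSTED_PROXIES = {"10.0.0.5"}     # constructed SNAT address of the load balancer
CLIENT_IP_HEADER = "X-Client-IP"   # hypothetical name for the inserted header


class LoginThrottle:
    """Counts failed logins per address and locks at MAX_FAILURES."""

    def __init__(self, use_header):
        self.use_header = use_header
        self.failures = defaultdict(int)

    def lockout_key(self, peer_ip, headers):
        # Honour the header only when the TCP peer is the load balancer.
        # From any other peer the value is client-controlled, so trusting
        # it would make the lockout meaningless.
        if self.use_header and peer_ip in TRUSTED_PROXIES:
            try:
                return str(ipaddress.ip_address(headers.get(CLIENT_IP_HEADER, "").strip()))
            except ValueError:
                pass  # missing or malformed header: fall back to the peer
        return peer_ip

    def record_failure(self, peer_ip, headers):
        self.failures[self.lockout_key(peer_ip, headers)] += 1

    def is_locked(self, peer_ip, headers):
        return self.failures.get(self.lockout_key(peer_ip, headers), 0) >= MAX_FAILURES


def simulate(use_header):
    """One client fails five times; return (that client locked, other client locked)."""
    throttle = LoginThrottle(use_header)
    snat = "10.0.0.5"
    failing = {CLIENT_IP_HEADER: "198.51.100.7"}   # constructed client addresses
    other = {CLIENT_IP_HEADER: "203.0.113.20"}
    for _ in range(MAX_FAILURES):
        throttle.record_failure(snat, failing)
    return throttle.is_locked(snat, failing), throttle.is_locked(snat, other)


if __name__ == "__main__":
    print("keyed on TCP source:", simulate(use_header=False))
    print("keyed on header:    ", simulate(use_header=True))
```

With the SNAT removed and the servers routing back through the BIG-IP, the TCP source is already the real client address and the header branch is not needed.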