Forum Discussion

Nimbostratus

Dec 05, 2007

SNAT conflict with MoveIT software

We are using Big-IP v4.5 and we failed our MoveIT migration this pass weekend because when we have SNAT enabled and 2 nodes behind the VIP the MoveIT software will lock out all of the users when I one...

config

design

hoolio

Cirrostratus

Dec 05, 2007

I would assume the app is blocking by source IP when a client fails five attempts. IP-based logic doesn't work so well when some/all of your clients are connecting from behind a proxy. You could configure the BIG-IP to insert the original client IP address in a custom header. But you would need to instruct the app to parse that header instead of the source IP on the TCP packets. I'm guessing you don't have that ability.

The other option would be to set the default gateway of the app servers to the floating self IP address of the BIG-IP and then remove the SNAT. The BIG-IP would then use the original client IP address as the source for packets it sends to the web servers.

Aaron

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)