For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

OttimoMassimo_1's avatar
OttimoMassimo_1
Icon for Nimbostratus rankNimbostratus
May 13, 2013

Using the same IP address for a VIP and a SNAT - yay or nay?

Hi,   We've run into a potential issue with response times from a VIP. Said VIP shares an IP address with a unique SNAT for outbound connections from a range of internal hosts. The VIP shares a ra...
config
design
What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
May 13, 2013
I've SNATted traffic using the VS address as the source on a pretty large scale in the past without issues.

 

 

Regarding your design I suspect the issue may lie with the fact the IP is shared with a wildcard VS. The SNAT may assign a source port that is then used for the destination port by a client attempting to connect to the the VS, the F5 has no way of knowing or reserving ports in this scenario and I'm amazed it works at all. If the VS was restricted to a single port this wouldn't be an issue as the F5 would know what not to use for the SNAT.