For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

OttimoMassimo_1's avatar
OttimoMassimo_1
Icon for Nimbostratus rankNimbostratus
May 13, 2013

Using the same IP address for a VIP and a SNAT - yay or nay?

Hi,   We've run into a potential issue with response times from a VIP. Said VIP shares an IP address with a unique SNAT for outbound connections from a range of internal hosts. The VIP shares a ra...
config
design
Adrian_Turcu_10's avatar
Adrian_Turcu_10
Icon for Nimbostratus rankNimbostratus
May 13, 2013
I guess in the initial post was supposed to mention the listening VIP config for the inbound connections. This VIP shares the same IP as the selective SNAT from above and it experience the "lag".

4. 

 
virtual external-VIP {
   snat automap
   pool server-farm-pool
   destination 192.168.1.2:http
   ip protocol tcp
   profiles { http tcp }
   vlans external-VLAN enable
}

The external VIP is available only on the external-VLAN , while the forwarding VIP is on the internal-pool-VLAN only.

The external VIP listens on a port < 1024 for client connections

The SNAT will generate traffic from the same IP address as the external VIP, but on ports always > 1024

So, how would the connection tracking get confused especially the 2 types of traffic originate on different interfaces (internal-VLAN vs external-VLAN) ?

Thanks,

Adrian

P.S. Myself and OttimoMassimo work in the same place, tracking on the same issue...