For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

OttimoMassimo_1's avatar
OttimoMassimo_1
Icon for Nimbostratus rankNimbostratus
May 13, 2013

Using the same IP address for a VIP and a SNAT - yay or nay?

Hi,   We've run into a potential issue with response times from a VIP. Said VIP shares an IP address with a unique SNAT for outbound connections from a range of internal hosts. The VIP shares a ra...
config
design
What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
May 13, 2013
How are you sure the VS traffic is always < 1024?

 

 

The connection tracking isn't getting confused but there is no way to guarantee uniqueness of port allocation. For example, an outbound connection uses port 2059 as it's source port as currently this port is free in that it is not in use by the SNAT and the VS isn't handling an inbound connection on that destination port. Then, some traffic is received by the VS on port 2059, not something you can control as it's inbound and a wildcard VS. Now we have a problem, port 2059 for that IP address is being used for the SNAT (an 'ephemeral listener' has been created to accept return traffic) so is that traffic processed by the VS, I doubt it.

 

 

Is that clear and logical?