For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

OttimoMassimo_1's avatar
OttimoMassimo_1
Icon for Nimbostratus rankNimbostratus
May 13, 2013

Using the same IP address for a VIP and a SNAT - yay or nay?

Hi,   We've run into a potential issue with response times from a VIP. Said VIP shares an IP address with a unique SNAT for outbound connections from a range of internal hosts. The VIP shares a ra...
config
design
What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
May 14, 2013
OK, the extra information you've provided mostly indicates that sharing the address is not the cause of your issue, however, let me respond to a few things;

 

 

1) The originating segment doesn't matter; if the SNAT IP consumes port 16000 for an outbound translation that port cannot be used to serve a different inbound connection to the same IP address. Port 16000 for that IP address has already been used, how, why or where is not relevant.

 

2) Apologies but I missed the fact the inbound VS was NOT wildcard and was getting confused with the outbound one.

 

3) Regarding the Linux OS, this is a red herring. Any settings found there are for the HMS and management functions and interface. LTM/TMM does not use these settings; it has multiple protocol stacks that operate independently of the HMS. So yes, it's possible a lower port number could be used for an SNAT and that setting is completely ignored for anything other than management related traffic.