Last Modified: Apr 28, 2025
Affected Product(s): BIG-IP AFM
Fixed In: 14.1.0
Opened: Dec 04, 2017 Severity: 3-Major
As a result of the code changes done to fix a hairpin listener issue, there is a change in the listener behavior with multiple listeners. The translation object is now a listener when the inbound mode is enabled. Based on the address it is set to listen to, the translation object can become a higher priority listener than the virtual server.
When a new connection request matches both a virtual server and a NAT, the BIG-IP system gives higher precedence to the virtual server listener, unless the NAT has a more specific address. For example, when the BIG-IP system receives a new connection request for the destination IP address 192.168.10.1, the virtual server listener 192.168.10.1 has higher precedence than the NAT listener 192.168.10.1. If the virtual server listener is a network address such as 192.0.0.0/8, then the NAT listener 192.168.10.1 takes precedence. Note: There is a change in behavior for virtual server and NAT precedence for CGNAT/BIG-IP AFM: if the listener IP addresses for both the virtual server and the NAT match, the NAT takes precedence. For more information, refer to K67779110: Traffic not passing through forwarding virtual server after upgrading to BIG-IP AFM V15.1.0.
When inbound mode is enabled for a source translation object, it becomes a listener. When multiple listeners match the destination host or network IP address, the precedence is as follows:
1. Virtual servers (destination address)
2. NATs (NAT address)
3. Connections matching both a virtual server and a NAT
Disable inbound mode on the translation object unless you specifically want the object to be a listener for incoming traffic.
The listener behavior was modified as part of the code changes made for this fix.
In CGNAT/BIG-IP AFM, if the NAT has a matching IP address to an existing virtual server, then the NAT listener takes precedence. The behavior remains the same for the NAT configurations in other modules, where the virtual server listener takes precedence.
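The precedence rules above are easy to misread, so the following is an added illustration (not F5 code and not taken from this article) that models them: a listener only counts if it is a virtual server or a NAT with inbound mode enabled; the most specific matching address wins; and an exact tie goes to the virtual server, except in CGNAT/BIG-IP AFM where the NAT wins. The model assumes that "more specific" means a longer prefix and ignores ports, protocols and route domains, which the real listener selection also considers; the `Listener` type, `select_listener` function and the sample addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Listener:
    """A simplified listener: a virtual server or a NAT (source translation object).

    Hypothetical type constructed for this example; it is not a BIG-IP object model.
    """
    kind: str            # "virtual" or "nat"
    name: str
    address: str         # host ("192.168.10.1") or network ("192.0.0.0/8")
    inbound_mode: bool = True  # only meaningful for NATs; False means "not a listener"


def _is_listener(l: Listener) -> bool:
    # A NAT only becomes a listener when inbound mode is enabled (the workaround
    # in the article is to disable it when the NAT should not listen).
    if l.kind == "nat":
        return l.inbound_mode
    return l.kind == "virtual"


def select_listener(dest_ip: str, listeners, afm_cgnat: bool = False) -> Optional[Listener]:
    """Return the listener that handles a new connection to dest_ip, or None.

    Assumption: specificity is modelled as prefix length (a /32 host beats a /8
    network). On an exact tie, the virtual server wins in LTM-style NAT
    configurations and the NAT wins in CGNAT/BIG-IP AFM (afm_cgnat=True).
    """
    dest = ipaddress.ip_address(dest_ip)
    candidates = []
    for l in listeners:
        if not _is_listener(l):
            continue
        net = ipaddress.ip_network(l.address, strict=False)
        if dest in net:
            candidates.append((net.prefixlen, l))
    if not candidates:
        return None

    best_len = max(prefixlen for prefixlen, _ in candidates)
    best = [l for prefixlen, l in candidates if prefixlen == best_len]
    if len(best) == 1:
        return best[0]

    # Same specificity: module-dependent tie-break between virtual server and NAT.
    preferred = "nat" if afm_cgnat else "virtual"
    for l in best:
        if l.kind == preferred:
            return l
    return best[0]


if __name__ == "__main__":
    # Constructed sample configuration mirroring the article's examples.
    vs_host = Listener("virtual", "vs_host", "192.168.10.1")
    nat_host = Listener("nat", "nat_host", "192.168.10.1")
    vs_net = Listener("virtual", "vs_net", "192.0.0.0/8")
    nat_off = Listener("nat", "nat_off", "192.168.10.1", inbound_mode=False)

    for label, lst, afm in [
        ("exact tie, other modules", [vs_host, nat_host], False),
        ("exact tie, CGNAT/AFM", [vs_host, nat_host], True),
        ("VS /8 vs NAT host", [vs_net, nat_host], False),
        ("NAT inbound mode disabled", [vs_net, nat_off], False),
    ]:
        chosen = select_listener("192.168.10.1", lst, afm_cgnat=afm)
        print(f"{label}: {chosen.name if chosen else None}")
```

Running the script prints which listener would take the connection for each scenario; the last case shows why disabling inbound mode on a translation object restores the virtual server as the listener.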