Bug ID 697428: Change in behaviour, in CGNAT/AFM the NAT listener takes precedence if IP address matches existing virtual server

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP AFM(all modules)

Fixed In:
14.1.0

Opened: Dec 04, 2017

Severity: 3-Major

Symptoms

As a result of the code changes done to fix a hairpin listener issue, there is a change in the listener behavior with multiple listeners. The translation object is now a listener when the inbound mode is enabled. Based on the address it is set to listen to, the translation object can become a higher priority listener than the virtual server.

Impact

When a new connection request matches both a virtual server and a NAT, the BIG-IP system places higher precedence on the virtual server listener. Unless the NAT has a more specific address For example, when the BIG-IP system receives a new connection request for the destination IP address 192.168.10.1, the virtual server listener 192.168.10.1 has higher precedence than the NAT listener 192.168.10.1. If the virtual server listener is a network address such as 192.0.0.0/8, then the NAT listener 192.168.10.1 takes precedence. Note: There is a change in behavior for virtual server and NAT precedence for CGNAT/BIG-IP AFM in which, if listener IP address for both virtual server and NAT match, the NAT takes precedence. For more information, refer to K67779110: Traffic not passing through forwarding virtual server after upgrading to BIG-IP AFM V15.1.0.

Conditions

When the inbound mode is enabled for a source translation object it becomes a listener. When there are multiple listeners matching the destination host or network IP address then the precedence is as follows: Virtual servers (Destination address) NATs (NAT address) Connections matching both a virtual server and a NAT

Workaround

Disable the inbound mode on the translation object unless they specifically want the object to be a listener for the incoming traffic.

Fix Information

Modification in the listener behavior based on the code changes done for this fix.

Behavior Change

In CGNAT/BIG-IP AFM, if the NAT has a matching IP address to an existing virtual server, then the NAT listener takes precedence. The behavior remains the same for the NAT configurations in other modules, where the virtual server listener takes precedence.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips