Symptoms

As a result of the code changes done to fix a hairpin listener issue, there is a change in the listener behavior with multiple listeners. The translation object is now a listener when the inbound mode is enabled. Based on the address it is set to listen to, the translation object can become a higher priority listener than the virtual server.

Impact

When a new connection request matches both a virtual server and a NAT, the BIG-IP system places higher precedence on the virtual server listener. Unless the NAT has a more specific address For example, when the BIG-IP system receives a new connection request for the destination IP address 192.168.10.1, the virtual server listener 192.168.10.1 has higher precedence than the NAT listener 192.168.10.1. If the virtual server listener is a network address such as 192.0.0.0/8, then the NAT listener 192.168.10.1 takes precedence. Note: There is a change in behavior for virtual server and NAT precedence for CGNAT/BIG-IP AFM in which, if listener IP address for both virtual server and NAT match, the NAT takes precedence. For more information, refer to K67779110: Traffic not passing through forwarding virtual server after upgrading to BIG-IP AFM V15.1.0.

Conditions

When the inbound mode is enabled for a source translation object it becomes a listener. When there are multiple listeners matching the destination host or network IP address then the precedence is as follows: Virtual servers (Destination address) NATs (NAT address) Connections matching both a virtual server and a NAT

Workaround

Disable the inbound mode on the translation object unless they specifically want the object to be a listener for the incoming traffic.

Fix Information

Modification in the listener behavior based on the code changes done for this fix.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips