Bug ID 697428: Change in behaviour, in CGNAT/AFM the NAT listener takes precedence if IP address matches existing virtual server

Last Modified: Feb 03, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Fixed In:

Opened: Dec 04, 2017
Severity: 3-Major


As a result of the code changes done to fix a hairpin listener issue, there is a change in the listener behavior with multiple listeners. The translation object is now a listener when the inbound mode is enabled. Based on the address it is set to listen to, the translation object can become a higher priority listener than the virtual server.


When a new connection request matches both a virtual server and a NAT, the BIG-IP system places higher precedence on the virtual server listener. Unless the NAT has a more specific address For example, when the BIG-IP system receives a new connection request for the destination IP address, the virtual server listener has higher precedence than the NAT listener If the virtual server listener is a network address such as, then the NAT listener takes precedence. Note: There is a change in behavior for virtual server and NAT precedence for CGNAT/BIG-IP AFM in which, if listener IP address for both virtual server and NAT match, the NAT takes precedence. For more information, refer to K67779110: Traffic not passing through forwarding virtual server after upgrading to BIG-IP AFM V15.1.0.


When the inbound mode is enabled for a source translation object it becomes a listener. When there are multiple listeners matching the destination host or network IP address then the precedence is as follows: Virtual servers (Destination address) NATs (NAT address) Connections matching both a virtual server and a NAT


Disable the inbound mode on the translation object unless they specifically want the object to be a listener for the incoming traffic.

Fix Information

Modification in the listener behavior based on the code changes done for this fix.

Behavior Change

In CGNAT/BIG-IP AFM, if the NAT has a matching IP address to an existing virtual server, then the NAT listener takes precedence. The behavior remains the same for the NAT configurations in other modules, where the virtual server listener takes precedence.