Recently i had a customer with a problem: The customer configured an IPMP group with a number of additional IPs. They had a number of application servers running on the system and as all of them needed to use the same portnumber they used additional IP addresses. But afterwards they observed a problem: For the backup the system used all the IP addresses of the additional interfaces for new connections originating from the system.
This was creating problems on the connections having to go through a firewall. As those additional IP addresses were configured for server processes to provide their services, but not for connection to the outside, the firewall rules were not configured accordingly to allow outbound traffic.
Well, this is expected behaviour, it’s even somewhat documented how to get configure it to the behaviour the customer wanted to see, but it’s a little bit hidden.
To simplify the situation a little bit: The system will use any non-deprecated address on the IPMP group as the source IP. You surely know that test addresses are flagged as deprecated in an IPMP configuration however the use case is not limited to those test addresses. You can use it for any interface that shouldn’t be used as a source address. Or as the documentation states it:
DEPRECATED address
Refers to an IP address that cannot be used as the source address for data. Typically, IPMP test addresses, which have the NOFAILOVER flag, are also automatically marked as DEPRECATED by the system. However, any address can be marked DEPRECATED to prevent the address from being used as a source address.
The solution to this problem is quite simple. For any additional IP address that you don’t want to use as an source address on your system, just use the following command: