Sticky DIP

Sticky DIP Addresses

When a host initiates several sessions that match an access policy with network address translation (NAT) enabled and is assigned an address from a dynamic IP (DIP) pool, the security device assigns a different source IP address for each session. Such random address assignment can be problematic for services that create multiple sessions that require the same source IP address for each session.

For example, it is important to have the same IP address for multiple sessions when using the AOL Instant Messaging (AIM) client. You create one session when you log in, and another for each chat. For the AIM server to verify that a new chat belongs to an authenticated user, it must match the source IP address of the login session with that of the chat session. If they are different—possibly because they were randomly assigned from a DIP pool during the NAT process—the AIM server rejects the chat session. To ensure that the device assigns the same IP address from a DIP pool to a host for multiple concurrent sessions, enable the “sticky” DIP address feature.

Sticky: specifies that the security device assigns the same IP address to a host for multiple concurrent sessions.

Alarm Raise Threshold: sets a DIP utilization alarm threshold, expressed as a percentage of possible DIP utilization. When DIP utilization exceeds this threshold, the device triggers an SNMP trap. Because this threshold is zero by default, it is not enabled until you increase the setting to a nonzero value. (Possible values are 50 to 100, inclusive.)

Alarm Clear Threshold: sets an optional threshold, also expressed as a percentage of possible DIP utilization. When DIP utilization falls below this threshold (and DIP utilization previously exceeded the alarm-raise threshold), the device triggers an SNMP alarm. The default value for this threshold is 10% below the configured alarm-raise threshold. (Possible configured values are 40 to 100, inclusive.)

The device logs these alarm events.
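The following Python model is an added example, not device or vendor code. It shows why the AIM chat sessions fail without sticky DIP and how the raise and clear thresholds produce alarm events. All names and addresses are constructed; non-sticky assignment is modelled as round-robin (a deterministic stand-in for the device's per-session choice), and "10% below" is assumed to mean 10 percentage points.

```python
from itertools import cycle

def translate(sessions, pool, sticky):
    """Return the DIP source address given to each session (one host name per session)."""
    next_addr = cycle(pool)   # stand-in for the device's per-session pick from the pool
    bound, out = {}, []       # bound: host -> address it already holds
    for host in sessions:
        if not (sticky and host in bound):
            bound[host] = next(next_addr)
        out.append(bound[host])
    return out

def rejected_chats(sources):
    """Count later sessions whose source differs from the login session (sources[0])."""
    return sum(1 for ip in sources[1:] if ip != sources[0])

class DipAlarm:
    """Raise/clear hysteresis over DIP utilization samples, in percent."""
    def __init__(self, raise_pct=0, clear_pct=None):
        if raise_pct != 0 and not 50 <= raise_pct <= 100:
            raise ValueError("alarm raise threshold must be 0 (disabled) or 50-100")
        if clear_pct is None:
            clear_pct = raise_pct - 10   # assumption: "10% below" means 10 points
        elif not 40 <= clear_pct <= 100:
            raise ValueError("alarm clear threshold must be 40-100")
        self.raise_pct, self.clear_pct, self.active = raise_pct, clear_pct, False

    def observe(self, util):
        """Return "raise", "clear" or None for one utilization sample."""
        if self.raise_pct == 0:
            return None                   # default of zero: alarm not enabled
        if not self.active and util > self.raise_pct:
            self.active = True
            return "raise"
        if self.active and util < self.clear_pct:
            self.active = False
            return "clear"
        return None

if __name__ == "__main__":
    pool = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]   # constructed pool
    aim = ["host-a"] * 3                                      # login + two chats
    for sticky in (False, True):
        print(sticky, rejected_chats(translate(aim, pool, sticky)))
    alarm = DipAlarm(raise_pct=80)
    print([alarm.observe(u) for u in (60, 85, 90, 75, 65, 85)])
```

A sample of 75 between the two thresholds produces no event, so utilization hovering near the raise threshold does not generate a stream of traps.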