MAG Webserver Health Check using incorrect source IP causing the Web server to be displayed as DOWN

  • 7014116
  • 14-Nov-2013
  • 14-Nov-2013


NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 2 applied
Strong network level security enabled only allowing access to specific resource from certain IP addresses


Access Manager setup and working well. Due to network constraints, the TCP connect settings for the Web server configuration has been configured with 'Make Outbound Connection Using' set to specific IP addresses. The reason for this is that the network is locked down and firewall policies only allow connections from certain IP addresses. With this change in place, all users can access the protected resources on the web servers without any issues.

Despite this, the healthcheck reported in iManager for this working AG shows that many of the Web servers are DOWN. Traces show that the heartbeat requests from the AG to the Web servers are using the primary IP address for the web server healthchecks, that are all being blocked at the Firewall. There is no option to change the source IP address of the outgoing request to be a specific interface for the healthchecks as we do with the 'Make Outbound Connection Using'option above when users access the web server.


A defect has been opened with development. In the meantime, iptables can be used to rewrite the outgoing source IP address to workaround the issue.

The following is an example of how to do this:

iptables -t nat -A POSTROUTING -d -s -j SNAT –to-source

This rewrites our source address to look like the packets are coming from instead of, but only when packets are destine for The above example can be further locked for for specific interfaces (-o eth0), specific TCP ports (-m tcp --dport 80) if needed.