Last Modified: May 29, 2024
Affected Product(s):
F5OS Velos
Known Affected Versions:
F5OS-C 1.3.2, F5OS-C 1.5.0
Fixed In:
F5OS-C 1.6.0, F5OS-C 1.5.1
Opened: Sep 05, 2022
Severity: 3-Major
When a VELOS device is configured with a prefix-length other than /24, /16, or /8 for IPv4 management addresses, the system may fail to install correct routes for handling reply traffic sourced from the floating management address. One of the two following situations may occur:

1. The floating management address will not be accessible from other devices on the same local network (cannot ping the floating management IP from the standby system controller).
2. The floating management address will not be accessible from another range of IPs, because the system thinks those addresses are link-local.

For instance, if a device is assigned an IP address of 198.51.78.88/26:

    [root@controller-1 ~]# ip route show table mgmt-floating4
    default via 198.51.100.126 dev mgmt-floating
    198.51.100.0/26 dev mgmt-floating scope link

The system will not be accessible from devices with IP address 198.51.100.0 through 198.51.100.63.
Floating system controller management IP may not be able to reply to traffic from all IPs.
-- VELOS controller
-- Management network with an IPv4 management address configured, and management network prefix-length other than /24, /16, or /8.
On the active system controller (and again after any reboot or system controller failover), fix the routing rules. Log in to the active system controller as root and run the following commands:

    # Network that the main table associates with mgmt-floating
    CORRECT_NETWORK=$(ip route show table main | grep mgmt-floating | cut -f1 -d' ')
    # The incorrect link-scope route currently in the mgmt-floating4 table
    WRONG_ROUTE=$(ip route show table mgmt-floating4 | grep 'scope link')
    # Replace the incorrect route with the correct network
    ip route delete table mgmt-floating4 $WRONG_ROUTE
    ip route add table mgmt-floating4 $CORRECT_NETWORK dev mgmt-floating
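
A check to run after a reboot or failover to see whether the workaround is needed again, as an added example that is not F5's code: it compares the `scope link` route in `mgmt-floating4` with the network the main table shows for `mgmt-floating`. The sample main-table line, the function names and the `--sample`/`--live` switches are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not F5 code): detect the wrong link route in mgmt-floating4.

# Constructed sample. Assumption: the main table lists the connected network
# for mgmt-floating in the first column, as the workaround's cut -f1 expects.
SAMPLE_MAIN='198.51.100.64/26 dev mgmt-floating proto kernel scope link src 198.51.100.88'
# Output quoted on this page for the affected system.
SAMPLE_FLOATING='default via 198.51.100.126 dev mgmt-floating
198.51.100.0/26 dev mgmt-floating scope link'

# Connected network for mgmt-floating, from "ip route show table main" text.
main_network() {
    printf '%s\n' "$1" |
        awk '$1 != "default" && / dev mgmt-floating( |$)/ { print $1; exit }'
}

# Network of the "scope link" route, from "ip route show table mgmt-floating4" text.
floating_link_network() {
    printf '%s\n' "$1" | awk '/scope link/ { print $1; exit }'
}

# Returns 0 when both tables agree, 1 on mismatch, 2 when a route is missing.
check_floating_route() {
    _want=$(main_network "$1")
    _have=$(floating_link_network "$2")
    if [ -z "$_want" ] || [ -z "$_have" ]; then
        echo "UNKNOWN: no mgmt-floating route found in one of the tables"
        return 2
    fi
    if [ "$_want" != "$_have" ]; then
        echo "MISMATCH: mgmt-floating4 has $_have, main table has $_want"
        return 1
    fi
    echo "OK: mgmt-floating4 link route $_have matches the main table"
}

# "--sample" checks the constructed data above; "--live" reads the real tables.
case "${1:-}" in
    --sample) check_floating_route "$SAMPLE_MAIN" "$SAMPLE_FLOATING" ;;
    --live)   check_floating_route "$(ip route show table main)" \
                  "$(ip route show table mgmt-floating4)" ;;
esac
```

A MISMATCH result (exit status 1) on the active system controller means the workaround commands above need to be applied.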
The system correctly handles IPv4 management addresses with a prefix-length other than /24, /16, and /8.