Last Modified: Dec 18, 2024
Affected Product(s):
BIG-IP Install/Upgrade, LTM
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2
Opened: Mar 27, 2024 Severity: 3-Major
L2 forwarding issues may be encountered for some flows. Due to this, there can be hinderances in the traffic flow towards server.
Traffic drop is observed when packets are sent towards server.
Flow 1: Client(L3 Net1)--- (vg2)--> BIG-IP --(vg1)--> Gateway --(vg1)--> BIG-IP (again) --(vg2)--> server(L3 Net2) 1. Client and server are in same vlan but not in same subnet. 2. Gateway is in another vlan, it is the gateway for both client and server. 3. connection.vlankeyed is disabled. 4. After an upgrade from 14.X to 15.X, traffic returning from gateway towards the server is dropped Flow 2: Client --(VG1)--> BIG-IP --(nonVgVlan1)--> IPS --(nonVgVlan2)--> BIG-IP (again) --(VG2)--> Server 1. Client traffic over transparent vlan-group towards Server is intercepted by a standard virtual server and sent to IPS on a non-vlan-group vlan. 2. connection.vgl2transparent is enabled 3. When traffic is sent from BIG-IP to IPS, the destination MAC will be the MAC address of a server (ARL non local) and the source MAC is still the original client MAC which is breaking the returning traffic from IPS. 4. The expectation here is traffic leaving from BIG-IP to IPS should have BIG-IP nonVgVlan1 MAC address as source MAC.
For this workaround, ensure "nw_l2_transparent license enabled". 1. For Flow 1, keep connection.vgl2transparent disabled and add the following config: ltm virtual VG_transparent { destination <SERVER> ip-protocol tcp l2-forward mask 255.255.255.255 profiles { fastL4 { } } rules { t-nexthop } source 0.0.0.0/0 translate-address enabled translate-port enabled vlans { vg2 } vlans-enabled } ltm rule t-nexthop { when CLIENT_ACCEPTED { nexthop vg1 transparent } when SERVER_CONNECTED { nexthop vg2 transparent } } 2. For Flow 2, keep connection.vgl2transparent disabled.
None