Last Modified: Feb 26, 2026
Affected Product(s):
BIG-IP AFM, CGN, LTM
Known Affected Versions:
15.1.10.8, 16.1.6.1, 17.1.3.1, 17.5.1.4, 21.0.0, 21.0.0.1
Opened: Feb 25, 2026 Severity: 4-Minor
ICMP is enabled by default on virtual server destination addresses. "icmp-echo" is disabled by default on security nat source-translation objects. "proxy-arp" is disabled by default on security nat source-translation objects.

When a security nat source-translation object shares one of its addresses with a virtual server destination address:

- If the security nat source-translation was created *before* the virtual server, enabling "proxy-arp" on the security nat source-translation object disables ICMP on the virtual server address, even though "proxy-arp" shouldn't have anything to do with the ICMP behaviour of the virtual address.
- If the security nat source-translation was created *after* the virtual server, enabling "proxy-arp" on the security nat source-translation does not have any effect on the ICMP behaviour of the virtual server address. This is the expected behaviour.
ICMP is disabled on the virtual server address.
- A security nat source-translation object shares one of its addresses with a virtual server destination address.
- The security nat source-translation object was created before the virtual server.
- The "proxy-arp" setting of the security nat source-translation object is set to "enabled".
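
The conditions above can be checked across a configuration inventory. The following is an added example, not F5 code: the dictionary layout, object names and addresses are constructed, and it assumes addresses are written as a single IP, a `first-last` range or a CIDR prefix with no route-domain suffix. Creation order is not part of the inventory, so each match is only a candidate to confirm by testing ICMP against the virtual address.

```python
import ipaddress

def expand(spec):
    """Return (ip_version, first, last) for 'a.b.c.d', 'first-last' or CIDR."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    elif "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.ip_address(spec)
    if lo.version != hi.version or int(lo) > int(hi):
        raise ValueError(f"bad address spec: {spec!r}")
    return lo.version, int(lo), int(hi)

def at_risk(source_translations, virtual_servers):
    """List (source-translation, virtual server, destination) triples where a
    proxy-arp-enabled source-translation overlaps a virtual server destination."""
    findings = []
    for st in source_translations:
        if st["proxy_arp"] != "enabled":
            continue  # workaround (2) already in effect for this object
        ranges = [expand(a) for a in st["addresses"]]
        for vs in virtual_servers:
            ver, d_lo, d_hi = expand(vs["destination"])
            # Two ranges overlap when each one starts before the other ends.
            if any(v == ver and lo <= d_hi and d_lo <= hi for v, lo, hi in ranges):
                findings.append((st["name"], vs["name"], vs["destination"]))
    return findings

# Constructed sample inventory (documentation address ranges, hypothetical names).
SOURCE_TRANSLATIONS = [
    {"name": "st_pool_a", "addresses": ["192.0.2.10-192.0.2.20"], "proxy_arp": "enabled"},
    {"name": "st_pool_b", "addresses": ["198.51.100.0/29"], "proxy_arp": "disabled"},
    {"name": "st_single", "addresses": ["203.0.113.5"], "proxy_arp": "enabled"},
]
VIRTUAL_SERVERS = [
    {"name": "vs_web", "destination": "192.0.2.15"},
    {"name": "vs_api", "destination": "198.51.100.3"},
    {"name": "vs_dns", "destination": "203.0.113.5"},
    {"name": "vs_other", "destination": "192.0.2.21"},
]

if __name__ == "__main__":
    for st_name, vs_name, dest in at_risk(SOURCE_TRANSLATIONS, VIRTUAL_SERVERS):
        print(f"{vs_name} ({dest}) shares an address with {st_name}: verify ICMP")
```
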
Two possible workarounds:

(1)
- Delete the virtual server and the security nat source-translation object sharing the address.
- Recreate the virtual server, and then recreate the security nat source-translation object.

Or:

(2) Set "proxy-arp" on the security nat source-translation object to "disabled".
None