Bug ID 721621: Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 14.0.0, 14.0.0.1, 14.0.0.2

Fixed In:
14.1.0, 14.0.0.3, 13.1.1.4, 12.1.4.1

Opened: May 23, 2018

Severity: 3-Major

Symptoms

If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address. When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.

Impact

In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with the new IP address) is re-added to the pool.

Note: This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.

Overall, traffic for the affected pool may not be sent to the correct pool member (new ephemeral address). If no other members are defined in the pool, traffic will be interrupted.

Conditions

This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.

Workaround

This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.

Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
   1. Delete the FQDN template member from the pool.
   2. Delete the orphaned ephemeral member from the pool.
   3. Re-add the FQDN template member to the pool.
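
An added example (not F5 code) of a pre-check for the first prevention measure above: it flags FQDN names whose current DNS answers match the address of a statically-configured node. The node names, FQDNs and DNS answers are constructed sample data; on a real system the node inventory would come from the device configuration, and ignoring any `%` suffix on an address is a simplifying assumption.

```python
import ipaddress
import socket

# Constructed sample data (documentation address ranges), not from a real device.
SAMPLE_STATIC_NODES = {
    "node_a": "192.0.2.10",
    "node_b": "192.0.2.11",
    "node_v6": "2001:db8::1",
}
SAMPLE_DNS = {
    "app.example.test": ["192.0.2.11", "192.0.2.50"],
    "v6.example.test": ["2001:0db8:0:0:0:0:0:1"],
    "ok.example.test": ["198.51.100.7"],
}

def resolve(fqdn):
    """Return the set of addresses the local resolver currently gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def canonical(addr):
    """Normalize an address so equivalent spellings compare equal.
    Assumption: anything after '%' (zone or route-domain suffix) is ignored,
    which can only make the check flag more, never less."""
    return ipaddress.ip_address(addr.split("%")[0])

def find_conflicts(static_nodes, fqdns, resolver=resolve):
    """Map each FQDN to the (address, static node name) pairs it collides with."""
    by_addr = {}
    for name, addr in static_nodes.items():
        by_addr.setdefault(canonical(addr), []).append(name)
    conflicts = {}
    for fqdn in fqdns:
        hits = sorted(
            (str(ip), node)
            for ip in map(canonical, resolver(fqdn))
            for node in by_addr.get(ip, [])
        )
        if hits:
            conflicts[fqdn] = hits
    return conflicts

if __name__ == "__main__":
    # Offline run against the constructed answers instead of live DNS.
    found = find_conflicts(SAMPLE_STATIC_NODES, SAMPLE_DNS, resolver=SAMPLE_DNS.get)
    for fqdn, hits in found.items():
        for ip, node in hits:
            print(f"{fqdn} resolves to {ip}, which matches static node {node}")
```

Because the symptom appears when the DNS answer changes, a single pass only covers the addresses returned at that moment; repeat the check whenever the records for the FQDN are updated.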

Fix Information

When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips