Bug ID 1041261: iRule sideband connection might use a local MAC address for a floating IP address

Last Modified: Sep 23, 2021

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 16.1.0

Opened: Aug 17, 2021
Severity: 4-Minor

Symptoms

When MAC masquerade is in use and an iRule generates a sideband connection (using the 'connect' and 'send' commands) with a floating self IP as the source of the connection, the outgoing sideband packets do not use the masquerade MAC address.

Impact

Duplicate MAC warnings. Traffic might not be directed to the proper device.

Conditions

An iRule is configured to create a sideband connection sourced specifically from a floating IP address.

Workaround

- Instead of specifying a source address in the iRule, direct the traffic to a specially crafted virtual server:

    when CLIENT_ACCEPTED {
        set data "FOOBAR"
        #set conn_id [connect -protocol UDP -myaddr 10.11.63.44 -myport 2137 172.16.1.215:80]
        set conn_id [connect -protocol UDP sideband_vs]   ;# <<<<<<-----------
        set send_bytes [send -timeout 1000 -status send_status $conn_id $data]
        log local0. "Sent $send_bytes with status $send_status"
    }

- On the virtual server, use a SNAT pool with the floating self IP. Note that the virtual server is not enabled on any VLAN:

    ltm virtual sideband_vs {
        destination 172.16.1.215:http
        ip-forward
        ip-protocol udp
        mask 255.255.255.255
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        source-address-translation {
            pool SPOOL
            type snat
        }
        vlans-enabled
    }
    ltm snatpool SPOOL {
        members {
            10.11.63.46
        }
    }

- Make sure the virtual address is configured for the desired floating traffic group:

    ltm virtual-address 172.16.1.215 {
        address 172.16.1.215
        mask 255.255.255.255
        traffic-group traffic-group-1
    }

Traffic will use the masquerade MAC address after being SNATted:

    00:4c:50:53:52:43 > 00:01:4c:4f:4f:50, 127.1.1.1.10610 > 172.16.1.215.http: UDP, length 6 out slot1/tmm0 lis=
    00:4c:50:53:52:43 > 00:01:4c:4f:4f:50, 127.1.1.1.10610 > 172.16.1.215.http: UDP, length 6 in slot1/tmm0 lis=/Common/sideband_vs
    02:23:e9:88:88:88 > 00:50:56:bd:6f:c2, 10.11.63.46.10610 > 172.16.1.215.http: UDP, length 6 out slot1/tmm0 lis=/Common/sideband_vs
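One way to confirm the workaround from a capture, as an added example that is not part of the original bug report: the script below parses frame lines in the format shown above and reports egress frames sourced from a floating address that do not carry the masquerade MAC. It assumes that 02:23:e9:88:88:88 (the source MAC of the SNATted frame above) is the traffic group's masquerade MAC and that 10.11.63.44 and 10.11.63.46 are floating self IPs; the fourth frame and the names in the script are constructed for the example.

```python
import re

# Frame lines in the format of the capture above:
#   <src mac> > <dst mac>, <src ip>.<port> > <dst ip>.<port>: ... in|out slotN/tmmN lis=<listener>
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d+\.\d+\.\d+\.\d+"
LINE_RE = re.compile(
    rf"^(?P<smac>{MAC}) > (?P<dmac>{MAC}), "
    rf"(?P<sip>{IP})\.\w+ > (?P<dip>{IP})\.\w+: "
    r".*? (?P<dir>in|out) slot\d+/tmm\d+ lis=(?P<lis>\S*)$",
    re.IGNORECASE,
)

def find_mac_mismatches(lines, floating_ips, masquerade_mac):
    """Return (src ip, src mac, listener) for egress frames sourced from a
    floating IP whose source MAC is not the masquerade MAC."""
    mismatches = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a frame line (banner, blank line, ...)
        if m["dir"].lower() != "out" or m["sip"] not in floating_ips:
            continue  # only egress frames from a floating address matter
        if m["smac"].lower() != masquerade_mac.lower():
            mismatches.append((m["sip"], m["smac"].lower(), m["lis"]))
    return mismatches

# The three frames from the capture on this page.
PAGE_CAPTURE = [
    "00:4c:50:53:52:43 > 00:01:4c:4f:4f:50, 127.1.1.1.10610 > 172.16.1.215.http: UDP, length 6 out slot1/tmm0 lis=",
    "00:4c:50:53:52:43 > 00:01:4c:4f:4f:50, 127.1.1.1.10610 > 172.16.1.215.http: UDP, length 6 in slot1/tmm0 lis=/Common/sideband_vs",
    "02:23:e9:88:88:88 > 00:50:56:bd:6f:c2, 10.11.63.46.10610 > 172.16.1.215.http: UDP, length 6 out slot1/tmm0 lis=/Common/sideband_vs",
]
# Constructed frame (not from the page): a sideband packet sourced directly from
# the floating address that leaves with a non-masquerade MAC, the symptom described.
CONSTRUCTED_BAD = ("00:50:56:00:00:01 > 00:50:56:bd:6f:c2, 10.11.63.44.2137 > "
                   "172.16.1.215.http: UDP, length 6 out slot1/tmm0 lis=")

FLOATING_IPS = {"10.11.63.44", "10.11.63.46"}  # assumption: floating self IPs
MASQ_MAC = "02:23:e9:88:88:88"                 # assumption: masquerade MAC

if __name__ == "__main__":
    frames = PAGE_CAPTURE + [CONSTRUCTED_BAD]
    for sip, smac, lis in find_mac_mismatches(frames, FLOATING_IPS, MASQ_MAC):
        print(f"floating source {sip} left with MAC {smac} (listener {lis or '-'})")
```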

Fix Information

None

Behavior Change