Symptoms

When MAC masquerade is in use and sideband connection is generated with iRule (using 'connect' and 'send' commands) and floating self-ip is used as a source of the connection, the outgoing sideband packets are not using the masquerade MAC address.

Impact

Duplicate MAC warnings. Traffic might not be directed to a proper device.

Conditions

iRule configured to create a sideband connection sourced specifically from a floating IP address.

Workaround

- Instead of specifying a source address in an iRule, direct traffic to specially crafted virtual server: when CLIENT_ACCEPTED { set data "FOOBAR" #set conn_id [connect -protocol UDP -myaddr 10.11.63.44 -myport 2137 172.16.1.215:80] set conn_id [connect -protocol UDP sideband_vs] <<<<<<----------- set send_bytes [send -timeout 1000 -status send_status $conn_id $data] log local0. "Sent $send_bytes with status $send_status" } } - On the virtual server, use SNAT pool with floating self-ip, note virtual-server is not enabled on any vlan: ltm virtual sideband_vs { destination 172.16.1.215:http ip-forward ip-protocol udp mask 255.255.255.255 profiles { fastL4 { } } source 0.0.0.0/0 source-address-translation { pool SPOOL type snat } vlans-enabled } ltm snatpool SPOOL{ members { 10.11.63.46 } } - Make sure the virtual-address is configured for a desired floating traffic group: ltm virtual-address 172.16.1.215 { address 172.16.1.215 mask 255.255.255.255 traffic-group traffic-group-1 } Traffic will use a MAC masquerade after getting SNATted: 00:4c:50:53:52:43 > 00:01:4c:4f:4f:50, 127.1.1.1.10610 > 172.16.1.215.http: UDP, length 6 out slot1/tmm0 lis= 00:4c:50:53:52:43 > 00:01:4c:4f:4f:50, 127.1.1.1.10610 > 172.16.1.215.http: UDP, length 6 in slot1/tmm0 lis=/Common/sideband_vs 02:23:e9:88:88:88 > 00:50:56:bd:6f:c2, 10.11.63.46.10610 > 172.16.1.215.http: UDP, length 6 out slot1/tmm0 lis=/Common/sideband_vs

Fix Information

None

Behavior Change