Bug ID 1069265: New connections or packets from the same source IP and source port can cause unnecessary port block allocations.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP AFM, CGN(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3

Fixed In:
17.1.1, 16.1.4, 15.1.10

Opened: Dec 20, 2021

Severity: 4-Minor

Symptoms

A client opening new TCP connections or sending new UDP packets from the same source IP and source port can cause the allocation of multiple new port blocks even if there are still existing translation endpoints in the current blocks.

Impact

After the first allocated port block becomes zombie, a new port block is allocated for each new client packet or client connection coming from the same source IP / source port, even if there are still available translation endpoints in the allocated non-zombie blocks. The new blocks keep piling up until the original zombie block timeout expires.

Conditions

All of the following conditions must be met: - AFM NAT or CGNAT configured with port block allocation. - In the port-block-allocation settings, a block-lifetime value different from zero. - A client sending UDP packets or opening TCP connections periodically, always from the same source IP address and source port. - A protocol profile on the virtual server with an idle timeout lower than the interval between the client packets or new connections.

Workaround

Increase the protocol profile idle-timeout to a value greater than the interval between UDP packets or connections from the client.

Fix Information

A maximum of two blocks is allocated: the original block and an additional block when the original block becomes zombie.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips