Last Modified: Nov 02, 2023
BIG-IP AFM, CGN
Known Affected Versions:
15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 16.1.0, 16.1.1, 16.1.2, 16.1.3, 17.0.0, 17.1.0, and the intermediate point releases of these versions (the four-part point-release numbers in the source list were mangled by address obfuscation and cannot be recovered here)
Fixed In: 17.1.1, 16.1.4, 15.1.10
Opened: Dec 20, 2021 Severity: 4-Minor
A client opening new TCP connections or sending new UDP packets from the same source IP address and source port can cause multiple new port blocks to be allocated, even though translation endpoints are still available in the blocks already allocated to that client.
After the client's first allocated port block becomes a zombie (its block-lifetime has expired, so it accepts no new translations but keeps existing ones until the zombie timeout), a new port block is allocated for every new packet or connection from the same source IP / source port, even when the non-zombie blocks already allocated still have free translation endpoints. The new blocks keep piling up until the zombie timeout of the original block expires.
Conditions: All of the following must be met:
- AFM NAT or CGNAT configured with port block allocation (PBA).
- In the port-block-allocation settings, a block-lifetime value other than zero.
- A client periodically sending UDP packets or opening TCP connections, always from the same source IP address and source port.
- A protocol profile (UDP or TCP) on the virtual server whose idle-timeout is shorter than the interval between the client's packets or new connections, so each translation expires before the next packet arrives.
Workaround: Increase the idle-timeout of the protocol profile on the virtual server to a value greater than the interval between the client's UDP packets or connections, so the translation stays alive between packets and no new translation endpoint (and hence no new block) is needed.
Fix Information: A maximum of two blocks is allocated for the client: the original block, and one additional block when the original block becomes a zombie. Subsequent new translations are drawn from the non-zombie block while it has free endpoints.
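The following toy model is an added illustration, not F5 code; it encodes a simplified reading of the allocator behaviour described under Conditions, Workaround and Fix Information above, with made-up timer values (30 s client interval, 600 s block-lifetime, 300 s zombie timeout, 64-port blocks). It lets you see how many blocks one client ends up holding under the reported bug, under the workaround (idle-timeout longer than the client interval), and with the fixed allocator. The names `Block`, `Params`, `simulate` and the scenario constants are all this example's own.

```python
"""Toy model of BIG-IP AFM NAT / CGNAT port block allocation (PBA) for one client.

Added illustration, not F5 code: the allocator rules below are a simplified
reading of the bug report. One client sends a packet every `interval` seconds
from the same source IP:port until its original block is freed.
"""
from dataclasses import dataclass


@dataclass
class Block:
    alloc_time: int   # when the block was allocated (seconds)
    used: int = 0     # translation endpoints currently in use


@dataclass
class Params:
    interval: int         # seconds between the client's packets (same src IP:port)
    idle_timeout: int     # protocol profile idle-timeout on the virtual server
    block_lifetime: int   # port-block-allocation block-lifetime (non-zero)
    zombie_timeout: int   # how long a block lingers as a zombie after its lifetime
    block_size: int = 64  # endpoints per block (assumed value)


def state(block, t, p):
    """Return 'active', 'zombie' or 'freed' for a block at time t."""
    end_of_life = block.alloc_time + p.block_lifetime
    if t < end_of_life:
        return "active"
    if t < end_of_life + p.zombie_timeout:
        return "zombie"
    return "freed"


def simulate(p, fixed):
    """Return the list of blocks allocated until the client's first block is freed.

    fixed=False models the reported bug: the client stays associated with its
    original (zombie) block, so every new translation allocates a fresh block.
    fixed=True models the corrected allocator: an active block with free
    endpoints is reused before a new one is allocated.
    """
    blocks = []
    client_block = None   # block the allocator associates with this client
    xlate = None          # (block, last_seen) of the client's current translation
    horizon = p.block_lifetime + p.zombie_timeout   # original block is freed here

    for t in range(0, horizon, p.interval):
        # An existing translation survives while idle-alive and its block is not freed.
        if xlate is not None:
            blk, last_seen = xlate
            if t < last_seen + p.idle_timeout and state(blk, t, p) != "freed":
                xlate = (blk, t)
                continue
            blk.used -= 1
            xlate = None

        # A new translation endpoint is needed: prefer the client's own active block.
        target = None
        if (client_block is not None and state(client_block, t, p) == "active"
                and client_block.used < p.block_size):
            target = client_block
        elif fixed:
            # Corrected behaviour: any active block with a free endpoint will do.
            target = next((b for b in blocks
                           if state(b, t, p) == "active" and b.used < p.block_size), None)
        if target is None:
            target = Block(alloc_time=t)
            blocks.append(target)
            # Bug: while the original block is a zombie the client keeps pointing at
            # it, so the next expired translation allocates yet another block.
            if fixed or client_block is None or state(client_block, t, p) == "freed":
                client_block = target
        target.used += 1
        xlate = (target, t)
    return blocks


# Constructed scenarios: idle-timeout below / above the 30 s client interval.
BUGGY = Params(interval=30, idle_timeout=20, block_lifetime=600, zombie_timeout=300)
WORKAROUND = Params(interval=30, idle_timeout=60, block_lifetime=600, zombie_timeout=300)


def blocks_allocated(p, fixed):
    return len(simulate(p, fixed))


if __name__ == "__main__":
    print("bug, idle-timeout < interval :", blocks_allocated(BUGGY, fixed=False))
    print("workaround, idle-timeout > interval :", blocks_allocated(WORKAROUND, fixed=False))
    print("fixed allocator, idle-timeout < interval :", blocks_allocated(BUGGY, fixed=True))
```

With these values the buggy allocator hands out one extra block per client packet for the whole zombie window, i.e. about zombie_timeout / interval extra blocks (10 here, 11 in total), the workaround keeps the client on its single original block, and the fixed allocator stops at two. Shortening the zombie timeout or raising the idle-timeout are the two knobs that shrink the pile-up in this model.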