Bug ID 1069809: AFM rules with ipi-category src do not match traffic after failover.

Last Modified: May 29, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4

Opened: Dec 22, 2021

Severity: 2-Critical

Symptoms

BIG-IP drops all traffic after a reboot or failover.

Impact

Site is down; no traffic passes through the BIG-IP.

Conditions

-- Create firewall rules with an IPI deny-list category as the source and the default action set to drop.
-- After a reboot, the rule with the IPI category as its source overlaps all rules and, because the default action is drop, traffic is dropped.

Workaround

The workaround is to restart pccd, which compiles the blob again with all IPI categories initialized:

    tmsh restart sys service pccd

Fix Information

None

Behavior Change
