Bug ID 1070105: Multiple virtual servers with wildcards are not properly prioritized.

Last Modified: Nov 25, 2022


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 17.0.0, 17.0.0.1

Opened: Dec 23, 2021
Severity: 3-Major

Symptoms

Traffic is supposed to be routed to whichever virtual server is the best (i.e. most specific) match for the incoming traffic, based on destination address/port and source address (see https://support.f5.com/csp/article/K14800). This does not always work correctly, e.g. when two virtual servers use destination port any.

Impact

Traffic is routed to the wrong virtual server.

Conditions

Here's an example where this is a problem:

1) Two virtual servers with the same destination address both using port any.
2) One server uses a wildcard source address and one a specific address.

For instance:

    ltm virtual test1 {
        destination 10.93.19.5:any
        ip-protocol tcp
        mask 255.255.255.255
        pool pool1
        profiles {
            tcp { }
        }
        serverssl-use-sni disabled
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port disabled
        vs-index 2
    }
    ltm virtual test2 {
        destination 10.93.19.5:any
        ip-protocol tcp
        mask 255.255.255.255
        pool pool1
        profiles {
            tcp { }
        }
        serverssl-use-sni disabled
        source 10.93.19.2/32
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port disabled
        vs-index 3
    }

Traffic from 10.93.19.2 will be incorrectly routed to the test1 server.

Workaround

Avoid multiple virtual servers with the same destination address and port any.
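
One way to audit a configuration for the condition the workaround describes, as an added example (not F5 code). It assumes IPv4 `ltm virtual` stanzas in the text form shown under Conditions; the function names are hypothetical, and `expected_virtual` only models the "most specific source wins" rule stated under Symptoms.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two virtual servers from the report, trimmed.
STANZA = """ltm virtual {name} {{
    destination 10.93.19.5:any
    ip-protocol tcp
    profiles {{
        tcp {{ }}
    }}
    source {source}
}}
"""
SAMPLE = (STANZA.format(name="test1", source="0.0.0.0/0")
          + STANZA.format(name="test2", source="10.93.19.2/32"))

def parse_virtuals(conf):
    """Map each 'ltm virtual' name to its top-level destination and source."""
    virtuals, name, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        if depth == 0:  # outside any stanza: only a stanza header matters
            start = re.match(r"ltm virtual (\S+) \{$", line)
            if start:
                name, depth = start.group(1), 1
                virtuals[name] = {"source": "0.0.0.0/0"}  # assumption: wildcard if omitted
            continue
        parts = line.split()
        if depth == 1 and len(parts) == 2 and parts[0] in ("destination", "source"):
            virtuals[name][parts[0]] = parts[1]
        depth += line.count("{") - line.count("}")  # follow nested blocks
    return virtuals

def find_overlaps(conf):
    """Return destination addresses used with port any by more than one virtual server."""
    groups = defaultdict(list)
    for name, vs in parse_virtuals(conf).items():
        addr, _, port = vs.get("destination", "").rpartition(":")
        if port == "any":
            groups[addr].append((name, vs["source"]))
    return {addr: sorted(m) for addr, m in groups.items() if len(m) > 1}

def expected_virtual(members, client):
    """Pick the member whose source prefix is the most specific match for client."""
    ip = ipaddress.ip_address(client)
    hits = [(ipaddress.ip_network(src).prefixlen, name)
            for name, src in members if ip in ipaddress.ip_network(src)]
    return max(hits)[1] if hits else None
```

Any address returned by `find_overlaps` is a candidate for the misrouting described above; comparing `expected_virtual` against the virtual server that actually handles a test connection confirms whether a given client is affected.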

Fix Information

None

Behavior Change