Last Modified: Jun 23, 2025
Affected Product(s):
F5OS F5OS-A, F5OS-C
Known Affected Versions:
F5OS-C 1.5.1, F5OS-C 1.6.2
Fixed In:
F5OS-C 1.8.0, F5OS-A 1.8.0
Opened: Jan 31, 2024
Severity: 2-Critical
While a tenant transitions from active to standby, an egress packet in flight may trigger an L2 learn event in the FPGA data-plane. This can occur for tenants that transmit using a different MAC address while active, such as when MAC masquerading is enabled. When it does, a dynamic L2 entry is created from the source MAC address of the egress packet. These dynamic entries also enable the service DAG without setting a service ID, which causes matching packets to be dropped in the VOQ system due to an invalid service DAG lookup result. This can disrupt egress traffic for another tenant on the same device that attempts to transmit to the destination MAC address recently relinquished by the standby tenant. These drops increment the 'ic_voq_drops' counter in the tmctl vqf_global table. These L2 entries are not corrected by subsequent L2 learn events for the same MAC address from a different location, so traffic disruption may persist until the entries age out.
Traffic disruption from one tenant to another in specific directions.
- MAC masquerade configured on the traffic-group of an HA pair of tenants.
- A failover from tenant A to tenant B.
- Another tenant running alongside tenant 'A' attempts to transmit to the MAC masquerade address that is now owned by tenant 'B'.
None
L2 entries that are created from host-generated L2 learn events no longer enable the service DAG for matching packets.