Last Modified: Oct 15, 2025
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3
Opened: Jun 25, 2025 Severity: 2-Critical
Tmctl fw_lsn_pool_pba_stat shows an incorrect negative value for active_port_blocks (for example, -320268). port_block_deallocations exceeds port_block_allocations, causing active_port_blocks (derived as allocations - deallocations) to go negative. Other counters (for example, active_clients_reached_limit) may appear inconsistent with actual usage. Behaviour indicates data plane/NAT functionality is unaffected; the issue is limited to statistics/visibility.
The active_port_blocks counter does not reflect the actual number of active port blocks and may display negative values. This is a stats/visibility issue only; traffic translation and NAT functionality continue to work as expected. May cause operational confusion or misreporting in monitoring/automation systems relying on this counter.
NAT configuration using CGNAT Port Block Allocation (PBA) with: PAT mode: pba Mapping: address-pooling-paired Port-block parameters (example): block-size 256 client-block-limit 3 block-idle-timeout 120 block-lifetime 86400 Observed in environments with very high port block churn (hundreds of millions of allocations and deallocations).
None
None