Last Modified: Apr 09, 2026
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 16.1.6.1, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.1.3.1, 17.5.1, 17.5.1.2, 17.5.1.3, 17.5.1.4, 17.5.1.5, 21.0.0, 21.0.0.1
Opened: Mar 05, 2026
Severity: 3-Major
After adding and then removing an IP data group entry that includes a route-domain (for example, 10.0.0.0%10/8), iRule class match commands against the data group stop matching entries that were previously working. All traffic may be treated as if it does not match the data group.
iRule class match lookups against the affected data group return no match, causing traffic to be classified incorrectly. For example, traffic that should match an internal users data group may be treated as external.
- An IP data group is in use by an iRule with a class match command.
- An entry with a route-domain qualifier (for example, %10) is added to the data group and then removed.
Restart TMM (bigstart restart tmm — causes a traffic disruption), reboot the BIG-IP system, or create a new data group with the same entries and update the iRule to reference the new data group.
None