Bug ID 425033: overlapping LSN-pools may result in non-unique translations

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP CGN(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF6

Opened: Jul 11, 2013

Severity: 3-Major

Symptoms

A DNAT configuration may be written to the LTM log (and used for reverse-mapping a translated address) that reverse-maps to two different source addresses, depending on which DNAT configuration text is used to perform the reverse mapping.

Impact

Non-unique reverse mappings.

Conditions

This occurs if you configure lsn-pools, assign them to virtual servers, and pass traffic through virtual servers whose lsn-pools have overlapping translation ranges. An example would be 4.0.0.0/24 and 4.0.0.0/23, with source ranges of 10.10.0.0/16 and 10.20.0.0/16. The translation ranges may also be identical. The result is that two different source ranges use the same translation space, and the config for each is logged in the LTM log. This is not a problem if the same lsn-pool is assigned to multiple virtual servers, even if those virtual servers have different source ranges. (That is a correct configuration.)

Workaround

Do not use overlapping translation ranges in two different lsn-pools in deterministic mode. (The same lsn-pool may safely be assigned to multiple virtuals with different source ranges or ports.)

Fix Information

Validation will now prevent LSN pools with overlapping prefixes from being configured.
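The following added example is not F5 code; it models, in Python, the two points made in the Conditions and Fix Information sections: distinct lsn-pools whose translation prefixes overlap must be rejected, while the same pool attached to several virtual servers is fine, and an overlap makes the reverse mapping of a translated address non-unique. The pool and virtual-server names, the third pool (4.0.2.0/24 with source 10.30.0.0/16) and the dictionary layout are assumptions; the 4.0.0.0/24 versus 4.0.0.0/23 pair with sources 10.10.0.0/16 and 10.20.0.0/16 comes from the bug text.

```python
# Added example (not F5 code): model the overlap validation described in the
# fix and show why overlapping translation ranges give non-unique reverse mappings.
from ipaddress import ip_address, ip_network

# Constructed sample config: pool name -> translation prefixes and source ranges.
# Pool names and lsn_pool_c are assumptions; the other values come from the bug text.
POOLS = {
    "lsn_pool_a": {"translation": ["4.0.0.0/24"], "source": ["10.10.0.0/16"]},
    "lsn_pool_b": {"translation": ["4.0.0.0/23"], "source": ["10.20.0.0/16"]},
    "lsn_pool_c": {"translation": ["4.0.2.0/24"], "source": ["10.30.0.0/16"]},
}


def find_translation_overlaps(pools, names=None):
    """Return (pool_a, pool_b, shared_prefix) for each pair of distinct pools whose
    translation prefixes overlap. Two CIDR prefixes overlap only when one contains
    the other, so the shared space is the more specific of the two."""
    names = sorted(pools if names is None else names)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for pa_txt in pools[a]["translation"]:
                pa = ip_network(pa_txt, strict=False)
                for pb_txt in pools[b]["translation"]:
                    pb = ip_network(pb_txt, strict=False)
                    if pa.overlaps(pb):
                        shared = pa if pa.prefixlen >= pb.prefixlen else pb
                        overlaps.append((a, b, str(shared)))
    return overlaps


def validate_assignments(pools, virtuals):
    """Validate the pools referenced by virtual servers (virtual name -> pool name),
    mirroring the fixed behaviour. Only distinct pools are compared, so the same
    pool attached to several virtuals produces no error."""
    in_use = set(virtuals.values())
    missing = [p for p in in_use if p not in pools]
    if missing:
        raise KeyError(f"unknown lsn-pool(s): {sorted(missing)}")
    return [f"{a} and {b} share translation space {shared}"
            for a, b, shared in find_translation_overlaps(pools, in_use)]


def reverse_candidates(pools, translated_ip, virtuals):
    """Reverse-map a translated address the way an operator would from the logged
    DNAT config of each pool in use: every pool whose translation prefix contains
    the address contributes its source ranges. More than one hit means the
    reverse mapping is non-unique, which is the reported symptom."""
    addr = ip_address(translated_ip)
    hits = []
    for name in sorted(set(virtuals.values())):
        if any(addr in ip_network(p, strict=False) for p in pools[name]["translation"]):
            hits.extend((name, src) for src in pools[name]["source"])
    return hits


if __name__ == "__main__":
    bad = {"vs_inside_10": "lsn_pool_a", "vs_inside_20": "lsn_pool_b"}
    good = {"vs_inside_30a": "lsn_pool_c", "vs_inside_30b": "lsn_pool_c"}
    print(validate_assignments(POOLS, bad))            # one overlap error
    print(validate_assignments(POOLS, good))           # [] (same pool on two virtuals is fine)
    print(reverse_candidates(POOLS, "4.0.0.5", bad))   # two candidate source ranges
```

Running the script with the constructed config flags lsn_pool_a and lsn_pool_b as sharing 4.0.0.0/24, accepts lsn_pool_c attached to two virtual servers, and shows that the translated address 4.0.0.5 could be reverse-mapped to either 10.10.0.0/16 or 10.20.0.0/16, which is exactly the ambiguity the bug describes. Real BIG-IP validation operates on the tmsh object model rather than a dictionary, so this only illustrates the rule, not its implementation.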

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips