Bug ID 425033: overlapping LSN-pools may result in non-unique translations

Last Modified: Oct 10, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP CGN(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF6

Opened: Jul 11, 2013
Severity: 3-Major

Symptoms

A DNAT configuration may be written to the LTM log (and used for reverse mapping an address) that reverse maps to two different source addresses, depending on which DNAT configuration text is used to reverse map.

Impact

Non-unique reverse mappings.

Conditions

If you configure lsn-pools, assigns to virtuals, and passes traffic through those virtuals that have lsn-pools with overlapping translation ranges. An example would be 4.0.0.0/24 and 4.0.0.0/23, with source ranges of 10.10.0.0/16 and 10.20.0.0/16. Or the translation ranges may be identical. The result is that two different source ranges use the same translation space. The config for each will be logged in the ltm log. This is not a problem if the same lsn-pool is assigned to multiple virtual servers, even if those virtual servers have different source ranges. (That is a correct configuration.)

Workaround

Do not use overlapping translation ranges in two different lsn-pools in deterministic mode. (The same lsn-pool may safely be assigned to multiple virtuals with different source ranges or ports.)

Fix Information

Validation will now prevent LSN pools with overlapping prefixes from being configured.

Behavior Change