Bug ID 425124: Wildcard IP tunnels may not handle internal flows correctly

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.2.1, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.0.0

Opened: Jul 12, 2013

Severity: 2-Critical

Related Article: K15347

Symptoms

Tunneled packets inherently carry two flows: one for the external IP header and one for the internal flow. If the internal flow is handled by a different TMM, the packets are CMP-forwarded to the correct TMM. Logically, the return packets should traverse the same two TMMs in reverse order. This appears not to be the case for several tunnel types, such as GRE.

Impact

Service unreachable.

Conditions

The BIG-IP system's virtual servers send and receive traffic over wildcard IP tunnels (IPIP, GRE) with multiple TMMs.

Workaround

There are two ways to avoid this problem:

1. Avoid wildcard tunnels, and instantiate tunnels with explicit local and remote addresses.
2. Enable SNAT on internal flows of wildcard tunnels.

Fix Information

Wildcard IP tunnels now handle internal flows as expected.
