Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.2.1, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Fixed In:
12.0.0
Opened: Jul 12, 2013
Severity: 2-Critical
Related Article: K15347
Tunneled packets inherently carry two flows: one for the external IP header and one for the internal flow. If the internal flow happens to be handled by a different TMM, the packets are CMP-forwarded to the correct TMM. Logically, the return packets are supposed to traverse the same two TMMs in reverse order. This appears not to be the case for several tunnel types, such as GRE.
Service unreachable.
The BIG-IP system's virtual servers send and receive traffic over wildcard IP tunnels (IPIP, GRE) with multiple TMMs.
There are two ways to avoid this problem:
1. Avoid wildcard tunnels, and instantiate tunnels with explicit local and remote addresses.
2. Enable SNAT on internal flows of wildcard tunnels.
Wildcard IP tunnels now handle internal flows as expected.
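To apply the first workaround on an affected version, the wildcard tunnels have to be found first. The following is an added example, not F5 code: it parses tunnel stanzas in the style of `tmsh list net tunnels tunnel` output and flags tunnels without explicit endpoints. The sample configuration is constructed, and treating a missing address, `any`, `0.0.0.0` or `::` as a wildcard is an assumption of this example.

```python
import re

# Constructed sample in the style of `tmsh list net tunnels tunnel` output
# (not taken from the bug report; names and addresses are hypothetical).
SAMPLE = """\
net tunnels tunnel gre_wild {
    local-address 192.0.2.10
    profile gre
    remote-address any
}
net tunnels tunnel gre_site_b {
    local-address 192.0.2.10
    profile gre
    remote-address 198.51.100.20
}
net tunnels tunnel ipip_default {
    local-address 192.0.2.10
    profile ipip
}
"""

# One flat stanza per tunnel; the closing brace sits in column 0.
STANZA = re.compile(r"^net tunnels tunnel (\S+) \{\n(.*?)^\}", re.M | re.S)
# Assumption: these values (or no value at all) mean "no explicit endpoint".
WILDCARD = {None, "any", "0.0.0.0", "::"}

def parse_tunnels(text):
    """Return {tunnel_name: {property: value}} for each tunnel stanza."""
    tunnels = {}
    for name, body in STANZA.findall(text):
        props = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                props[parts[0]] = parts[1].strip()
        tunnels[name] = props
    return tunnels

def wildcard_tunnels(text):
    """List (tunnel, property) pairs where an endpoint is not explicit."""
    flagged = []
    for name, props in parse_tunnels(text).items():
        for key in ("local-address", "remote-address"):
            if props.get(key) in WILDCARD:
                flagged.append((name, key))
    return flagged

if __name__ == "__main__":
    for name, key in wildcard_tunnels(SAMPLE):
        print(f"{name}: {key} is not explicit (wildcard tunnel)")
```

Each flagged tunnel is a candidate for either workaround: recreate it with explicit local and remote addresses, or enable SNAT on the internal flows that use it.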