Bug ID 425124: Wildcard IP tunnels may not handle internal flows correctly

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.2.1, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.0.0

Opened: Jul 12, 2013
Severity: 2-Critical
Related Article:
K15347

Symptoms

Tunneled packets inherently carry two flows: one for the external IP header and one for the internal flow. If the internal flow happens to be handled by a different TMM, the packets are CMP-forwarded to the correct TMM. Logically, the return packets are supposed to traverse the same two TMMs in reverse order. This appears not to be the case for several tunnel types, such as GRE.

Impact

Service unreachable.

Conditions

Virtual servers on a BIG-IP system with multiple TMMs send and receive traffic over wildcard IP tunnels (IPIP, GRE).

Workaround

There are two ways to avoid this problem:
1. Avoid wildcard tunnels, and instantiate tunnels with explicit local and remote addresses.
2. Enable SNAT on internal flows of wildcard tunnels.

Fix Information

Wildcard IP tunnels now handle internal flows as expected.

Behavior Change