Bug ID 425736: System might erroneously forward ICMP error packets

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:

Opened: Jul 19, 2013

Severity: 3-Major


The BIG-IP system might erroneously forward ICMP error packets. ICMP error messages include type 3 (destination unreachable), type 11 (Time Exceeded), type 12 (Parameter Problem).


When ICMP errors arrive for nonexistent flows, the error packets might be forwarded and create a new flow. This results in unnecessary flows, extraneous memory usage, failure to update MTU with needed ICMP fragmentation, and potential use of NAT ports. The unnecessary flows created by the ICMP unreachable error might cause subsequent ICMP Unreachable/Fragmentation needed messages to be ignored by BIG-IP system and MTU for the route not being updated.


This might occur when there is a virtual server matching ICMP, and the triggering packet carried in the ICMP payload does not match any existing flow (possibly because the flow has timed out or been deleted), or when the flow is nonexistent.



Fix Information

The BIG-IP system no longer erroneously forwards ICMP error packets, so no extraneous flows are created.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips