Bug ID 425736: System might erroneously forward ICMP error packets

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0

Opened: Jul 19, 2013

Severity: 3-Major

Symptoms

The BIG-IP system might erroneously forward ICMP error packets. ICMP error messages include type 3 (Destination Unreachable), type 11 (Time Exceeded), and type 12 (Parameter Problem).

Impact

When ICMP errors arrive for nonexistent flows, the error packets might be forwarded and create a new flow. This results in unnecessary flows, extraneous memory usage, failure to update the MTU when an ICMP Fragmentation Needed message arrives, and potential use of NAT ports. The unnecessary flows created by the ICMP unreachable error might cause subsequent ICMP Unreachable/Fragmentation Needed messages to be ignored by the BIG-IP system, so that the MTU for the route is not updated.

Conditions

This might occur when there is a virtual server matching ICMP, and the triggering packet carried in the ICMP payload does not match any existing flow (possibly because the flow has timed out or been deleted), or when the flow is nonexistent.

Workaround

n/a

Fix Information

The BIG-IP system no longer erroneously forwards ICMP error packets, so no extraneous flows are created.
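
The following is an added illustration of the condition and the corrected decision described above, not F5 code: it reads the packet quoted inside an ICMP error and only hands the error to a flow that already exists. The flow table as a set of 5-tuples, the action names, and the sample addresses are assumptions made for the example.

```python
import socket
import struct

ICMP_ERROR_TYPES = {3, 11, 12}  # error types named in this bug report

def embedded_flow(icmp: bytes):
    """Return (proto, src, sport, dst, dport) of the packet quoted in an ICMP error."""
    inner = icmp[8:]                       # quoted IPv4 header follows the 8-byte ICMP header
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4            # quoted header may carry IP options
    if ihl < 20 or len(inner) < ihl + 4:
        return None                        # ports of the triggering packet are missing
    proto = inner[9]
    if proto not in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
        return None
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)

def handle_icmp_error(icmp: bytes, flows: set) -> str:
    """Deliver an ICMP error to its existing flow; never create a new flow for it."""
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return "not-icmp-error"
    key = embedded_flow(icmp)
    if key is None:
        return "drop-malformed"
    # Assumed action names; checksums are not validated in this sketch.
    return "deliver-to-flow" if key in flows else "drop-no-flow"

def build_error(icmp_type, code, src, sport, dst, dport, proto=socket.IPPROTO_TCP):
    """Construct a sample ICMP error quoting an IPv4 header plus 8 transport bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + l4

# Constructed sample data (documentation address ranges, not from the bug report).
FLOWS = {(socket.IPPROTO_TCP, "192.0.2.10", 40000, "198.51.100.5", 443)}
LIVE = build_error(3, 4, "192.0.2.10", 40000, "198.51.100.5", 443)   # flow still tracked
STALE = build_error(3, 4, "192.0.2.10", 40001, "198.51.100.5", 443)  # flow timed out

if __name__ == "__main__":
    print(handle_icmp_error(LIVE, FLOWS), handle_icmp_error(STALE, FLOWS))
```
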

Behavior Change
