Bug ID 425736: System might erroneously forward ICMP error packets

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0

Opened: Jul 19, 2013
Severity: 3-Major

Symptoms

The BIG-IP system might erroneously forward ICMP error packets. ICMP error messages include type 3 (destination unreachable), type 11 (Time Exceeded), type 12 (Parameter Problem).

Impact

When ICMP errors arrive for nonexistent flows, the error packets might be forwarded and create a new flow. This results in unnecessary flows, extraneous memory usage, failure to update MTU with needed ICMP fragmentation, and potential use of NAT ports. The unnecessary flows created by the ICMP unreachable error might cause subsequent ICMP Unreachable/Fragmentation needed messages to be ignored by BIG-IP system and MTU for the route not being updated.

Conditions

This might occur when there is a virtual server matching ICMP, and the triggering packet carried in the ICMP payload does not match any existing flow (possibly because the flow has timed out or been deleted), or when the flow is nonexistent.

Workaround

n/a

Fix Information

The BIG-IP system no longer erroneously forwards ICMP error packets, so no extraneous flows are created.

Behavior Change