Bug ID 435329: AAA Server using pool may use already-in-use layered IP address

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.0.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.5.1 HF1, 11.6.1 HF1, 11.5.1 HF2, 11.6.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.6.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF4, 11.4.0 HF8, 11.3.0 HF9, 11.2.1 HF11

Opened: Oct 25, 2013

Severity: 2-Critical

Related Article: K14949

Symptoms

If a BIG-IP system is configured with several AAA Servers, each of which is using pool as a backend server, if mcpd or the BIG-IP system is restarted, and then another AAA Server is added, which is also configured to use a pool, that new server might use an existing pool, which results in accessing the wrong backend server.

Impact

The impact is that authentication requests may go to the wrong backend server. This issue occurs intermittently.

Conditions

This occurs when some AAA Servers exist and are configured with pools, and mcpd restarts before add or modify operation for another AAA Server that uses a pool.

Workaround

You can work around this issue using command: tmsh load sys config OR remove all related AAA Servers, pool, and nodes, and recreate them without restarting mcpd or the BIG-IP system. After restarting, do not add or modify AAA Servers with pools configured.

Fix Information

Layered virtual servers are now assigned the correct IP addresses, and no longer conflict or interfere with each other.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips