Bug ID 438549: IPSec traffic cannot be SNATed

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP PEM(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10

Opened: Nov 20, 2013

Severity: 2-Critical


If you turn on the SNAT pool or SNAT Automap on IPOther virtual, no traffic passes through in most cases. In some cases, the traffic passes but the out stats (packets and bytes)is zero. This is not a limitation as simply IPSec traffic cannot be SNATed by definition.


No impact as this is a limitation in the actual definition of the IPSec protocol.


Have IPOther virtual with SNAT pool or SNAT Automap turned on while passing IPSec (ESP or AH) traffic.


To workaround this, do not turn on SNAT pool or SNAT Automap on IPOTher virtual that processes IPSec traffic.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips