Bug ID 438549: IPSec traffic cannot be SNATed

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP PEM (all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Opened: Nov 20, 2013
Severity: 2-Critical

Symptoms

If you turn on SNAT pool or SNAT Automap on an IPOther virtual, no traffic passes through in most cases. In some cases, the traffic passes but the out stats (packets and bytes) are zero. This is not a limitation, as IPSec traffic simply cannot be SNATed by definition.

Impact

No impact as this is a limitation in the actual definition of the IPSec protocol.

Conditions

An IPOther virtual has SNAT pool or SNAT Automap turned on while passing IPSec (ESP or AH) traffic.

Workaround

To work around this, do not turn on SNAT pool or SNAT Automap on an IPOther virtual that processes IPSec traffic.

Fix Information

None

Behavior Change