Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP PEM
Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10
Opened: Nov 20, 2013 Severity: 2-Critical
If you turn on the SNAT pool or SNAT Automap on IPOther virtual, no traffic passes through in most cases. In some cases, the traffic passes but the out stats (packets and bytes)is zero. This is not a limitation as simply IPSec traffic cannot be SNATed by definition.
No impact as this is a limitation in the actual definition of the IPSec protocol.
Have IPOther virtual with SNAT pool or SNAT Automap turned on while passing IPSec (ESP or AH) traffic.
To workaround this, do not turn on SNAT pool or SNAT Automap on IPOTher virtual that processes IPSec traffic.
None