Bug ID 454636: HSL logging may be sent to a virtual server unexpectedly

Last Modified: Feb 13, 2019


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5

Fixed In:
11.6.0, 11.5.1 HF6, 11.4.1 HF6

Opened: Mar 28, 2014
Severity: 3-Major
Related AskF5 Article:
K15418

Symptoms

If an iRule or remote-logging profile is configured to send high-speed logging (HSL) traffic and the destination address matches a network virtual, the virtual server will process the logging traffic. A network virtual is one whose mask is greater than /1 and less than /32 for IPv4, or less than /128 for IPv6.

Impact

Log messages might be lost.

Conditions

This occurs when a network virtual matches the remote-logging destination address.

Workaround

Create a host virtual (one whose mask is /32 for IPv4 or /128 for IPv6) that matches the HSL destination address and forwards the traffic to the intended destination with SNAT automap enabled.
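
The following is an added example, not part of the original article or F5 code: a Python check that takes an inventory of virtual server destinations and HSL destination addresses (both constructed here) and reports which logging destinations fall inside a network virtual, and whether a host virtual of the kind described in the workaround exists. The function names and inventory format are assumptions; port, route domain, and the host virtual's forwarding and SNAT settings are not checked.

```python
import ipaddress

def classify(destination):
    """Classify a virtual server destination using the mask ranges in this article."""
    net = ipaddress.ip_network(destination, strict=False)
    if net.prefixlen == net.max_prefixlen:       # /32 for IPv4, /128 for IPv6
        return "host"
    if 1 < net.prefixlen < net.max_prefixlen:    # the article's network virtual range
        return "network"
    return "other"                               # /0 and /1 are not classified by the article

def audit_hsl_destinations(virtuals, hsl_destinations):
    """Return {hsl_ip: {"status", "network_virtuals", "host_virtuals"}}.

    virtuals: {name: "address/prefix"}; hsl_destinations: iterable of IP strings.
    status is "ok" (no network virtual matches), "workaround-present"
    (a host virtual exists for the address) or "exposed".
    """
    report = {}
    for dest in hsl_destinations:
        addr = ipaddress.ip_address(dest)
        network_hits, host_hits = [], []
        for name, destination in virtuals.items():
            net = ipaddress.ip_network(destination, strict=False)
            if net.version != addr.version or addr not in net:
                continue
            kind = classify(destination)
            if kind == "network":
                network_hits.append(name)
            elif kind == "host":
                host_hits.append(name)
        if not network_hits:
            status = "ok"
        elif host_hits:
            status = "workaround-present"
        else:
            status = "exposed"
        report[dest] = {"status": status,
                        "network_virtuals": sorted(network_hits),
                        "host_virtuals": sorted(host_hits)}
    return report

# Constructed sample inventory using documentation address ranges (hypothetical names).
VIRTUALS = {"vs_app_net": "192.0.2.0/24", "vs_syslog_fwd": "192.0.2.50/32",
            "vs_dmz_net": "198.51.100.0/25", "vs_v6_net": "2001:db8::/64",
            "vs_default": "0.0.0.0/0"}
HSL_DESTINATIONS = ["192.0.2.50", "198.51.100.10", "203.0.113.7", "2001:db8::514"]

if __name__ == "__main__":
    for ip, result in audit_hsl_destinations(VIRTUALS, HSL_DESTINATIONS).items():
        print(ip, result)
```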

Fix Information

Remote-logging will never match a wildcard virtual server. In route-domain 0, remote-logging can only match a host virtual where the destination exactly matches the logging destination. For all other route-domains, remote-logging will continue to match network and host virtuals where the destination exactly matches the logging destination. There is no source matching.

Behavior Change