Bug ID 500003: Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP MA-VE, vCMP(all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1

Fixed In:
12.0.0, 11.6.1 HF2, 11.5.4 HF3

Opened: Jan 08, 2015
Severity: 3-Major
Related Article:
K45948191

Symptoms

When incoming NTP packets from the configured NTP server arrive for a non-local IP on a BIG-IP system that is either a Virtual Edition (VE) guest, an appliance, or a vCMP guest on an appliance host, an iptables rule is triggered that results in further outgoing packets to the NTP server to have their destination IP addresses changed to 127.3.0.0, which is not routable and thus causes NTP time syncs to stop.

Impact

NTP time syncing stops on affected BIG-IP systems.

Conditions

An NTP server is configured on a BIG-IP system that is either a VE, an appliance, or a vCMP guest on an appliance host, and packets arrive from the configured NTP server destined for an IP address belonging to another machine on the network. This can happen for several reasons: 1) The customer has a device on the same management network doing very low-to-zero volume of traffic over its management port. NTP syncs time less often than the L2 FDB expiration time. 2) The customer is using a L2 topology that uses redundant switches with NIC teaming / bonding, and one of the hosts cuts over to the other switch. This also causes transmits of packets that have no valid L2 FDB entry. 3) An STP topology change occurs in a given network, causing switches to drop L2 FDB entries for relevant hosts and flood unknown unicast destination traffic to all ports of a given VLAN. 4) Any unicast misdirection of NTP traffic to the management port not covered above.

Workaround

To remove the iptables rule that is causing the problem: # iptables -t nat -D bpnet-in -p udp --dport 123 -j DNAT --to-destination 127.3.0.0. Comment out the following line in the function setup_virtual_backplane() in the file /etc/init.d/cluster to prevent the rule from coming back upon reboot: iptables -t nat -A bpnet-in -p udp --dport 123 -j DNAT --to-destination $int_mgmtip.

Fix Information

Incoming NTP packets from configured NTP server to non-local IP now works correctly with outgoing NTP.

Behavior Change