Last Modified: Nov 07, 2022
See more info
BIG-IP MA-VE, vCMP
Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1
12.0.0, 11.6.1 HF2, 11.5.4 HF3
Opened: Jan 08, 2015
Related Article: K45948191
When incoming NTP packets from the configured NTP server arrive for a non-local IP on a BIG-IP system that is either a Virtual Edition (VE) guest, an appliance, or a vCMP guest on an appliance host, an iptables rule is triggered that results in further outgoing packets to the NTP server to have their destination IP addresses changed to 127.3.0.0, which is not routable and thus causes NTP time syncs to stop.
NTP time syncing stops on affected BIG-IP systems.
An NTP server is configured on a BIG-IP system that is either a VE, an appliance, or a vCMP guest on an appliance host, and packets arrive from the configured NTP server destined for an IP address belonging to another machine on the network. This can happen for several reasons: 1) The customer has a device on the same management network doing very low-to-zero volume of traffic over its management port. NTP syncs time less often than the L2 FDB expiration time. 2) The customer is using a L2 topology that uses redundant switches with NIC teaming / bonding, and one of the hosts cuts over to the other switch. This also causes transmits of packets that have no valid L2 FDB entry. 3) An STP topology change occurs in a given network, causing switches to drop L2 FDB entries for relevant hosts and flood unknown unicast destination traffic to all ports of a given VLAN. 4) Any unicast misdirection of NTP traffic to the management port not covered above.
To remove the iptables rule that is causing the problem: # iptables -t nat -D bpnet-in -p udp --dport 123 -j DNAT --to-destination 127.3.0.0. Comment out the following line in the function setup_virtual_backplane() in the file /etc/init.d/cluster to prevent the rule from coming back upon reboot: iptables -t nat -A bpnet-in -p udp --dport 123 -j DNAT --to-destination $int_mgmtip.
Incoming NTP packets from configured NTP server to non-local IP now works correctly with outgoing NTP.