Symptoms

If AFM DoS is enabled in hardware, and the sys db tunable <userinput>dos.dropv4mapped</userinput> is not set, incoming IPv6 packets with IPv4 mapped IPv6 addresses may still be dropped in hardware if the <userinput>ipv6_bad_addr</userinput> vector is enabled with a finite rate-limit/detection value.

Impact

Packets might be dropped in HW.

Conditions

AFM HW DoS enabled with vector ipv6_bad_addr enabled with a finite rate-limit/detection value. Then if you have incoming IPv6 packets which have src or dst address as a IPv4 mapped IPv6 address.

Workaround

To avoid this, configure the rate-limit and detection for <uicontrol>IPv6 Bad Addr</uicontrol> vector to be infinite when you have set <userinput>dos.dropv4mapped</userinput> to false.

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips