Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.6.2 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF5, 11.5.2 HF1
Opened: Feb 25, 2015 Severity: 2-Critical Related Article:
K16453
The egress VxLAN traffic on VIPRION chassis and 5000 series appliances has bad UDP checksum in its outer UDP header. The BIG-IP hardware does not support UDP checksum offload for VxLAN traffic if the outer UDP header is IPv4. The BIG-IP hardware uses UDP destination port 4789 to identify VxLAN traffic. This occurs when sending UDP traffic with source port 8472 to a VIPRION platform, regardless of VXLAN.
The egress VxLAN traffic is dropped due to bad UDP checksum. Incoming UDP traffic with source port 8742 is dropped.
The outer UDP header of egress VxLAN traffic on VIPRION chassis and 5000 series appliances is IPv4 and has destination port equal to 4789 (5000 series) or 8472 (VIPRION).
Set db variable iptunnel.vxlan.udpport to 0. So the BIG-IP system hardware does not classify UDP destination port equal to 4789 as VxLAN traffic. Disable HW checksum
VIPRION chassis and 5000 series appliances no longer generate bad bad outer IPv4 UDP checksums on egressing VxLAN traffic.