Bug ID 521774: Traceroute and ICMP errors may be blocked by AFM policy

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2

Opened: May 06, 2015
Severity: 3-Major
Related AskF5 Article:
K17420

Symptoms

ICMP error packets for existing connections can be blocked by AFM policy. Diagnostics that use ICMP error messages, such as traceroute, may fail to display information beyond the AFM device.

Impact

Network diagnostics such as traceroute through an AFM device will not display information from routers between the AFM device and the destination IP address.

Conditions

The AFM policy has a rule to drop or reject that can match the IP header of ICMP messages going from a router IP address back to the client or server IP address that sent the original packet.

Workaround

If possible and allowed, create an AFM rule matching the affected ICMP packets with an action of accept-decisively.

Fix Information

None

Behavior Change