Bug ID 528188: Packet filters are by-passed for some fragmented ICMP echo requests to a virtual address

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Opened: Jun 16, 2015
Severity: 3-Major
Related AskF5 Article:
K17502

Symptoms

A packet filter is in place to block ICMP traffic to a virtual address, but the virtual address responds to ICMP echo requests.

Impact

Traffic is not blocked despite the existence of a packet-filter rule.

Conditions

A packet filter is in place to block ICMP echo request traffic to a virtual address, and a fragmented ICMP echo request is received by the BIG-IP system. If the ICMP echo request needs to be forwarded to another tmm, the packet-filter is not honored.

Workaround

Use AFM rather than packet-filter. Note: This may require additional licensing.

Fix Information

None

Behavior Change