Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
10.2.4, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2
Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1 HF1, 11.5.4 HF2
Opened: Jul 01, 2015 Severity: 3-Major
Services on a pool member frequently receive connections whose source port number is above 65400, especially when the incoming connections to the Virtual IP listener are generated by test tools that increment their source port numbers sequentially. If SNAT is also in use, this can lead to premature SNAT port exhaustion.
The issue can result in resource contention (such as SNAT pool port exhaustion) or in pool member services having difficulty distinguishing between sessions. A notable exception: port reuse before TIME_WAIT expires is specifically NOT an impact of this issue.
The issue appears to be limited to the legacy DAG (disaggregation) algorithm on VIPRION PB100 and PB200 blades. All supported versions of BIG-IP exhibit this issue on that hardware when that DAG algorithm is used. The problem does not appear when the incoming sessions' source port numbers have a reasonable amount of entropy (as is normal for real Internet traffic); however, test tools, or intentionally malicious traffic, can trigger it.
To work around SNAT pool port exhaustion, increase the SNAT pool size (more SNAT addresses) or change to SNAT automap. An iRule may be used to help pool member services better distinguish incoming sessions.
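As an added example (not F5 code and not an F5 tool), the following script shows how a practitioner could check a pool member's connection log for the source-port skew described above, and how much of a SNAT address's port space that traffic is occupying, before concluding that the application or the SNAT pool is at fault. The connection tuples, the 65400 boundary, the detection margin `factor`, and the per-address port budget of 64511 are all constructed or assumed values for the example.

```python
"""Check pool-member-side connections for source ports clustered above 65400
and estimate SNAT port consumption.  Added example; all data is constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (source_ip, source_port, dest_ip, dest_port) as seen by the pool member.
# With SNAT in use, source_ip is the SNAT address, not the client's address.
Conn = Tuple[str, int, str, int]

HIGH_PORT = 65400                          # boundary named in the bug description
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535
# Share of ports above HIGH_PORT if source ports were uniform over 1024-65535.
UNIFORM_HIGH_SHARE = (EPHEMERAL_HIGH - HIGH_PORT) / (EPHEMERAL_HIGH - EPHEMERAL_LOW + 1)


def high_port_share(conns: Iterable[Conn], boundary: int = HIGH_PORT) -> float:
    """Fraction of connections whose source port is strictly above `boundary`."""
    conns = list(conns)
    if not conns:
        return 0.0
    return sum(1 for _, sport, _, _ in conns if sport > boundary) / len(conns)


def is_skewed(conns: List[Conn], min_samples: int = 100, factor: float = 20.0) -> bool:
    """True when the high-port share is far above what uniform ephemeral ports
    would produce.  `factor` is a chosen detection margin (assumption), not an
    F5 value; `min_samples` avoids flagging tiny captures."""
    if len(conns) < min_samples:
        return False
    return high_port_share(conns) > factor * UNIFORM_HIGH_SHARE


def snat_ports_in_use(conns: Iterable[Conn]) -> Dict[str, int]:
    """Distinct (source_port, dest_ip, dest_port) tuples per SNAT address.
    Each distinct tuple occupies one SNAT port towards that destination."""
    used: Dict[str, set] = defaultdict(set)
    for sip, sport, dip, dport in conns:
        used[sip].add((sport, dip, dport))
    return {sip: len(s) for sip, s in used.items()}


def snat_port_pressure(conns: Iterable[Conn], ports_per_snat_addr: int = 64511) -> float:
    """Highest fraction of the assumed per-address port budget consumed by any
    (SNAT address, dest_ip, dest_port) combination.  64511 (ports 1025-65535)
    is an assumed budget for the example, not a documented BIG-IP limit."""
    per_dest: Dict[Tuple[str, str, int], set] = defaultdict(set)
    for sip, sport, dip, dport in conns:
        per_dest[(sip, dip, dport)].add(sport)
    if not per_dest:
        return 0.0
    return max(len(ports) for ports in per_dest.values()) / ports_per_snat_addr


def _sample(ports: List[int]) -> List[Conn]:
    """Build connections from one SNAT address to one pool member (constructed)."""
    return [("10.0.0.5", p, "10.0.1.20", 80) for p in ports]


# Constructed: a sequential-port test tool whose sessions arrive at the pool
# member with source ports in 65401-65535, plus a few stragglers lower down.
SKEWED = _sample([65401 + (i % 135) for i in range(380)] + [40000 + i for i in range(20)])
# Constructed: source ports spread across the ephemeral range, as real clients would show.
SPREAD = _sample([1024 + i * 160 for i in range(400)])


def report(conns: List[Conn]) -> Dict[str, object]:
    """Summarise one capture; the caller decides what to do with the verdict."""
    return {
        "connections": len(conns),
        "high_port_share": round(high_port_share(conns), 3),
        "skewed": is_skewed(conns),
        "snat_ports_in_use": snat_ports_in_use(conns),
        "snat_port_pressure": round(snat_port_pressure(conns), 5),
    }


if __name__ == "__main__":
    for name, sample in (("skewed", SKEWED), ("spread", SPREAD)):
        print(name, report(sample))
```

A real capture would be fed in from the pool member side (for example, parsed from `ss -tn` or a pcap on the server), since the point of the check is what the backend sees after disaggregation and SNAT, not what the client sent. A high `high_port_share` with low `snat_port_pressure` points at the distribution problem described here rather than at a SNAT pool that is simply too small.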
The software emulation of the legacy DAG algorithm used on VIPRION PB100 and PB200 has been updated to more evenly distribute the source port numbers of sessions arriving at pool member services.