Bug ID 542987: MAP-E tunnel does not correctly use ICMP ID in IPv6 address calculation

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0

Opened: Sep 02, 2015

Severity: 3-Major

Symptoms

BIG-IP provides MAP-E BR (border router) functionality. When ICMP traffic originates from the public Internet side, BIG-IP MAP-E uses the ICMP type and code, instead of the ICMP identifier field, as the port number in the IPv6 address mapping calculation. This case is rare, however, because NAT44 is usually implemented at the MAP-E CE.

Impact

The affected ICMP traffic gets lost.

Conditions

BIG-IP provides BR functionality, and the ICMP traffic originates from the public network side and enters the MAP-E tunnel through the BIG-IP.

Workaround

ICMP traffic coming from public network side to the private network behind the MAP-E CE devices is rare.

Fix Information

With the fix, ICMP traffic with identifier information is encapsulated in a MAP-E tunnel with the correct MAP-E CE IPv6 address.
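The difference between the two behaviours, as an added example (not F5 code): it derives the MAP-E port-set ID (PSID), the part of the port that selects the CE IPv6 address, once from type/code and once from the identifier. The RFC 7597 port layout, the way type and code are combined into 16 bits, the rule parameters a=4 and k=8, and the sample packet are assumptions made for illustration.

```python
import struct

ECHO_TYPES = {0, 8}  # echo reply / echo request: the ICMP messages that carry an identifier

def psid_from_port(port, a, k):
    """Return the k-bit PSID that follows the a-bit offset in a 16-bit port (RFC 7597)."""
    m = 16 - a - k
    if a < 0 or k < 0 or m < 0:
        raise ValueError("need a >= 0, k >= 0 and a + k <= 16")
    return (port >> m) & ((1 << k) - 1)

def parse_icmp(icmp):
    """Unpack type, code and identifier from the first 8 bytes of an ICMP message."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _checksum, ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    return icmp_type, code, ident

def port_from_type_code(icmp):
    """Behaviour described under Symptoms: type and code read as a 16-bit port (assumed layout)."""
    icmp_type, code, _ = parse_icmp(icmp)
    return (icmp_type << 8) | code

def port_from_identifier(icmp):
    """Behaviour described under Fix Information: the identifier stands in for the port."""
    icmp_type, _, ident = parse_icmp(icmp)
    if icmp_type not in ECHO_TYPES:
        return None  # no identifier field in this message type
    return ident

# Constructed sample: echo request, identifier 0x1234, sequence 1, checksum left at 0.
SAMPLE_ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
A_BITS, K_BITS = 4, 8  # hypothetical MAP rule: PSID offset 4, PSID length 8

def compare(icmp, a=A_BITS, k=K_BITS):
    """Return (PSID from type/code, PSID from identifier) for one ICMP message."""
    ident_port = port_from_identifier(icmp)
    fixed = None if ident_port is None else psid_from_port(ident_port, a, k)
    return psid_from_port(port_from_type_code(icmp), a, k), fixed

if __name__ == "__main__":
    wrong, right = compare(SAMPLE_ECHO)
    print(f"PSID from type/code:  {wrong:#04x}")
    print(f"PSID from identifier: {right:#04x}")
```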

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips