Bug ID 585823: FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
12.1.0, 12.1.1

Fixed In:
13.0.0, 12.1.2

Opened: Apr 06, 2016

Severity: 3-Major

Symptoms

Firewall NAT translation fails when the pre-translation connection matches a Firewall NAT policy rule that uses a source address list to match the incoming source address, and the rule's source translation object is configured for 'dynamic-pat' with mode = deterministic.

Impact

Translation fails as described, resulting in connection failures for the traffic that matches the rule.

Conditions

The issue occurs when both of the following conditions hold: a) the FW NAT rule has a source translation object of type 'dynamic-pat' with mode = deterministic, AND b) the FW NAT rule matches the source address only through a source address list (with no inline source addresses on the match side).

Workaround

If a FW NAT rule uses a source translation object with dynamic-pat in deterministic mode, specify the source address(es) on the match side as inline address(es) rather than as a source address list containing those addresses.
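The affected configuration and the workaround side by side, as tmsh configuration. This is an added illustration and is not taken from the bug report or from F5 documentation: all object names and the RFC 1918 / RFC 5737 addresses are placeholders, and the attribute names follow the tmsh security nat and security firewall syntax as I recall it for 12.1.x, so confirm them against the tmsh reference for your version before applying.

```tmsh
# Added example, not from the bug report. Object names and addresses are hypothetical.

# Address list containing the clients whose traffic is to be translated.
security firewall address-list internal-clients {
    addresses {
        10.1.0.0/24 { }
    }
}

# Source translation object: dynamic PAT in deterministic mode.
security nat source-translation det-pat-pool {
    addresses {
        203.0.113.10-203.0.113.13 { }
    }
    ports {
        1024-65535 { }
    }
    type dynamic-pat
    mode deterministic
}

# AFFECTED on 12.1.0 / 12.1.1: the match side references only the address list,
# so connections from 10.1.0.0/24 match the rule but fail to translate (Bug ID 585823).
security nat policy nat-policy-affected {
    rules {
        egress-pat {
            source {
                address-lists { internal-clients }
            }
            translation {
                source det-pat-pool
            }
        }
    }
}

# WORKAROUND: the same client addresses specified inline on the match side,
# with the address list not referenced by this rule.
security nat policy nat-policy-workaround {
    rules {
        egress-pat {
            source {
                addresses {
                    10.1.0.0/24 { }
                }
            }
            translation {
                source det-pat-pool
            }
        }
    }
}
```

After loading the workaround policy, `tmsh list security nat policy nat-policy-workaround` should show the client prefix under `source { addresses { ... } }` and no `address-lists` entry on that rule. The translation object itself is unchanged; only the match side of the rule moves from the list to inline addresses.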

Fix Information

The fix uses the addresses contained in the rule's source address list to match incoming connections and perform the translation, so a rule that matches on an address list behaves the same as one with the same addresses specified inline.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips