Bug ID 609788: PCP may pick an endpoint outside the deterministic mapping

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP CGN (all modules)

Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
12.1.2 HF1

Opened: Aug 09, 2016

Severity: 2-Critical

Symptoms

When PCP picks an endpoint for an LSN pool in deterministic mode and the initial pick fails because of an existing mapping, the subsequent picks are made from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.

Impact

The deterministic mapping restriction may be violated, so that reverse mapping of a public IP address to a private IP address does not identify the correct subscriber.

Conditions

PCP is configured and enabled with an lsn-pool in deterministic mode.

Workaround

Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.

Fix Information

PCP no longer picks mappings outside of a client's DNAT range after the first mapping attempt fails.
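
The following is an added example, not F5 code: a simplified model of the retry behaviour described under Symptoms and Fix Information, with an audit check for mappings that break reverse lookup. The block layout, port range, block size and function names are assumptions made for illustration and do not reproduce the BIG-IP deterministic mapping algorithm.

```python
# Simplified model (assumption): each client index owns one fixed block of
# public ports, so a public port alone identifies the subscriber.
POOL_START, POOL_END = 1024, 65535   # constructed translation port range
BLOCK = 1000                         # constructed ports per client

def client_block(idx):
    """Port range deterministically assigned to client number idx."""
    lo = POOL_START + idx * BLOCK
    return range(lo, lo + BLOCK)

def reverse_map(port):
    """Subscriber index an operator derives from a public port."""
    return (port - POOL_START) // BLOCK

def pick(idx, suggested, in_use, confine_retry):
    """Choose a public port for a PCP request from client idx.

    confine_retry=False models the reported behaviour: after the first pick
    collides with an existing mapping, retries scan the whole pool range.
    confine_retry=True models the fixed behaviour: retries stay inside the
    client's own block.
    """
    block = client_block(idx)
    first = suggested if suggested in block else block[0]
    if first not in in_use:
        return first
    candidates = block if confine_retry else range(POOL_START, POOL_END + 1)
    for port in candidates:
        if port not in in_use:
            return port
    return None  # block exhausted: fail rather than leave the block

def violations(mappings):
    """Audit {public_port: client_idx}; return (port, owner, reverse_result)
    for every mapping whose reverse lookup names a different subscriber."""
    return [(p, c, reverse_map(p)) for p, c in sorted(mappings.items())
            if reverse_map(p) != c]

if __name__ == "__main__":
    in_use = {4024}                       # constructed: client 3's first port is taken
    bad = pick(3, 4024, in_use, confine_retry=False)
    good = pick(3, 4024, in_use, confine_retry=True)
    print("unconfined retry:", bad, "-> reverse lookup says client", reverse_map(bad))
    print("confined retry:  ", good, "-> reverse lookup says client", reverse_map(good))
    print("audit:", violations({bad: 3, good: 3}))
```

The same audit idea applies to real mapping data: any PCP-created mapping whose public port falls outside the range computed for its private address is one that reverse mapping will attribute to the wrong subscriber.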

Behavior Change
