Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP CGN
Known Affected Versions:
11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2
Fixed In:
12.1.2 HF1
Opened: Aug 09, 2016 Severity: 2-Critical
When PCP is picking an endpoint for a LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.
Deterministic mapping restriction may be violated causing reverse mapping of public IP address to private IP address to not identify the correct subscriber.
With PCP configured and enabled with a lsn-pool in deterministic mode.
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.
PCP no longer picks mappings outside of a client's DNAT range after the first mapping attempt fails.