Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0
Opened: Aug 17, 2016 Severity: 3-Major
AFM NAT does not support proxy ARP for source translation addresses that are in the same subnet as the egress interface.
Since AFM NAT does not respond to ARP requests for the translated IP Address in the directly connected topology, the return traffic does not reach the BIG-IP system.
- AFM NAT source translation is being used. - The source translation IP address is in the same subnet as the egress interface (self IP address).
You can use either of the following workarounds: -- Use static ARP configuration for the AFM NAT source translated addresses (in same subnet as egress interface) on the downstream device. -- Use the routing topology instead (so that NAT Address is not in the same subnet as the egress interface).
This is now fixed by allowing a configuration option per AFM NAT Source translation object that can be enabled to allow AFM NAT to respond to ARP requests for these addresses. By default, it is disabled.