Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1
Fixed In:
13.0.0, 12.1.2, 11.6.3.2
Opened: Sep 08, 2016
Severity: 3-Major
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.
Return traffic from the destination may not be able to reach the BIG-IP, thus breaking the VDI functionality.
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.
No workaround short of removing the additional virtual server matching the VDI traffic.
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtual servers before reaching the external network.