Bug ID 643034: Turn off TCP Proxy ICMP forwarding by default

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.2.1, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1, 12.1.3.6, 11.6.4, 11.5.9

Opened: Feb 02, 2017

Severity: 3-Major

Related Article: K52510343

Symptoms

Forwarding of ICMP PMTU messages through the BIG-IP can negatively impact performance if OneConnect or SNAT functionality is active.

Impact

Peers use suboptimal Path Maximum Transmission Units (PMTUs).

Conditions

Forwarding of ICMP PMTU messages through the BIG-IP when OneConnect or SNAT is active.

Workaround

For TCP and UDP proxies, ensure proxy-mss is disabled in the profile, or disable MTU caching on pool members.

Fix Information

There are legitimate reasons to forward ICMP messages through BIG-IP, so in some cases mitigation must occur at pool members. However, we have introduced more control (tm.tcp.enforcepathmtu) to tune this more precisely.

Behavior Change

The default behavior on TCP proxies is now to not forward ICMP messages, restoring the default from TMOS 12.0.0 and earlier. Forwarding ICMP PMTU messages on TCP proxies now requires both proxy-mss 'enabled' in the TCP profile (which is the default setting) and 'tm.tcp.enforcepathmtu' set to 'enabled' (not the default).
