Bug ID 655357: Corrupted L2 FDB entries on B4450 blades might result in dropped traffic

Last Modified: May 14, 2019

Bug Tracker

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.3

Opened: Apr 05, 2017
Severity: 2-Critical
Related AskF5 Article:
K06245820

Symptoms

ARP replies reach the front panel port of B4450 blades but fail to reach the TMMs. This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which exposes a 3-second race window in software during which learning events in the switch hardware for a given L2 FDB entry can be lost. This can leave L2 FDB entries corrupted, and traffic that hits a corrupted L2 FDB entry fails.

Impact

The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Conditions

-- An L2 FDB entry is learned on a Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.

Workaround

Delete the corrupted L2 FDB entries so that the switch re-learns them. To do so, identify the affected VLAN and flush the L2 FDB entries on that VLAN with the following command: tmsh delete net fdb vlan {vlan_name}.

Fix Information

A db variable switchboard.l2.mitigation was introduced to configure this feature.
-- A value of "enable" allows packets to be forwarded in the case of corrupted L2 FDB entries. Packets are hashed on source and destination addresses. Enabling forwarding this way is only a temporary measure.
-- A value of "monitor" does not forward packets but counts packets that were affected by corrupted L2 FDB entries. The stat table switch/l2_mitgation, updated every 11 seconds, reports the packet counts. Differences in packet counts are logged to /var/log/ltm.
-- A value of "disable" disables both forwarding and packet counting. Packet counts are reset.

Behavior Change