Bug ID 667577: Access profile 'Restrict to Single Client IP' setting not enforced with DTLS tunnel

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1

Opened: Jun 01, 2017

Severity: 3-Major


Symptoms

After an APM end user establishes a session from one client IP address, if the user roams and gets a different client IP address, the DTLS tunnel can still be established, because the system does not enforce 'Restrict to Single Client IP'.

Impact

The DTLS tunnel is established, which allows the client to access internal network resources from a forbidden subnet.

Conditions

The client IP used to establish the session is different from the client IP used to establish the DTLS tunnel, and the 'Restrict to Single Client IP' setting is enabled.

Workaround

Disable usage of the DTLS tunnel.
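
The condition described above can also be audited after the fact by correlating, per session, the client IP seen at session start with the client IP of each DTLS tunnel. The following is an added example, not F5 code and not part of the original bug record; the event names, field layout and sample lines are constructed assumptions and do not reflect the real APM log format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (hypothetical layout, not the APM log format).
SAMPLE_EVENTS = """\
2017-06-01T10:00:00Z session_start sid=a1b2c3 client_ip=198.51.100.10
2017-06-01T10:00:05Z dtls_tunnel sid=a1b2c3 client_ip=198.51.100.10
2017-06-01T10:20:00Z dtls_tunnel sid=a1b2c3 client_ip=203.0.113.77
2017-06-01T11:00:00Z session_start sid=d4e5f6 client_ip=::ffff:192.0.2.5
2017-06-01T11:00:03Z dtls_tunnel sid=d4e5f6 client_ip=192.0.2.5
2017-06-01T11:30:00Z dtls_tunnel sid=ffff00 client_ip=192.0.2.99
"""

def normalize(ip_text):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def parse(line):
    """Split one event line into (timestamp, kind, session id, address)."""
    ts, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return ts, kind, fields["sid"], normalize(fields["client_ip"])

def find_mismatches(text):
    """Return DTLS tunnel events whose client IP differs from the session's."""
    session_ip = {}
    tunnels = defaultdict(list)
    # First pass collects everything, so out-of-order lines still correlate.
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, sid, ip = parse(line)
        if kind == "session_start":
            session_ip[sid] = ip
        elif kind == "dtls_tunnel":
            tunnels[sid].append((ts, ip))
    findings = []
    for sid, events in tunnels.items():
        origin = session_ip.get(sid)
        for ts, ip in events:
            if origin is None:
                findings.append((sid, ts, "no-session-record", str(ip)))
            elif ip != origin:
                findings.append((sid, ts, str(origin), str(ip)))
    return findings

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_EVENTS):
        print(*finding)
```

Session d4e5f6 is not flagged because its two addresses are the same host in IPv4 and IPv4-mapped IPv6 form; a plain string comparison would report it as a roam.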

Fix Information

The 'Restrict to Single Client IP' setting is enforced correctly for the DTLS tunnel.

Behavior Change
