Bug ID 667577: Access profile 'Restrict to Single Client IP' setting not enforced with DTLS tunnel

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1

Opened: Jun 01, 2017
Severity: 3-Major

Symptoms

After APM end users establish a session from one client IP address, if they roam and obtain a different client IP address, the DTLS tunnel can still be established from the new address, because the system does not enforce the 'Restrict to Single Client IP' setting on the DTLS tunnel.

Impact

The DTLS tunnel is established, which allows the client to access internal network resources from a subnet that the access profile was meant to forbid.

Conditions

The client IP used to establish the session is different from the client IP used to establish the DTLS tunnel, and the 'Restrict to Single Client IP' setting is enabled.

Workaround

Disable usage of DTLS tunnel.

Fix Information

The 'Restrict to Single Client IP' setting is now enforced correctly for the DTLS tunnel.
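The Conditions and Fix Information sections describe a policy check that was applied on one transport path but not the other. The following Python model, added here as an illustration and not BIG-IP APM code, shows the shape of the defect and the fix: a session is bound to the client IP that created it, and the binding check must run for every tunnel transport. All names (Session, SESSIONS, open_tunnel_buggy, open_tunnel_fixed, the 'tls'/'dtls' transport labels) and the sample IP addresses are constructed for this example.

```python
"""Constructed model of the 'Restrict to Single Client IP' check.

Added illustration, not F5 BIG-IP APM code. It models an access
session bound to the client IP that established it and shows why the
binding check has to run on every tunnel transport, not only on the
primary TLS path.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Session:
    session_id: str
    bound_ip: str              # client IP that established the session
    restrict_single_ip: bool   # the access-profile setting


class TunnelDenied(Exception):
    """Raised when a tunnel request violates the single-client-IP binding."""


# Hypothetical in-memory session store standing in for the APM session table.
SESSIONS = {}


def establish_session(session_id, client_ip, restrict_single_ip=True):
    """Create a session and bind it to the IP it was established from."""
    ip_address(client_ip)  # reject malformed addresses early
    session = Session(session_id, client_ip, restrict_single_ip)
    SESSIONS[session_id] = session
    return session


def _check_client_ip(session, client_ip, transport):
    """Enforce the binding: a restricted session may only be used from its bound IP."""
    if session.restrict_single_ip and client_ip != session.bound_ip:
        raise TunnelDenied(
            f"{transport} tunnel from {client_ip} rejected: "
            f"session {session.session_id} is bound to {session.bound_ip}"
        )


def open_tunnel_buggy(session_id, client_ip, transport):
    """Defective behaviour: the check runs only on the TLS path."""
    session = SESSIONS[session_id]
    if transport == "tls":
        _check_client_ip(session, client_ip, transport)
    return True  # DTLS requests are never checked, so a roamed client gets through


def open_tunnel_fixed(session_id, client_ip, transport):
    """Corrected behaviour: the same check runs for every transport."""
    session = SESSIONS[session_id]
    _check_client_ip(session, client_ip, transport)
    return True


def tunnel_allowed(open_fn, session_id, client_ip, transport):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        return open_fn(session_id, client_ip, transport)
    except TunnelDenied:
        return False


if __name__ == "__main__":
    establish_session("s1", "203.0.113.10")
    # Client roams to a new address and requests a DTLS tunnel for the same session.
    print("buggy, dtls:", tunnel_allowed(open_tunnel_buggy, "s1", "198.51.100.7", "dtls"))
    print("fixed, dtls:", tunnel_allowed(open_tunnel_fixed, "s1", "198.51.100.7", "dtls"))
```

The model is deliberately transport-agnostic in the fixed path: the point of the fix is that the enforcement decision depends only on the session binding and the observed client IP, never on which tunnel type carried the request. Until the fix is deployed, the page's workaround of disabling the DTLS tunnel removes the unchecked path.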

Behavior Change