Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
14.0.0
Opened: Oct 26, 2017 Severity: 2-Critical
The AFM pktclass daemon halts when it receives a NAT policy rule configuration with an invalid (non-existent) address (or port) list attached (triggered either by running the 'tmsh merge' command or by manually modifying bigip*.conf files).
The AFM pktclass daemon (pccd) halts with the following error message in /var/log/ltm: pccd[20954]: 015d0000:3: [NAT] commit failed.
A user modifies the AFM NAT policy configuration to include a non-existent firewall address (or port) list in a NAT policy rule, either by running the 'tmsh merge' command or by manually modifying bigip*.conf files. These conditions cause MCP validation to be skipped, so the pktclass daemon (pccd) aborts when it receives an invalid address (or port) list configuration for a NAT policy rule.
Do not modify the AFM NAT policy rule configuration either by running the 'tmsh merge' command or by manually modifying bigip*.conf files. Use TMSH/GUI commands/options to manage AFM NAT configuration.
The MCP validation issue has been fixed: MCP now detects the invalid address (or port) list condition in an AFM NAT policy rule when you attach a non-existent list either by running the 'tmsh merge' command or by manually modifying bigip*.conf files. MCP catches the invalid configuration and posts an alert, preventing the pktclass daemon (pccd) from halting.
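
A check for the condition described above that can be run on a configuration file before it is merged on an affected version. This is an added example, not F5 code: it reports NAT policy rule references to address or port lists that are defined neither in the merge file nor in an optional copy of the existing configuration. The stanza layout, the function names and the sample file are assumptions, and names are compared exactly as written.

```python
import re

# Assumed bigip*.conf layout (not from the advisory): lists are defined by
# "security firewall address-list|port-list <name> {" and NAT policy rules
# reference them inside "address-lists { ... }" / "port-lists { ... }" blocks.
DEFINITION = re.compile(r"^security firewall (address|port)-list (\S+) \{", re.M)
NAT_POLICY = re.compile(r"^security nat policy (\S+) \{", re.M)
REFERENCE = re.compile(r"\b(address|port)-lists \{([^{}]*)\}")

def stanza_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in configuration")

def missing_nat_list_refs(merge_text, existing_text=""):
    """Return (policy, kind, name) for each NAT list reference with no definition."""
    defined = {m.groups() for m in DEFINITION.finditer(existing_text + "\n" + merge_text)}
    missing = []
    for pol in NAT_POLICY.finditer(merge_text):
        for ref in REFERENCE.finditer(stanza_body(merge_text, pol.end() - 1)):
            for name in ref.group(2).split():
                if (ref.group(1), name) not in defined:
                    missing.append((pol.group(1), ref.group(1), name))
    return missing

# Constructed sample merge file: one list is defined, two references are not.
SAMPLE_MERGE = """\
security firewall address-list /Common/nat_src {
    addresses { 10.1.1.0/24 { } }
}
security nat policy /Common/nat_pol {
    rules {
        r1 {
            source {
                address-lists { /Common/nat_src /Common/no_such_list }
                port-lists { /Common/no_such_ports }
            }
        }
    }
}
"""

if __name__ == "__main__":
    for policy, kind, name in missing_nat_list_refs(SAMPLE_MERGE):
        print(f"{policy}: {kind}-list {name} is not defined")
```

An empty result means every list referenced by a NAT policy rule in the file has a matching definition; any entry returned is a reference of the kind that causes the pccd halt described above.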