Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Opened: Apr 11, 2018
Severity: 4-Minor
When the self IP has a firewall rule to reject ICMP unreachable messages, the messages are sent from active to standby and not from standby to active. This is correct behavior, but v13.x might show ICMP unreachable messages sent from standby to active along with those from active to standby.
No functional impact. The absence of ICMP unreachable messages has no effect on BIG-IP system functionality. Note: If there is a firewall to block traffic on self IPs, but you still want ICMP unreachable messages, that configuration is not valid, and HA will not work.
-- An AFM firewall rule is applied to the self IP to reject ICMP unreachable messages.
-- Active/standby high availability (HA) cluster.
There is no workaround.
None
In v12.x, with AFM in reject mode and the self IP rule set to 'reject', the reject ICMP unreachable messages are observed only from active to standby. In v13.x, ICMP unreachable messages are observed in both directions, active to standby and standby to active.