Bug ID 783125: iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Last Modified: Jun 14, 2019

Affected Product:
BIG-IP DNS, LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 15.0.0

Opened: May 17, 2019
Severity: 2-Critical

Symptoms

The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Impact

TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Conditions

-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that requires coordinating data with another TMM on the system, such as the 'table' command.

Workaround

F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers. Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events. See the respective reference pages for DNS::drop and UDP::drop for the Valid Events in which each iRule command is available:
https://clouddocs.f5.com/api/irules/DNS__drop.html
https://clouddocs.f5.com/api/irules/UDP__drop.html
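
To find iRules that need this replacement, the following added example (not F5 code and not part of the bug report) scans iRule source for bare 'drop' commands, reports the event each one sits in, and suggests the replacement named in the workaround. The sample iRule is constructed, and the function names audit, event_bodies and irule_conditions_met are hypothetical.

```python
import re

# Constructed sample iRule (not from the bug report) with the pattern described above.
SAMPLE_IRULE = """\
when DNS_REQUEST {
    set hits [table incr "q:[IP::client_addr]"]
    if { $hits > 100 } {
        drop
    }
}
when CLIENT_DATA {
    if { [UDP::payload length] == 0 } { drop }
}
"""

DNS_EVENTS = {"DNS_REQUEST", "DNS_RESPONSE"}
WHEN_RE = re.compile(r"^\s*when\s+([A-Z_0-9]+)\b[^{]*\{", re.M)
CMD = r"(?:^|[{;\[])\s*"  # command position: line start, or after '{', ';', '['
BARE_DROP_RE = re.compile(CMD + r"(drop)\b", re.M)  # skips DNS::drop / UDP::drop
TABLE_RE = re.compile(CMD + r"table\b", re.M)

def event_bodies(irule):
    """Yield (event, body_offset, body) per 'when EVENT { ... }' block.
    Simplification: counts braces only, ignoring braces in strings or comments."""
    for m in WHEN_RE.finditer(irule):
        depth, i = 1, m.end()
        while i < len(irule) and depth:
            depth += {"{": 1, "}": -1}.get(irule[i], 0)
            i += 1
        yield m.group(1), m.end(), irule[m.end():i - 1 if depth == 0 else i]

def audit(irule):
    """Return [(line, event, suggested_command)] for every bare 'drop'."""
    findings = []
    for event, start, body in event_bodies(irule):
        # Workaround mapping; confirm the event under Valid Events for the command.
        fix = "DNS::drop" if event in DNS_EVENTS else "UDP::drop"
        for m in BARE_DROP_RE.finditer(body):
            line = irule.count("\n", 0, start + m.start(1)) + 1
            findings.append((line, event, fix))
    return findings

def irule_conditions_met(irule):
    """True if a bare 'drop' exists and a DNS event uses the 'table' command."""
    dns_table = any(e in DNS_EVENTS and TABLE_RE.search(b) for e, _, b in event_bodies(irule))
    return bool(audit(irule)) and dns_table

if __name__ == "__main__":
    print(audit(SAMPLE_IRULE), irule_conditions_met(SAMPLE_IRULE))
```

The check covers only the iRule-side conditions; the TMM count and the Datagram LB setting of the UDP profile have to be verified separately on the system.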

Fix Information

None

Behavior Change