Last Modified: Feb 07, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1
Fixed In:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
Opened: Jul 08, 2019 Severity: 3-Major
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows. On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic. Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops. The current allocation can be checked with this command: # tmctl memory_usage_stat name=connflow -s name,cur_allocs
-- OneConnect configured. And one of the following: -- Source-port is set to preserve-strict. -- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.
You can use any of the following workarounds: -- Remove the OneConnect profile from the Virtual Server. -- Do not use 'source-port preserve-strict' setting on the Virtual Server. -- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'. Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.
None