Last Modified: Nov 22, 2021
Affected Product(s):
BIG-IP AFM
Fixed In:
16.1.0
Opened: Oct 09, 2020
Severity: 3-Major
When a drop action is performed for a UDP connection flow, BIG-IP does not drop the connection correctly.
Multiple connections are created on the server side, which could lead to port exhaustion.
- A Protocol Inspection profile is attached at either the Virtual Server or the Firewall rule level.
- UDP traffic is processed and a match occurs on an action set to "Drop".
None
The Protocol Inspection "Drop" action drops only the packet, keeps the connection, and continues to drop subsequent traffic for a UDP connection flow.
The Protocol Inspection "Drop" action on a UDP connection should only drop the packet, but keep the connection in such a state that subsequent traffic gets dropped. The old behavior was to drop the packet and remove the connection.