Bug ID 954089: Incorrect Protocol Inspection "Drop" action for UDP connection flows

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP AFM (all modules)

Fixed In:
16.1.0

Opened: Oct 09, 2020

Severity: 3-Major

Symptoms

When a drop action is performed for a UDP connection flow, BIG-IP does not drop the connection correctly.

Impact

Multiple connections are created on the server side, which could lead to port exhaustion.

Conditions

- A Protocol Inspection profile is attached at either the Virtual Server or the Firewall rule level.
- UDP traffic is processed and a match occurs for which the action is set to "Drop".

Workaround

None

Fix Information

For a UDP connection flow, the Protocol Inspection "Drop" action now drops only the packet, keeps the connection, and continues to drop the subsequent traffic.

Behavior Change

The Protocol Inspection "Drop" action on a UDP connection should only drop the packet, but keep the connection in such a state that subsequent traffic gets dropped. The old behavior was to drop the packet and remove the connection.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips