Vpn Plugin replacing destination IP with 0.0.0.0 for the 172.16.0.0/16 subnet - Spoofed IP to original IP.

Article ID: CTX335902
Description

ADC - While using the VPN Plugin to access intranet resources, destination addresses in the subnet 172.16.0.0/16 are treated as spoofed IPs and rewritten, and the client log shows a message similar to this:

"Replaced the spoofed ip 172.16.10.10 to original IP 0.0.0.0 in ICMP packet"

The traffic never reaches its destination.

Resolution

Customers can either upgrade to an ADC version that contains the fix, which is available from 13.0-64.35 and above.

As an alternative, customers can configure a custom value for the "-fqdnSpoofedIP" parameter, for example 169.254.0.0/16, and make sure that this segment is not used by any internal or intranet destination.

Problem Cause

Documented Bug: NSHELP-23912. Fixed in V13.0 build 64.35 and above.


The VPN parameter -fqdnSpoofedIP has an inadequate default value of 172.16.0.0/16, a range that is commonly used for real intranet addressing. A more reasonable default would be, for example, 169.254.0.0/16.


Even if you do not explicitly configure the spoofed IP settings under the session action, the ADC Gateway pushes the configuration below to the client, which includes the default SpoofedIP range "FQDN-SpoofedIP": {"IPv4": "172.16.0.0","IPv4-Prefix": 16}. This can be seen in the client logs.

When this is in effect and the client tries to reach a device on that network segment, such as 172.16.2.5 on any port, the destination falls inside the default spoofed IP range, so the VPN client attempts to convert it to a real IP.

But because "172.16.2.5" is not a spoofed IP that the Gateway client app handed out, the client cannot map it to a real IP. It falls back to 0.0.0.0 as the destination, the packet fails, and the traffic never reaches the correct destination.
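The reverse-mapping step described above, modelled as an added example (constructed illustration, not Citrix code): the client only knows the spoofed addresses it handed out for resolved FQDNs, so a destination that merely falls inside the spoofed range collapses to 0.0.0.0. The mapping table, the intranet subnet list and the function names are assumptions for the illustration; the second function is the overlap check an administrator would want to run on a candidate -fqdnSpoofedIP value before deploying the workaround.

```python
"""Model of the VPN client's spoofed-IP reverse mapping from CTX335902.

Constructed illustration, not Citrix code.  The client hands out addresses
from the -fqdnSpoofedIP range for resolved FQDNs and, on egress, maps a
spoofed destination back to the real IP.  A destination inside the range
that was never handed out has no mapping and becomes 0.0.0.0.
"""
import ipaddress

DEFAULT_SPOOFED_RANGE = ipaddress.ip_network("172.16.0.0/16")  # default named in the article
SAFER_SPOOFED_RANGE = ipaddress.ip_network("169.254.0.0/16")   # workaround value from the article

# Constructed mapping table: spoofed IP handed out for an FQDN -> real IP.
SPOOFED_TO_REAL = {"172.16.0.3": "10.0.5.20"}


def rewrite_destination(dst, spoofed_range, table):
    """Return the destination IP the client will actually send to.

    Outside the spoofed range the packet is left untouched.  Inside it, a
    known spoofed IP becomes its real IP; an unknown one becomes 0.0.0.0,
    which is the failure reported for hosts that really live in 172.16/16.
    """
    if ipaddress.ip_address(dst) not in spoofed_range:
        return dst
    return table.get(dst, "0.0.0.0")


def overlapping_intranet_subnets(spoofed_range, intranet_subnets):
    """Check a candidate -fqdnSpoofedIP value against the intranet address plan.

    Any overlap means real hosts would be treated as spoofed addresses, so
    the returned list must be empty before the range is deployed.
    """
    return [str(n) for n in map(ipaddress.ip_network, intranet_subnets)
            if n.overlaps(spoofed_range)]


if __name__ == "__main__":
    intranet = ["10.0.0.0/8", "172.16.0.0/16"]  # constructed address plan
    for rng in (DEFAULT_SPOOFED_RANGE, SAFER_SPOOFED_RANGE):
        print(rng, "-> 172.16.2.5 sent to",
              rewrite_destination("172.16.2.5", rng, SPOOFED_TO_REAL),
              "| overlaps:", overlapping_intranet_subnets(rng, intranet))
```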