Bug ID 1042153: AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN.

Last Modified: Jul 24, 2024

Affected Product(s):
BIG-IP AFM (all modules)

Fixed In:
17.1.1, 17.0.0, 16.1.5, 15.1.10

Opened: Aug 21, 2021

Severity: 3-Major

Symptoms

The BIG-IP system is unable to restore the Timestamp (by replacing the TS cookie) when the packet is offloaded to hardware. This happens only when the TS cookie is enabled on either of the VLANs (client/server); when the TS cookie is enabled on both VLANs, no issues are seen.

Impact

The TS cookie is not restored to its original value when the SYN packet is processed by software in BIG-IP and the SYNACK is handled by the hardware in BIG-IP. As a result, the RTT calculation on the end hosts (client/server) is incorrect, which causes various issues (for example, it blocks Internet access from hosts in the backend infrastructure).
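A way to check for this symptom in a capture taken on the host that sent the SYN, as an added example that is not part of F5's bug report: it parses the TCP Timestamp option (RFC 7323) and tests whether the SYN-ACK's TSecr echoes the SYN's TSval. It assumes the unrestored TS cookie appears at that host as a non-matching TSecr; the function names and header bytes are constructed for illustration.

```python
import struct

def tcp_timestamps(tcp_header: bytes):
    """Return (TSval, TSecr) from a raw TCP header, or None if the option is absent."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad TCP data offset")
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                # End of Option List
            break
        if kind == 1:                                # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                    # option cut off before its length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                    # malformed option, stop parsing
        if kind == 8 and length == 10:               # Timestamp option
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return None

def echo_is_intact(syn: bytes, synack: bytes) -> bool:
    """True if the SYN-ACK's TSecr equals the TSval carried in the SYN."""
    sent, got = tcp_timestamps(syn), tcp_timestamps(synack)
    if sent is None or got is None:
        return True                                  # timestamps not negotiated, nothing to compare
    return got[1] == sent[0]

def build_header(flags: int, tsval: int, tsecr: int) -> bytes:
    """Constructed sample: 32-byte TCP header with NOP, NOP, Timestamp options."""
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 8 << 4, flags, 65535, 0, 0)
    return fixed + bytes([1, 1, 8, 10]) + struct.pack("!II", tsval, tsecr)

# Constructed headers: one SYN, one correct SYN-ACK, one with a foreign TSecr.
SYN = build_header(0x02, 0x11223344, 0)
SYNACK_OK = build_header(0x12, 0x55667788, 0x11223344)
SYNACK_BAD = build_header(0x12, 0x55667788, 0xDEADBEEF)

if __name__ == "__main__":
    print("restored echo intact:  ", echo_is_intact(SYN, SYNACK_OK))
    print("unrestored echo intact:", echo_is_intact(SYN, SYNACK_BAD))
```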

Conditions

Configure the TCP BADACK Flood DDoS vector to start mitigation at a given value, and enable TS cookies on the server VLAN.

Workaround

Use a fastL4 profile with EST mode, i.e. change 'pva-offload-state' to EST.

Fix Information

Restoring the Timestamp now works correctly.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips