Last Modified: Jul 24, 2024
Affected Product(s):
BIG-IP AFM
Fixed In:
17.1.1, 17.0.0, 16.1.5, 15.1.10
Opened: Aug 21, 2021
Severity: 3-Major
The BIG-IP system is unable to restore the Timestamp (by replacing the TS cookie) when the packet is offloaded to hardware. This happens only when the TS cookie is enabled on either of the VLANs (client/server); when the TS cookie is enabled on both VLANs, no issues are seen.
The TS cookie is not restored to its original value when the SYN packet is processed by software in BIG-IP and the SYNACK is handled by the hardware in BIG-IP. As a result, the end hosts' (client/server) RTT calculation is incorrect, which causes various issues (for example, it blocks Internet access from hosts in the backend infrastructure).
Configure TCP BADACK Flood DDoS vector to start mitigation at a given value and enable TS cookies on the server VLAN.
Use a fastL4 profile with EST mode, i.e. change 'pva-offload-state' to EST.
Restoring the Timestamp is fine.