Last Modified: May 29, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6
Opened: Dec 03, 2021
Severity: 3-Major
When a wildcard or subnet virtual server that listens on a specific VLAN or list of VLANs enters HW SYN Cookie mode, its Neuron rule jumps to the top of the priority list and therefore catches the SYN packets of other virtual servers that have an overlapping destination address and are configured to listen on all VLANs.
Virtual servers that are not in SYN Cookie mode, and that may even have SYN Cookie disabled, do not receive the TCP SYN packets. The limited number of possible MSS values may cause a slight performance degradation.
- On platforms with Neuron support (BIG-IP iSeries).
- Wildcard or subnet virtual server that listens on a list of VLANs and other overlapping virtual servers that listen on all VLANs.
Disable HW SYN Cookie on the wildcard virtual server.
None
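The conditions above can be checked against a virtual server inventory. The following is an added example, not F5 code: the inventory is constructed sample data, the field names (`name`, `dest`, `vlans`) are hypothetical, and only destination address overlap is compared; platform and software version are not checked.

```python
import ipaddress
from itertools import product

# Constructed sample inventory (not from a real device). "vlans" is None when
# the virtual server listens on all VLANs, otherwise the set of enabled VLANs.
VIRTUALS = [
    {"name": "vs_wild_dmz", "dest": "0.0.0.0/0", "vlans": {"dmz"}},
    {"name": "vs_subnet_int", "dest": "10.20.0.0/16", "vlans": {"internal", "dmz"}},
    {"name": "vs_app_all", "dest": "10.20.5.10/32", "vlans": None},
    {"name": "vs_web_all", "dest": "192.0.2.80/32", "vlans": None},
    {"name": "vs_host_dmz", "dest": "198.51.100.7/32", "vlans": {"dmz"}},
    {"name": "vs_v6_all", "dest": "2001:db8::10/128", "vlans": None},
]


def is_wildcard_or_subnet(net):
    """True for any destination wider than a single host address."""
    return net.prefixlen < net.max_prefixlen


def find_exposed_pairs(virtuals):
    """Return sorted (vlan_restricted_wildcard, all_vlan_virtual) name pairs
    whose destination addresses overlap, i.e. the condition in this record."""
    parsed = [(v, ipaddress.ip_network(v["dest"], strict=False)) for v in virtuals]
    # Candidates whose rule could take priority: VLAN-restricted wildcard/subnet.
    catchers = [(v, n) for v, n in parsed if v["vlans"] and is_wildcard_or_subnet(n)]
    # Candidates that could lose their SYN packets: listening on all VLANs.
    listeners = [(v, n) for v, n in parsed if v["vlans"] is None]
    pairs = []
    for (c, cnet), (t, tnet) in product(catchers, listeners):
        # overlaps() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        if cnet.version == tnet.version and cnet.overlaps(tnet):
            pairs.append((c["name"], t["name"]))
    return sorted(pairs)


def virtuals_to_review(virtuals):
    """Names of the VLAN-restricted virtual servers the workaround applies to."""
    return sorted({catcher for catcher, _ in find_exposed_pairs(virtuals)})


if __name__ == "__main__":
    for catcher, listener in find_exposed_pairs(VIRTUALS):
        print(f"{catcher} overlaps all-VLAN virtual server {listener}")
    print("Review HW SYN Cookie on:", ", ".join(virtuals_to_review(VIRTUALS)))
```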