Last Modified: Apr 24, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3
Opened: Apr 14, 2022 Severity: 3-Major
Virtual servers may complete a three-way handshake before resetting a connection when they are disabled or when iRules process traffic for disabled virtual servers.
When a virtual server is marked as disabled and a client attempts to connect to it, tmm will normally send a reset to the first SYN packet. However, if you then administratively disable the pool ( disabled pool members - Not forced offline) tmm will complete the three-way handshake before sending resets. Additionally, when in this state, iRules will process and can pass traffic to pools if the iRule is configured to do that even though the virtual server status is disabled.
-- Virtual Server with a pool assigned -- Pool is disabled administratively
Avoid marking pools disabled or use forced offline for virtual servers that you want to administratively disable.
None