Last Modified: Jul 19, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1
Opened: Mar 07, 2025
Severity: 3-Major
On a vCMP guest, if a virtual server enters hardware syncookie mode because of a SYN flood while it is also passing a significant amount of valid traffic, it may never exit syncookie mode.
SYN cookies may continue to be issued for that virtual server even after the attack has stopped.
-- vCMP guest
-- Hardware syncookie mode
Remove traffic from the affected virtual server until its syncookie protection deactivates. One way to do this without dropping established connections is a cli transaction that deletes the virtual server and, in the same transaction, creates an identical virtual server under a new name.

Example: assume my_vs1 is the existing virtual server listening on 10.10.10.16:80. In tmsh:

    create /cli transaction
    delete ltm virtual my_vs1
    create ltm virtual my_vs2 destination 10.10.10.16:80 pool pool1 profiles add { fastL4 } source-address-translation { type automap }
    submit /cli transaction

Give my_vs2 the same destination, pool, profiles and source-address-translation settings that my_vs1 has; the pool and profile names above are placeholders. Because both changes are submitted in one transaction, the destination is never claimed by two virtual servers at the same time.

When the transaction is submitted, the first virtual server is deleted, but its existing TCP connections are maintained, and the new virtual server is created and accepts new connections. Because syncookie state is tracked per virtual server, the new virtual server does not start in hardware syncookie mode.
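To confirm a virtual server is actually stuck before swapping it, compare two `tmsh show ltm virtual` snapshots taken after the flood has ended: if the status is still full-hardware and the hardware cookie counter keeps growing, cookies are still being issued. The script below is an added example, not F5's code or part of this article; it assumes the names my_vs1, my_vs2, pool1 and 10.10.10.16:80 from the workaround, that tmsh accepts a script on stdin, and it embeds two constructed, abridged `show` outputs so the parsing and transaction generation can be exercised off the box.

```shell
#!/bin/sh
# Added example, not part of the F5 article. Assumed names: my_vs1 / my_vs2,
# pool1, destination 10.10.10.16:80, and that `tmsh` reads a script from stdin.
# The two "show" outputs below are constructed, abridged samples of
# `tmsh show ltm virtual my_vs1`, taken a minute apart after the flood ended.

SAMPLE_T0='Ltm::Virtual Server: my_vs1
Status
  Availability     : available
  State            : enabled
  Destination      : 10.10.10.16:80

SYN Cookies
  Status                          full-hardware
  Hardware SYN Cookie Instances               1
  Software SYN Cookie Instances               0
  Total Software                              0
  Total Hardware                         184233
  Total Hardware Accepted                 91870'

SAMPLE_T1='Ltm::Virtual Server: my_vs1
Status
  Availability     : available
  State            : enabled
  Destination      : 10.10.10.16:80

SYN Cookies
  Status                          full-hardware
  Hardware SYN Cookie Instances               1
  Software SYN Cookie Instances               0
  Total Software                              0
  Total Hardware                         190001
  Total Hardware Accepted                 94512'

# Print one field ("Status", "Total Hardware", ...) from the SYN Cookies block of
# `tmsh show ltm virtual <vs>` output supplied on stdin. Only that block is read,
# so the unrelated "Status" section at the top of the output is ignored.
syncookie_field() {
  awk -v want="$1" '
    $1 == "SYN" && $2 == "Cookies" { in_block = 1; next }
    in_block && NF >= 2 {
      key = $1
      for (i = 2; i < NF; i++) key = key " " $i
      if (key == want) { print $NF; exit }
    }'
}

# Succeed (exit 0) when the second sample still shows hardware syncookie mode and
# the hardware cookie counter grew between the two samples, i.e. cookies are
# still being issued although the SYN flood has stopped.
still_issuing() {
  status=$(printf '%s\n' "$2" | syncookie_field "Status")
  a=$(printf '%s\n' "$1" | syncookie_field "Total Hardware")
  b=$(printf '%s\n' "$2" | syncookie_field "Total Hardware")
  [ "$status" = "full-hardware" ] && [ "${b:-0}" -gt "${a:-0}" ]
}

# Emit the tmsh transaction from the workaround: delete $1 and recreate it as $2
# with destination $3 and pool $4, atomically, so the destination is never held
# by two virtual servers. Profiles and SNAT must mirror the original; the
# fastL4 profile and automap SNAT here are placeholders.
swap_transaction() {
  cat <<EOF
create /cli transaction
delete ltm virtual $1
create ltm virtual $2 destination $3 pool $4 profiles add { fastL4 } source-address-translation { type automap }
submit /cli transaction
EOF
}

# Live use on the vCMP guest (assumed invocation: sh syncookie_swap.sh --apply).
# Skipped when tmsh is absent, so the functions above can be exercised anywhere.
if [ "${1:-}" = "--apply" ] && command -v tmsh >/dev/null 2>&1; then
  t0=$(tmsh show ltm virtual my_vs1)
  sleep 60
  t1=$(tmsh show ltm virtual my_vs1)
  if still_issuing "$t0" "$t1"; then
    swap_transaction my_vs1 my_vs2 10.10.10.16:80 pool1 | tmsh
    # The replacement should no longer report full-hardware.
    tmsh show ltm virtual my_vs2 | syncookie_field "Status"
  fi
fi
```

Review the generated transaction before feeding it to tmsh, and take the two snapshots well after the flood has subsided; a counter that still grows during an ongoing attack is expected behaviour, not this defect.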
None