Last Modified: Oct 04, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.0.0, 17.0.0.1, 17.0.0.2
Opened: Oct 11, 2021
Severity: 3-Major
Virtual servers that are not expected to be in SYN Cookie mode are nevertheless SYN Cookie checked by the hardware. A wildcard virtual server that listens on any IP address and any port correctly enters full-hardware SYN Cookie mode. At the same time, another virtual server that listens on any IP address and a specific port incorrectly enters SYN Cookie mode.

The incorrect SYN Cookie activation on the more specific virtual server can be observed in the output of 'tmsh show ltm virtual <virtual_name>', where the SYN Cookie status is 'not-activated' but the 'Total Hardware Accepted' counter keeps increasing:

    SYN Cookies
      Status                           not-activated
      Hardware SYN Cookie Instances    0
      Software SYN Cookie Instances    0
      Current SYN Cache                0
      SYN Cache Overflow               0
      Total Software                   0
      Total Software Accepted          0
      Total Software Rejected          0
      Total Hardware                   0
      Total Hardware Accepted          1827
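The mismatch described above (status 'not-activated' while 'Total Hardware Accepted' keeps rising) can be checked from two captures of that command taken some time apart. This is an added example, not F5 code; the function names, the second capture's counter value, and the assumption that counters print as plain integers in an indented "SYN Cookies" section are assumptions.

```bash
# Added example, not F5 code. Assumes an indented "SYN Cookies" section
# and plain-integer counters in the captured tmsh output.

# Print one field's value from the "SYN Cookies" section of tmsh output (stdin).
syn_field() {
    awk -v want="$1" '
        /^[ \t]*SYN Cookies[ \t]*$/ { in_sc = 1; next }
        !in_sc || NF < 2 { next }
        { label = $0
          sub(/[ \t]+[^ \t]+[ \t]*$/, "", label)   # strip the trailing value
          sub(/^[ \t]+/, "", label)                # strip indentation
          if (label == want) { print $NF; exit } }'
}

# $1 = earlier capture, $2 = later capture of the same virtual server.
# Returns 0 when the later capture still reports not-activated while
# Total Hardware Accepted grew, 1 when consistent, 2 on unparsable input.
syn_cookie_mismatch() {
    local status a b
    status=$(printf '%s\n' "$2" | syn_field "Status")
    a=$(printf '%s\n' "$1" | syn_field "Total Hardware Accepted")
    b=$(printf '%s\n' "$2" | syn_field "Total Hardware Accepted")
    [ -n "$status" ] && [ -n "$a" ] && [ -n "$b" ] || return 2
    case "$a$b" in *[!0-9]*) return 2 ;; esac
    [ "$status" = "not-activated" ] && [ "$b" -gt "$a" ]
}

# Constructed sample capture (abbreviated); $1 = Total Hardware Accepted.
make_capture() {
    printf '%s\n' "SYN Cookies" "  Status  not-activated" \
        "  Hardware SYN Cookie Instances  0" "  Total Hardware  0" \
        "  Total Hardware Accepted  $1"
}

# 1827 is the value shown above; 1960 is a constructed later reading.
if syn_cookie_mismatch "$(make_capture 1827)" "$(make_capture 1960)"; then
    echo "mismatch: hardware accepts rising while status is not-activated"
fi
```
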
- SYN Cookies are also incorrectly activated on the more specific virtual server, which listens on a specific port.
- SYN Cookie statistics on the more specific virtual server are unreliable.
- Platforms with Neuron support (BIG-IP iSeries).
- Overlapping virtual servers that differ only in destination port, such that one has a specific port and the other has 'any'.
- SYN Cookies are activated on the less-specific virtual server, which listens on port 'any'.
None
None