Bug ID 1054041: Neuron-based platforms may activate SYN Cookies for the wrong virtual server

Last Modified: Apr 24, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,, 16.1.4,,,, 17.0.0,,

Opened: Oct 11, 2021

Severity: 3-Major


Virtual servers that are not expected to be in SYN Cookie mode are indeed SYN Cookie checked by the HW. A wildcard Virtual Server that listens on any IP address and any port, enters correctly in full-hardware SYN Cookie mode. At the same time, another virtual server that listens on any IP address and a specific port enters incorrectly in SYN Cookie mode. The incorrect SYN Cookie activation on the more specific virtual server can be observed by looking at the output of 'tmsh show ltm virtual <virtual_name>', where the SYN Cookie status is 'not-activated', but the 'Total Hardware Accepted' counter keeps increasing: SYN Cookies Status not-activated Hardware SYN Cookie Instances 0 Software SYN Cookie Instances 0 Current SYN Cache 0 SYN Cache Overflow 0 Total Software 0 Total Software Accepted 0 Total Software Rejected 0 Total Hardware 0 Total Hardware Accepted 1827


- SYN Cookies are incorrectly activated also on the more specific virtual server, that listens on a specific port; - Unreliable SYN Cookie statistics on the more specific virtual server.


- Platforms with Neuron support (BIG-IP iSeries) - Overlapping virtual servers that only differ in destination port, such that one has a specific port and the other has 'any' - SYN Cookies are activated on the less-specific virtual server, that listens on port 'any'



Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips