Bug ID 1054041: Neuron-based platforms may activate SYN Cookies for the wrong virtual server

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 17.0.0, 17.0.0.1, 17.0.0.2

Opened: Oct 11, 2021
Severity: 3-Major

Symptoms

Virtual servers that are not expected to be in SYN Cookie mode are nonetheless SYN Cookie checked by the hardware. A wildcard virtual server that listens on any IP address and any port correctly enters full-hardware SYN Cookie mode. At the same time, another virtual server that listens on any IP address and a specific port incorrectly enters SYN Cookie mode as well. The incorrect SYN Cookie activation on the more specific virtual server can be observed in the output of 'tmsh show ltm virtual <virtual_name>', where the SYN Cookie status is 'not-activated' but the 'Total Hardware Accepted' counter keeps increasing:

  SYN Cookies Status              not-activated
  Hardware SYN Cookie Instances   0
  Software SYN Cookie Instances   0
  Current SYN Cache               0
  SYN Cache Overflow              0
  Total Software                  0
  Total Software Accepted         0
  Total Software Rejected         0
  Total Hardware                  0
  Total Hardware Accepted         1827
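The mismatch described above (status 'not-activated' while 'Total Hardware Accepted' keeps rising) can be checked from two snapshots of the tmsh output. The script below is an added example, not part of the bug record or F5's tooling; the two snapshots are constructed to mirror the counters quoted above, and the column layout of real tmsh output is assumed to be 'label, two or more spaces, value'.

```python
"""Flag the Bug ID 1054041 symptom: a virtual server reports SYN Cookies
'not-activated' while its 'Total Hardware Accepted' counter advances
between two 'tmsh show ltm virtual <name>' snapshots."""
import re

# Constructed sample snapshots (not real device output). Field names follow
# the counters quoted in the Symptoms section; spacing is an assumption.
SNAPSHOT_T0 = """\
Ltm::Virtual Server: vs_any_ip_port_443
  SYN Cookies Status              not-activated
  Hardware SYN Cookie Instances   0
  Software SYN Cookie Instances   0
  Current SYN Cache               0
  SYN Cache Overflow              0
  Total Software                  0
  Total Software Accepted         0
  Total Software Rejected         0
  Total Hardware                  0
  Total Hardware Accepted         1500
"""
# Second snapshot taken later: only the hardware-accepted counter moved.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("1500", "1827")

# 'label' (letters and single spaces), 2+ spaces, then a single value token.
_LINE = re.compile(r"^\s*(?P<label>[A-Za-z][A-Za-z ]*?)\s{2,}(?P<value>\S+)\s*$")


def parse_syn_cookie_stats(text):
    """Return {label: value} for the label/value lines; numbers become int."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:  # headers such as 'Ltm::Virtual Server: ...' are skipped
            continue
        label, value = m.group("label").strip(), m.group("value")
        stats[label] = int(value) if value.isdigit() else value
    return stats


def hw_syn_cookie_mismatch(before, after):
    """True when the status is still 'not-activated' but hardware-accepted
    SYNs increased between the snapshots, i.e. the bug's signature."""
    b, a = parse_syn_cookie_stats(before), parse_syn_cookie_stats(after)
    delta = a.get("Total Hardware Accepted", 0) - b.get("Total Hardware Accepted", 0)
    return a.get("SYN Cookies Status") == "not-activated" and delta > 0


if __name__ == "__main__":
    print("phantom hardware SYN Cookie activity:",
          hw_syn_cookie_mismatch(SNAPSHOT_T0, SNAPSHOT_T1))
```

On a real system, feed the function the saved output of two runs of 'tmsh show ltm virtual <virtual_name>' taken some time apart; a True result on a virtual server that should not be in SYN Cookie mode matches the behaviour this bug describes.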

Impact

- SYN Cookies are incorrectly activated also on the more specific virtual server, which listens on a specific port.
- Unreliable SYN Cookie statistics on the more specific virtual server.

Conditions

- Platforms with Neuron support (BIG-IP iSeries).
- Overlapping virtual servers that differ only in destination port, such that one has a specific port and the other has 'any'.
- SYN Cookies are activated on the less-specific virtual server, which listens on port 'any'.

Workaround

None

Fix Information

None

Behavior Change