Bug ID 1075421: Connections can fail when hardware syncookie mode is activated.

Last Modified: Jan 16, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 16.0.0,, 16.0.1,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,

Fixed In:
17.0.0, 16.1.4, 15.1.7

Opened: Jan 25, 2022

Severity: 3-Major


If a virtual server is in hardware syncookie mode and it is forwarded to TMM0, then the connection can fail. This can happen if CMP demote mode is used, which is possible with certain iRules. You can observe this using a packet capture where the frame is received on non-TMM0 and a RST frame with 'No flow found for ACK' is sent from TMM0.


Connection fails when all TMMs except TMM0 are targeted.


CMP demotion is used. The common cause of this is a non-CMP compatible iRule as described in K13033. There can be other causes.


Prevent CMP demotion. This depends on the cause, but one common cause is due to a non-CMP compatible iRule as described in K13033.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips