Bug ID 1075905: TCP connections may fail when hardware SYN Cookie is active

Last Modified: Jun 20, 2024

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 15.1.4, 15.1.4.1, 15.1.5

Fixed In:
17.1.0, 15.1.5.1, 14.1.5

Opened: Jan 26, 2022

Severity: 2-Critical

Symptoms

When an object is in hardware SYN Cookie mode, some valid connections are also rejected with a "No flow found for ACK" reset cause.

Impact

Service degradation.

Conditions

VELOS and rSeries platforms.

Workaround

Disable hardware SYN Cookie on all objects (virtual server, VLAN, and so on).

Fix Information

Valid connections are now accepted in hardware SYN Cookie mode. A new DB variable, PvaSynCookies.HashMode, has been added; it takes effect only on rSeries and VELOS platforms. This DB variable sets the SYN cookie encoding algorithm to default, xor, or bsd. If a different encoding algorithm would otherwise be automatically selected, this setting overrides that selection. F5 recommends setting the value to "default".

Behavior Change
