Bug ID 1102429: iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases.

Last Modified: Feb 14, 2024

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 16.1.0, 16.1.1, 16.1.2, 16.1.3, 17.0.0

Fixed In:
17.1.0, 16.1.4, 15.1.9

Opened: Apr 25, 2022

Severity: 3-Major


Invoking the iRule command 'reject' under the iRule event 'FLOW_INIT' may, in some cases, fail to send out the intended reject packet (i.e. TCP reset or ICMP port unreachable).


The connection is actually removed from the BIG-IP system's connection table, and correctly does not progress. However, without a reject packet the client may retransmit its initial packet or persist in opening more connections.


The issue occurs when the BIG-IP system does not have a route back to the client, and should instead deliver the reject packet by means of autolasthop.



Fix Information

iRule 'reject' command under 'FLOW_INIT' event now works correctly even when autolasthop should be employed to deliver the reject packet back to the client.
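
To audit for exposure on an unfixed version, the following added example (not F5's code and not part of this bug record) scans iRule source text for a 'reject' call inside a 'FLOW_INIT' handler, the combination this bug describes. The function names and the sample iRules are constructed for illustration; the input is assumed to be a mapping of iRule name to source text exported from the configuration.

```python
import re

# Opening of an event handler: when FLOW_INIT [priority N] {
EVENT_RE = re.compile(r"\bwhen\s+FLOW_INIT\b[^{\n]*\{")
# 'reject' in command position: at line start or right after ';', '{' or '['.
REJECT_RE = re.compile(r"(?:^|[;{\[])\s*reject\b", re.MULTILINE)

def strip_comments(text):
    """Drop Tcl comment lines so a commented-out 'reject' is not reported."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def event_bodies(text):
    """Yield the brace-balanced body of every 'when FLOW_INIT' block."""
    for m in EVENT_RE.finditer(text):
        depth, start = 1, m.end()
        for i in range(start, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield text[start:i]
                    break

def rules_rejecting_in_flow_init(rules):
    """Return sorted names of iRules that call 'reject' inside FLOW_INIT."""
    hits = []
    for name, source in rules.items():
        clean = strip_comments(source)
        if any(REJECT_RE.search(body) for body in event_bodies(clean)):
            hits.append(name)
    return sorted(hits)

# Constructed sample iRules (not taken from any real configuration).
SAMPLE_RULES = {
    "block_src": 'when FLOW_INIT {\n    if { [IP::client_addr] eq "192.0.2.10" } {\n'
                 "        reject\n    }\n}\n",
    "late_reject": "when CLIENT_ACCEPTED {\n    reject\n}\n",
    "commented": 'when FLOW_INIT priority 100 {\n    # reject\n'
                 '    log local0. "flow seen"\n}\n',
}

if __name__ == "__main__":
    print(rules_rejecting_in_flow_init(SAMPLE_RULES))
```

A hit only shows that an iRule uses the affected command and event; the bug additionally requires a version listed under Known Affected Versions and a client that the BIG-IP system can reach only through autolasthop.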

Behavior Change
