Bug ID 1116813: Some of the valid connections may get rejected in HW SYN cookie mode

Last Modified: Jul 10, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.5, 13.1.5.1, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2

Fixed In:
17.1.0, 15.1.9

Opened: Jun 17, 2022

Severity: 3-Major

Symptoms

Due to algorithm mismatch in software and hardware, valid TCP connections may get rejected with "No flow found for ACK' reset-cause while HW SYN cookie mode is active.

Impact

Service degradation.

Conditions

In vCMP environment either the host or the guest is installed with an affected version.

Workaround

Disable HW SYN cookie globally on the guest.

Fix Information

SYN cookie hash algorithm is correctly selected on vCMP guests.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips