Bug ID 1391525

Bug Tracker
ID 1391525

Bug ID 1391525: Timestamp Cookies and ePVA acceleration are incompatible on VELOS and rSeries platforms

Last Modified: Jul 24, 2024

Affected Product(s):
BIG-IP AFM, F5OS, LTM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3

Opened: Nov 01, 2023

Severity: 3-Major

Symptoms

VELOS and rSeries platforms don't support Timestamp Cookies when ePVA acceleration is enabled. When Timestamps Cookies and ePVA acceleration are enabled, the BIG-IP Tenant sends TCP segments to the clients with the wrong TSecr value (part of the TCP Timestamps option). Some clients drop these segments because they don't match any of the Timpestamps TSval values of the segments they previously sent to the BIG-IP Tenant.

Impact

The BIG-IP Tenant sends TCP segments with a wrong TCP TSecr value to the clients when Timestamp Cookies are enabled and ePVA acceleration is used. Some clients drop these packets and eventually the TCP connection times out. Some clients may issue a TCP reset.

Conditions

- VELOS or rSeries platform running a BIG-IP Tenant - A Virtual Server with a fastl4 profile with PVA acceleration enabled and tcp-timestamp-mode set to 'preserve' - Timestamp Cookies enabled (this is an AFM feature): security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie enabled }}

Workaround

- Disable TS cookies: "tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie disabled }}" OR - Disable PVA acceleration in the fastl4 profile: "tmsh modify ltm profile fastl4 <profile_name> pva-acceleration none"

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips