Last Modified: Jun 19, 2026
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
17.5.1, 17.5.1.2, 17.5.1.3, 17.5.1.4, 17.5.1.5, 17.5.1.6
Opened: Jun 09, 2026 Severity: 3-Major
When a FastL4 forwarding virtual server is actively in full-software SYN cookie protection mode, and the associated FastL4 profile is modified (any L4 setting change, e.g., idle-timeout, syn-cookie-enable), the SYN cookie runtime state becomes permanently latched. The virtual server remains stuck in full-software SYN cookie status indefinitely, even after: - The SYN flood/attack traffic has completely subsided - SYN cookie protection is explicitly disabled in the FastL4 profile (syn-cookie-enable disabled) - The global and per-VIP SYN cookie thresholds are raised significantly - Profile configuration reloads are performed The status only clears upon a TMM restart Observable symptom: tmsh show /ltm virtual /Common/vs_forwarding | grep -i "syn cookie" Status full-software Current SYN Cache 0 The Current SYN Cache drops to 0 (no active attack), but the Status remains full-software
- The forwarding virtual server becomes permanently stuck in full-software SYN cookie mode - Legitimate TCP traffic may be rejected, or experience degraded behavior while SYN cookie mode remains active (e.g., TCP options such as timestamps and SACK may not be honored) - The condition persists across profile configuration reloads and cannot be resolved without restarting TMM, leading to service disruption - Disabling SYN cookie protection in the FastL4 profile after the fact does not clear the stuck state
Conditions Required for the Issue to Occur: - A forwarding virtual server (with translate-address and translate-port both disabled) is configured with a FastL4 profile - The virtual server enters full-software SYN cookie protection mode, triggered by a SYN flood or traffic burst exceeding the SYN cookie threshold - The FastL4 profile is modified (any setting change) while the virtual server is actively in SYN cookie protection mode Platform and Version Affected: - Observed on BIG-IP 17.5.1 running on the rSeries r10900 platform
Restart TMM to clear the stuck SYN cookie state: tmsh restart sys service tmm Impact: Restarting TMM will cause a brief traffic interruption. It is recommended to perform this action during a maintenance window Workaround Status: There is currently no non-disruptive workaround to clear the stuck state without restarting TMM Preventive Measure: Avoid modifying the FastL4 profile while the virtual server is actively in SYN cookie protection mode
None