Bug ID 493743: TCP4 filter allows non-SYN packet to create new connflow after sending RST.

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.0.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 12.0.0 HF1

Opened: Dec 01, 2014

Severity: 2-Critical

Related Article: K36717289

Symptoms

The TCP4 filter allows a non-SYN packet to create a new connflow after sending RST.

Impact

A new connflow might be created after RST is sent. Data might be treated as a valid SYN cookie by the FPGA.

Conditions

BIG-IP series 5000, 7000, 10000, and 12000 platforms and VIPRION B2100, B2200, and B4300 blades, which have hardware SYN cookie protection enabled by default.

Workaround

Change the sys db variable connection.syncookies.algorithm to 'software'.

Fix Information

BIG-IP series 5000, 7000, 10000, and 12000 platforms and VIPRION B2100, B2200, and B4300 blades with hardware SYN cookie protection enabled by default no longer allow a new connflow to be created after RST is sent.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips