Bug ID 493743: TCP4 filter allows non-SYN packet to create new connflow after sending RST.

Last Modified: Feb 13, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.0.0

Fixed In:
12.1.0, 12.0.0 HF1

Opened: Dec 01, 2014
Severity: 2-Critical
Related AskF5 Article:
K36717289

Symptoms

The TCP4 filter allows a non-SYN packet to create a new connflow after an RST has been sent.

Impact

A new connflow might be created after an RST is sent. Data might be treated as a valid SYN cookie by the FPGA.

Conditions

BIG-IP series 5000, 7000, 10000, and 12000 platforms and VIPRION B2100, B2200, and B4300 blades, which have hardware SYN cookie protection enabled by default.

Workaround

Change the sys db variable connection.syncookies.algorithm to 'software'.

Fix Information

BIG-IP series 5000, 7000, 10000, and 12000 platforms and VIPRION B2100, B2200, and B4300 blades with hardware SYN cookie protection enabled by default no longer allow a new connflow to be created after an RST is sent.

Behavior Change