Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.4.0, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2
Opened: Jan 05, 2015 Severity: 2-Critical Related Article:
K31310380
An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.
Many connections delayed and CPU usage is very high. Peak usage is around 90%. Traffic suffers severe deterioration.
When an ACK with an 'invalid' sequence number is received, the resulting calculations involving the incoming seqno and rcv_nxt causes an outgoing ACK to be generated which will repeat if the server behavior repeats.
None.
This problem is now corrected by ensuring that when outgoing ACK is being generated that the FIN is stripped if it is not a retransmission of the FIN.