Last Modified: Apr 10, 2019
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9
Opened: Jan 06, 2015
The db variable tm.minipfragsize was set to 576 by default on the 11.5.1-hf6 image. This means that BIG-IP will not process packets with a payload length of less than 576 bytes. When the MTU is set to 576, the payload length is 576 minus the IP header length (typically 20 bytes), so the 576-byte fragmented packets were being dropped. The workaround is to set the db variable to 552 so that the fragments pass the IP minimum size check.
Data traffic does not pass through BIG-IP if ESP is fragmented.
The MTU is set to 576 on the interface of an intermediate node before BIG-IP, and the db variable tm.minipfragsize is set to anything greater than 552. When ESP packets reach BIG-IP as fragments of size 576 bytes, BIG-IP drops them.
Set the db variable tm.minipfragsize to 552 when the MTU is set to 576 on any node before BIG-IP.
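
The arithmetic behind the 552 value, as an added example that is not F5 code: IPv4 fragment offsets count 8-byte units, so a 576-byte MTU with a 20-byte header yields 552-byte fragment payloads rather than 556. The function names, the 1480-byte sample datagram, and the treatment of the final fragment as exempt from the check are assumptions made for illustration.

```python
# Added example (not F5 code): IPv4 fragment payload sizes for a path MTU,
# compared against a minimum-fragment-size threshold like tm.minipfragsize.

IP_HEADER_LEN = 20  # typical IPv4 header without options, as the page assumes


def fragment_payloads(datagram_payload_len, mtu, ip_header_len=IP_HEADER_LEN):
    """Return the payload length of each IPv4 fragment for the given MTU.

    Non-final fragments carry the largest multiple of 8 bytes that fits,
    because the IPv4 fragment offset field counts 8-byte units.
    """
    if mtu < ip_header_len + 8:
        raise ValueError("MTU cannot carry even one 8-byte fragment")
    if datagram_payload_len <= mtu - ip_header_len:
        return [datagram_payload_len]  # fits in one packet, no fragmentation
    max_payload = (mtu - ip_header_len) // 8 * 8
    sizes = []
    remaining = datagram_payload_len
    while remaining > max_payload:
        sizes.append(max_payload)
        remaining -= max_payload
    sizes.append(remaining)  # final fragment carries whatever is left
    return sizes


def dropped_fragments(sizes, min_frag_size):
    """Return indexes of non-final fragments smaller than min_frag_size.

    Assumption for this illustration: the final fragment is exempt from the
    check, since it is naturally shorter than the others.
    """
    return [i for i, size in enumerate(sizes[:-1]) if size < min_frag_size]


if __name__ == "__main__":
    # Constructed sample: a 1480-byte ESP payload crossing a 576-byte MTU hop.
    frags = fragment_payloads(1480, 576)
    print("fragment payloads:", frags)
    for threshold in (576, 553, 552):
        hits = dropped_fragments(frags, threshold)
        print(f"min frag size {threshold}: dropped fragment indexes {hits}")
```
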