Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9
Opened: Jan 06, 2015
Severity: 3-Major
The db variable tm.minipfragsize is set to 576 by default on the 11.5.1-hf6 image. This means that the BIG-IP system does not process packets with a payload length of less than 576 bytes. When the MTU is set to 576, the payload length is 576. Because the IP header length is typically 20 bytes, the BIG-IP system drops the 576-byte fragmented packets. The workaround for this issue is to set the db variable value to 552 so that the packets pass the IP minimum size check.
There are packet drops on the BIG-IP system. Data traffic is not passing the BIG-IP system if ESP is fragmented.
-- MTU set to 576 on the interface of an intermediate node before the BIG-IP system. The db variable tm.minipfragsize set to anything greater than 552.
-- ESP packets reach the BIG-IP system as fragmented with size 576 bytes.
Set the db variable tm.minipfragsize to 552 when the MTU is set to 576 on any node before the BIG-IP system.
None
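The value 552 follows from IP fragmentation arithmetic: 576 minus a 20-byte header is 556, and non-final fragment payloads are rounded down to a multiple of 8. The script below is an added example, not F5 code; it generalizes the calculation to other MTUs and header lengths and prints the matching tmsh command without running it. The function names are hypothetical, and the drop rule (payload below tm.minipfragsize is dropped, applied to non-final fragments) is an assumption taken from the description above.

```shell
#!/bin/sh
# Added example: sizes follow RFC 791 fragmentation rules; the drop rule is
# the one this bug entry describes (assumed to apply to non-final fragments).

# Largest payload a non-final fragment can carry for a given path MTU.
# Fragment offsets count 8-byte units, so the payload is rounded down to a
# multiple of 8. $1 = MTU, $2 = IP header length (default 20, no options).
frag_payload() {
    mtu=$1
    ihl=${2:-20}
    if [ "$ihl" -lt 20 ] || [ "$ihl" -gt 60 ] || [ "$mtu" -le "$ihl" ]; then
        echo "invalid MTU/header length" >&2
        return 1
    fi
    echo $(( (mtu - ihl) / 8 * 8 ))
}

# Verdict for fragments at this MTU under a given tm.minipfragsize value.
# $1 = MTU, $2 = tm.minipfragsize, $3 = IP header length (optional).
frag_verdict() {
    payload=$(frag_payload "$1" "${3:-20}") || return 1
    if [ "$payload" -lt "$2" ]; then
        echo "drop"
    else
        echo "pass"
    fi
}

# Print (not run) the tmsh command that sets the workaround value.
workaround_cmd() {
    payload=$(frag_payload "$1" "${2:-20}") || return 1
    echo "tmsh modify sys db tm.minipfragsize value $payload"
}

# Constructed sample: the MTU 576 case from this entry.
for minfrag in 576 552; do
    echo "MTU 576, tm.minipfragsize $minfrag: $(frag_verdict 576 "$minfrag")"
done
workaround_cmd 576
```

On the BIG-IP system, `tmsh list sys db tm.minipfragsize` shows the value currently in effect before and after the change.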