Bug ID 510612: syncookie and loose init do not work together

Last Modified: Jan 12, 2023

Bug Tracker

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Mar 04, 2015
Severity: 3-Major
Related Article:
K99545311

Symptoms

If a TCP FastL4 virtual server is configured with loose init and syncookie is also enabled:

- syncookie protection will be bypassed if non-SYN packets are received that do not match a flow.
- connections may fail after a long idle period in which the flow data has been deleted from TMM but the client can still try to resume via loose init. With software SYN cookie protection, the BIG-IP system proxies the TCP handshake, then initiates a TCP handshake to the back-end server and attempts to send the data. With hardware SYN cookie protection, the BIG-IP system simply passes the first piece of data after the TCP handshake to the back-end server without sending a SYN.

In both scenarios this is considered an improper configuration.

Impact

Failed ACKs will be sent to the virtual server and cause numerous RESETs. Normal traffic continues without error.

Conditions

TCP virtual server with loose init and with syncookie enabled and triggered.

Workaround

Avoid configuring syncookie and loose init together; the combination is not recommended. Essentially, loose init disables the 3-way handshake check at the BIG-IP system, while syncookie enforces the 3-way handshake check at the BIG-IP system (possibly in hardware). Configuring the two in combination will produce unexpected side effects.
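
As an added audit aid (not part of this bug record or of F5's own tooling), the following Python script scans bigip.conf-style text for FastL4 profiles that set loose-initialization together with hardware-syn-cookie or software-syn-cookie and lists the virtual servers that use them. The configuration text is constructed for the example, and the tmsh key names are assumed to correspond to the settings this record calls loose init and syncookie.

```python
import re
# Constructed sample of bigip.conf text; not taken from any real system.
SAMPLE_CONF = """\
ltm profile fastl4 /Common/fastL4_loose_sc {
    hardware-syn-cookie enabled
    loose-initialization enabled
}
ltm profile fastl4 /Common/fastL4_loose_only {
    loose-initialization enabled
    software-syn-cookie disabled
}
ltm virtual /Common/vs_bad {
    profiles {
        /Common/fastL4_loose_sc { }
    }
}
ltm virtual /Common/vs_ok {
    profiles {
        /Common/fastL4_loose_only { }
    }
}
"""

# Top-level objects of interest; the matching "}" sits at column 0.
BLOCK_RE = re.compile(r"^ltm (profile fastl4|virtual) (\S+) \{$", re.M)

def parse_blocks(conf):
    """Map (kind, name) -> body text for top-level fastl4 profiles and virtuals."""
    blocks = {}
    for m in BLOCK_RE.finditer(conf):
        blocks[(m.group(1), m.group(2))] = conf[m.end():conf.index("\n}\n", m.end())]
    return blocks

def setting(body, key):
    """Value of a 'key value' line inside a block body, or None if not set there."""
    m = re.search(rf"^\s+{re.escape(key)} (\S+)$", body, re.M)
    return m.group(1) if m else None

def conflicting_profiles(conf):
    """fastl4 profiles with loose-initialization and a SYN cookie mode both enabled.
    Only keys set directly on the profile count; defaults-from is not resolved."""
    return [name for (kind, name), body in parse_blocks(conf).items()
            if kind == "profile fastl4"
            and setting(body, "loose-initialization") == "enabled"
            and any(setting(body, k) == "enabled"
                    for k in ("hardware-syn-cookie", "software-syn-cookie"))]

def affected_virtuals(conf):
    """Virtual servers whose profile list references a conflicting fastl4 profile."""
    bad = conflicting_profiles(conf)
    return [name for (kind, name), body in parse_blocks(conf).items()
            if kind == "virtual" and any(
                re.search(rf"^\s+{re.escape(p)} \{{", body, re.M) for p in bad)]
```

Profiles that only inherit a SYN cookie setting through defaults-from are not flagged, so check the parent profile separately when the local block does not set the keys.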

Fix Information

None

Behavior Change