Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2
Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1 HF1
Opened: Feb 01, 2016 Severity: 2-Critical
In BIG-IP v12.0.0 hf1 and hf2 hardware syn cookie feature for L7 (e.g. Standard Virtual Server type or FastL4 with http profile) virtual server is broken due to HSB bitstream update with a new hardware syn cookie algorithm. It does not impact 12.0.0 base release.
When syncookie protection is triggered, ingress legitimate traffic may be dropped by BIG-IP.
Hardware syn cookie is enabled (which is the default setting) on L7 virtual server.
Disable hardware syn cookie on L7 virtual servers. Note: After this workaround you may encounter Bug ID 555020 SW syncookies and windowscaling will cause 3WHS to fail on L7 VIP in which case you would need to apply the workaround from that as well.
This bug is fixed in 12.0.0-hf3 and 12.1.0.