Bug ID 570973: L7 hardware syn cookie feature is broken in BIG-IP v12.0.0 hf1 and hf2

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2

Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1 HF1

Opened: Feb 01, 2016
Severity: 2-Critical

Symptoms

In BIG-IP v12.0.0 HF1 and HF2, the hardware SYN cookie feature for L7 virtual servers (e.g., the Standard virtual server type, or FastL4 with an HTTP profile) is broken because of an HSB bitstream update that introduced a new hardware SYN cookie algorithm. The 12.0.0 base release is not impacted.

Impact

When SYN cookie protection is triggered, legitimate ingress traffic may be dropped by BIG-IP.

Conditions

Hardware SYN cookie is enabled (the default setting) on an L7 virtual server.

Workaround

Disable hardware SYN cookie on L7 virtual servers. Note: After applying this workaround, you may encounter Bug ID 555020 (SW syncookies and windowscaling will cause 3WHS to fail on L7 VIP), in which case you need to apply the workaround from that bug as well.

Fix Information

This bug is fixed in 12.0.0-hf3 and 12.1.0.

Behavior Change