Bug ID 570973: L7 hardware syn cookie feature is broken in BIG-IP v12.0.0 hf1 and hf2

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1 HF1

Opened: Feb 01, 2016

Severity: 2-Critical

Symptoms

In BIG-IP v12.0.0 hf1 and hf2 hardware syn cookie feature for L7 (e.g. Standard Virtual Server type or FastL4 with http profile) virtual server is broken due to HSB bitstream update with a new hardware syn cookie algorithm. It does not impact 12.0.0 base release.

Impact

When syncookie protection is triggered, ingress legitimate traffic may be dropped by BIG-IP.

Conditions

Hardware syn cookie is enabled (which is the default setting) on L7 virtual server.

Workaround

Disable hardware syn cookie on L7 virtual servers. Note: After this workaround you may encounter Bug ID 555020 SW syncookies and windowscaling will cause 3WHS to fail on L7 VIP in which case you would need to apply the workaround from that as well.

Fix Information

This bug is fixed in 12.0.0-hf3 and 12.1.0.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips