Bug ID 591828: For unmatched connection, TCP RST may not be sent for data packet

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM, ASM(all modules)

Known Affected Versions:
11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.6.0, 11.6.1, 11.6.2, 11.6.3,,, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3

Fixed In:
13.0.0,,, 11.5.7

Opened: May 06, 2016

Severity: 3-Major

Related Article: K52750813


When TCP connection times out (no entry in 'show sys conn'), and subsequent data packet comes in (not SYN), The BIG-IP system does not send a RST to the client to reset the connection.


Client retransmits several times and then terminates TCP connection. There is no RST sent from BIG-IP to client for unmatched connection.


This issue occurs if AFM is provisioned. Additionally, in BIG-IP v12.1.0 and above, it occurs if ASM is provisioned (regardless of AFM provisioning). -- Packets other than SYN with no entry in the connection table arrive. This can occur either after a failover (when mirroring is disabled) when traffic arrives at the newly-active system, or can occur if the relevant virtual server has 'reset-on-timeout' disabled.


Enable the reset on timeout option to send TCP RST to client when connection times out. Note: This workaround does not address the circumstances where a newly-active BIG-IP system receives traffic (e.g. after a failover or system reboot).

Fix Information

The BIG-IP system now sends a TCP RST for unknown connections so the clients and backend servers can start a new connection.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips