Bug ID 597823: Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10

Fixed In:
13.0.0

Opened: Jun 07, 2016

Severity: 3-Major

Symptoms

When tmm uses a software encoding algorithm to generate syncookies in a SYN/ACK packet, there is a chance that HSB might mistakenly identify the ACK response to the SYN/ACK as a valid syncookie response and stamp a SYNCOOKIE_VALID flag on the packet. In that case, software processes try to extract the MSS (maximum segment size) value encoded in the syncookie, and the extracted value is wrong. This may cause the connection to fail in subsequent transactions, or cause performance degradation.

Impact

Connections either fail, or the smaller, incorrect MSS value causes performance degradation.

Conditions

Software syncookie protection mode is activated and a software encoding algorithm is being used.

Workaround

None.

Fix Information

If a software syncookie encoding algorithm is being used, tmm now ignores the SYNCOOKIE_VALID flag stamped by HSB, so the correct MSS value is calculated.
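The failure described under Symptoms and the behavior described under Fix Information can be modelled in a few lines. This is an added example, not F5 code: the two cookie layouts, the MSS tables, the keyed mixer and every function and struct name are constructed for illustration, and the mistaken hardware verdict is modelled as a flag already set on the packet descriptor.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed toy layouts, NOT the BIG-IP algorithms:
 *   software cookie: [29-bit tag | 3-bit MSS index]
 *   hardware cookie: [30-bit tag | 2-bit MSS index] */
static const uint16_t SW_MSS[8] = {216, 536, 768, 996, 1220, 1300, 1440, 1460};
static const uint16_t HW_MSS[4] = {536, 1024, 1300, 1460};

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t client_isn; };
/* cookie is the ACK number minus 1; the flag stands in for SYNCOOKIE_VALID. */
struct ack_pkt { uint32_t cookie; bool hw_syncookie_valid; };

/* Stand-in keyed mixer (murmur3 finalizer); a real stack would use a keyed hash. */
static uint32_t tag(const struct flow *f, uint32_t key) {
    uint32_t h = key ^ f->saddr ^ (f->daddr * 0x9e3779b1u) ^
                 ((uint32_t)f->sport << 16 | f->dport) ^ (f->client_isn * 0x85ebca6bu);
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u; h ^= h >> 16;
    return h;
}

/* Software encoder: index of the largest table entry not above the client MSS
 * goes into the low 3 bits (anything below the table minimum maps to index 0). */
uint32_t sw_encode(const struct flow *f, uint32_t key, uint16_t client_mss) {
    uint32_t idx = 0;
    for (uint32_t i = 0; i < 8; i++) if (SW_MSS[i] <= client_mss) idx = i;
    return (tag(f, key) << 3) | idx;
}

/* Software validation: recompute the tag; 0 means "not a cookie we issued". */
uint16_t sw_decode(const struct flow *f, uint32_t key, uint32_t cookie) {
    if ((cookie >> 3) != (tag(f, key) & 0x1fffffffu)) return 0;
    return SW_MSS[cookie & 7];
}

/* Before the fix: the hardware flag is trusted, so a software-encoded cookie
 * is read with the hardware layout and yields the wrong MSS. */
uint16_t mss_before_fix(const struct flow *f, uint32_t key, const struct ack_pkt *p) {
    if (p->hw_syncookie_valid) return HW_MSS[p->cookie & 3];
    return sw_decode(f, key, p->cookie);
}

/* After the fix: with a software encoder active, the flag is ignored and the
 * cookie is validated and decoded by the algorithm that produced it. */
uint16_t mss_after_fix(const struct flow *f, uint32_t key, const struct ack_pkt *p) {
    (void)p->hw_syncookie_valid;
    return sw_decode(f, key, p->cookie);
}
```

In this model a client MSS of 1300 is encoded as software index 5 (binary 101); read through the hardware layout, the low two bits select index 1, so the pre-fix path returns 1024 instead of 1300.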

Behavior Change
