Bug ID 622260: Some TCP connections do not work when hardware syncookies are being issued and certain options are enabled

Last Modified: Mar 12, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Opened: Oct 12, 2016
Severity: 3-Major

Symptoms

On BIG-IP 11.5.x, approximately 50% of TCP connections have all of their packets dropped when hardware syncookies are being issued and certain other features are enabled.

Impact

Approximately 50% of connections will have all of their packets dropped when hardware syncookies are being issued.

Conditions

-- An 11.5.x version of the BIG-IP is in use on the system. -- The platform supports hardware syncookies. -- Hardware syncookies are being issued. -- The sys db TM.TCPProgressive is set to a value other than 'enable'. If the sys db TM.TCPProgressive is set to 'disable' or 'negotiate', the issue occurs when the previous conditions are met, and any one of the following conditions applies to the TCP profile attached to the virtual server: -- MPTCP is enabled. -- Rate pacing is enabled. -- Congestion control is set to vegas, illinois, woodside, chd (Caia-Hamilton Delay based) or cdg (Caia Delay-Gradient).

Workaround

Any of the following actions will mitigate this issue: 1. Disable hardware syncookies. 2. Set sys db TM.TCPProgressive to 'enable'. 3. If sys db TM.TCPProgressive is set to 'negotiate', set the following options on the TCP profile as follows: a. Disable MPTCP. b. Disable rate pacing. c. Set congestion control to reno, new-reno, high-speed, or scalable.

Fix Information

None

Behavior Change