Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10
Opened: Oct 12, 2016 Severity: 3-Major
On BIG-IP 11.5.x, approximately 50% of TCP connections have all of their packets dropped when hardware syncookies are being issued and certain other features are enabled.
Approximately 50% of connections will have all of their packets dropped when hardware syncookies are being issued.
-- An 11.5.x version of the BIG-IP is in use on the system. -- The platform supports hardware syncookies. -- Hardware syncookies are being issued. -- The sys db TM.TCPProgressive is set to a value other than 'enable'. If the sys db TM.TCPProgressive is set to 'disable' or 'negotiate', the issue occurs when the previous conditions are met, and any one of the following conditions applies to the TCP profile attached to the virtual server: -- MPTCP is enabled. -- Rate pacing is enabled. -- Congestion control is set to vegas, illinois, woodside, chd (Caia-Hamilton Delay based) or cdg (Caia Delay-Gradient).
Any of the following actions will mitigate this issue: 1. Disable hardware syncookies. 2. Set sys db TM.TCPProgressive to 'enable'. 3. If sys db TM.TCPProgressive is set to 'negotiate', set the following options on the TCP profile as follows: a. Disable MPTCP. b. Disable rate pacing. c. Set congestion control to reno, new-reno, high-speed, or scalable.
None