Bug ID 622378: Inconsistent hardware syncookie protection mode on B2100/B4300 blades and 5000/7000/10000 appliances

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Oct 13, 2016

Severity: 3-Major

Symptoms

BIG-IP may enter a state where the software indicates it is not in syncookie protection mode for a virtual IP, but the FPGA is still in that mode.

Impact

This may lead to undesired behavior in processing traffic. For example it would cause the VIP to remain in hardware syncookie protection mode while SYN traffic is nominal.

Conditions

This only occurs on the following platforms (B2100/B4300 blades, 5000/7000/10000 appliances) with Xilinx FPGA. It can be triggered if BIG-IP enters and exits syncookie protection frequently in a short interval as SYN traffic varies.

Workaround

Usually "bigstart restart tmm" would clear this error condition.

Fix Information

BIG-IP hardware and software would have consistent syncookie protection state. However, this also introduces a behavior change on the following platforms (B2100/B4300 blades, 5000/7000/10000 appliances). When SYN traffic returns to nominal, it requires some legitimate traffic to trigger BIG-IP to exit syncookie protection mode.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips