Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6
Fixed In:
13.0.0
Opened: Oct 13, 2016
Severity: 3-Major
BIG-IP may enter a state where the software indicates it is not in syncookie protection mode for a virtual IP, but the FPGA is still in that mode.
This may lead to undesired behavior in processing traffic. For example, the VIP can remain in hardware syncookie protection mode while SYN traffic is nominal.
This occurs only on the following platforms with a Xilinx FPGA: B2100/B4300 blades and 5000/7000/10000 appliances. It can be triggered if BIG-IP enters and exits syncookie protection frequently in a short interval as SYN traffic varies.
Running "bigstart restart tmm" usually clears this error condition.
BIG-IP hardware and software would have consistent syncookie protection state. However, this also introduces a behavior change on the following platforms (B2100/B4300 blades, 5000/7000/10000 appliances). When SYN traffic returns to nominal, it requires some legitimate traffic to trigger BIG-IP to exit syncookie protection mode.