Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3
Fixed In:
13.1.0, 13.0.1, 12.1.3
Opened: Apr 06, 2017 Severity: 3-Major Related Article: K04178391
When the SSL client or server is set up to send SSL messages whose boundaries do not align with the underlying TCP segment boundaries, the SSL parser fails if SSL persistence is enabled. Any SSL record that spans multiple TCP segments (in this case the ServerHello, Certificate, and ServerHelloDone messages) triggers the issue, and the connection is reset with the SSID error RST cause. The same failure occurs when a message is larger than the maximum configured size (default 32K).
When parsing fails, the SSL client or server hangs and the connection times out, so SSL traffic is affected. SSL parsing should succeed regardless of whether the SSL message boundaries match the TCP segment boundaries.
[1] SSL persistence is enabled.
[2a] The SSL message boundary does not align with the underlying TCP segment boundary. One example of a boundary mismatch is when the TCP MTU is lowered (to around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32K).
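The correct behavior described above, as an added illustration that is not F5 code: a record-layer parser that buffers across TCP segment boundaries instead of assuming each record arrives in one segment, and that rejects a record larger than the configured maximum (32K by default, as on this page). The handshake bytes (`build_server_flight`) are constructed sample data; the segment sizes are assumptions that stand in for a lowered MTU.

```python
import struct

CONTENT_HANDSHAKE = 22
HANDSHAKE_NAMES = {2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

class TlsRecordParser:
    """Reassembles TLS records from a byte stream delivered in arbitrary TCP segments."""
    def __init__(self, max_record=32 * 1024):   # 32K: the page's default maximum size
        self.buf = bytearray()
        self.max_record = max_record
        self.messages = []                      # handshake message names, in order
    def feed(self, segment):
        """Consume one TCP segment and parse every record that is now complete."""
        self.buf += segment
        while len(self.buf) >= 5:               # full 5-byte record header buffered
            ctype, _ver, length = struct.unpack("!BHH", self.buf[:5])
            if length > self.max_record:
                raise ValueError(f"record of {length} bytes exceeds {self.max_record}")
            if len(self.buf) < 5 + length:
                return                          # body continues in a later segment
            body = bytes(self.buf[5:5 + length])
            del self.buf[:5 + length]
            if ctype == CONTENT_HANDSHAKE:
                off = 0                         # walk the handshake messages in the record
                while off + 4 <= len(body):
                    htype, hlen = body[off], int.from_bytes(body[off + 1:off + 4], "big")
                    self.messages.append(HANDSHAKE_NAMES.get(htype, f"type{htype}"))
                    off += 4 + hlen

def build_server_flight():
    """Constructed sample record carrying ServerHello, Certificate, ServerHelloDone."""
    def hs(htype, payload):
        return bytes([htype]) + len(payload).to_bytes(3, "big") + payload
    body = (hs(2, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f\x00")
            + hs(11, b"\x00\x00\x06\x00\x00\x03\x30\x00\x00") + hs(14, b""))
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0303, len(body)) + body

def parse_split(record, segment_size, max_record=32 * 1024):
    """Deliver the record in segment_size-byte pieces (a smaller MSS); return messages seen."""
    parser = TlsRecordParser(max_record)
    for i in range(0, len(record), segment_size):
        parser.feed(record[i:i + segment_size])
    return parser.messages

def rejects_oversize(record, max_record):
    try:
        parse_split(record, len(record), max_record)
        return False
    except ValueError:
        return True
```

Feeding the same 64-byte record in 1200-, 7- or 3-byte segments yields the same three messages, which is the property the fixed parser must have.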
Disable SSL persistence.
The system now switches SSL persistence into a pass-through state for all remaining messages once no further parsing is needed.