Bug ID 681377: The BIG-IP system sends out SYN/ACK with MSS 0 in VLAN syncookie protection mode on some platforms

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Sep 01, 2017

Severity: 2-Critical

Symptoms

A firmware issue on certain hardware platforms causes the SYN/ACK packets generated by hardware syncookie protection to carry a TCP MSS option with a value of 0, even though TMOS has set the MSS to a different (non-zero) value.
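The observable signature of this bug is a SYN/ACK whose TCP MSS option (kind 2, length 4) reads 0. The following is an added example, not F5 code or anything from the Bug Tracker entry: it builds minimal SYN/ACK segments with a chosen MSS (constructed sample data, not captured traffic), walks the TCP option list, and flags the zero-MSS case so the check can be run against segments pulled from a capture on the affected VLAN.

```python
"""
Detect a SYN/ACK whose TCP MSS option carries 0 (the symptom in this bug entry).
Added example, not F5 code. All packets are constructed inline; no capture
file or live traffic is needed.
"""
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def build_syn_ack(mss, flags=TCP_FLAG_SYN | TCP_FLAG_ACK,
                  src_port=443, dst_port=51234, seq=0x11223344, ack=0x1):
    """Build a minimal TCP header carrying a single MSS option (kind 2, len 4),
    padded with NOPs to a 4-byte boundary. Constructed sample data only."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    while len(options) % 4:          # already aligned here; kept general
        options += bytes([OPT_NOP])
    data_offset_words = 5 + len(options) // 4
    offset_flags = (data_offset_words << 12) | flags
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, 65535, 0, 0)
    return header + options


def parse_tcp_options(segment):
    """Return {kind: value_bytes} for the options in a TCP segment.
    Handles EOL, NOP and length-encoded options; stops at a malformed length."""
    offset_words = segment[12] >> 4
    opts = segment[20:offset_words * 4]
    result = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                     # malformed option, stop parsing
        result[kind] = opts[i + 2:i + length]
        i += length
    return result


def syn_ack_mss(segment):
    """Return the MSS advertised by a SYN/ACK, or None when the segment is not
    a SYN/ACK or has no (well-formed) MSS option."""
    flags = struct.unpack("!H", segment[12:14])[0] & 0x1FF
    both = TCP_FLAG_SYN | TCP_FLAG_ACK
    if flags & both != both:
        return None
    mss_bytes = parse_tcp_options(segment).get(OPT_MSS)
    if mss_bytes is None or len(mss_bytes) != 2:
        return None
    return struct.unpack("!H", mss_bytes)[0]


def has_zero_mss(segment):
    """True when the segment is a SYN/ACK advertising MSS 0 (this bug's signature)."""
    return syn_ack_mss(segment) == 0


if __name__ == "__main__":
    healthy = build_syn_ack(1460)
    affected = build_syn_ack(0)
    print("healthy SYN/ACK MSS:", syn_ack_mss(healthy))    # 1460
    print("affected SYN/ACK MSS:", syn_ack_mss(affected))  # 0
    print("zero-MSS flagged:", has_zero_mss(affected))     # True
```

Only SYN/ACK segments are inspected because the hardware syncookie path emits those; a plain SYN with MSS 0 is returned as None rather than flagged, so the check does not misattribute client-side oddities to the BIG-IP.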

Impact

Most TCP clients handle a SYN/ACK with MSS 0 gracefully, but some clients (for example, Ixia traffic-test appliances) do not, and their connections through the affected VLAN are disrupted.

Conditions

Hardware syncookie protection is enabled on a VLAN that is under SYN flood attack, and the syncookie protection has been triggered. This occurs on the following platforms: BIG-IP 5000, 7000, and 10000 series platforms, and VIPRION B2100, B2150, B2250, and B43x0 blades.

Workaround

Turn off hardware VLAN syncookie protection on the affected VLAN if regular TCP traffic is impacted.

Fix Information

In 13.1.0, per-VLAN syncookie protection is disabled in the data plane on BIG-IP 5000, 7000, and 10000 series platforms, and on VIPRION B2100, B2150, B2250, and B43x0 blades.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips