Bug ID 689080: Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value

Last Modified: Oct 06, 2020


Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3

Fixed In:

Opened: Oct 17, 2017
Severity: 2-Critical


When tmm uses a software encoding algorithm to generate SYN cookies in a SYN/ACK packet, there is a chance that HSB might mistakenly identify the ACK response to the SYN/ACK as a valid syncookie response and stamp a SYNCOOKIE_VALID flag on the packet. In that case, software processes try to extract the MSS (maximum segment size) value encoded in the syncookie, which would be a wrong value. This may cause connections to fail in subsequent transactions, or cause performance degradation.


Connections either fail, or the smaller, incorrect MSS value causes performance degradation.


When software syncookie protection mode is activated and a software encoding algorithm is being used.



Fix Information

If a software syncookie encoding algorithm is being used, tmm now ignores the SYNCOOKIE_VALID flag stamped by HSB, so the correct MSS value is calculated.
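
The failure mode and the fix described above, as a toy model added here (not F5 code). The cookie layouts, keys, MSS tables and the 8-bit hardware check are assumptions constructed for illustration; only the SYNCOOKIE_VALID flag and the decision to trust or ignore it come from this page.

```python
import hmac, hashlib

# Toy model only: layouts, keys and MSS tables are constructed, not F5's.
SW_KEY, HW_KEY = b"sw-key-constructed", b"hw-key-constructed"
SW_MSS = [536, 1300, 1440, 1460]   # software table, index in cookie bits 0-1
HW_MSS = [256, 536, 1024, 1460]    # hardware table, index in cookie bits 30-31

def mac(key, flow, bits):
    """Top `bits` bits of a keyed hash over the connection 4-tuple."""
    digest = hmac.new(key, repr(flow).encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)

def sw_encode(flow, mss):
    # Software cookie: 30-bit MAC in the high bits, MSS index in the low 2 bits.
    return (mac(SW_KEY, flow, 30) << 2) | SW_MSS.index(mss)

def sw_decode(flow, cookie):
    # Software validation: full 30-bit MAC must match before MSS is trusted.
    if cookie >> 2 != mac(SW_KEY, flow, 30):
        return None
    return SW_MSS[cookie & 3]

def hw_valid(flow, cookie):
    # Hardware check under its own layout: 8-bit tag in cookie bits 0-7.
    # A software cookie passes this by chance about once in 256 flows.
    return cookie & 0xFF == mac(HW_KEY, flow, 8)

def hw_decode(cookie):
    return HW_MSS[cookie >> 30]

def mss_for_ack(flow, cookie, trust_hsb_flag):
    syncookie_valid = hw_valid(flow, cookie)    # flag stamped by hardware
    if syncookie_valid and trust_hsb_flag:      # pre-fix: flag is believed
        return hw_decode(cookie)                # MSS read with the wrong layout
    return sw_decode(flow, cookie)              # post-fix: flag ignored

def find_misvalidated_flow(mss=1460):
    # Scan constructed flows for a software cookie the hardware check accepts.
    for sport in range(1024, 65536):
        flow = ("192.0.2.10", sport, "198.51.100.5", 443)
        cookie = sw_encode(flow, mss)
        if hw_valid(flow, cookie) and hw_decode(cookie) != mss:
            return flow, cookie
    return None
```

With `trust_hsb_flag=True` the misvalidated flow gets a smaller MSS than the 1460 the software cookie encoded; with `trust_hsb_flag=False` the software decoder returns 1460.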

Behavior Change