Bug ID 715750: The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.

Last Modified: Sep 05, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 14.0.0, 14.0.0.1, 14.0.0.2

Fixed In:
14.1.0, 14.0.0.3, 13.1.1.2, 12.1.3.7

Opened: Apr 18, 2018
Severity: 3-Major
Related AskF5 Article:
K41515225

Symptoms

Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable. For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely. Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.

Impact

There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue. For example, if the original FIN was received by the BIG-IP system on the clientside: -- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client. -- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.

Conditions

This issue occurs when the following conditions are met: -- A standard virtual server with the clientssl and serverssl profiles in use. -- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

Workaround

There is no workaround at this time.

Fix Information

SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.

Behavior Change

SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.