Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IQ Platform
Fixed In:
7.0.0.2, 7.0.0.1
Opened: Oct 30, 2019 Severity: 3-Major
TCP traffic on a BIG-IQ system using a self IP address might not correctly honor the MSS size specified during the connection establishment. The result is IP fragmentation of TCP segments sent out on the wire. The expected behavior is that TSO would package the TCP segments in a way that would not require fragmentation. When a large amount of data needs to be transferred using a self IP address, BIG-IQ might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid, however some routers drop such packets. This might result in retransmissions and low throughput. This Hotfix also addressed the following: BIG IQ Mongo DB does not support IPV6 short form for HA. Mongo does a plain string comparison and the BIG IQ should throw an "Unsupported form" error when it encounters IPV6 short form in the high availability (HA) context. When the promote task fails, the promote directives are not cleared from the failover state which causes promote to happen every time we create a high availability (HA) pair leading to a split-brain problem.
Data transfer from the BIG-IQ system's self IP address might be slow or fail.
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set. This occurs only when TCP segmentation offload (TSO) is enabled, and traffic is using a tmm interface. TSO enabled is the default setting.
To work around this issue, you can disable TSO by issuing the command: ethtool -K tmm tso off. Note: This has a different effect from setting the db key tm.tcpsegmentationoffload to 'disable' (which is not a workaround for the issue). Note: To persist the effect of this command across reboots, use the solution specified in K14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/csp/#/article/K14397. For example, alert tmmready "Tmm ready" { exec command="/sbin/ethtool -K tmm tso off" }
Data transfer from the BIG-IQ system self IP address has been improved. BIG-IQ now checks to return an Unsupported notation exception in ha_reset. This should not affect other scripts because none of the other scripts are getting called directly like ha_reset and there is normalization happening for calls from UI/API. Added the removal of promoteDirectives on ha_reset -f.