Bug ID 874317: Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN

Last Modified: Apr 29, 2023

Affected Product(s):
BIG-IP All (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 16.0.0, 16.0.1

Opened: Jan 29, 2020

Severity: 3-Major


Symptoms

When BIG-IP is configured with at least two VLANs/interfaces and a virtual server has auto-lasthop disabled, the virtual server can receive a SYN from a client on one VLAN/interface and send the SYN/ACK directly back to the client on a different VLAN/interface. BIG-IP currently expects the ACK to be received on the outgoing interface, unless the client is not directly connected and the connection is using a default gateway.

Impact

The mismatch could lead to connections failing to establish.

Conditions

-- The BIG-IP is configured with two VLANs/interfaces for a client (one for incoming packets, one for outgoing packets, i.e. asymmetric routing).
-- The client using asymmetric routing is connecting to a virtual server with auto-lasthop disabled.
-- The outgoing route to the client (from the BIG-IP) is directly connected to the client (i.e. on the same network; not going through a gateway).
-- The DB variable connection.vlankeyed has the value "enabled" (which is the default).

Workaround

Use only a single VLAN on the client side, or disable the DB variable "connection.vlankeyed".
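
The following is an added illustration, not BIG-IP code and not part of the original bug report. It is a simplified model of a VLAN-keyed connection table that shows why the ACK fails to match under the conditions above and why either workaround lets the handshake complete. The class, function, and VLAN names and the addresses are constructed, and the real connection-table layout is assumed.

```python
# Simplified model of a connection table whose flow key can include the VLAN.
# All names here are hypothetical; this is not how TMM is implemented.
from dataclasses import dataclass, field


@dataclass
class ConnTable:
    vlan_keyed: bool = True  # models the DB variable connection.vlankeyed
    flows: dict = field(default_factory=dict)

    def _key(self, client, vip, vlan):
        # With VLAN keying, the VLAN is part of the flow identity.
        return (client, vip, vlan) if self.vlan_keyed else (client, vip)

    def syn(self, client, vip, ingress_vlan, egress_vlan):
        # The SYN arrives on ingress_vlan. With auto-lasthop disabled the
        # SYN/ACK goes straight back to the directly connected client on
        # egress_vlan, and the ACK is then expected on that outgoing VLAN.
        self.flows[self._key(client, vip, egress_vlan)] = "SYN_RECEIVED"

    def ack(self, client, vip, arrival_vlan):
        key = self._key(client, vip, arrival_vlan)
        if key not in self.flows:
            return False  # no matching flow: the handshake never completes
        self.flows[key] = "ESTABLISHED"
        return True


def handshake(vlan_keyed, ingress_vlan, egress_vlan):
    """Return True if the three-way handshake completes in this model."""
    table = ConnTable(vlan_keyed=vlan_keyed)
    client = ("192.0.2.10", 40000)   # constructed client address and port
    vip = ("198.51.100.5", 443)      # constructed virtual server address
    table.syn(client, vip, ingress_vlan, egress_vlan)
    # The client keeps sending on its original path, so the ACK arrives
    # on the same VLAN as the SYN.
    return table.ack(client, vip, ingress_vlan)


if __name__ == "__main__":
    cases = [
        ("asymmetric, vlankeyed enabled", True, "vlan_in", "vlan_out"),
        ("asymmetric, vlankeyed disabled", False, "vlan_in", "vlan_out"),
        ("single client VLAN, vlankeyed enabled", True, "vlan_a", "vlan_a"),
    ]
    for label, keyed, vin, vout in cases:
        print(f"{label}: established={handshake(keyed, vin, vout)}")
```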

Fix Information


Behavior Change

