Bug ID 891145: TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3

Opened: Mar 19, 2020
Severity: 3-Major

Symptoms

SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state.

Impact

The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time.

Conditions

-- Timestamps are enabled in TCP profile. -- Local TCP connection is in FIN-WAIT-2 state. -- Remote TCP connection abandoned the flow. -- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection.

Workaround

There are two workarounds: -- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that TCP connection is terminated sooner. -- Disable TCP Timestamps.

Fix Information

None

Behavior Change

Have a question?

About F5

Education

F5 sites

Support Tasks

© F5, Inc. All rights reserved. Policies | Privacy | Trademarks