Operational Defect Database

BugZero found this defect 1566 days ago.

F5 | 874317

Client-side asymmetric routing could lead to SYN and SYN-ACK on different VLAN

Last update date:

4/26/2024

Affected products:

BIG-IP

BIG-IP All

Affected releases:

12.1.0

12.1.1

12.1.2

12.1.3

12.1.3.1

12.1.3.2

12.1.3.3

12.1.3.4

12.1.3.5

12.1.3.6

12.1.3.7

12.1.4

Fixed releases:

No fixed releases provided.

Description:

Severity: 3-Major

Symptoms:

When BIG-IP is configured with at least two VLANs/interfaces, and a virtual server with auto-lasthop disabled, then when that virtual server receives a SYN from a client and sends the SYN/ACK directly back to the client on a different VLAN/interface, it currently expects the ACK to be received on the outgoing interface unless the client is not directly connected and the connection is using a default gateway.

Impact:

The mismatch could lead to connections failing to establish.

Conditions:

-- The BIG-IP is configured with two VLANs/interfaces for a client (one for incoming packets, one for outgoing packets, i.e. asymmetric routing).
-- The client using asymmetric routing is connecting to a virtual server with auto-lasthop disabled.
-- The outgoing route to the client (from the BIG-IP) is directly connected to the client (i.e. on the same network; not going through a gateway).
-- The DB variable connection.vlankeyed has the value "enable...


Status

New
