Adam_Fint_1489
Nov 09, 2010
RST 100+ seconds after client sends RST
I have an F5 BigIP running 9.4.7 Build 330.0 Hotfix HF2, behind a Cisco ASA running 8.0.5(20). I am seeing odd denies in my Cisco log, which I am trying to track down. We have some internal clients, connected to the ASA/F5 via a VPN tunnel. For whatever reason, sometimes the clients (Windows/IE) are closing the connection with a RST. When they do, the BigIP immediately responds with an ACK. Apparently looking for a reply, it continues to retransmit the ACK every few seconds. After several retransmits (between 100 and 200 seconds later), the BigIP then sends a RST. By this time, the ASA has already FIN_WAIT'ed the connection, and the connection has long since been closed; the ASA sees this errant packet, and blocks it (and logs it to my syslog). The ASA is configured with the "sysopt connection timewait" setting, but that only holds the connection open for 15 seconds.
Is the BigIP behaving correctly, or is this a bug that has already been fixed in newer code? Is this a tunable behavior? The VS in question is using the default TCP Profile settings (2000ms timewait, 5 sec FIN wait, 5 sec close wait).