Bug ID 1615101: BIG-IP AFM hardware DoS protection is incompatible when vCMP host or guest uses different versions

Last Modified: Jan 09, 2025

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4

Fixed In:
17.1.2

Opened: Jul 16, 2024

Severity: 1-Blocking

Symptoms

The BIG-IP AFM hardware DoS protection is incompatible when the vCMP host or guest uses different versions (where one device runs BIG-IP version 17.1.0 or later and the other device runs a version lower than BIG-IP 17.1.0).

Impact

The BIG-IP system drops packets that may be legitimate, thus reducing throughput and disrupting the existing services. Because of this issue, one or more of the following symptoms may occur:

- Throughput is lower than expected.
- The BIG-IP system intermittently drops legitimate TCP connections.

Conditions

- vCMP capable platform
- vCMP enabled
- DoS hardware offload enabled
- The software version of the guest is lower than BIG-IP 17.1.0, and the host version is BIG-IP 17.1.0 or higher.

Or

- The software version of the host is lower than BIG-IP 17.1.0, and the guest version is BIG-IP 17.1.0 or higher.

Workaround

You can resolve this issue by doing one of the following:

- Upgrade the vCMP host to v17.1.2.
- Upgrade all guests to match the vCMP host version.
- Disable the hardware DoS protection on a vCMP guest using the TMSH command modify /sys db dos.forceswdos value true. This should only be used as a last resort, as there is a possible risk from DoS attacks.
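The Conditions and Workaround sections above, expressed as an offline check over a vCMP inventory. This is an added example, not F5 code: the inventory layout, field names and sample hosts are constructed, and it assumes a mismatched pair is cleared only by a host at 17.1.2 or later or by dos.forceswdos set to true on the guest.

```python
# Added example: audit a vCMP inventory against the conditions of Bug ID 1615101.
# Inventory layout and field names are hypothetical; the sample data is constructed.

THRESHOLD = (17, 1, 0, 0)   # versions on opposite sides of 17.1.0 are incompatible
HOST_FIXED = (17, 1, 2, 0)  # "Fixed In" release, applied to the vCMP host


def parse_version(text):
    """Turn '15.1.10.6' into (15, 1, 10, 6); pad '17.1' to (17, 1, 0, 0).

    Numeric tuples avoid the lexical trap where '15.1.10' sorts before '15.1.9'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def pair_affected(host_version, guest_version, forceswdos=False):
    """True when a host/guest pair meets the conditions listed for this bug."""
    host, guest = parse_version(host_version), parse_version(guest_version)
    if forceswdos:          # hardware DoS disabled on the guest (last-resort workaround)
        return False
    if host >= HOST_FIXED:  # host already runs the fixed release
        return False
    # Affected when exactly one side is at or above 17.1.0.
    return (host >= THRESHOLD) != (guest >= THRESHOLD)


def audit(inventory):
    """Return (host name, guest name) for every affected pair."""
    return [(h["name"], g["name"])
            for h in inventory for g in h["guests"]
            if pair_affected(h["version"], g["version"], g.get("forceswdos", False))]


# Constructed sample inventory (not taken from the bug report).
SAMPLE = [
    {"name": "host-a", "version": "17.1.1.4", "guests": [
        {"name": "g1", "version": "15.1.10.6"},
        {"name": "g2", "version": "17.1.1.4"},
        {"name": "g3", "version": "16.1.5.2", "forceswdos": True}]},
    {"name": "host-b", "version": "16.1.5.2", "guests": [
        {"name": "g4", "version": "17.1.0"}]},
    {"name": "host-c", "version": "17.1.2", "guests": [
        {"name": "g5", "version": "15.1.10.6"}]},
]

if __name__ == "__main__":
    for host, guest in audit(SAMPLE):
        print(f"affected: guest {guest} on host {host}")
```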

Fix Information

Added support for setting the DoS version in the hardware register based on the guest software version, thereby addressing the DoS vectors incompatibility for the vCMP platform when the host version is BIG-IP 17.1.0 or later and the guest version is before BIG-IP 17.1.0.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips