Last Modified: May 29, 2024
Affected Product(s):
BIG-IP TMOS
Opened: Oct 27, 2017
Severity: 3-Major
When global auto last hop is disabled on iSeries platforms (excluding i2xxx/i4xxx) and B4450 blades, hardware syncookie mode is used during a SYN attack.
The virtual server can enter hardware syncookie mode, at which point responses will be routed using the incoming packet route. This can break configurations that are using asymmetric routing.
Global autohop is disabled. This setting is controlled by the following DB variable:

    # tmsh list sys db connection.autolasthop
    sys db connection.autolasthop {
        value "disable"
    }

The default setting is enable.
Disable hardware syncookies by setting the following DB variable to false:

    tmsh modify sys db pvasyncookies.enabled value false
None
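
An audit check for the condition and workaround described above, as an added example that is not F5's own code. It parses `tmsh list sys db` output for the two DB variables named on this page; the state names and the sample records are constructed, and platform type is not checked.

```shell
#!/bin/sh
# Added example (not F5 code): classify a BIG-IP against the two DB variables
# named on this page. Platform type is NOT checked here.

# db_value TEXT: print the quoted value from `tmsh list sys db <name>` output.
# Handles both the one-line and the multi-line form of the record.
db_value() {
    printf '%s\n' "$1" | tr '\n' ' ' |
        sed -n 's/.*value[[:space:]]*"\([^"]*\)".*/\1/p'
}

# classify AUTOLASTHOP_TEXT PVASYNCOOKIES_TEXT: print one state word.
classify() {
    alh=$(db_value "$1")
    pva=$(db_value "$2")
    if [ -z "$alh" ] || [ -z "$pva" ]; then
        echo "unknown"                 # could not parse one of the records
    elif [ "$alh" != "disable" ]; then
        echo "not-applicable"          # auto last hop still enabled (default)
    elif [ "$pva" = "false" ]; then
        echo "workaround-applied"      # hardware syncookies turned off
    else
        echo "exposed"                 # condition met, workaround not applied
    fi
}

if command -v tmsh >/dev/null 2>&1; then
    # On a BIG-IP: read the live values.
    classify "$(tmsh list sys db connection.autolasthop)" \
             "$(tmsh list sys db pvasyncookies.enabled)"
else
    # Constructed sample output, used when tmsh is not available.
    classify 'sys db connection.autolasthop { value "disable" }' \
             'sys db pvasyncookies.enabled { value "true" }'
fi
```

A result of "exposed" means only that both DB settings match the conditions; whether the platform is one of the affected models still has to be confirmed separately.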