Last Modified: May 29, 2024
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1
Fixed In:
15.0.0, 14.1.0.2, 13.1.3
Opened: Dec 08, 2018
Severity: 2-Critical
Client request fails, due to being dropped on the BIG-IP system.
Client request gets dropped due to BIG-IP AFM dropping the flow.
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.
Disable the BDoS feature. The feature can be disabled using the following commands:
-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}
-- To disable BDoS per-profile, run the following commands:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.