Bug ID 968533: Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
15.1.4

Fixed In:
15.1.4.1

Opened: Nov 30, 2020

Severity: 2-Critical

Symptoms

When a PUSH flood vector is programmed to hardware after a flood is detected, rate limiting is performed on all the PUSH packets even when "Only Count Suspicious Events" is enabled.

Impact

Packets with the PUSH flag that belong to good connections are also dropped, even though "Only Count Suspicious Events" is enabled.

Conditions

-- Push flood vector is triggered.
-- Rate limiting is enabled for the push flood vector.
-- The issue is observed only on the hardware platform.

Workaround

None

Fix Information

Fixed an issue with rate limiting on PUSH packets.

Behavior Change
