Bug ID 1003377: Disabling DoS TCP SYN-ACK does not clear suspicious event count option

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 16.0.0,, 16.0.1,,, 16.1.0, 16.1.1, 16.1.2,,, 16.1.3,,,,,

Fixed In:
16.1.4, 15.1.9

Opened: Mar 17, 2021

Severity: 4-Minor


When the 'Only Count Suspicious Events' option is turned on for the TCP SYN ACK Flood vector and the vector gets disabled, TMM continues operating as if 'Only Count Suspicious Events' is still configured.


BIG-IP system might continue altering TCP initial sequence numbers for SYN-ACK cookie validations.


Disabling TCP SYN ACK Flood vector with 'Only Count Suspicious Events' enabled.


Disable the 'Only Count Suspicious Events' option first, and then disable TCP SYN ACK Flood vector.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips