Bug ID 1070033: Virtual server may not fully enter hardware SYN Cookie mode.

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3

Fixed In:
17.0.0, 14.1.4.6

Opened: Dec 23, 2021
Severity: 3-Major

Symptoms

The SYN Cookies Status of a virtual server shows 'full-hardware', but the 'Total Software' counter of software SYN Cookies continues to increment together with the 'Total Hardware' SYN Cookie counter during a SYN flood attack.

Impact

A portion of the SYN flood attack is handled in software, which might have some performance impact.

Conditions

On platforms with multiple HSB modules each TMM connects to only one of the modules. This depends on platform, BIG-IP version and selected turboflex profile. The simplest way to check is to look at the epva_flowstat tmstat table. If there is only one row per TMM and there are more than one distinct mod_id numbers, then the device is affected. For example: $ tmctl -s tmm,mod_id,pdenum,slot_id epva_flowstat tmm mod_id pdenum slot_id --- ------ ------ ------- 0 1 0 0 1 1 8 0 2 2 0 0 3 2 8 0

Workaround

N/A

Fix Information

All TMMs now correctly enter hardware SYN Cookie mode.

Behavior Change