Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP AFM, Install/Upgrade
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1
Opened: Mar 29, 2023 Severity: 3-Major
The following log is observed in the console or /var/log/ltm logs: Logging 01071d5e:3: DOS attack data (tcp-flags-uncommon): Suspicious vector feature is not supported for tcp-flags-uncommon vector. If this is after an upgrade it's likely the configuration will fail to load, which in turn will cause memory provisioning not to complete leaving the system provisioned for LTM only. This may leave insufficient 4KB page memory for the actual provisioning, for example if ASM is provisioned. The unit may show low memory symptoms such as oom killer activity, unresponsive management, cores due to daemon heartbeat timeout.
The following log is observed in the console or /var/log/ltm logs: Logging 01071d5e:3: DOS attack data (tcp-flags-uncommon): Suspicious vector feature is not supported for tcp-flags-uncommon vector. in the console or /var/log/ltm Failure to load configuration may be shown a few lines later: emerg load_config_files[13166]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed.
1. The Only Count Suspicious Events option is enabled or the attribute suspicious is true on TCP Push Flood vector. 2. Upgrade to BIG-IP 17.1.0.
1. Confirm config: grep "suspicious true" /config/bigip.conf 2. Backup bigip.conf: cp /config/bigip.conf /config/bigip.conf.bak_ID1282029 3. Change affected configuration values: sed -i 's/suspicious true/suspicious false/g' /config/bigip.conf 4. Reload MCPD per K13030. AFM comes back up with config loaded fine.
None