Last Modified: Aug 12, 2025
Affected Product(s):
F5OS F5OS, F5OS-A, F5OS-C, Velos
Known Affected Versions:
F5OS-A 1.5.1, F5OS-A 1.5.2, F5OS-A 1.5.3, F5OS-C 1.5.1
Fixed In:
F5OS-C 1.8.0, F5OS-A 1.8.0
Opened: Jul 10, 2024 Severity: 3-Major
If the DMA-Agent receives a high volume of SPVA allow list entries at once, it may become overwhelmed and stop working. As a result, no traffic will be able to exit the tenant. This can be identified by observing the DMA-Agent using 100% of the cpu.
Affected tenants will fail to pass any traffic on the data-plane. The TMSTAT sep_stats.tx_send_drops3 will be incremented. This issue could also effect other tenants hosted on the same F5OS hypervisor.
This is usually seen in configurations where there are many virtual servers configured with a dos profile that contains an IP-based allow list. The problem does not arise when VIPs are added individually, but it often happens after TMM is restarted following a tenant reboot.
Perform the following on the tenant: tmsh modify sys db dos.forceswdos value true tmsh save sys conf To recover the DMA-Agent in F5OS, set the tenant state to “configured” and then set it back to “deployed.
The DMA-Agent now handles a high volume of SPVA allow list entries.