Last Modified: Oct 21, 2024
Affected Product(s):
F5OS Velos
Known Affected Versions:
F5OS-A 1.5.1, F5OS-A 1.5.2
Fixed In:
F5OS-A 1.8.0
Opened: Jul 10, 2024 Severity: 3-Major
If the DMA-Agent receives a high volume of SPVA allow list entries at once, it may become overwhelmed and stop working. As a result, no traffic will be able to exit the tenant. This can be identified by observing the DMA-Agent using 100% of the cpu.
Tenant will fail to pass any traffic on the data-plane. The TMSTAT sep_stats.tx_send_drops3 will be incremented.
This is usually seen in configurations where there are many virtual servers configured with a dos profile that contains an IP-based allow list. The problem does not arise when VIPs are added individually, but it often happens after TMM is restarted following a tenant reboot.
Perform the following on the tenant: tmsh modify sys db dos.forceswdos value true tmsh save sys conf To recover the DMA-Agent in F5OS, set the tenant state to “configured” and then set it back to “deployed.
The DMA-Agent now handles a high volume of SPVA allow list entries.