Bug ID 1612217: A large amount of SPVA DoS allow list entries can overload DMA-Agent causing a tenant to fail to pass traffic

Last Modified: Oct 21, 2024

Affected Product(s):
F5OS Velos (all modules)

Known Affected Versions:
F5OS-A 1.5.1, F5OS-A 1.5.2

Fixed In:
F5OS-A 1.8.0

Opened: Jul 10, 2024

Severity: 3-Major

Symptoms

If the DMA-Agent receives a high volume of SPVA allow list entries at once, it may become overwhelmed and stop working. As a result, no traffic will be able to exit the tenant. This can be identified by observing the DMA-Agent using 100% of the CPU.

Impact

The tenant will fail to pass any traffic on the data-plane. The TMSTAT sep_stats.tx_send_drops3 will be incremented.

Conditions

This is usually seen in configurations where there are many virtual servers configured with a DoS profile that contains an IP-based allow list. The problem does not arise when VIPs are added individually, but it often happens after TMM is restarted following a tenant reboot.

Workaround

Perform the following on the tenant:

tmsh modify sys db dos.forceswdos value true
tmsh save sys conf

To recover the DMA-Agent in F5OS, set the tenant state to “configured” and then set it back to “deployed”.

Fix Information

The DMA-Agent now handles a high volume of SPVA allow list entries.

Behavior Change
