Bug ID 494782: HW Accelerated Shun List drops are not logged

Last Modified: Oct 17, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Dec 05, 2014

Severity: 4-Minor

Symptoms

When a hardware accelerated shun list drops packets from a shunned host, the drops are not logged as they would be if dropped in software. This is because there is no equivalent logging infrastructure in hardware. However, there is a sys db variable called dos.blleaklimit (default value is 255) which controls how frequently packet(s) will be leaked by HW into SW. The leaked packets will be logged and statistics will also be available in AVR.

Impact

Reduced visibility when the drops are in HW.

Conditions

SPVA, auto-blacklist enabled for the Single Endpoint Sweep vector.

Workaround

As a workaround, if you set the leak limit to 0, all packets will be leaked into SW, and packets will be logged.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips