Bug ID 523128: At SYN time PVA offloading enabled, SYN-Cookie mode can be triggered earlier than other mode with same SYN-Cookie threshold level

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Opened: May 13, 2015

Severity: 4-Minor

Symptoms

When syncookie is enabled, given same threshold and same traffic, Syncookie mode is easier to trigger when PVA acceleration is enabled than when PVA-acceleration is disabled.

Impact

SYN cookie protection is easier to be triggered when PVA acceleration is enabled, especially when the syncache level is lowered from the default value.

Conditions

Virtual server with PVA hardware acceleration and hardware SYN cookie support.

Workaround

Change the pva offload state from "embryonic" to "establish" root@(localhost)(cfg-sync Standalone)(Offline)(/Common)(tmos)# modify ltm profile fastl4 fastL4 pva-offload-state establish

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips