Bug ID 523128: At SYN time PVA offloading enabled, SYN-Cookie mode can be triggered earlier than other mode with same SYN-Cookie threshold level

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Opened: May 13, 2015
Severity: 4-Minor

Symptoms

When syncookie is enabled, given same threshold and same traffic, Syncookie mode is easier to trigger when PVA acceleration is enabled than when PVA-acceleration is disabled.

Impact

SYN cookie protection is easier to be triggered when PVA acceleration is enabled, especially when the syncache level is lowered from the default value.

Conditions

Virtual server with PVA hardware acceleration and hardware SYN cookie support.

Workaround

Change the pva offload state from "embryonic" to "establish" root@(localhost)(cfg-sync Standalone)(Offline)(/Common)(tmos)# modify ltm profile fastl4 fastL4 pva-offload-state establish

Fix Information

None

Behavior Change