Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF6
Opened: Jun 03, 2015 Severity: 3-Major
In a BIG-IP chassis, it is possible that the AFM "attack started" event and "attack stopped" event happen on two different slots of the chassis. In that case avrd is not able to detect and report "attack stopped" event and the user would continue to see "attack ongoing" in the DoS Overview Page.
User will get confused when he see that the AFM DoS Overview Page still shows the attack as ongoing when it has actually stopped.
This will only happen in a BIG-IP chassis based system with multiple slots, and if the AFM DoS "attack started" and "attack stopped" events are given to different slots.
No workaround
With this change the bug has been fixed and now the AFM DoS Overview Page will always know when a attack has stopped.