Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2
Fixed In:
12.1.2 HF1, 11.6.1 HF2, 11.5.4 HF3
Opened: Jan 18, 2016 Severity: 3-Major
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.
Syncookie mode is activated with high connection rates to a wildcard virtual.
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (previous max was 4093)