Bug ID 660252: Enabling SYN-Cookies may severely impact DNAT performance

Last Modified: Mar 21, 2019


Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3

Opened: Apr 24, 2017
Severity: 2-Critical

Symptoms

Low number of connections per second and lower throughput performance.

Log messages:
Syncookie embryonic connection counter ###### exceeded sys threshold ######
Syncookie HW mode activated, server = x.x.x.x:x, HSB modId = 1
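The two log messages quoted in Symptoms can be tallied from collected log lines to see which thresholds were exceeded and which servers entered hardware SYN-cookie mode. This is an added example, not F5 code; the syslog prefix, addresses and numbers in the sample lines are constructed, and only the message texts come from this page.

```python
import re
from collections import Counter

# Message texts as quoted in Symptoms; ###### and x.x.x.x:x become captures.
EXCEEDED = re.compile(
    r"Syncookie embryonic connection counter (\d+) exceeded sys threshold (\d+)")
HW_MODE = re.compile(
    r"Syncookie HW mode activated, server = ([^,\s]+), HSB modId = (\d+)")


def summarize(lines):
    """Tally exceeded thresholds and HW SYN-cookie activations per server."""
    thresholds = Counter()   # configured threshold value -> times exceeded
    peak = 0                 # highest embryonic connection counter seen
    activations = Counter()  # "ip:port" -> times HW mode was activated
    for line in lines:
        m = EXCEEDED.search(line)
        if m:
            peak = max(peak, int(m.group(1)))
            thresholds[int(m.group(2))] += 1
            continue
        m = HW_MODE.search(line)
        if m:
            activations[m.group(1)] += 1
    return {
        "thresholds_exceeded": dict(thresholds),
        "peak_counter": peak,
        "hw_activations": dict(activations),
    }


# Constructed sample input: the prefix before each message is an assumption.
SAMPLE = [
    "Mar 21 10:00:01 bigip1 tmm: Syncookie embryonic connection counter 16385 exceeded sys threshold 16384",
    "Mar 21 10:00:01 bigip1 tmm: Syncookie HW mode activated, server = 192.0.2.10:443, HSB modId = 1",
    "Mar 21 10:00:05 bigip1 tmm: Pool member status changed",
    "Mar 21 10:02:40 bigip1 tmm: Syncookie embryonic connection counter 16390 exceeded sys threshold 16384",
    "Mar 21 10:02:40 bigip1 tmm: Syncookie HW mode activated, server = 192.0.2.10:443, HSB modId = 1",
    "Mar 21 10:03:12 bigip1 tmm: Syncookie HW mode activated, server = 198.51.100.7:80, HSB modId = 1",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Repeated activations for a DNAT destination, together with a threshold below the maximum, match the Conditions listed for this bug.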

Impact

Low number of connections per second and lower throughput performance.

Conditions

Using DNAT with SYN-Cookies enabled, or with a non-maximum value for the SYN-cookie threshold.

Workaround

There are three workarounds:
-- Use a different NAT method.
-- Disable SYN-cookies.
-- Increase the SYN-cookie threshold to the maximum value.

Fix Information

None

Behavior Change