Bug ID 666947: L2 Wire global syn cookie in HW floods SYN ACK packets to both the VLANs joined in an L2 VLAN group.

Last Modified: Nov 22, 2021

Bug Tracker

Affected Product: BIG-IP AFM (all modules)

Fixed In:
13.1.0

Opened: May 27, 2017
Severity: 3-Major

Symptoms

Ports in L2 mode have MAC learning disabled. Although the HSB should tell the switch which ingress port the SYN arrived on, it cannot do so in this release, so the SYN ACK is flooded to both VLANs in the L2 VLAN group. Only the client that actually sent the SYN accepts the SYN ACK; the copy delivered on the other interface carries a destination MAC address that does not belong to the host on that side of the port, so that host drops it.
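As an added illustration (not part of the bug record), the following Python script shows what the flood described above looks like on the wire and how to spot it in captured frames. The VLAN names, MAC addresses and the frame list are constructed sample data.

```python
from collections import Counter

# Constructed sample frames (not from the bug record): (vlan, src_mac, dst_mac, tcp_flags).
# A client on vlan10 sends a SYN through the L2-wired BIG-IP; the hardware SYN cookie
# answers with a SYN ACK that, with MAC learning disabled, is flooded to both VLANs.
FRAMES = [
    ("vlan10", "02:00:00:00:00:c1", "02:00:00:00:00:5e", "S"),   # client SYN
    ("vlan10", "02:00:00:00:00:5e", "02:00:00:00:00:c1", "SA"),  # SYN ACK, correct side
    ("vlan20", "02:00:00:00:00:5e", "02:00:00:00:00:c1", "SA"),  # flooded copy, wrong side
    ("vlan20", "02:00:00:00:00:d1", "02:00:00:00:00:5e", "S"),   # unrelated SYN on vlan20
    ("vlan20", "02:00:00:00:00:5e", "02:00:00:00:00:d1", "SA"),  # its legitimate SYN ACK
]

# Constructed inventory of which host MACs live behind each VLAN of the group.
HOSTS_BY_VLAN = {
    "vlan10": {"02:00:00:00:00:c1"},
    "vlan20": {"02:00:00:00:00:d1", "02:00:00:00:00:5e"},
}

def is_synack(flags):
    """True when both SYN and ACK flags are set."""
    return "S" in flags and "A" in flags

def find_spurious_synacks(frames, hosts_by_vlan):
    """Return SYN ACK frames seen on a VLAN where no host owns the destination MAC.
    The receiving host drops such a frame, but its presence reveals the flood."""
    return [f for f in frames
            if is_synack(f[3]) and f[2] not in hosts_by_vlan.get(f[0], set())]

def synack_summary(frames):
    """Per-VLAN (SYN count, SYN ACK count). SYN ACKs exceeding SYNs on a VLAN
    is the flooding pattern to watch for while a SYN attack is under way."""
    syns, synacks = Counter(), Counter()
    for vlan, _, _, flags in frames:
        if is_synack(flags):
            synacks[vlan] += 1
        elif flags == "S":
            syns[vlan] += 1
    return {v: (syns[v], synacks[v]) for v in set(syns) | set(synacks)}

if __name__ == "__main__":
    for frame in find_spurious_synacks(FRAMES, HOSTS_BY_VLAN):
        print("spurious SYN ACK:", frame)
    print(synack_summary(FRAMES))
```

In a real capture the frame tuples would come from a VLAN-tagged pcap and the host inventory from the switch's MAC table or a CMDB.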

Impact

Global syn-cookie does not work without a virtual server, even though other global DoS vectors do work without one. The system sends a spurious SYN ACK. There may or may not be any impact, because the spurious SYN ACK's destination MAC address will not match and the host should drop it. However, while a SYN attack is ongoing this can lead to flooding of SYN ACK packets.

Conditions

Whenever the AFM global SYN cookie is triggered in hardware.

Workaround

None.

Fix Information

None

Behavior Change