Bug ID 690316: Software syncookies are sent for FastL4 virtual server with software syncookies disabled

Last Modified: Jun 20, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1

Opened: Oct 24, 2017
Severity: 3-Major

Symptoms

If a virtual server using FastL4 is configured with software SYN cookies disabled and global hardware SYN cookies disabled using the pvasyncookies.enabled DB setting, then software SYN cookies may still be sent if a SYN flood occurs on the VIP. This can be observed by seeing that the virtual server went into syncookie mode in the LTM logfile.

Impact

The VIP enters SYN cookie mode.

Conditions

If the FastL4 profile has software-syn-cookie disabled, hardware-syn-cookie enabled, and the pvasyncookies.enabled db setting is set to false.

Workaround

Both hardware-syn-cookie and software-syn-cookie should be disabled in the FastL4 profile.

Fix Information

None

Behavior Change