Bug ID 691219: Hardware syncookie mode is used when global auto last hop is disabled.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Opened: Oct 27, 2017

Severity: 3-Major

Symptoms

When global auto last hop is disabled, for iSeries platforms (excluding i2xxx/i4xxx) and B4450 blades, hardware syncookie mode is used on SYN attack.

Impact

The virtual server can enter hardware syncookie mode, at which point responses will be routed using the incoming packet route. This can break configurations that are using asymmetric routing.

Conditions

Global autohop is disabled. This setting is controlled by the following DB variable: # tmsh list sys db connection.autolasthop sys db connection.autolasthop { value "disable" } The default setting is enable.

Workaround

Disable hardware syncookies by setting the following DB variable to false: tmsh modify sys db pvasyncookies.enabled value false

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips