Bug ID 691219: Hardware syncookie mode is used when global auto last hop is disabled.

Last Modified: Nov 22, 2021

Affected Product:
BIG-IP TMOS(all modules)

Opened: Oct 27, 2017
Severity: 3-Major

Symptoms

When global auto last hop is disabled, for iSeries platforms (excluding i2xxx/i4xxx) and B4450 blades, hardware syncookie mode is used on SYN attack.

Impact

The virtual server can enter hardware syncookie mode, at which point responses will be routed using the incoming packet route. This can break configurations that are using asymmetric routing.

Conditions

Global autohop is disabled. This setting is controlled by the following DB variable:

    # tmsh list sys db connection.autolasthop
    sys db connection.autolasthop {
        value "enable"
    }

The default setting is enable.

Workaround

Disable hardware syncookies using the following DB variable:

    # tmsh list sys db pvasyncookies.enabled
    sys db pvasyncookies.enabled {
        value "true"
    }

The default setting is true.
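To check whether a unit's settings match the Conditions and whether the Workaround is in place, the following added example (not F5 code) parses the `tmsh list sys db` output for both variables and prints a verdict. The function names, verdict strings and sample listings are constructed for illustration; the script treats any `connection.autolasthop` value other than "enable" as disabled and does not check the platform model.

```sh
#!/bin/sh
# Added example (not F5 code). Input: `tmsh list sys db <name>` output.
# On a device (commands as shown on this page):
#   { tmsh list sys db connection.autolasthop; \
#     tmsh list sys db pvasyncookies.enabled; } | check_691219

# Print the value of DB variable $1 found on stdin, or nothing if absent.
db_value() {
    awk -v name="$1" '{
        for (i = 1; i <= NF; i++) {
            if ($i == "db") cur = $(i + 1)
            if ($i == "value" && cur == name) {
                v = $(i + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# Read the listing of both variables on stdin and print one verdict:
#   unknown | not-affected | affected | workaround-applied
check_691219() (
    out=$(cat)
    alh=$(printf '%s\n' "$out" | db_value connection.autolasthop)
    pva=$(printf '%s\n' "$out" | db_value pvasyncookies.enabled)
    if [ -z "$alh" ] || [ -z "$pva" ]; then
        echo unknown                # a variable is missing from the input
    elif [ "$alh" = "enable" ]; then
        echo not-affected           # bug condition (auto last hop off) not met
    elif [ "$pva" = "true" ]; then
        echo affected               # auto last hop off, hardware syncookies on
    else
        echo workaround-applied     # auto last hop off, hardware syncookies off
    fi
)

# Constructed sample listings (not captured from a real device).
SAMPLE_DEFAULT='sys db connection.autolasthop {
    value "enable"
}
sys db pvasyncookies.enabled {
    value "true"
}'
SAMPLE_AFFECTED=$(printf '%s\n' "$SAMPLE_DEFAULT" | sed 's/"enable"/"disable"/')
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_AFFECTED" | sed 's/"true"/"false"/')

for s in "$SAMPLE_DEFAULT" "$SAMPLE_AFFECTED" "$SAMPLE_FIXED"; do
    printf '%s\n' "$s" | check_691219
done
```

An "affected" verdict is only meaningful on the platforms listed under Symptoms.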

Fix Information

None

Behavior Change