Bug ID 709186: VLAN SYN cookies go into constant activated/deactivated cycle

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.1.0

Opened: Mar 07, 2018

Severity: 4-Minor

Symptoms

When VLAN SYN cookies are enabled on the BIG-IP client-side VLAN, per-virtual-server SYN cookies are disabled, and a SYN flood is running, VLAN SYN cookies activate as expected, but the BIG-IP system then falls into a never-ending cycle of VLAN SYN cookies activating and deactivating.

Impact

The BIG-IP system does not stay in hardware SYN cookie mode, which diminishes the protection against the SYN flood.

Conditions

Hardware SYN cookies are enabled on a specific VLAN, and a SYN flood is run against that VLAN.

Workaround

Switch to VIP-based (per-virtual-server) SYN cookie protection.

Fix Information

The fix uses an estimated total per-VLAN SYN cookie generation count to decide when to exit per-VLAN SYN cookie mode globally. The PDE register only reports the SYN cookie count on the local PDE, so on a platform with many PDEs assigned to TMMs each per-PDE count is lower and can easily fall below the fixed global exit threshold, even while the flood is still running. Estimating the total SYN cookie count from the local count gives different platforms a similar exit condition.
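The following is an added illustrative model of the exit decision described above; it is not BIG-IP or F5 code. The entry and exit thresholds, the even spread of the flood across PDEs, and the estimator (local PDE count multiplied by the number of PDEs) are all assumptions chosen to make the oscillation and its fix visible, not values or logic taken from the product.

```python
"""Toy model of per-VLAN SYN cookie mode entry/exit on a multi-PDE platform.

Added example, not BIG-IP code. Assumptions (not from the bug page):
  - ENTER_THRESHOLD / EXIT_THRESHOLD values
  - the flood is spread evenly across all PDEs
  - entry is decided on the aggregate rate; exit reads one PDE's counter
  - the estimator is simply local_count * num_pdes
"""

ENTER_THRESHOLD = 16_000  # assumed: SYN cookies per interval needed to activate the mode
EXIT_THRESHOLD = 8_000    # assumed: fixed global threshold below which the mode is left


def estimate_total(local_count: int, num_pdes: int) -> int:
    """Assumed estimator: scale the single local PDE counter up to a platform total."""
    return local_count * num_pdes


def should_exit_local(local_count: int, exit_threshold: int = EXIT_THRESHOLD) -> bool:
    """Pre-fix decision: compare only the local PDE counter against the global threshold."""
    return local_count < exit_threshold


def should_exit_estimated(local_count: int, num_pdes: int,
                          exit_threshold: int = EXIT_THRESHOLD) -> bool:
    """Post-fix decision: compare the estimated platform-wide count against the threshold."""
    return estimate_total(local_count, num_pdes) < exit_threshold


def simulate(total_syn_rate: int, num_pdes: int, intervals: int,
             use_estimate: bool) -> list:
    """Return the SYN cookie mode state (True = active) at the end of each interval.

    The flood of total_syn_rate cookies/interval is assumed to be split evenly,
    so each PDE's register reports total_syn_rate // num_pdes.
    """
    local_count = total_syn_rate // num_pdes
    active = False
    states = []
    for _ in range(intervals):
        if not active:
            # Activation works as expected on the page: it sees the whole flood.
            if total_syn_rate >= ENTER_THRESHOLD:
                active = True
        else:
            exit_now = (should_exit_estimated(local_count, num_pdes)
                        if use_estimate else should_exit_local(local_count))
            if exit_now:
                active = False
        states.append(active)
    return states


def count_transitions(states: list) -> int:
    """Number of activate/deactivate flips in a state sequence (0 = stable)."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


if __name__ == "__main__":
    flood = 20_000  # constructed flood rate, above ENTER_THRESHOLD
    for pdes in (1, 4):
        for use_est in (False, True):
            s = simulate(flood, pdes, 6, use_est)
            print(f"pdes={pdes} estimate={use_est!s:5} states={s} "
                  f"flips={count_transitions(s)}")
```

With one PDE the local counter equals the platform total, so the old check is stable. With four PDEs each register reports 5,000, which is under the fixed 8,000 exit threshold even though 20,000 cookies per interval are being generated, so the pre-fix check exits, the next interval re-activates, and the mode flips every interval; the estimated total keeps the mode active for the whole flood.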

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips