Forum Discussion
Hi Juan,
The Syncookie messages are caused by too many ongoing 3-way TCP handshakes.
Unless you're hosting a very impressive application with a couple of ten-thousand new TCP sessions each second and/or with a huge network RTT latency, this is either an indicator that you're a victim of an ongoing TCP SYN flood attack or that your network/routing infrastructure is more or less asymmetrically connected, so that the initial TCP SYN packets can be received by your LTM, but the TCP handshake cannot complete successfully afterwards.
I think you have to use a network monitor to find out the source of the TCP SYN flood, to know the cause of the error messages. But keep in mind that the SRC-IPs of the received SYN packets may already be spoofed.
Note: The error message is more or less an informational message to show you that the F5 has switched from the regular TCP backlog-queue based session tracking behavior (requires RAM to track the individual connections) to a cryptographic tracking behavior (requires just CPU instead of RAM).
Cheers, Kai
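
A simplified illustration of the stateless, cryptographic tracking mentioned in the note above, added here as an example; it is not part of the original post and not F5's implementation. The cookie layout, `SECRET`, `SLOT_SECONDS` and all addresses are assumptions made for the sketch.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # assumption: real stacks use a random key
SLOT_SECONDS = 64                    # assumption: granularity of cookie lifetime


def _mac24(src, sport, dst, dport, client_isn, slot):
    """24-bit keyed hash over the connection 4-tuple, client ISN and time slot."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHII", sport, dport, client_isn, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def _cookie(src, sport, dst, dport, client_isn, slot):
    # Top 8 bits: time slot (mod 256). Low 24 bits: keyed hash.
    return ((slot & 0xFF) << 24) | _mac24(src, sport, dst, dport, client_isn, slot)


def make_cookie(src, sport, dst, dport, client_isn, now):
    """Server ISN to send in the SYN-ACK. Nothing is stored per connection."""
    return _cookie(src, sport, dst, dport, client_isn, int(now) // SLOT_SECONDS)


def check_ack(src, sport, dst, dport, client_isn, ack_number, now):
    """Validate the final ACK of the handshake by recomputing the cookie.

    client_isn is recovered from the ACK itself (its sequence number minus 1),
    so the server needs CPU for the hash but no backlog-queue entry in RAM.
    """
    echoed = (ack_number - 1) & 0xFFFFFFFF
    slot_now = int(now) // SLOT_SECONDS
    for slot in (slot_now, slot_now - 1):  # accept current and previous slot
        if slot < 0:
            continue
        expected = _cookie(src, sport, dst, dport, client_isn, slot)
        if hmac.compare_digest(expected.to_bytes(4, "big"), echoed.to_bytes(4, "big")):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample handshake (documentation address ranges).
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443, 12345)
    isn = make_cookie(*conn, now=1000)
    print("SYN-ACK ISN:", hex(isn))
    print("valid ACK accepted:", check_ack(*conn, (isn + 1) & 0xFFFFFFFF, now=1010))
    print("stale ACK accepted:", check_ack(*conn, (isn + 1) & 0xFFFFFFFF, now=1200))
```

A SYN from a spoofed source never produces a matching ACK, so it costs the server one hash computation and no memory.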