Juan_Ojeda_2939
Dec 15, 2016

Syncookie threshold 16384 exceeded

Friends: I am receiving quite a few "Syncookie threshold" logs. According to the literature I found, this value can be modified, but it does not say why. The strange thing is that most of the logs affect the self IP.

Dec 11 00:00:57 lbsm1 warning tmm2[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:05 lbsm1 warning tmm2[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:08 lbsm1 warning tmm3[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:16 lbsm1 warning tmm3[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:26 lbsm1 warning tmm2[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:28 lbsm1 notice tmm3[10924]: 01010241:5: Syncookie HW mode exited, server = X.X.X.X:4900, HSB modId = 1 from HSB
Dec 11 00:01:29 lbsm1 warning tmm1[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:4900
Dec 11 00:01:30 lbsm1 notice tmm1[10924]: 01010240:5: Syncookie HW mode activated, server = X.X.X.X:4900, HSB modId = 1
Dec 11 00:01:37 lbsm1 warning tmm3[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:39 lbsm1 warning tmm[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:47 lbsm1 warning tmm1[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:58 lbsm1 notice tmm1[10924]: 01010241:5: Syncookie HW mode exited, server = X.X.X.X:4900, HSB modId = 1 from HSB
Dec 11 00:01:58 lbsm1 warning tmm2[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:58 lbsm1 warning tmm2[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:4900

Can you give me a hand!! Thank you!!

 

1 Reply

  • Hi Juan,

    The Syncookie messages are caused by too many ongoing 3-way TCP handshakes.

    Unless you're hosting a very impressive application with a couple of ten thousand new TCP sessions each second and/or with a huge network RTT latency, this is either an indicator that you're a victim of an ongoing TCP SYN flood attack or that your network/routing infrastructure is more or less asymmetrically connected, so that the initial TCP SYN packets can be received by your LTM, but the TCP handshake cannot complete successfully afterwards.

    I think you have to use a network monitor to find out the source of the TCP SYN flood, to know the cause of the error messages. But keep in mind that the SRC IPs of the received SYN packets may already be spoofed.

    Note: The error message is more or less an informational message to show you that the F5 has switched from the regular TCP backlog-queue based session tracking behavior (requires RAM to track the individual connections) to a cryptographic tracking behavior (requires just CPU instead of RAM).

    Cheers, Kai
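
As a first triage step before reaching for a network monitor, the syncookie messages themselves can be grouped by destination, minute and TMM, with the hardware-mode transitions counted alongside. The script below is an added example, not part of the original thread and not F5 code; `summarize` is a hypothetical helper, and the sample lines are copied from the question (addresses masked as posted).

```python
import re
from collections import Counter, defaultdict

# Log lines copied from the question above (addresses are masked as X.X.X.X there).
SAMPLE = """\
Dec 11 00:00:57 lbsm1 warning tmm2[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:28 lbsm1 notice tmm3[10924]: 01010241:5: Syncookie HW mode exited, server = X.X.X.X:4900, HSB modId = 1 from HSB
Dec 11 00:01:29 lbsm1 warning tmm1[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:4900
Dec 11 00:01:30 lbsm1 notice tmm1[10924]: 01010240:5: Syncookie HW mode activated, server = X.X.X.X:4900, HSB modId = 1
Dec 11 00:01:37 lbsm1 warning tmm3[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:443
Dec 11 00:01:58 lbsm1 notice tmm1[10924]: 01010241:5: Syncookie HW mode exited, server = X.X.X.X:4900, HSB modId = 1 from HSB
Dec 11 00:01:58 lbsm1 warning tmm2[10924]: 01010038:4: Syncookie threshold 16384 exceeded, virtual = X.X.X.X:4900
"""

# Timestamp is captured to minute resolution; dst is the virtual/server address:port.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ \w+ (?P<tmm>tmm\d*)\[\d+\]: "
    r"(?P<code>0101(?:0038|0240|0241)):\d: Syncookie .+?, "
    r"(?:virtual|server) = (?P<dst>[^,\s]+)")

def summarize(text):
    """Per destination: threshold hits, hits per minute, TMMs involved, HW-mode flaps."""
    stats = defaultdict(lambda: {"hits": 0, "per_minute": Counter(),
                                 "tmms": set(), "hw_on": 0, "hw_off": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                     # not one of the three syncookie messages
        s = stats[m["dst"]]
        if m["code"] == "01010038":      # threshold exceeded
            s["hits"] += 1
            s["per_minute"][m["ts"]] += 1
            s["tmms"].add(m["tmm"])
        elif m["code"] == "01010240":    # HW mode activated
            s["hw_on"] += 1
        else:                            # 01010241: HW mode exited
            s["hw_off"] += 1
    return dict(stats)

if __name__ == "__main__":
    for dst, s in sorted(summarize(SAMPLE).items()):
        print(f"{dst}: {s['hits']} threshold hits on {sorted(s['tmms'])}, "
              f"HW mode on/off {s['hw_on']}/{s['hw_off']}, "
              f"busiest minute {s['per_minute'].most_common(1)}")
```

A destination that repeatedly enters and leaves hardware mode, or whose per-minute hits stay high across several TMMs, is the one to capture traffic for first.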