Forum Discussion

Amit585731
Oct 29, 2015

Regarding SYN flood attack

Hi ALL,

We are seeing the SYN Cookie threshold being exceeded on the LTM, while I think we are not seeing such a huge number of connections from the source that it could cross the threshold limit of 16,384...

Internal warning tmm[13131]: 01010038:4: Syncookie threshold 2607 exceeded, virtual = :80
Internal notice tmm[13131]: 01010240:5: Syncookie HW mode activated, server = :80, HSB modId = 1
Internal notice tmm[13131]: 01010241:5: Syncookie HW mode exited, server = :80, HSB modId = 1 from HSB

Also, while I am trying the command 'show sys connection' on the LTM, I am not seeing that huge number of connections.

Also, I just wanted to confirm one piece of information regarding 'show sys connection': what is the 186 value? Is this the number of connections generated by the client? Can one client send 186 TCP connections?

:54838 :80 :54838 :39081 tcp 186

Thanks
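As an added example (not from this thread or from F5), a small parser that tallies the three syncookie message IDs quoted above per virtual server and reports which servers are still in hardware SYN cookie mode. The sample lines are constructed with placeholder addresses, since the post's own lines have the IPs stripped.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the tmm messages quoted in the post.
# Addresses are placeholders (the original lines show only ":80").
SAMPLE_LOG = """\
Oct 29 10:01:02 lb1 warning tmm[13131]: 01010038:4: Syncookie threshold 2607 exceeded, virtual = 10.0.0.5:80
Oct 29 10:01:03 lb1 notice tmm[13131]: 01010240:5: Syncookie HW mode activated, server = 10.0.0.5:80, HSB modId = 1
Oct 29 10:01:09 lb1 notice tmm[13131]: 01010241:5: Syncookie HW mode exited, server = 10.0.0.5:80, HSB modId = 1 from HSB
Oct 29 10:05:41 lb1 warning tmm[13131]: 01010038:4: Syncookie threshold 2607 exceeded, virtual = 10.0.0.5:80
Oct 29 10:05:42 lb1 notice tmm[13131]: 01010240:5: Syncookie HW mode activated, server = 10.0.0.5:80, HSB modId = 1
Oct 29 10:07:00 lb1 warning tmm[13131]: 01010038:4: Syncookie threshold 2607 exceeded, virtual = 10.0.0.9:443
"""

# Message IDs exactly as they appear in the post's log excerpt.
THRESHOLD_RE = re.compile(r"01010038:\d: Syncookie threshold (\d+) exceeded, virtual = ([^\s,]+)")
HW_ACTIVATE_RE = re.compile(r"01010240:\d: Syncookie HW mode activated, server = ([^\s,]+)")
HW_EXIT_RE = re.compile(r"01010241:\d: Syncookie HW mode exited, server = ([^\s,]+)")


def summarize_syncookie_events(log_text):
    """Per virtual server: threshold crossings, HW mode activations/exits, last threshold seen."""
    stats = defaultdict(lambda: {"threshold_exceeded": 0, "hw_activated": 0,
                                 "hw_exited": 0, "threshold": None})
    for line in log_text.splitlines():
        m = THRESHOLD_RE.search(line)
        if m:
            entry = stats[m.group(2)]
            entry["threshold_exceeded"] += 1
            entry["threshold"] = int(m.group(1))
            continue
        m = HW_ACTIVATE_RE.search(line)
        if m:
            stats[m.group(1)]["hw_activated"] += 1
            continue
        m = HW_EXIT_RE.search(line)
        if m:
            stats[m.group(1)]["hw_exited"] += 1
    return dict(stats)


def hw_mode_currently_active(stats):
    """Virtual servers with more HW mode activations than exits, i.e. still in HW mode."""
    return sorted(vs for vs, s in stats.items() if s["hw_activated"] > s["hw_exited"])


if __name__ == "__main__":
    summary = summarize_syncookie_events(SAMPLE_LOG)
    for vs, s in sorted(summary.items()):
        print(vs, s)
    print("still in HW syncookie mode:", hw_mode_currently_active(summary))
```

Comparing the per-server counts with what 'show sys connection' reports, as the post does, is a quick way to see whether a threshold crossing matches a real connection surge or not.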

14 Replies

  • I don't think there is a SOL for it in the wild, but you need to turn off hardware SYN cookie protection for network virtual servers. It doesn't behave properly when turned on for anything other than a /32 destination virtual server. We had many problems with this last year and our local FSE finally confirmed it and sent out a newsletter detailing that it should be turned off. Software SYN cookie protection should get you by for those network VIPs. If not, contact your local F5 team. As soon as you disable hardware SYN cookie in the TCP/FastL4 profile attached to the VS you should see things get better.

    • Brad_Parker_139
      PS this is only an issue on platforms that can do hardware SYN cookie in their PVA cards. 5000s+ and Viprion.
    • Brad_Parker_139
      What usually triggers this erroneous behavior are packet drops up stream.
    • Amit585731
      Thanks Brad. Yes, because we continued to see the issue continually, we have already disabled SYN Cookie and enabled Software Cookie globally.