Forum Discussion

Dave_24602
Aug 19, 2009

BigIP icmp packet drop thresholds....

Hello All,

I was wondering if there's a way to raise the icmp packet drop thresholds within the BigIP, maybe via a DB variable?

You see, I have a client that has a backend application heavily dependent on ping to verify availability of services. They currently have 3400's and are sometimes running in the high 600 to 800 Meg of aggregate throughput traffic. We have dumps showing the selective packet dropping via the BigIP for icmp packets while the tcp and udp packets are not affected. Talking with F5 support, we have found that icmp takes lower priority and in near-congested environments will be selectively discarded.

I'd like to know if there are db variables that could be used to increase this threshold.

Also, I have looked into packet filtering and rate shaping, but have found a way to classify and prioritize icmp traffic. If anyone has any ideas, please let me know.

Many Thanks

Dave
  • Hello Dave,

    Not sure how useful this will be, but I dug it up from a previous case I worked on; might be relevant:

    BigDB settings

    * The TM.MaxRejectRate BigDB key can reduce the effects of a denial of service attack by allowing you to limit the number of TCP RSTs or ICMP unreachable packets that the BIG-IP sends in response to incoming connections that cannot be matched with virtual server connections.

    Note: For more information, refer to SOL9259: Limiting the rate at which the BIG-IP system issues TCP RSTs or ICMP unreachable packets.

    https://support.f5.com/kb/en-us/solutions/public/9000/200/sol9259.html

    * The TM.MaxICMPRate BigDB key can reduce the effects of a denial of service attack by allowing you to limit the number of responses the BIG-IP LTM will send for ICMP errors and ICMP unreachable events.

    Note: For more information, refer to SOL7113: Limiting responses from BIG-IP LTM for ICMP errors and ICMP Unreachable events.

    https://support.f5.com/kb/en-us/solutions/public/7000/100/sol7113.html