Forum Discussion

Nimbostratus

Dec 15, 2016

Syncookie threshold 16384 exceeded

Friends: I am receiving quite a few "Syncookie threshold" logs, according to the literature that finds this value can be modified but does not say why. The strange thing is that most of the logs affe...

LTM

security

Kai_Wilke

MVP

Dec 15, 2016

Hi Juan,

the Syncookie messages are caused by too much ongoing 3-way TCP-handshakes.

Unless you're hosting a very impressive application with a couple ten-thousand new TCP-sessions each second and/or with a huge network RRT latency, this is either a indicator that you're a victim of an ongoing TCP-SynFlood attack or that your network/routing infrastructure is more or less asymetric connected, so that the initial TCP-SYN packets can be received by your LTM, but the TCP-Handshake cannot complete successfully after.

I think you have to use a network monitor to find out the source of the TCP-SYN flood, to know the cause of the error messages. But keep in mind, that the SRC-IPs of the received SYN packets may be already spoofed.

Note: The error message is more or less a informational message to display you that the F5 has switched from the regular TCP backlog-queue based session tracking behavior (required RAM to track the individual connections) to a cryptografic tracking behavior (requires just CPU instead of RAM)

Cheers, Kai

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Syncookie threshold 16384 exceeded

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

[ASM] : SQL-INJ "end-quote UNION" - How to allow this signature to specific url/uri/parameter only

[ASM] - How to disable the SQL injection attack signatures

[ASM] : "Request length exceeds defined buffer size " - How to increase the limit ?

Help with SSH Virtual Server

ASM allow specific url from outside country of geolocation ON

Related Content

Explanation of F5 DDoS threshold modes

Syncookie threshold 2999 exceeded

About memory threshold setting

log rate exceeded error

Syncookie threshold 1994 exceeded

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS