Forum Discussion
NiHo_202842
Cirrostratus
May 29, 2015
What are reasons for the Software Syn Cookie counter increasing?
We are seeing a (slow) increase in the rejected Software SYN Cookie counter on one of our virtual servers.
Strange, as we never max out our connections. Any reasons why this could be happening?
nitass_89166
Noctilucent
May 31, 2015
There is a bug about spurious ACKs which will increase the software SYN cookie rejected counter. You may open a support case to verify.
ID505089 Spurious ACKs result in SYN cookie rejected stat increment
e.g.
before
[root@ve11a:Active:In Sync] config date; tmsh show ltm virtual bar
Sun May 31 18:35:25 SGT 2015
------------------------------------------------------------------
Ltm::Virtual Server: bar
------------------------------------------------------------------
Status
Availability : unknown
State : enabled
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
CMP : enabled
CMP Mode : all-cpus
Destination : 172.28.24.10:80
Traffic ClientSide Ephemeral General
Bits In 0 0 -
Bits Out 0 0 -
Packets In 0 0 -
Packets Out 0 0 -
Current Connections 0 0 -
Maximum Connections 0 0 -
Total Connections 0 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 0
Max Conn Duration/msec - - 0
Mean Conn Duration/msec - - 0
Total Requests - - 0
SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0
CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0
spurious ack
[root@centos1 ~] date; hping 172.28.24.10 -p 80 -A -c 5
Sun May 31 18:27:44 SGT 2015
HPING 172.28.24.10 (eth0 172.28.24.10): A set, 40 headers + 0 data bytes
len=46 ip=172.28.24.10 ttl=255 DF id=11968 sport=80 flags=RA seq=0 win=0 rtt=72.0 ms
len=46 ip=172.28.24.10 ttl=255 DF id=55232 sport=80 flags=RA seq=1 win=0 rtt=1.6 ms
len=46 ip=172.28.24.10 ttl=255 DF id=11981 sport=80 flags=RA seq=2 win=0 rtt=1.5 ms
len=46 ip=172.28.24.10 ttl=255 DF id=55241 sport=80 flags=RA seq=3 win=0 rtt=1.9 ms
len=46 ip=172.28.24.10 ttl=255 DF id=11990 sport=80 flags=RA seq=4 win=0 rtt=1.6 ms
--- 172.28.24.10 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.5/15.7/72.0 ms
after
[root@ve11a:Active:In Sync] config date; tmsh show ltm virtual bar
Sun May 31 18:36:19 SGT 2015
------------------------------------------------------------------
Ltm::Virtual Server: bar
------------------------------------------------------------------
Status
Availability : unknown
State : enabled
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
CMP : enabled
CMP Mode : all-cpus
Destination : 172.28.24.10:80
Traffic ClientSide Ephemeral General
Bits In 0 0 -
Bits Out 0 0 -
Packets In 0 0 -
Packets Out 0 0 -
Current Connections 0 0 -
Maximum Connections 0 0 -
Total Connections 0 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 0
Max Conn Duration/msec - - 0
Mean Conn Duration/msec - - 0
Total Requests - - 0
SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 5
Total Hardware 0
Total Hardware Accepted 0
CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0
- NiHo_202842
Cirrostratus
Jun 01, 2015
Ahh. That might indeed be the case. I opened up a case just to be sure. Thank you!
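A triage sketch for the before/after comparison shown in the answer above, added here as an example and not code from the thread or from F5. It assumes counters print as plain integers as in the thread's output, and the rule that rejects with cookie mode not activated and no cookies counted match the spurious-ACK pattern is an assumption drawn from that output; the function names and labels are hypothetical.

```python
import re

# Counters in the "SYN Cookies" block of `tmsh show ltm virtual <name>`.
FIELDS = ("Current SYN Cache", "SYN Cache Overflow", "Total Software",
          "Total Software Accepted", "Total Software Rejected")

def parse_syn_stats(text):
    """Return the SYN cookie status and integer counters from one snapshot."""
    stats = {}
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Status\s+(\S+)$", line)  # skips the bare "Status" header
        if m:
            stats["Status"] = m.group(1)
        for name in FIELDS:
            m = re.match(re.escape(name) + r"\s+(\d+)$", line)
            if m:
                stats[name] = int(m.group(1))
    return stats

def classify(before, after):
    """Label the change between two snapshots of the same virtual server."""
    delta = {k: after[k] - before[k] for k in FIELDS}
    if delta["Total Software Rejected"] <= 0:
        return "no-new-rejects", delta
    # Assumption: if SYN cookie mode never activated, no cookies were counted
    # and the SYN cache never overflowed, the rejects are stray ACKs.
    quiet = (after["Status"] == "not-activated" and delta["Total Software"] == 0
             and delta["SYN Cache Overflow"] == 0)
    return ("spurious-ack-pattern" if quiet else "investigate-syn-load"), delta

# Constructed snapshots, abridged from the output format shown in the thread.
BEFORE = """\
Status
SYN Cookies
  Status not-activated
  Current SYN Cache 0
  SYN Cache Overflow 0
  Total Software 0
  Total Software Accepted 0
  Total Software Rejected 0
"""
AFTER = BEFORE.replace("Total Software Rejected 0", "Total Software Rejected 5")
# Constructed contrast case: cookie mode active and cookies being counted.
FLOOD = (AFTER.replace("not-activated", "full-software")
              .replace("Total Software 0", "Total Software 900"))

if __name__ == "__main__":
    for snap in (AFTER, FLOOD):
        print(classify(parse_syn_stats(BEFORE), parse_syn_stats(snap)))
```
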
