Forum Discussion

cjunior
Nacreous
May 10, 2017

ASM DoS L7 TPS-based Detection issue

Hi, I'm facing an issue when a suspicious source IP reaches the threshold defined on a DoS profile.


The expected behavior is that the profile rate limits the connections from suspicious origins. No other settings (Geo, URL, hurl, device) are set to block or rate limit.


But the ASM DoS is dropping all connections, even from the non-suspicious source IP addresses. When trying to perform a request to a site, we get a protocol error or a request timeout.


The BIG-IP ASM license has a 200Mbps throughput limit; this is what I suspected in my initial troubleshooting.


But the strange thing is that all other virtual servers on this same unit that don't have DoS profiles attached keep working normally during the attack prevention, so I need to discard the throughput limit altogether.


Plus, when DoS is in transparent mode, the detection keeps logging suspicious IPs with TPS-based reached values, and no problem occurs; so it is only when DoS is in blocking mode that everything stops working at the virtual server with that profile, taking down just one web site. And if we change to transparent mode during the attack, the site comes up again.


I have an open ticket, but no one has been able to help me since a week ago.


From the TCP "Record Traffic", I can see many "Dup ACK", retransmissions and a few IP fragments, which means to me an ACK storm or something really wrong on the network.


In a lab, I got a license with a 25Mbps limit and tried to simulate high throughput consumption and a DoS attack. My LTM warned about the throughput limit being reached, and DoS detected the suspicious traffic. So, it started blocking just the suspicious source IPs, working as expected, which confused me a lot.


Does anyone have any idea about this?


Has anyone faced this same issue?


Thanks in advance.

