Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

K36155089 in the wild?

Go to solution
ChristianH
Nimbostratus
Nimbostratus

‎28-Jun-2022 15:24

Does anyone have experience identifying K36155089 and / or know the impacts of this bug? We're supposedly affected and I'd like to see if anyone has experience with it and also if they know they performance impacts that the workaround causes?

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Dario_Garrido
MVP
MVP

‎29-Jun-2022 00:36

Hello ChristianH.

If your fastL4 is configured as:

  • PVA Acceleration: Full.
  • Offload State: SYN

Then you should be affected by the mentioned bug. That means that all the embryonic sessions (TCP-Half Open) will be removed from the connections table using the "Idle Timeout" counter instead of the "TCP Handshake Timeout" (which is more restrictive than the "Idle Timeout" counter).

  • Idle Timeout: 300 sec
  • TCP Handshake Timeout: 5 sec

Then, those connections (TCP Half-Open) will be remaining in the connection table for more time than expected.

The workaround KB states to change the Offload State from SYN to EST. That means using PVA after the connection is established.

|-----------> SYN >-----------| >> HW Offloading using SYN
|---------< SYN-ACK <---------|
|-----------> ACK >-----------|
|---> REST OF THE TRAFFIC >---| >> HW Offloading using EST

 That means that the TCP Handshake will be done using CPU instead of HW (a bit of CPU higher than using HW).

You could think about this set could be vulnerable to DoS attacks. But thanks to the SYN Cookie protection (by default), your system should be protected.
REFhttps://support.f5.com/csp/article/K74451051

 

Regards,
Dario.

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
Dario_Garrido
MVP
MVP

‎29-Jun-2022 00:36

Hello ChristianH.

If your fastL4 is configured as:

  • PVA Acceleration: Full.
  • Offload State: SYN

Then you should be affected by the mentioned bug. That means that all the embryonic sessions (TCP-Half Open) will be removed from the connections table using the "Idle Timeout" counter instead of the "TCP Handshake Timeout" (which is more restrictive than the "Idle Timeout" counter).

  • Idle Timeout: 300 sec
  • TCP Handshake Timeout: 5 sec

Then, those connections (TCP Half-Open) will be remaining in the connection table for more time than expected.

The workaround KB states to change the Offload State from SYN to EST. That means using PVA after the connection is established.

|-----------> SYN >-----------| >> HW Offloading using SYN
|---------< SYN-ACK <---------|
|-----------> ACK >-----------|
|---> REST OF THE TRAFFIC >---| >> HW Offloading using EST

 That means that the TCP Handshake will be done using CPU instead of HW (a bit of CPU higher than using HW).

You could think about this set could be vulnerable to DoS attacks. But thanks to the SYN Cookie protection (by default), your system should be protected.
REFhttps://support.f5.com/csp/article/K74451051

 

Regards,
Dario.
0 Kudos

Go to solution
ChristianH
Nimbostratus
Nimbostratus
In response to Dario_Garrido

‎29-Jun-2022 06:32

Beautifully explained, thank you!

0 Kudos

Go to solution
Dario_Garrido
MVP
MVP
In response to Smith845

‎29-Jun-2022 05:44

Hello Smith845,

There is no solution beyond the workaround.

 

Regards,
Dario.
0 Kudos
Copyright © 2023 Khoros, LLC