NiHo_202842
May 29, 2015
Cirrostratus
Solved
What are reasons for the Software SYN Cookie counter increasing?
We are seeing a (slow) increase in the rejected Software SYN Cookie counter on one of our virtual servers.
Strange, as we never max out our connections. Any reasons why this could be happening?
...
- May 31, 2015
There is a bug about spurious ACK which will increase the software SYN cookie rejected counter. You may open a support case to verify.
ID505089 Spurious ACKs result in SYN cookie rejected stat increment
e.g.
before

[root@ve11a:Active:In Sync] config date; tmsh show ltm virtual bar
Sun May 31 18:35:25 SGT 2015

------------------------------------------------------------------
Ltm::Virtual Server: bar
------------------------------------------------------------------
Status
  Availability : unknown
  State        : enabled
  Reason       : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
  CMP          : enabled
  CMP Mode     : all-cpus
  Destination  : 172.28.24.10:80

Traffic                     ClientSide  Ephemeral  General
  Bits In                            0          0        -
  Bits Out                           0          0        -
  Packets In                         0          0        -
  Packets Out                        0          0        -
  Current Connections                0          0        -
  Maximum Connections                0          0        -
  Total Connections                  0          0        -
  Evicted Connections                0          0        -
  Slow Connections Killed            0          0        -
  Min Conn Duration/msec             -          -        0
  Max Conn Duration/msec             -          -        0
  Mean Conn Duration/msec            -          -        0
  Total Requests                     -          -        0

SYN Cookies
  Status                           not-activated
  Hardware SYN Cookie Instances    0
  Software SYN Cookie Instances    0
  Current SYN Cache                0
  SYN Cache Overflow               0
  Total Software                   0
  Total Software Accepted          0
  Total Software Rejected          0
  Total Hardware                   0
  Total Hardware Accepted          0

CPU Usage Ratio (%)
  Last 5 Seconds    0
  Last 1 Minute     0
  Last 5 Minutes    0

spurious ack

[root@centos1 ~] date; hping 172.28.24.10 -p 80 -A -c 5
Sun May 31 18:27:44 SGT 2015
HPING 172.28.24.10 (eth0 172.28.24.10): A set, 40 headers + 0 data bytes
len=46 ip=172.28.24.10 ttl=255 DF id=11968 sport=80 flags=RA seq=0 win=0 rtt=72.0 ms
len=46 ip=172.28.24.10 ttl=255 DF id=55232 sport=80 flags=RA seq=1 win=0 rtt=1.6 ms
len=46 ip=172.28.24.10 ttl=255 DF id=11981 sport=80 flags=RA seq=2 win=0 rtt=1.5 ms
len=46 ip=172.28.24.10 ttl=255 DF id=55241 sport=80 flags=RA seq=3 win=0 rtt=1.9 ms
len=46 ip=172.28.24.10 ttl=255 DF id=11990 sport=80 flags=RA seq=4 win=0 rtt=1.6 ms

--- 172.28.24.10 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.5/15.7/72.0 ms

after

[root@ve11a:Active:In Sync] config date; tmsh show ltm virtual bar
Sun May 31 18:36:19 SGT 2015

------------------------------------------------------------------
Ltm::Virtual Server: bar
------------------------------------------------------------------
Status
  Availability : unknown
  State        : enabled
  Reason       : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
  CMP          : enabled
  CMP Mode     : all-cpus
  Destination  : 172.28.24.10:80

Traffic                     ClientSide  Ephemeral  General
  Bits In                            0          0        -
  Bits Out                           0          0        -
  Packets In                         0          0        -
  Packets Out                        0          0        -
  Current Connections                0          0        -
  Maximum Connections                0          0        -
  Total Connections                  0          0        -
  Evicted Connections                0          0        -
  Slow Connections Killed            0          0        -
  Min Conn Duration/msec             -          -        0
  Max Conn Duration/msec             -          -        0
  Mean Conn Duration/msec            -          -        0
  Total Requests                     -          -        0

SYN Cookies
  Status                           not-activated
  Hardware SYN Cookie Instances    0
  Software SYN Cookie Instances    0
  Current SYN Cache                0
  SYN Cache Overflow               0
  Total Software                   0
  Total Software Accepted          0
  Total Software Rejected          5
  Total Hardware                   0
  Total Hardware Accepted          0

CPU Usage Ratio (%)
  Last 5 Seconds    0
  Last 1 Minute     0
  Last 5 Minutes    0
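
The before/after comparison above can be automated when triaging this counter. The following is an added example, not part of the original posts and not F5 tooling: it parses the SYN Cookies block of two `tmsh show ltm virtual` snapshots and flags the pattern seen in this thread. The function names, labels and the heuristic itself are assumptions drawn from the output shown here.

```python
import re

# Counters in the "SYN Cookies" block of `tmsh show ltm virtual <name>`.
COUNTERS = ("SYN Cache Overflow", "Total Software",
            "Total Software Accepted", "Total Software Rejected")

def parse_syn_stats(text):
    """Return SYN cookie status and counters from one tmsh snapshot.
    Assumes counters are printed as plain integers."""
    m = re.search(r"^[ \t]*Status[ \t]+(\S+)[ \t]*$", text, re.M)
    if not m:
        raise ValueError("SYN Cookies status line not found")
    stats = {"Status": m.group(1)}
    for name in COUNTERS:
        m = re.search(rf"^[ \t]*{re.escape(name)}[ \t]+(\d+)[ \t]*$", text, re.M)
        if not m:
            raise ValueError(f"counter not found: {name}")
        stats[name] = int(m.group(1))
    return stats

def classify(before, after):
    """Compare two snapshots and label an increase in rejected cookies."""
    b, a = parse_syn_stats(before), parse_syn_stats(after)
    delta = {name: a[name] - b[name] for name in COUNTERS}
    if delta["Total Software Rejected"] <= 0:
        return "no-increase", delta
    # Heuristic, an assumption taken from the thread's output: rejections
    # rise while SYN cookies were never activated, none were issued and the
    # SYN cache never overflowed, so no real cookie could have been rejected.
    quiet = (a["Status"] == "not-activated"
             and delta["Total Software"] == 0
             and delta["SYN Cache Overflow"] == 0)
    return ("likely-spurious-ack" if quiet else "syn-cookie-activity"), delta

# Constructed samples: SYN Cookies block trimmed from the thread's output.
TEMPLATE = """SYN Cookies
  Status                          {status}
  Current SYN Cache               0
  SYN Cache Overflow              {overflow}
  Total Software                  {total}
  Total Software Accepted         {accepted}
  Total Software Rejected         {rejected}
"""
BEFORE = TEMPLATE.format(status="not-activated", overflow=0, total=0, accepted=0, rejected=0)
AFTER = TEMPLATE.format(status="not-activated", overflow=0, total=0, accepted=0, rejected=5)

if __name__ == "__main__":
    print(classify(BEFORE, AFTER))
```

A "likely-spurious-ack" result is only a triage hint; confirming ID505089 still requires the support case suggested in the answer.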