Forum Discussion

NiHo_202842
May 29, 2015
Solved

What are reasons for the Software SYN Cookie counter increasing?

We are seeing a (slow) increase in the rejected Software SYN Cookie counter on one of our virtual servers. Strange, as we never max out our connections. Any reasons why this could be happening?

Edit: Syncookie status is off for the respective virtual server.

Edit 2: I reset the counters, and rejected has risen to 16 again.

  • There is a bug about spurious ACKs which will increase the software SYN cookie rejected counter. You may open a support case to verify.

    ID505089 Spurious ACKs result in SYN cookie rejected stat increment

    e.g.

     before
    
    [root@ve11a:Active:In Sync] config  date; tmsh show ltm virtual bar
    Sun May 31 18:35:25 SGT 2015
    
    ------------------------------------------------------------------
    Ltm::Virtual Server: bar
    ------------------------------------------------------------------
    Status
      Availability     : unknown
      State            : enabled
      Reason           : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
      CMP              : enabled
      CMP Mode         : all-cpus
      Destination      : 172.28.24.10:80
    
    Traffic                             ClientSide  Ephemeral  General
      Bits In                                    0          0        -
      Bits Out                                   0          0        -
      Packets In                                 0          0        -
      Packets Out                                0          0        -
      Current Connections                        0          0        -
      Maximum Connections                        0          0        -
      Total Connections                          0          0        -
      Evicted Connections                        0          0        -
      Slow Connections Killed                    0          0        -
      Min Conn Duration/msec                     -          -        0
      Max Conn Duration/msec                     -          -        0
      Mean Conn Duration/msec                    -          -        0
      Total Requests                             -          -        0
    
    SYN Cookies
      Status                         not-activated
      Hardware SYN Cookie Instances              0
      Software SYN Cookie Instances              0
      Current SYN Cache                          0
      SYN Cache Overflow                         0
      Total Software                             0
      Total Software Accepted                    0
      Total Software Rejected                    0
      Total Hardware                             0
      Total Hardware Accepted                    0
    
    CPU Usage Ratio (%)
      Last 5 Seconds                             0
      Last 1 Minute                              0
      Last 5 Minutes                             0
    
     spurious ack
    
    [root@centos1 ~] date; hping 172.28.24.10 -p 80 -A -c 5
    Sun May 31 18:27:44 SGT 2015
    HPING 172.28.24.10 (eth0 172.28.24.10): A set, 40 headers + 0 data bytes
    len=46 ip=172.28.24.10 ttl=255 DF id=11968 sport=80 flags=RA seq=0 win=0 rtt=72.0 ms
    len=46 ip=172.28.24.10 ttl=255 DF id=55232 sport=80 flags=RA seq=1 win=0 rtt=1.6 ms
    len=46 ip=172.28.24.10 ttl=255 DF id=11981 sport=80 flags=RA seq=2 win=0 rtt=1.5 ms
    len=46 ip=172.28.24.10 ttl=255 DF id=55241 sport=80 flags=RA seq=3 win=0 rtt=1.9 ms
    len=46 ip=172.28.24.10 ttl=255 DF id=11990 sport=80 flags=RA seq=4 win=0 rtt=1.6 ms
    
    --- 172.28.24.10 hping statistic ---
    5 packets tramitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 1.5/15.7/72.0 ms
    
     after
    
    [root@ve11a:Active:In Sync] config  date; tmsh show ltm virtual bar
    Sun May 31 18:36:19 SGT 2015
    
    ------------------------------------------------------------------
    Ltm::Virtual Server: bar
    ------------------------------------------------------------------
    Status
      Availability     : unknown
      State            : enabled
      Reason           : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
      CMP              : enabled
      CMP Mode         : all-cpus
      Destination      : 172.28.24.10:80
    
    Traffic                             ClientSide  Ephemeral  General
      Bits In                                    0          0        -
      Bits Out                                   0          0        -
      Packets In                                 0          0        -
      Packets Out                                0          0        -
      Current Connections                        0          0        -
      Maximum Connections                        0          0        -
      Total Connections                          0          0        -
      Evicted Connections                        0          0        -
      Slow Connections Killed                    0          0        -
      Min Conn Duration/msec                     -          -        0
      Max Conn Duration/msec                     -          -        0
      Mean Conn Duration/msec                    -          -        0
      Total Requests                             -          -        0
    
    SYN Cookies
      Status                         not-activated
      Hardware SYN Cookie Instances              0
      Software SYN Cookie Instances              0
      Current SYN Cache                          0
      SYN Cache Overflow                         0
      Total Software                             0
      Total Software Accepted                    0
      Total Software Rejected                    5
      Total Hardware                             0
      Total Hardware Accepted                    0
    
    CPU Usage Ratio (%)
      Last 5 Seconds                             0
      Last 1 Minute                              0
      Last 5 Minutes                             0
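
Added example (not part of the original post and not F5 code): a POSIX shell check that compares the SYN Cookies block of two saved `tmsh show ltm virtual` captures and reports whether only Total Software Rejected moved while Status stayed not-activated, which is the shape of the before/after output above. The function names, verdict strings and embedded sample text are constructed for illustration.

```shell
# Constructed sample, trimmed from the "before" tmsh output in the thread.
sample_before='SYN Cookies
  Status                         not-activated
  Hardware SYN Cookie Instances              0
  Software SYN Cookie Instances              0
  Current SYN Cache                          0
  SYN Cache Overflow                         0
  Total Software                             0
  Total Software Accepted                    0
  Total Software Rejected                    0
  Total Hardware                             0
  Total Hardware Accepted                    0

CPU Usage Ratio (%)
  Last 5 Seconds                             0'
# Constructed "after": same block with Total Software Rejected at 5, as in the thread.
sample_after=$(printf '%s\n' "$sample_before" |
  sed 's/\(Total Software Rejected *\) 0$/\1 5/')

# Print the SYN Cookies section of stdin as name=value lines.
syn_counters() {
  awk '
    /^[ \t]*SYN Cookies[ \t]*$/ { in_sec = 1; next }
    in_sec && /^[ \t]*$/        { in_sec = 0 }
    in_sec {
      val = $NF; $NF = ""        # last field is the value, the rest is the name
      sub(/ +$/, "")
      print $0 "=" val
    }'
}

# counter <capture-text> <name>: value of one counter, 0 if absent.
counter() {
  printf '%s\n' "$1" | syn_counters |
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print (v == "" ? 0 : v) }'
}

# classify_syn_delta <before-text> <after-text>: verdict plus the Rejected delta.
classify_syn_delta() (
  status=$(counter "$2" "Status")
  sent=$(( $(counter "$2" "Total Software") - $(counter "$1" "Total Software") ))
  acc=$(( $(counter "$2" "Total Software Accepted") - $(counter "$1" "Total Software Accepted") ))
  rej=$(( $(counter "$2" "Total Software Rejected") - $(counter "$1" "Total Software Rejected") ))
  if [ "$rej" -le 0 ]; then
    echo "no-increase"
  elif [ "$status" = "not-activated" ] && [ "$sent" -eq 0 ] && [ "$acc" -eq 0 ]; then
    echo "rejected-only +$rej"
  else
    echo "needs-review +$rej"
  fi
)

classify_syn_delta "$sample_before" "$sample_after"
```

A "rejected-only" verdict only says the counters match the pattern in this thread; a "needs-review" verdict means other SYN cookie counters moved as well and the increase should be looked at separately.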
    

4 Replies

    • NiHo_202842
      Ahh. That might indeed be the case. I opened up a case just to be sure. Thank you!