Increase in traffic dropped under TCP Flood after upgrade to V16.01.2

There is a sudden increase in traffic dropped under TCP Flood after upgrade to V16.01.2 (XG-135). Screenshot below for reference.

Please suggest a solution for this issue. Earlier V16 & V15 didn't use to show such huge numbers under traffic dropped.



  • Hi Kumar,

    If you experience an increase in the TCP flood then check the source system that generates a higher amount of TCP traffic. Inspect what causes this and, if required, tweak the TCP Flood value in the configuration. The traffic is dropped as the amount of traffic is higher than the configured value for TCP flood. In such cases, you need to inspect the behavior of the source locally.

    Thanks

  • Hi Sachungurung,

    I think there is a key point that Kumar is making that is being overlooked. Something has changed (maybe not for the better) in the way TCP Flooding is detected and processed. It is far more sensitive than it was in prior releases.


    If I put a UTM SG next to an XG and repeat a regression test, the XG will drop a ton of data caused by normal web surfing, whereas the SG system processes it correctly. The current defaults are IMHO now unusable. Currently TCP flood control thresholds need to be set to over 600 with burst near 900 to avoid false blocking and get an even remotely stable setup. This is not comparable to the numbers that worked in previous releases, nor is it comparable to what we are used to from the SG series, where 100 for the source was fine and 200 on the destination.

    The problem gets worse when the source station is on Wifi due to the nature of those communications.
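To make the tuning problem described in this post concrete, here is an added example; it is not Sophos code and not code from anyone in the thread. It models a per-source flood threshold as two sliding-window packet counters (a sustained count over 60 s and a burst count over 1 s), replays a constructed browsing session of a single client through it, and shows that thresholds set below that session's measured peak rates drop ordinary page loads, which is the false-blocking behaviour described above. The two-window semantics, the threshold numbers, the client address 192.0.2.10 and the traffic shape are all assumptions for the illustration; the XG appliance's real Anti-DoS algorithm is not known from this thread.

```python
"""Sliding-window model of a per-source TCP flood threshold (added example).

ASSUMPTION: the firewall is modelled as dropping a source's packets while that
source exceeds either a sustained rate (packets per 60 s) or a burst rate
(packets per 1 s). This is an illustration, not the appliance's algorithm.
"""
from collections import defaultdict, deque


class FloodMonitor:
    def __init__(self, rate_per_min, burst_per_sec):
        self.rate_per_min = rate_per_min
        self.burst_per_sec = burst_per_sec
        self.windows = defaultdict(deque)   # source -> timestamps seen in the last 60 s
        self.peak_per_sec = 0               # highest 1 s count observed (for sizing)
        self.peak_per_min = 0               # highest 60 s count observed

    def observe(self, src, t):
        """Record one packet from `src` at time `t` (seconds); True if it would be dropped."""
        q = self.windows[src]
        q.append(t)
        while q[0] < t - 60.0:              # expire timestamps outside the 60 s window
            q.popleft()
        per_min = len(q)
        per_sec = sum(1 for ts in q if ts > t - 1.0)
        self.peak_per_sec = max(self.peak_per_sec, per_sec)
        self.peak_per_min = max(self.peak_per_min, per_min)
        return per_min > self.rate_per_min or per_sec > self.burst_per_sec


def browsing_session(page_loads=5, connections=30, pkts_per_conn=12,
                     load_seconds=1.0, gap_seconds=5.0, src="192.0.2.10"):
    """Constructed traffic: one client loading a page every few seconds.

    Each page load opens `connections` TCP connections and each connection
    carries `pkts_per_conn` packets, spread evenly over `load_seconds`.
    Returns a list of (source, timestamp) tuples.
    """
    per_load = connections * pkts_per_conn
    packets = []
    for i in range(page_loads):
        start = i * gap_seconds
        for k in range(per_load):
            packets.append((src, start + k * load_seconds / per_load))
    return packets


def count_drops(rate_per_min, burst_per_sec, packets):
    """Replay `packets` through a FloodMonitor and return how many were dropped."""
    mon = FloodMonitor(rate_per_min, burst_per_sec)
    return sum(1 for src, t in packets if mon.observe(src, t))


def peak_rates(packets):
    """Highest 1 s and 60 s per-source counts in `packets`: what thresholds must exceed."""
    mon = FloodMonitor(float("inf"), float("inf"))
    for src, t in packets:
        mon.observe(src, t)
    return mon.peak_per_sec, mon.peak_per_min


if __name__ == "__main__":
    traffic = browsing_session()
    print("peak per-second / per-minute:", peak_rates(traffic))
    # Thresholds below the measured peaks drop ordinary page loads (false positives).
    print("drops with rate 1000/min, burst 200/s:", count_drops(1000, 200, traffic))
    # Thresholds above the measured peaks pass the same traffic untouched.
    print("drops with rate 5000/min, burst 900/s:", count_drops(5000, 900, traffic))
```

The practical point is the `peak_rates` step: measure what legitimate clients actually produce (one page load here peaks at 360 packets in a second from a single address) before choosing a threshold, and treat the drop counter as a false-positive signal whenever the sources being dropped are ordinary workstations rather than a few hosts generating unusual volumes.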


  • Hi Bob,

    I am not sure if anything changed from the development end but, looking at the default configuration for Anti DoS in both firmware versions, they look similar. If you have a test v15 appliance then place it in the network to verify if it is really the upgrade causing an issue or the reports are genuine. In case there is still a doubt, I would recommend that it should be reported to Support.

    Thanks

  • Same issues here, even by just going to speedtest.net traffic is being dropped.

  • Hi Bob,

    Did the necessary settings and adjusted the figures to over 600 with burst near 900 under TCP flood control, but still there is a huge amount of traffic dropped. I think I have to report the issue to Support.


    Thanks,

    Kumar

  • That was my plan too; month end just got in the way; I tried UK support but after 30 minutes on hold at 3am US time I gave up. Much more time in the coming days.

  • For the time being I have created DoS Bypass rules for important sites related to my organization and these websites seem to load fast. But the traffic drop issue still persists.

    Thanks,

    Kumar

  • Hi Kumar,

    Provide me the case# from Support. I will personally monitor the case and update asap.

    Thanks

  • Sachin,

    Sorry for the delayed response, but I have disabled the DDoS protection for the time being and there are no such notifications as of now.

    If you suggest then I can raise a Help-desk ticket?


    Thanks,

    Kumar

  • Kumar,

    Open a ticket with Support in order to get them to connect to your XG, collect the logs and come back to you.

    Let us know what is the result.

    Regards