Symptoms
Packet drop is observed after DoS Protection Rule is applied.
Threat logs for DoS Protection are not generated.
This tends to happen when the DoS Protection Rule is created with Classified setting and "src-dest-ip-both" is selected for the Address setting.
The issue can happen even if the number of active sessions is much lower than the max session number that the platform supports and also lower than the "Maximum Concurrent Sessions" setting in DoS Protection Profile.
During that time, the following global counters are incremented.
flow_dos_rule_drop - Packets dropped: Rate limited or IP blocked
flow_dos_rule_drop_classified - Packets dropped: due to classified rate limiting
flow_dos_no_empty_entp - Unable to find empty classified entry during insertion
Cause
If all three counters above show the same value, it indicates that hash insertion into the classification table failed and the packets were dropped as a result.
Hash insertion fails when the classification table is full or when hash collision happens.
With the "src-dest-ip-both" setting, the firewall has to track sessions per source IP and destination IP pair, which consumes more entries in the classification table. The more entries are created, the more likely a hash collision becomes.
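To turn the counter check described above into a repeatable triage step, the following added Python script (not part of the original article and not Palo Alto Networks code) parses constructed sample output shaped like the firewall's "show counter global filter delta yes" CLI output and reports whether the three DoS counters match; the exact column layout and the counter values are assumptions.

```python
import re

# Constructed sample, shaped like "show counter global filter delta yes"
# output on the firewall CLI (column layout is an assumption, values are made up).
SAMPLE_EXHAUSTED = """\
Global counters:
name                              value   rate severity category aspect description
--------------------------------------------------------------------------------
flow_dos_rule_drop                 1834    348 drop     flow     dos    Packets dropped: Rate limited or IP blocked
flow_dos_rule_drop_classified      1834    348 drop     flow     dos    Packets dropped: due to classified rate limiting
flow_dos_no_empty_entp             1834    348 drop     flow     dos    Unable to find empty classified entry during insertion
"""

# Constructed sample where drops are NOT fully explained by insertion failures.
SAMPLE_MIXED = """\
Global counters:
flow_dos_rule_drop                  500     90 drop     flow     dos    Packets dropped: Rate limited or IP blocked
flow_dos_rule_drop_classified       300     55 drop     flow     dos    Packets dropped: due to classified rate limiting
flow_dos_no_empty_entp              120     20 drop     flow     dos    Unable to find empty classified entry during insertion
"""

DOS_COUNTERS = (
    "flow_dos_rule_drop",
    "flow_dos_rule_drop_classified",
    "flow_dos_no_empty_entp",
)

# Matches "<counter_name> <value> <rate> ..." rows; headers and rulers do not match.
COUNTER_LINE = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)\s")


def parse_counters(text):
    """Return {counter_name: value} for every counter row in the CLI output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def classification_table_exhausted(counters):
    """True when all three DoS counters are present, non-zero and equal: the
    pattern the article ties to failed hash insertions into the classification table."""
    values = [counters.get(name, 0) for name in DOS_COUNTERS]
    return values[0] > 0 and len(set(values)) == 1


if __name__ == "__main__":
    for label, sample in (("exhausted", SAMPLE_EXHAUSTED), ("mixed", SAMPLE_MIXED)):
        c = parse_counters(sample)
        verdict = "classification table insertion failures" if classification_table_exhausted(c) \
            else "drops not explained by classification table alone"
        print(f"{label}: {[c.get(n, 0) for n in DOS_COUNTERS]} -> {verdict}")
```

Paste the real CLI output into the sample string; when the verdict is "classification table insertion failures", the solution items below (narrower Classified address setting, Aggregate, fewer zones) are the relevant fixes.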
Solution
- Select "source-ip-only" or "destination-ip-only" instead of "src-dest-ip-both" in the Classified setting.
- Use Aggregate setting instead of Classified.
- The "debug dataplane reset dos classification-table" command can be used as a temporary workaround to clear the classification table. Note: This is not a permanent fix.
- Configure DoS Protection rule to be more specific, for example, reduce the number of Zones to apply the policy instead of selecting all existing Zones.