Symptoms
Consider the following scenario:
-
You increase the Maximum concurrent UDP sessions per IP address flood mitigation setting significantly on a server that is running Microsoft Forefront Threat Management Gateway 2010.
-
Many clients in the exception list send lots of UDP packets to the Threat Management Gateway server.
In this scenario, you may experience an increase in the number of backlogged packets that are waiting to be processed. This could cause the queue of UDP traffic to lead to other alerts, such as a "SYN Attack" being triggered.
Note You can monitor the number of backlogged packets by looking at the following Performance Monitor counter:
-
Forefront TMG Firewall Packet Engine
-
Backlogged Packets
-
Cause
A increase in the number of backlogged packets occurs because of a performance bottleneck when new firewall sessions are created.
Resolution
To resolve this issue, install the hotfix package that is described in the following Microsoft Knowledge Base article:
2649961 Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
For more information about flood mitigation, visit the following Microsoft TechNet website:
Overview of flood mitigationFor more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
