Last Modified: Feb 07, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1
Fixed In:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
Opened: Oct 28, 2021 Severity: 3-Major
A virtual server which is part of an iApp service and which was previously working correctly now rejects all traffic. Upon inspecting the log, entries similar to the following examples may be noticed: ==> /var/log/tmm <== <13> Oct 28 23:41:36 bigip1 notice hudfilter_init: clientside matches TCP position. 0 0 ==> /var/log/ltm <== Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Proxy initialization failed for /Common/my.app/my-vs. Defaulting to DENY. Oct 28 23:41:36 bigip1 err tmm[21251]: 01010008:3: Listener config update failed for /Common/my.app/my-vs: ERR:ERR_UNKNOWN
Traffic outage as the affected virtual server(s) no longer passes any traffic.
This issue is known to occur when strict-updates is disabled for an iApp service which includes a non-default NTLM profile.
To recover an affected system, either restart TMM (bigstart restart tmm) or delete and redeploy the iApp service. To prevent this issue from occurring again, modify the iApp configuration to use the default NTLM profile rather than a custom one (if the iApp template involved allows this).
Disabling strict-updates for an iApp service, which includes a non-default NTLM profile, no longer causes virtual servers associated with the profile to suddenly stop working.