Last Modified: May 29, 2024
Affected Product(s):
BIG-IP APM, SSLO, SWG
Known Affected Versions:
15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5
Fixed In:
17.0.0, 16.1.4, 15.1.9, 14.1.4.5
Opened: Oct 16, 2020 Severity: 3-Major
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.
Some clients will fail to connect to their destination.
Multiple connections are accessing the same subsession, triggering subsession lock contention.
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port). Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.
Subesssion lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.