Bug ID 1071485: For IP based bypass, Response Analytics sends RST.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP SSLO, SWG(all modules)

Known Affected Versions:
15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1

Fixed In:
17.0.0, 16.1.3.1, 15.1.10

Opened: Jan 05, 2022

Severity: 3-Major

Symptoms

When SSL takes a dynamic bypass action (IP based bypass decision), the Per-Request Policy agents skip execution when necessary. That is, Category Lookup exits early due to no data because of the early bypass. The same check is not present in Response Analytics and URL Filter agents so that they don't take the error path due to not seeing Category Lookup data.

Impact

Category Lookup skips execution due to IP based bypass and thus Response Analytics and URL Filtering do not have the necessary data, so they take an internal error path. This will cause an RST.

Conditions

IP based bypass (in client SSL profile) with Response Analytics or URL Filtering in the Per-Request Policy.

Workaround

Do not add Response Analytics or URL Filtering agents to paths that you know will not have appropriate Category Lookup data due to bypass.

Fix Information

When the SSL level filter bypasses based on client data, Per-Request Policy agents will now be appropriately bypassed as well if there is not enough data to run on. They will take the fallback branches instead of sending a RST on error.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips