Bug ID 1105389: CONNECT method causes the enforcer to hold a connection with TMM

Last Modified: May 11, 2022

Affected Product:
BIG-IP ASM (all modules)

Opened: May 10, 2022
Severity: 3-Major

Symptoms

HTTP tunneling with the CONNECT method might cause BD to hang during the ingress process under the right conditions. This results in occupation of the XDATA, which may eventually lead to a TMM core due to low memory.

Impact

The connection stays open between the enforcer and the client after a response violation is received. Traffic disrupted while tmm restarts.

Conditions

A virtual server that does not support the HTTP CONNECT method is attached to an ASM policy with an "Illegal method" violation set to not blocking and "Illegal HTTP status in response" set to blocking.

Workaround

Set "Illegal method" to blocking in the ASM policy.

Fix Information

None

Behavior Change