Bug ID 1128505: HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 17.0.0, 17.0.0.1

Opened: Jul 22, 2022
Severity: 4-Minor

Symptoms

The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling. This allows the release of HUDEVT_ACCEPTED to move from the filter to ORBIT, and HTTP adopted this new feature. When HTTP is disabled, HTTP explicitly disables HUDEVT_ACCEPTED handling as it goes into passthru, and subsequently enabling HTTP does not restore this handling. If this sequence happens prior to the first HTTP request, HUDEVT_ACCEPTED is released prematurely up the chain, so the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail because the criteria are locked, which may result in the connection being RST with an "Address in use" reset cause.

Impact

Connection is reset with "Address in use" reset cause.

Conditions

-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and HTTP is subsequently re-enabled in CLIENTSSL_HANDSHAKE, before the first request arrives at HTTP
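
To find iRules that match these conditions, the following added example (not F5 code) scans iRule source text for HTTP::disable inside CLIENT_ACCEPTED together with HTTP::enable inside CLIENTSSL_HANDSHAKE. The function names and the sample iRule, including example_pool, are constructed for illustration; the check is a text heuristic that assumes balanced braces and looks at one iRule at a time.

```python
import re

# Event pair named in the Conditions section of this bug.
DISABLE_EVENT = "CLIENT_ACCEPTED"
ENABLE_EVENT = "CLIENTSSL_HANDSHAKE"
# Matches "when EVENT {" and also "when EVENT priority N {".
WHEN_RE = re.compile(r"\bwhen\s+([A-Z_0-9]+)[^{\n]*\{")

# Constructed sample iRule (not taken from the bug report).
SAMPLE_IRULE = """
when CLIENT_ACCEPTED {
    HTTP::disable
}
when CLIENTSSL_HANDSHAKE priority 100 {
    if { [TCP::local_port] == 443 } {
        HTTP::enable
    }
}
when HTTP_REQUEST {
    pool example_pool
}
"""

def strip_comments(text):
    """Drop Tcl comment lines so commented-out commands are not counted."""
    return "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("#"))

def event_bodies(irule):
    """Map each event name to the text of its `when` block(s)."""
    text, bodies, pos = strip_comments(irule), {}, 0
    while True:
        m = WHEN_RE.search(text, pos)
        if not m:
            return bodies
        depth, i = 1, m.end()
        # Walk to the brace that closes this event block (nested ifs included).
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies[m.group(1)] = bodies.get(m.group(1), "") + text[m.end():i - 1]
        pos = i

def matches_bug_conditions(irule):
    """True when the disable/enable sequence from the Conditions is present."""
    bodies = event_bodies(irule)
    return ("HTTP::disable" in bodies.get(DISABLE_EVENT, "")
            and "HTTP::enable" in bodies.get(ENABLE_EVENT, ""))
```

A match only flags an iRule for review on the affected versions; whether the re-enable actually runs before the first request depends on the traffic and on any conditions around the commands.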

Workaround

None

Fix Information

None

Behavior Change