Bug ID 437906: OneConnect is incompatible with WebSockets and the HTTP CONNECT method

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.0.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.5.1 HF1, 11.6.1 HF1, 11.5.1 HF2, 11.6.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.2 HF1, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1

Fixed In:
11.6.0, 11.5.1 HF6, 11.4.1 HF4

Opened: Nov 14, 2013

Severity: 3-Major

Related Article: K15357

Symptoms

WebSockets and the HTTP CONNECT method convert the connection through the HTTP filter into pass-through mode. However, if OneConnect is enabled, then the BIG-IP system disconnects from the server at the end of the tunnel handshake, thwarting this.

Impact

No tunnels can be made if OneConnect is enabled, breaking WebSockets.

Conditions

This occurs when a OneConnect profile is attached to a HTTP virtual, and the client/server tries to open a tunnel via the CONNECT method, or via the WebSockets 101 Switching Protocols status code.

Workaround

Disable OneConnect. This also can be done within an iRule by using ONECONNECT::reuse disable.

Fix Information

WebSockets and the HTTP CONNECT method now work with OneConnect.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips