Bug ID 500450: ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP APM, ASM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2

Opened: Jan 10, 2015
Severity: 3-Major

Symptoms

With APM and ASM configured on the same virtual server, cookie validation on ASM could modify the Set-Cookie header sent by the application server or inject another Set-Cookie header. APM websso module does not honor the Set-Cookie modification, nor the injection. ASM subsequently causes the connection to reset.

Impact

Connection reset on the above condition.

Conditions

With APM and ASM configured on the same virtual server, if cookie validation on ASM modifies the Set-Cookie header sent by the application server or injects another Set-Cookie header, then APM websso module does not honor this.

Workaround

Use layered virtual servers with an iRule virtual command to send traffic from the ASM virtual server to an APM virtual server with ARP disabled instead of having everything on one virtual server.

Fix Information

The APM websso module is modified to handle an ASM use case. Now the websso reparses the HTTP 401 response header from the server at the client side in addition to the current parsing at server-side processing. With this fix any Set-Cookie modification or addition by ASM is sent to server in the response to 401 header.

Behavior Change