Last Modified: Apr 28, 2023
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 15.1.0, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 15.1.1, 15.1.2, 188.8.131.52, 15.1.3, 184.108.40.206, 15.1.4, 220.127.116.11, 15.1.5, 18.104.22.168, 15.1.6, 22.214.171.124, 15.1.7, 15.1.8, 126.96.36.199, 188.8.131.52
Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4 HF2
Opened: Jan 13, 2015
Severity: 3-Major
Related Article: K16783
Symptoms:
When a FastL4 virtual server with an HTTP profile is used, certain kinds of traffic may cause huge memory growth and result in an out-of-memory situation.
Impact:
Memory use can grow unbounded due to lack of flow control. This may eventually lead to out-of-memory conditions. Traffic is disrupted while tmm restarts.
Conditions:
-- FastL4 virtual server with HTTP profile.
-- Handles HTTP cloaking traffic that starts up as HTTP and then switches over to non-HTTP data.
Workaround:
To work around this issue, you can perform one of the following actions:
-- If the HTTP profile is required, use a standard virtual server rather than a performance (FastL4) type.
-- If the HTTP profile is not required, you can remove the HTTP profile from the virtual server.
-- To process connections that change from HTTP to non-HTTP, create an iRule that uses HTTP::disable after the first HTTP_REQUEST or HTTP_RESPONSE boundary can be identified.
Fix Information:
If the FastL4 virtual server with an HTTP profile handles HTTP cloaking traffic that starts up as HTTP and then switches over to non-HTTP data, an http-transparent profile can now be added to the FastL4 virtual server. The following workaround must then be implemented so that memory no longer grows unbounded due to lack of flow control.
Workaround:
-- Use FastL4 and HTTP-Transparent profile combinations instead.
-- Set the http-transparent profile attribute enforcement.pipeline to 'pass-through'. This allows the HTTP filter to run in 'passthrough' mode, which avoids the excessive memory consumption.