Bug ID 516057: Assertion 'valid proxy' can occur after a configuration change with active IVS flows.

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2, 11.4.1 HF9

Opened: Apr 02, 2015
Severity: 2-Critical
Related AskF5 Article:
K17440

Symptoms

When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, the TMM can assert 'valid proxy' and crash. If there were are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.

Impact

This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.

Conditions

1. Active flows exist on an internal virtual server (IVS). Necessary to trigger the assertion. 2. A configuration update or sync affecting that IVS is in progress. 3. A new connection is initiated to that IVS during the update.

Workaround

Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.

Fix Information

When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.

Behavior Change