Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.3.0, 11.4.0, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2, 11.4.1 HF9
Opened: Apr 02, 2015 Severity: 2-Critical Related Article:
K17440
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, the TMM can assert 'valid proxy' and crash. If there were are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.
This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.
1. Active flows exist on an internal virtual server (IVS). Necessary to trigger the assertion. 2. A configuration update or sync affecting that IVS is in progress. 3. A new connection is initiated to that IVS during the update.
Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.