Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2, 11.4.1 HF10
Opened: Apr 14, 2015 Severity: 2-Critical
The BIG-IP system has a virtual server with an access profile. There is live traffic using that virtual. If the access profile is updated, enforcement of certain behaviors on the live traffic may end up accessing stale profile data, and result in a crash.
Traffic disrupted while tmm restarts.
If an access profile is attached to a virtual server, and the profile is updated while the virtual has active connections.
(These are untested...) Without HA, (1) disable virtuals using access profile, (2) delete any active connections on the virtuals, (3) update access profile, and, (4) enable virtuals. With HA, (1) update access profile on standby, (2) failover to the standby, and (3) sync the configuration.
Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.