Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0
Opened: May 05, 2015
Severity: 3-Major
By inserting the clientless-mode header, the administrator can invoke APM clientless mode, and APM automatically decides whether it actually needs to enter this mode. APM cancels clientless mode whenever it detects that the session for this particular request has already been established. However, when APM performs this operation, certain internal states are not reverted:
1. Allowed iRule events.
2. Original classification of the HTTP request.
This issue causes certain iRule events, such as ACCESS_ACL_ALLOWED, and URI classification-based features, such as logout URI, to fail.
Using an iRule to insert the clientless-mode header on every request:

    when HTTP_REQUEST {
        HTTP::header insert clientless-mode 1
    }
Inserting the clientless-mode header only when the session is not established avoids this issue. The following is a sample iRule:

    when HTTP_REQUEST {
        if { ! [ ACCESS::session exists -state_allow ] } {
            HTTP::header insert clientless-mode 1
        }
    }
APM properly reverts the internal states so that iRule events, such as ACCESS_ACL_ALLOWED, and URI classification-based features, such as logout URI, work again when the clientless-mode header is inserted on every request.
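An added example, not F5 code or part of the original article: a Python triage helper that scans iRule source for `HTTP::header insert clientless-mode` statements that sit outside any block conditioned on `ACCESS::session exists`, the trigger condition described above. The function name and the two sample rules are constructed for illustration, and the check is a brace-matching heuristic that does not evaluate whether the condition is negated.

```python
import re

GUARD = "ACCESS::session exists"
INSERT = re.compile(r"HTTP::header\s+insert\s+\"?clientless-mode\b", re.I)
COND_KEYWORD = re.compile(r"\b(?:else)?if\s*$")

# Constructed samples mirroring the two iRules in the article.
UNCONDITIONAL = """when HTTP_REQUEST {
    HTTP::header insert clientless-mode 1
}"""
GUARDED = """when HTTP_REQUEST {
    if { ! [ ACCESS::session exists -state_allow ] } {
        HTTP::header insert clientless-mode 1
    }
}"""

def unguarded_inserts(irule):
    """Return line numbers where the clientless-mode header is inserted
    outside every block whose if/elseif condition tests ACCESS::session exists.
    Heuristic only: the polarity of the condition is left to the reviewer."""
    findings = []
    # Frame = [guarded, text of the statement in progress, is_condition_block]
    stack = [[False, "", False]]

    def end_statement(frame, lineno):
        if INSERT.search(frame[1]) and not frame[0]:
            findings.append(lineno)
        frame[1] = ""

    for lineno, line in enumerate(irule.splitlines(), 1):
        if line.lstrip().startswith("#"):       # whole-line Tcl comment
            continue
        for ch in line + "\n":
            frame = stack[-1]
            if ch == "{":
                is_cond = bool(COND_KEYWORD.search(frame[1]))
                stack.append([frame[0] or GUARD in frame[1], "", is_cond])
            elif ch == "}" and len(stack) > 1:
                closed = stack.pop()
                if closed[2]:                   # keep condition text for the body that follows
                    stack[-1][1] += " " + closed[1] + " "
                else:
                    end_statement(closed, lineno)
            elif ch in ";\n" and not frame[2]:  # statement boundary outside a condition
                end_statement(frame, lineno)
            else:
                frame[1] += ch
    return findings
```

Any line number returned marks an insert worth reviewing on an affected version; an empty list means every insert is inside some `ACCESS::session exists` test.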