Bug ID 530466: MultiConnect is incompatible with CORS policy

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP AAM(all modules)

Known Affected Versions:
11.4.1, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,

Opened: Jun 29, 2015
Severity: 3-Major


The issue happens when MultiConnect is enabled and a resource is reloaded by a user request. If the browsers have CORS policy enforcement applied to the resource, the consequent requests for the resource are forwarded to a subdomain and a CORS header "Origin" is inserted into the request. In response the browser expects "Access-Control-Allow-Origin" header with a value allowing the subdomain as a host in the request. AAM doesn't recognize the header and just ignores it or has it passed to OWS which doesn't expect it.


Lack of loading of the resource which may result in incorrect rendering of the page.


An AAM policy with MultiConnect option is configured and attached to a virtual. There are resource(s) in a page are used for which CORS policy is enforced in a client browser, for example, font file for CSS.


1) Disable MultiConnect. 2) Create an iRule to properly process Origin header.

Fix Information


Behavior Change