Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5
Fixed In:
13.0.0, 12.1.3.6
Opened: Sep 03, 2015 Severity: 3-Major
When a BIG-IP system is configured with explicit HTTP proxy, an ACCESS iRule does not work reliably in HTTP_PROXY_REQUEST. The issue happens when the current ACCESS iRule searches the associated session ID from the connection itself in either of these ways: -- The session ID is embedded in the request. -- The connection was processed by ACCESS previously. When neither condition is satisfied, then the current ACCESS iRule cannot find the associated session ID.
Whenever ACCESS iRule commands cannot find the associated session ID, ACCESS iRule commands are processed as if the caller provided an empty session ID in its arguments. As a result, ACCESS::iRule commands return an empty result.
This occurs when the following conditions are met: -- ACCESS iRule such as ACCESS::session data get/set. -- ACCESS::session exists. -- Session ID is not provided by the caller. -- Caller expects the session ID to be resolved internally.
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.
Fixed to allow ACCESS iRule commands in commands such as HTTP_PROXY_REQUEST where previously there was not enough data for them to execute. Note: This fix is only for IP address-based sessions where the access policy is not evaluated via iRules, but in the usual method (attached to virtual server). This fix does not address the issue for NTLM-based sessions and sessions that use 'ACCESS::policy evaluate'.