Bug ID 601496: iRules and OCSP Stapling

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2

Opened: Jun 26, 2016
Severity: 3-Major
Related AskF5 Article:
K21331842

Symptoms

Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak. You may notice warning messages similar to the following in /var/log/ltm: warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.

Impact

TMM memory used increases gradually, eventually the aggressive mode sweeper is activated.

Conditions

This occurs when the following conditions are met: -- Virtual server with OCSP Stabling enabled. -- iRule attached to the virtual server that uses SSL::renegotiate.

Workaround

None.

Fix Information

Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.

Behavior Change