Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2
Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2, 11.5.4 HF3
Opened: Jul 22, 2016
Severity: 3-Major
Request-oriented OneConnect load balancing ends when the server returns an error status code.
The client remains connected to the server, and no further load-balancing decisions are made.
OneConnect is enabled and the server responds with an HTTP error status code.
It may be possible to detect the HTTP status code in the response, and manually detach the client-side. To do so, use an iRule similar to the following:

    when HTTP_RESPONSE {
        # 200 OK: nothing to do
        if { [HTTP::status] == 200 } {
            return
        }
        if { [HTTP::status] == 401 } {
            set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
            if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
                # Connection-oriented auth. System should already be doing the right thing
                unset auth_header
                return
            }
            unset auth_header
        }
        # Any other status: re-enable client-side detach; catch suppresses any error from the command
        catch { ONECONNECT::detach enable }
    }

Note: These workarounds should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.