Bug ID 606575: Request-oriented OneConnect load balancing ends when the server returns an error status code.

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2, 11.5.4 HF3

Opened: Jul 22, 2016
Severity: 3-Major

Symptoms

Request-oriented OneConnect load balancing ends when the server returns an error status code.

Impact

The client remains connected to the server, and no further load-balancing decisions are made.

Conditions

OneConnect is enabled and the server responds with a HTTP error status code.

Workaround

It may be possible to detect the HTTP status code in the response, and manually detach the client-side. To do so, use an iRule similar to the following: when HTTP_RESPONSE { if { [HTTP::status] == 200 } { return } if { [HTTP::status] == 401 } { set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]] if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } { # Connection-oriented auth. System should already be doing the right thing unset auth_header return } unset auth_header } catch { ONECONNECT::detach enable } }. Note: These workarounds should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix Information

With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.

Behavior Change