Bug ID 619879: HTTP iRule commands could lead to WEBSSO plugin being invoked

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2

Fixed In:
13.0.0, 12.1.2 HF1, 11.6.1 HF2

Opened: Sep 30, 2016
Severity: 3-Major

Symptoms

With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm': Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: constructor Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ... Sep 30 12:46:17 BIG-IP3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ... Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor With 'rstcause' enabled, the following log message is seen in '/var/log/ltm': Sep 30 12:46:17 BIG-IP3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))

Impact

client receives a HTTP 503 reset

Conditions

HTTP::disable followed by HTTP::enable. when CLIENT_ACCEPTED { HTTP::disable // do some other stuff HTTP::enable }

Workaround

When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.

Fix Information

The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.

Behavior Change