Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Opened: Dec 03, 2016 Severity: 3-Major Related Article:
K42704252
ACCESS::restrict_irule_events is enabled by default. But if you add the VDI profile to the virtual server, it changes this default behavior and disables this flag. Due to this, you will start seeing that iRule events are raised for internal APM requests as well. When this is happening, the system posts the following error signatures in /var/log/ltm: err tmm[20661]: 01220001:3: TCL error: /Common/stream_vdi_debug <HTTP_RESPONSE> - Operation not supported (line 15) invoked from within STREAM::expression "@$matchstring@$replacestring@" ". err tmm[19745]: 01220001:3: TCL error: /Common/stream_vdi <HTTP_REQUEST> - Operation not supported (line 1) invoked from within "STREAM::disable".
iRule implementation may not work as expected. For example: attaching the OFBA iRule (_sys_APM_MS_Office_OFBA_Support) to the virtual server which has VDI profile breaks OFBA functionality.
Virtual server with VDI profile attached. And any iRule implementation written with the assumption that restrict_irule_events are enabled by default.
Enable the ACCESS::restrict_irule_events flag manually using syntax similar to the following: when CLIENT_ACCEPTED { ACCESS::restrict_irule_events enable } Note: This impacts Citrix Wyse client RSA next-token change scenario.
None