Bug ID 631654: Attaching VDI profile to virtual server changes the default behavior of ACCESS::restrict_irule_events

Last Modified: Sep 06, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 15.0.0, 15.0.1

Opened: Dec 03, 2016
Severity: 3-Major
Related AskF5 Article:
K42704252

Symptoms

ACCESS::restrict_irule_events is enabled by default. But if you add the VDI profile to the virtual server, it changes this default behavior and disables this flag. Due to this, you will start seeing that iRule events are raised for internal APM requests as well. When this is happening, the system posts the following error signatures in /var/log/ltm: err tmm[20661]: 01220001:3: TCL error: /Common/stream_vdi_debug <HTTP_RESPONSE> - Operation not supported (line 15) invoked from within STREAM::expression "@$matchstring@$replacestring@" ". err tmm[19745]: 01220001:3: TCL error: /Common/stream_vdi <HTTP_REQUEST> - Operation not supported (line 1) invoked from within "STREAM::disable".

Impact

iRule implementation may not work as expected. For example: attaching the OFBA iRule (_sys_APM_MS_Office_OFBA_Support) to the virtual server which has VDI profile breaks OFBA functionality.

Conditions

Virtual server with VDI profile attached. And any iRule implementation written with the assumption that restrict_irule_events are enabled by default.

Workaround

Enable the ACCESS::restrict_irule_events flag manually using syntax similar to the following: when CLIENT_ACCEPTED { ACCESS::restrict_irule_events enable } Note: This impacts Citrix Wyse client RSA next-token change scenario.

Fix Information

None

Behavior Change