Bug ID 644489: Unencrypted iSession connection established even though data-encrypt configured in profile

Last Modified: Oct 01, 2018

Affected Product:
BIG-IP AAM, WOM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.2 HF1, 11.6.2

Opened: Feb 10, 2017
Severity: 3-Major



iSession connections may be intermittently established as unencrypted even though they are configured to be secure.


An unencrypted iSession connection may be established, which is inconsistent with data-encrypt being enabled in the server-side iSession profile.


Either of two scenarios can result in an unencrypted iSession connection being established: 1) An error occurs during dynamic server-ssl profile replacement. 2) Both the WOM local-endpoint and the destination WOM remote-endpoint lack server-ssl profiles. In both cases, the virtual server must have a server-side iSession profile with data-encrypt enabled, and the remote virtual server must have a client-ssl profile with allow-non-ssl enabled.


Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.
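
One way to audit for the workaround condition, as an added example that is not part of the original bug record or any F5 tooling: the Python below parses client-ssl stanzas and reports profiles whose effective allow-non-ssl value is enabled, following defaults-from inheritance. The sample configuration and profile names are constructed; the bigip.conf stanza layout, and treating a parent that is absent from the file as carrying the default (disabled), are assumptions.

```python
import re

# Constructed sample in bigip.conf stanza layout (assumed); names are made up.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/wom-base {
    allow-non-ssl enabled
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/wom-child {
    cert-key-chain {
        default { cert /Common/default.crt }
    }
    defaults-from /Common/wom-base
}
ltm profile client-ssl /Common/strict {
    allow-non-ssl disabled
    defaults-from /Common/wom-base
}
"""

# A stanza ends at the first unindented "}", so nested blocks stay in the body.
STANZA = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.M | re.S)
# Direct properties sit at exactly four spaces; deeper nesting is skipped.
PROP = re.compile(r"^ {4}(\S+) (\S+)$", re.M)

def parse_client_ssl(conf):
    """Map profile name -> its direct key/value properties."""
    return {name: dict(PROP.findall(body)) for name, body in STANZA.findall(conf)}

def allow_non_ssl(name, profiles, seen=()):
    """Effective allow-non-ssl for a profile, resolved through defaults-from.

    Assumption: a parent missing from the file (or an inheritance loop)
    resolves to 'disabled', the default value the bug record states.
    """
    props = profiles.get(name)
    if props is None or name in seen:
        return "disabled"
    if "allow-non-ssl" in props:
        return props["allow-non-ssl"]
    return allow_non_ssl(props.get("defaults-from"), profiles, seen + (name,))

def audit(conf):
    """Return the client-ssl profiles that would accept non-SSL connections."""
    profiles = parse_client_ssl(conf)
    return sorted(n for n in profiles if allow_non_ssl(n, profiles) == "enabled")

if __name__ == "__main__":
    for profile in audit(SAMPLE_CONF):
        print("allow-non-ssl effectively enabled:", profile)
```

A profile that never mentions allow-non-ssl can still inherit it from its parent, which is why /Common/wom-child is reported alongside /Common/wom-base.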

Fix Information

The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs: 1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles. 2) An error occurs during dynamic server-ssl profile replacement.

Behavior Change