Bug ID 644489: Unencrypted iSession connection established even though data-encrypt configured in profile

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AAM, WOM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.2 HF1, 11.6.2

Opened: Feb 10, 2017

Severity: 3-Major

Related Article: K14899014


iSession connections may be intermittently established as unencrypted even though they are configured to be secure.


An unencrypted iSession connection may be established which is inconsistent with configuring data-encrypt as enabled in the sever-side iSession profile.


Either of two scenarios can result in an unencrypted iSession connection being established: 1) An error occurs during dynamic server-ssl profile replacement. 2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles. In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.


Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.

Fix Information

The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs: 1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles. 2) An error occurs during dynamic server-ssl profile replacement.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips