Bug ID 646604: Client connection may hang when NTLM and OneConnect profiles used together

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.6.0, 11.6.1, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1, 12.1.3, 11.6.2, 11.5.6

Opened: Feb 21, 2017

Severity: 2-Critical

Related Article: K21005334


In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC); if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.


A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.


The NTLM and OneConnect profiles are associated with a LTM virtual server.


Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix Information

Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips