Bug ID 673147: Virtual server configuration incorrectly allows mutually exclusive iSession and OneConnect profiles.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AAM, LTM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Jul 07, 2017

Severity: 2-Critical

Related Article: K01350083

Symptoms

The system does not prevent you from configuring a server-side iSession profile and a OneConnect profile on the same virtual server. This is not a valid configuration. Virtual server configuration should allow either a server-side iSession profile or a OneConnect profile, but not both. Although the virtual server configuration completes, three errors are logged to /var/log/tmm: 1) notice ISESSION: 172.27.114.10.443 ! 172.27.14.10.43321: connection error: isession_setup_ssl:1645: server-side SSL hudfilter replacement failed: ERR_NOT_FOUND 2) notice hudchain contains precluded serverside filter: CONNPOOL 3) notice MCP message handling failed in 0x898c80 (16977920): Jul 7 12:34:19 - MCP Message: notice create { notice virtual_server_profile { notice virtual_server_profile_vs_name "/Common/http_optimize_client" notice virtual_server_profile_profile_name "/Common/oneconnect" notice virtual_server_profile_object_id 159423 notice virtual_server_profile_profile_class_id profile_connpool notice virtual_server_profile_profile_type 13 notice virtual_server_profile_profile_context 0 notice virtual_server_profile_partition_id "Common" notice virtual_server_profile_leaf_name "http_optimize_client" notice virtual_server_profile_folder_name "/Common" notice virtual_server_profile_transaction_id 62 notice } notice } Loading a configuration containing a virtual server with both a server-side iSession profile and a OneConnect profile succeeds, but logs a mutually exclusive profile error: notice hudchain contains precluded serverside filter: CONNPOOL

Impact

OneConnect and iSession are mutually exclusive features, because both implement connection pooling. Configuring a virtual server with both server-side iSession and OneConnect profiles will break connection pooling, causing connections associated the virtual server to hang.

Conditions

Three conditions must be satisfied. 1) The BIG-IP has AAM licensed. 2) A server-side iSession profile is added to a virtual server. 3) A OneConnect profile is added to the same virtual server. Conditions 2 and 3 can be done in either order.

Workaround

Avoid configuring both server-side iSession and a OneConnect profiles on the same virtual server, as this is never a valid configuration.

Fix Information

An error is now returned for attempts to configure both a server-side iSession profile and a OneConnect profile on the same virtual server. The error message text is: Configuration error: A virtual server (<vs name>) is not allowed to have both OneConnect and iSession profiles.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips