Last Modified: Mar 21, 2019
See more info
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 12.1.4, 14.0.0, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 14.1.0, 220.127.116.11, 18.104.22.168, 22.214.171.124
Opened: Nov 13, 2017
As a result of this issue, you may encounter the following symptoms: - Unexplained authentication session failures - NTLM or negotiate authentication between the client and BIG-IP pool members may intermittently fail with repeated requests for re-authentication, or repeated notifications that their current credentials are incorrect.
NTLM or negotiate authentication between the client and BIG-IP pool members may intermittently fail.
- The OneConnect profile on the virtual server has a re-use mask other than 255.255.255.255. - You have no SNAT associated with the virtual server, or the affected virtual server is configured with both a SNAT and a SNAT persistence iRule. - The configuration contains elements that detach OneConnect connections.
To work around this issue, you can set the OneConnect re-use mask to 255.255.255.255. To do so, perform the following procedure: Impact of workaround: A OneConnect profile with a source mask of 255.255.255.255 will only aggregate connections originating from the same client IP address. This may result in less optimal connection re-use on the OneConnect profile associated with the virtual server. Log in to the BIG-IP Configuration utility. Click Local Traffic. Click Profiles. Click Other. Select OneConnect. Select the OneConnect profile associated with your virtual server. Change your Source Mask to 255.255.255.255. Click Update.