Last Modified: Apr 29, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Opened: Nov 13, 2017 Severity: 3-Major
As a result of this issue, you may encounter the following symptoms: - Unexplained authentication session failures - NTLM or negotiate authentication between the client and BIG-IP pool members may intermittently fail with repeated requests for re-authentication, or repeated notifications that their current credentials are incorrect.
NTLM or negotiate authentication between the client and BIG-IP pool members may intermittently fail.
- The OneConnect profile on the virtual server has a re-use mask other than 255.255.255.255. - You have no SNAT associated with the virtual server, or the affected virtual server is configured with both a SNAT and a SNAT persistence iRule. - The configuration contains elements that detach OneConnect connections.
To work around this issue, you can set the OneConnect re-use mask to 255.255.255.255. To do so, perform the following procedure: Impact of workaround: A OneConnect profile with a source mask of 255.255.255.255 will only aggregate connections originating from the same client IP address. This may result in less optimal connection re-use on the OneConnect profile associated with the virtual server. Log in to the BIG-IP Configuration utility. Click Local Traffic. Click Profiles. Click Other. Select OneConnect. Select the OneConnect profile associated with your virtual server. Change your Source Mask to 255.255.255.255. Click Update.
None
