Bug ID 694270: Connections running over a OneConnect-enabled virtual server may prematurely detach.

Last Modified: Mar 21, 2019

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3

Opened: Nov 13, 2017
Severity: 3-Major

Symptoms

As a result of this issue, you may encounter the following symptoms:

- Unexplained authentication session failures
- NTLM or negotiate authentication between the client and BIG-IP pool members may intermittently fail with repeated requests for re-authentication, or repeated notifications that their current credentials are incorrect.

Impact

NTLM or negotiate authentication between the client and BIG-IP pool members may intermittently fail.

Conditions

- The OneConnect profile on the virtual server has a re-use mask other than 255.255.255.255.
- You have no SNAT associated with the virtual server, or the affected virtual server is configured with both a SNAT and a SNAT persistence iRule.
- The configuration contains elements that detach OneConnect connections.

Workaround

To work around this issue, you can set the OneConnect re-use mask to 255.255.255.255. To do so, perform the following procedure:

Impact of workaround: A OneConnect profile with a source mask of 255.255.255.255 will only aggregate connections originating from the same client IP address. This may result in less optimal connection re-use on the OneConnect profile associated with the virtual server.

1. Log in to the BIG-IP Configuration utility.
2. Click Local Traffic.
3. Click Profiles.
4. Click Other.
5. Select OneConnect.
6. Select the OneConnect profile associated with your virtual server.
7. Change your Source Mask to 255.255.255.255.
8. Click Update.
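An offline check for the first condition listed under Conditions, added here as an example and not F5 code: it scans bigip.conf-style text for OneConnect profiles whose source-mask is not 255.255.255.255 and reports the virtual servers that reference them. The sample configuration, the object names, the multi-line stanza layout and the reporting of a missing source-mask as "inherited" are assumptions; the SNAT and detach conditions still need manual review.

```python
import re
# Constructed sample in bigip.conf style; all names are made up for illustration.
SAMPLE_CONF = """\
ltm profile one-connect /Common/oc_shared {
    source-mask 255.255.255.0
}
ltm profile one-connect /Common/oc_per_client {
    source-mask 255.255.255.255
}
ltm profile one-connect /Common/oc_inherit {
    defaults-from /Common/oneconnect
}
ltm virtual /Common/vs_ntlm {
    profiles {
        /Common/oc_shared { }
    }
}
ltm virtual /Common/vs_ok {
    profiles {
        /Common/oc_per_client { }
    }
}
ltm virtual /Common/vs_review {
    profiles {
        /Common/oc_inherit { }
    }
}
"""
HOST_MASK = "255.255.255.255"

def stanzas(conf, kind):
    """Return (name, body) per top-level stanza; assumes its closing brace is in column 0."""
    pat = r"^%s (\S+) \{\n(.*?)^\}" % re.escape(kind)
    return re.findall(pat, conf, re.M | re.S)

def audit(conf):
    """Return {virtual: {profile: mask}} for OneConnect masks other than /32."""
    masks = {}
    for name, body in stanzas(conf, "ltm profile one-connect"):
        m = re.search(r"^\s*source-mask (\S+)", body, re.M)
        # Assumption: no explicit source-mask means the parent profile's value applies.
        masks[name] = m.group(1) if m else "inherited"
    findings = {}
    for vs, body in stanzas(conf, "ltm virtual"):
        refs = re.findall(r"^\s+(\S+) \{", body, re.M)
        hits = {p: masks[p] for p in refs if masks.get(p, HOST_MASK) != HOST_MASK}
        if hits:
            findings[vs] = hits
    return findings
```

A profile reported as "inherited" needs its parent profile checked by hand, since the effective mask is not visible in that stanza.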

Fix Information

None

Behavior Change