Bug ID 694270: Connections running over a OneConnect-enabled virtual server may prematurely detach.

Last Modified: Apr 29, 2023

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1

Opened: Nov 13, 2017

Severity: 3-Major


As a result of this issue, you may encounter the following symptoms:
- Unexplained authentication session failures
- NTLM or negotiate authentication between the client and BIG-IP pool members may intermittently fail with repeated requests for re-authentication, or repeated notifications that their current credentials are incorrect.


NTLM or negotiate authentication between the client and BIG-IP pool members may intermittently fail.


- The OneConnect profile on the virtual server has a re-use mask other than
- You have no SNAT associated with the virtual server, or the affected virtual server is configured with both a SNAT and a SNAT persistence iRule.
- The configuration contains elements that detach OneConnect connections.


To work around this issue, you can set the OneConnect re-use mask to To do so, perform the following procedure:

Impact of workaround: A OneConnect profile with a source mask of will only aggregate connections originating from the same client IP address. This may result in less optimal connection re-use on the OneConnect profile associated with the virtual server.

1. Log in to the BIG-IP Configuration utility.
2. Click Local Traffic.
3. Click Profiles.
4. Click Other.
5. Select OneConnect.
6. Select the OneConnect profile associated with your virtual server.
7. Change your Source Mask to
8. Click Update.

Fix Information


Behavior Change
