Bug ID 698984: Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned

Last Modified: Oct 21, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1

Fixed In:
14.0.0, 13.1.1.2

Opened: Dec 14, 2017
Severity: 3-Major

Symptoms

The db variable Tmm.HTTP.TCL.Validation is enabled by default. This db variable should be disabled when APM is provisioned/enabled, and when ACCESS::restrict_irule_event is disabled and HTTP_RESPONSE_RELEASE events are detected with the assigned iRules.

Impact

TCP reset triggered when it should not. With respect to the specific condition described, the system should post the logon page.

Conditions

Steps to Reproduce: 1. Define the following iRule in the virtual server. when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST { set u [ HTTP::uri ] log local0. "XXX: [ HTTP::uri ]" } when HTTP_RESPONSE_RELEASE { log local0. "XXX: [ HTTP::status ] [ HTTP::header Location ]" set l [ HTTP::header Location ] if { $l starts_with {/my.policy} } { append l {?modified_by_irule=1} HTTP::header replace Location $l } elseif { $l starts_with {/renderer/agent_logon_page_form.eui} } { # Next response will be the real response to the client. ACCESS::log "XXX: lp_seen" set lp_seen 1 } if { [ HTTP::status ] == 200 && [ info exists lp_seen ] && $lp_seen == 1 } { unset lp_seen HTTP::header insert X-MyAppSpecialHeader 1 } } 2. Configure START :: LOGON PAGE :: ALLOW policy. 3. Access the virtual server.

Workaround

Manually disable Tmm.HTTP.TCL.Validation.

Fix Information

Tmm.HTTP.TCL.Validation is now disabled automatically when APM provisioned during the upgrades. This is correct behavior.

Behavior Change