Bug ID 711056: License check VPE expression fails when access profile name contains dots

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6

Fixed In:
15.0.0

Opened: Mar 20, 2018

Severity: 3-Major

Symptoms

License Check Agent always flows down fallback branch. Logs show the following pattern: -- err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED. -- err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"

Impact

License check always fails, resulting in denied logon.

Conditions

-- Access profile contains '.' (dot) characters in its name. -- License Check agent is used in the VPE to check against profile license.

Workaround

Use a different policy name without '.' characters.

Fix Information

A new session variable named 'session.access.profileid' contains the profile name, with '.' characters being replaced with '_' characters, if any. If License agent branch rule uses profile license consumption as the criterion, do one of the following: -- If profile name is hard-coded, manually replace the '.' characters with '_' characters in the profile name. -- If the profile name is fetched from session variable, use 'session.access.profileid' instead of 'session.access.profile', as shown in the following example: expr {(([mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]"] - [mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]#"]) * 100) >= ([mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]"] * 20)}

Behavior Change

A new session variable named 'session.access.profileid' contains the profile name, with '.' characters being replaced with '_' characters, if any. If License agent branch rule uses profile license consumption as the criterion, do one of the following: -- If profile name is hard-coded, manually replace the '.' characters with '_' characters in the profile name. -- If the profile name is fetched from session variable, use 'session.access.profileid' instead of 'session.access.profile', as shown in the following example: expr {(([mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]"] - [mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]#"]) * 100) >= ([mcget -license "tmm.profilelicense.[mcget {session.access.profileid}]"] * 20)}

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips