Last Modified: Oct 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Opened: Feb 13, 2019 Severity: 3-Major
The db variable Tmm.HTTP.TCL.Validation is enabled by default. This db variable should be disabled when APM is provisioned/enabled, and when ACCESS::restrict_irule_event is disabled and HTTP_RESPONSE_RELEASE events are detected with the assigned iRules.
TCP reset triggered when it should not. With respect to the specific condition described, the system should post the logon page.
Steps to Reproduce: 1. Fresh install of APM 2. Define the following iRule in the virtual server. when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST { set u [ HTTP::uri ] log local0. "XXX: [ HTTP::uri ]" } when HTTP_RESPONSE_RELEASE { log local0. "XXX: [ HTTP::status ] [ HTTP::header Location ]" set l [ HTTP::header Location ] if { $l starts_with {/my.policy} } { append l {?modified_by_irule=1} HTTP::header replace Location $l } elseif { $l starts_with {/renderer/agent_logon_page_form.eui} } { # Next response will be the real response to the client. ACCESS::log "XXX: lp_seen" set lp_seen 1 } if { [ HTTP::status ] == 200 && [ info exists lp_seen ] && $lp_seen == 1 } { unset lp_seen HTTP::header insert X-MyAppSpecialHeader 1 } } 3. Configure START :: LOGON PAGE :: ALLOW policy. 4. Access the virtual server.
Manually disable Tmm.HTTP.TCL.Validation.
None