Bug ID 758618: Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Opened: Feb 13, 2019
Severity: 3-Major

Symptoms

The db variable Tmm.HTTP.TCL.Validation is enabled by default. This db variable should be disabled when APM is provisioned/enabled, and when ACCESS::restrict_irule_event is disabled and HTTP_RESPONSE_RELEASE events are detected with the assigned iRules.

Impact

TCP reset triggered when it should not. With respect to the specific condition described, the system should post the logon page.

Conditions

Steps to Reproduce: 1. Fresh install of APM 2. Define the following iRule in the virtual server. when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST { set u [ HTTP::uri ] log local0. "XXX: [ HTTP::uri ]" } when HTTP_RESPONSE_RELEASE { log local0. "XXX: [ HTTP::status ] [ HTTP::header Location ]" set l [ HTTP::header Location ] if { $l starts_with {/my.policy} } { append l {?modified_by_irule=1} HTTP::header replace Location $l } elseif { $l starts_with {/renderer/agent_logon_page_form.eui} } { # Next response will be the real response to the client. ACCESS::log "XXX: lp_seen" set lp_seen 1 } if { [ HTTP::status ] == 200 && [ info exists lp_seen ] && $lp_seen == 1 } { unset lp_seen HTTP::header insert X-MyAppSpecialHeader 1 } } 3. Configure START :: LOGON PAGE :: ALLOW policy. 4. Access the virtual server.

Workaround

Manually disable Tmm.HTTP.TCL.Validation.

Fix Information

None

Behavior Change