Bug ID 956645: Per-request policy execution may timeout.

Last Modified: Jan 27, 2023

Affected Product:
BIG-IP APM, SSLO, SWG (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3

Fixed In:
17.0.0, 14.1.4.5

Opened: Oct 16, 2020
Severity: 3-Major

Symptoms

When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.

Impact

Some clients will fail to connect to their destination.

Conditions

Multiple connections are accessing the same subsession, triggering subsession lock contention.

Workaround

Add more criteria to the gating criteria so that subroutines are more fine-grained, which reduces subsession contention. For example, add the category or the application name to the gating criteria. In the case of API protection, consider concatenating the credentials with the resource hostname (plus port).

Increase the per-request policy execution timeout, which is controlled by the variable tmm.access.prp_global_timeout, to a higher value.

Fix Information

Subsession lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.

Behavior Change