For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

tiwang's avatar
tiwang
Icon for Nimbostratus rankNimbostratus
Aug 19, 2014

what is it with APM and mqx 64k size of a HTTP body?

hi out there we are running version 11.3 of the os and I have hit a annoying problem with a vs which act as frontend for a file-server where up and download through HTTP.

 

See here - here is a Little part of the ltm log where a client on 195.82.25.34 connects to file.online.com on 95.8.53.41:

 

Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_Cookie_Clientless_mode : Clientless-mode Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : ============================================= Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : Client 195.82.25.34:5506 -> file.online.com/GMInboundService/GMInboundService.svc (POST request) Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : Content-Type: text/xml; charset=utf-8 Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : SOAPAction: "http://tempuri.org/IGMInboundService/SendFile" Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : Host: file.online.com Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : Content-Length: 81047 Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : Expect: 100-continue Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : Accept-Encoding: gzip, deflate Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : Connection: Keep-Alive Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : clientless-mode: 1 Aug 19 14:21:07 hsp-f5 info tmm6[13630]: Rule /dk_dmz/DK_log_headers : ============================================= Aug 19 14:21:07 hsp-f5 err tmm6[13630]: 01230140:3: RST sent from 95.8.53.41:443 to 195.82.25.34:5506, [0x171f4d4:2330] APM HTTP body too big Aug 19 14:21:07 hsp-f5 err tmm6[13630]: 01230140:3: RST sent from 95.8.53.41:443 to 195.82.25.34:5506, [0x16c8e24:1305] TCP 3WHS rejected Aug 19 14:21:07 hsp-f5 err tmm6[13630]: 01230140:3: RST sent from 95.8.53.41:443 to 195.82.25.34:5506, [0x16c8e24:1305] TCP 3WHS rejected

 

I have defined the kernel flag to log TCP rst cause which tells me that the APM HTTP body is to big - if I run without APM the vs Works fine - where it acts as solely reverse proxie - but I need to use the APM to get a certificate based kerberos sso up and run (which also Works fine up to file-sizes of ~ 48k) so I think I am forced to use the apm and get a workaround on this Little problem. Any suggestions on how I can come around this 64k limitation? best regards /thomas iwang

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
LTM
security

15 Replies

  • tiwang's avatar
    tiwang
    Icon for Nimbostratus rankNimbostratus
    Aug 20, 2014

    hi out there - really no-one which has ran into the same problem?

     

    best regards /ti

     

  • Michael__'s avatar
    Michael__
    Icon for Nimbostratus rankNimbostratus
    Aug 22, 2014

    I had the same problem months ago, F5 support told me these times: "Current limitation is that in clientless mode clients can not sent requests bigger then 64KB."

    So only a ENG-HF helped. But now if you on 11.3 HF9 you can change this behavior:

    tmsh modify sys db tmm.access.maxrequestbodysize value "<-VALUE->"

    http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14175.html 

    405348-1 Modify the db variable "tmm.access.maxrequestbodysize" with a value larger than the max email body size you would like to support.

  • RobertWebb_7911's avatar
    RobertWebb_7911
    Icon for Nimbostratus rankNimbostratus
    Jan 26, 2015

    Apologies for digging up an old question but I am glad I found this. F5 support and I have been racking our brains trying to figure out this same issue.

     

    Since I found this and now knowing what to look for, I have found that the mentioned HF in 11.3 was applied in 11.4 and 11.6 but not 11.5.1. I am currently on 11.5.1 and cannot upgrade at the moment. Now it will be what teeth do I have to pull to get this into 11.5.1 ASAP as I need to go to production with this by March.

     

  • Michael__'s avatar
    Michael__
    Icon for Nimbostratus rankNimbostratus
    Jan 28, 2015

    Hi Robert,

     

    I also missed that in 11.5.1 :S

     

    I suggest to open a case and ask for an ENG HF for BZ405348 on top of HF7, it shouldn't take long to get it since it allready exists - I recieved 11.5.1.7.36.167-HF7-ENG allready 2 weeks ago :)

     

    Regards

     

  • RobertWebb_7911's avatar
    RobertWebb_7911
    Icon for Nimbostratus rankNimbostratus
    Jan 28, 2015

    Michael,

     

    I have a support case on it and they have escalated to product development. I am just waiting on an update at this point for the timeline to release.

     

  • Mark_van_D's avatar
    Mark_van_D
    Icon for Cirrostratus rankCirrostratus
    Jan 29, 2015

    Thanks guys. Just running into the same issue, was doing my head in.

     

    Also have a support case open to get the ENG HF.

     

  • RobertWebb_7911's avatar
    RobertWebb_7911
    Icon for Nimbostratus rankNimbostratus
    Jan 29, 2015

    Mark,

     

    If you having the actual same issue on 11.5.0 or 11.5.1, have your engineer look up case number 1-920778668.