cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

http2 profile Chrome - ERR_HTTP2_SERVER_REFUSED_STREAM

southern_shredd
Nimbostratus
Nimbostratus

We are experiencing issues with some of our websites using Chrome website (version 80) where the HTTP2 profile is applied to the VIP

 

We get the following error - ERR_HTTP2_SERVER_REFUSED_STREAM

 

We are running version 12.1.4 and have tried a few settings on http2 profile but the problem still persists

 

Any ideas on how to resolve this or if anybody is also experiencing this?

 

3 REPLIES 3

Simon_Blakely
F5 Employee
F5 Employee

southern_shredd
Nimbostratus
Nimbostratus

Thanks. Is there a temporary solution that does not involve a software upgrade if you are in version 12.1.2? I must correct my original post as we are also on version 12.1.2

 

By using a Perfomance layer 4 VIP and disabling http/2 the websites works on Chrome 80 but fails on other browsers now to the same VIP. The issue seems to be SSL and TLS related somehow

 

 

 

Switching to a Perfomance layer 4 VIP just does packet passthrough to the pool members - any issues with TLS is due to the pool member webserver/TLS implementation.

 

If you are on BigIP 12.1.2, you have probably hit a different HTTP2 issue - probably:

 

Bug ID 677119: HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE

 

There is no workaround - you will need to upgrade to resolve this issue.

Here is the list of HTTP2 issues fixed in the latest 12.x series release since 12.1.2 (released Nov 2017):

 

the latest version available is 12.1.5.1 which provides bugfixes for these HTTP/2 related issues:   Known Issues in BIG-IP v12.1.x 788773-5 CVE-2019-9515 K50233772 HTTP/2 Vulnerability: CVE-2019-9515 788769-5 CVE-2019-9514 K01988340 HTTP/2 Vulnerability: CVE-2019-9514 773673-5 CVE-2019-9512 K98053339 HTTP/2 Vulnerability: CVE-2019-9512   Cumulative fixes from BIG-IP v12.1.5 that are included in this release 699598-4 3-Major HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR   Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release 745713-2 CVE-2019-6619 K94563344 TMM may crash when processing HTTP/2 traffic 744536 3-Major HTTP/2 may garble large headers 751586-1 4-Minor http2 virtual does not honour translate-address disabled   Cumulative fixes from BIG-IP v12.1.4 that are included in this release 740490-2 2-Critical Configuration changes involving HTTP2 or SPDY may leak memory 680264 3-Major HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags   Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release 720293-1 3-Major HTTP2 IPv4 to IPv6 fails   Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release 703940-3 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources 718071-3 2-Critical HTTP2 with ASM policy not passing traffic 702151-2 3-Major HTTP/2 can garble large headers 698916-3 3-Major TMM crash with HTTP/2 under specific condition 698379-3 3-Major K61238215 HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( 673052-2 3-Major On i-Series platforms, HTTP/2 is limited to 10 streams 659519-1 3-Major K42400554 Non-default header-table-size setting on HTTP2 profiles may cause issues   Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release 705611-1 2-Critical The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used 700393-2 2-Critical K53464344 Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash 673951-4 2-Critical K56466330 Memory leak when using HTTP2 profile 705794-1 3-Major Under certain circumstances a stale HTTP/2 stream might cause a tmm crash 689449-3 3-Major Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured 677457 3-Major K13036194 HTTP/2 Gateway appends semicolon when a request has one or more cookies 654086-3 3-Major Incorrect handling of HTTP2 data frames larger than minimal frame size   Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release 668501-2 CVE-2017-6151 K07369970 HTTP2 does not handle some URIs correctly 665924-1 2-Critical K24847056 The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios 574526-1 3-Major K55542554 HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter   Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release 681710-4 CVE-2017-6155 K10930474 Malformed HTTP/2 requests may cause TMM to crash   Cumulative fixes from BIG-IP v12.1.3 that are included in this release 677119 3-Major HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE 652535-1 3-Major K54443700 HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.