We are experiencing issues with some of our websites using Chrome website (version 80) where the HTTP2 profile is applied to the VIP
We get the following error - ERR_HTTP2_SERVER_REFUSED_STREAM
We are running version 12.1.4 and have tried a few settings on http2 profile but the problem still persists
Any ideas on how to resolve this or if anybody is also experiencing this?
Thanks. Is there a temporary solution that does not involve a software upgrade if you are in version 12.1.2? I must correct my original post as we are also on version 12.1.2
By using a Perfomance layer 4 VIP and disabling http/2 the websites works on Chrome 80 but fails on other browsers now to the same VIP. The issue seems to be SSL and TLS related somehow
Switching to a Perfomance layer 4 VIP just does packet passthrough to the pool members - any issues with TLS is due to the pool member webserver/TLS implementation.
If you are on BigIP 12.1.2, you have probably hit a different HTTP2 issue - probably:
There is no workaround - you will need to upgrade to resolve this issue.
Here is the list of HTTP2 issues fixed in the latest 12.x series release since 12.1.2 (released Nov 2017):
the latest version available is 188.8.131.52 which provides bugfixes for these HTTP/2 related issues: Known Issues in BIG-IP v12.1.x 788773-5 CVE-2019-9515 K50233772 HTTP/2 Vulnerability: CVE-2019-9515 788769-5 CVE-2019-9514 K01988340 HTTP/2 Vulnerability: CVE-2019-9514 773673-5 CVE-2019-9512 K98053339 HTTP/2 Vulnerability: CVE-2019-9512 Cumulative fixes from BIG-IP v12.1.5 that are included in this release 699598-4 3-Major HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR Cumulative fixes from BIG-IP v184.108.40.206 that are included in this release 745713-2 CVE-2019-6619 K94563344 TMM may crash when processing HTTP/2 traffic 744536 3-Major HTTP/2 may garble large headers 751586-1 4-Minor http2 virtual does not honour translate-address disabled Cumulative fixes from BIG-IP v12.1.4 that are included in this release 740490-2 2-Critical Configuration changes involving HTTP2 or SPDY may leak memory 680264 3-Major HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags Cumulative fixes from BIG-IP v220.127.116.11 that are included in this release 720293-1 3-Major HTTP2 IPv4 to IPv6 fails Cumulative fixes from BIG-IP v18.104.22.168 that are included in this release 703940-3 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources 718071-3 2-Critical HTTP2 with ASM policy not passing traffic 702151-2 3-Major HTTP/2 can garble large headers 698916-3 3-Major TMM crash with HTTP/2 under specific condition 698379-3 3-Major K61238215 HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR( 673052-2 3-Major On i-Series platforms, HTTP/2 is limited to 10 streams 659519-1 3-Major K42400554 Non-default header-table-size setting on HTTP2 profiles may cause issues Cumulative fixes from BIG-IP v22.214.171.124 that are included in this release 705611-1 2-Critical The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used 700393-2 2-Critical K53464344 Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash 673951-4 2-Critical K56466330 Memory leak when using HTTP2 profile 705794-1 3-Major Under certain circumstances a stale HTTP/2 stream might cause a tmm crash 689449-3 3-Major Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured 677457 3-Major K13036194 HTTP/2 Gateway appends semicolon when a request has one or more cookies 654086-3 3-Major Incorrect handling of HTTP2 data frames larger than minimal frame size Cumulative fixes from BIG-IP v126.96.36.199 that are included in this release 668501-2 CVE-2017-6151 K07369970 HTTP2 does not handle some URIs correctly 665924-1 2-Critical K24847056 The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios 574526-1 3-Major K55542554 HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter Cumulative fixes from BIG-IP v188.8.131.52 that are included in this release 681710-4 CVE-2017-6155 K10930474 Malformed HTTP/2 requests may cause TMM to crash Cumulative fixes from BIG-IP v12.1.3 that are included in this release 677119 3-Major HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE 652535-1 3-Major K54443700 HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.