Bug ID 1056941: HTTPS monitor continues using cached TLS version after receiving fatal alert.

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4

Fixed In:
17.1.2

Opened: Oct 24, 2021

Severity: 3-Major

Symptoms

After an HTTPS monitor completes successfully, the TLS version is cached and used for subsequent monitor probes. If the back end server TLS version changes between monitor polls and no longer allows the cached TLS version, the back end server correctly sends a fatal alert to the BIG-IP in response to the no longer allowed TLS version. The BIG-IP will continue to use the cached, now prohibited, version in all subsequent probes resulting in a false down resource until the cached information is cleared on the BIG-IP.

Impact

BIG-IP continues to send prohibited TLS version and reports the member as down.

Conditions

ClientSSL profile is changed on backend BIG-IP device's virtual server,

Workaround

Any one of these workarounds will work. -- Delete and re-add pool member. -- Change HTTPS monitor to any other monitor (including another HTTPS monitor) and then back. -- Restart bigd with "bigstart restart bigd" - Note that this impacts all monitoring on the BIG-IP. -- Restart BIG-IP - Note that this impacts all traffic on the BIG-IP.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips