Bug ID 1306249: Hourly spike in the CPU usage causing delay in TLS connections

Last Modified: Nov 20, 2024

Affected Product(s):
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4

Fixed In:
16.1.5

Opened: Jun 12, 2023

Severity: 3-Major

Symptoms

1. An hourly spike in CPU usage occurs. 2. TMM Idle enforcer gets activated. 3. Users may complain of slow connections once per hour, or timeouts may occur briefly once per hour.

Impact

TMM CPU Usage goes high for about one second, which may cause a delay in traffic handling, and the Idle Enforcer gets activated briefly.

Conditions

This issue occurs when the Clientssl profile is assigned to a virtual server and passing traffic. This happens during the normal operation while running an affected software version.

Workaround

When a workaround fix is applied via an EHF, a DB key is needed to be disabled for the fix to take effect. tmm.ssl.useffdhe It enables or disables the timely generation of FFDHE key pairs and the default value is set to true. When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual. When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto. To enable the fix post-EHF installation, you should run $ tmsh modify sys db tmm.ssl.useffdhe value false

Fix Information

A new db variable is introduced in the fix - tmm.ssl.useffdhe It enables or disables the timely generation of FFDHE key pairs and the default value is set to true. When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual. When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips