Last Modified: Apr 30, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.5.0
Opened: Feb 27, 2025 Severity: 3-Major
When using "tmsh load sys config verify" or performing an MCPD forceload/reboot, no validation error is reported for a SSL profile referencing a non-existent cipher group. This is unexpected behavior. However, when using "tmsh load sys config", the system correctly identifies and reports the missing cipher group as a validation error. This is the expected behavior.
When a SSL profile references a non-existent cipher group, the configuration loads without validation errors under certain conditions. This can result in connection failures with error messages such as: Connection error: hud_ssl_handler:1315: alert(40) invalid profile unknown on VIP <VIP_NAME>
The disk config file (/config/bigip.conf) is missing the cipher group configuration, while that cipher group continues to be referenced within a SSL profile.
Ensure the disk config file (/config/bigip.conf) always has the cipher group present if it is being referenced by a Client or Server SSL profile.
None