Last Modified: Nov 05, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
16.1.6, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1, 17.5.1.2
Fixed In:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1
Opened: May 07, 2025
Severity: 2-Critical
SSL handshake failures triggered by sudden connection spikes and crypto queue saturation
Degraded service availability due to SSL handshake disruptions
1. Brief surge in SSL connection volume
2. Saturation of the crypto processing queue
None
OVERVIEW
--------
This code implements an intelligent rate-limiting mechanism to protect TMM (Traffic Management Microkernel) from SSL/TLS crypto queue exhaustion during high load conditions. The system monitors pending crypto operations and handshake completion rates to detect and mitigate overload situations.

CONFIGURATION PARAMETERS
------------------------
- tmm_ssl_crypto_queues_max (default: 2048)
  Maximum allowed pending crypto operations per TMM instance before triggering overload detection.
- tmm_ssl_queues_exceed_time (default: 1 second)
  Grace period to wait after queue overflow is detected before evaluating handshake completion rate.

OPERATIONAL BEHAVIOR
--------------------
Stage 1: Normal Operation
When pending crypto operations remain below the configured threshold (2048), the system operates normally with no restrictions.

Stage 2: Queue Overflow Detection
When pending crypto operations exceed tmm_ssl_crypto_queues_max:
- The system records the current timestamp
- Captures a snapshot of total handshakes completed
- Enters monitoring mode for the configured grace period (1 second)
- No connections are rejected during the initial grace period

Stage 3: Sustained Overload Analysis
After the grace period expires, if the queue remains overloaded:
- Calculates handshake completion rate:
  Rate = (Handshakes completed since overflow) / (Time elapsed)
- Compares completion rate against health threshold:
  Threshold = Current active handshakes / 100 (1% of active handshakes)

Stage 4: Protection Action
If completion rate falls below the 1% threshold:
- System determines TMM is experiencing crypto starvation
- Rejects new SSL/TLS connections with SSL_A_INTERNAL_ERROR
- Logs diagnostic message containing:
  * Current pending crypto operations count
  * Per-TMM queue limit
  * Handshake completion rate
  * Current active handshakes count
If completion rate exceeds the 1% threshold:
- System determines TMM is recovering
- Resets monitoring state
- Resumes normal operation

Stage 5: Automatic Recovery
When pending crypto operations drop below threshold:
- Monitoring state is immediately reset
- System returns to normal operation
- New connections are accepted normally
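The five stages above, modelled as a small state machine. This is an added illustration, not F5's TMM source: the class, method and sample names are assumptions, a pending count equal to the limit is treated as normal (the text only specifies "exceed" and "drop below"), and the diagnostic is stored as a string rather than written to a log.

```python
SSL_A_INTERNAL_ERROR = "SSL_A_INTERNAL_ERROR"  # reject code named on the page

class CryptoQueueGuard:
    """Five-stage overload model from the text above (constructed, not TMM code)."""

    def __init__(self, queues_max=2048, exceed_time=1.0):
        self.queues_max = queues_max    # tmm_ssl_crypto_queues_max
        self.exceed_time = exceed_time  # tmm_ssl_queues_exceed_time, seconds
        self.last_diag = None           # last starvation diagnostic (Stage 4)
        self.reset()

    def reset(self):  # Stage 5: drop the overflow timestamp and snapshot
        self.overflow_at = None
        self.completed_at_overflow = 0

    def evaluate(self, now, pending, completed, active):
        """now: seconds; pending: queued crypto ops; completed: cumulative handshakes
        finished; active: handshakes in flight. Returns None to accept, else the reject code."""
        if pending <= self.queues_max:          # Stage 1 / Stage 5: normal operation
            self.reset()
            return None
        if self.overflow_at is None:            # Stage 2: start the grace period
            self.overflow_at = now
            self.completed_at_overflow = completed
            return None
        elapsed = now - self.overflow_at
        if elapsed < self.exceed_time:          # still inside the grace period
            return None
        rate = (completed - self.completed_at_overflow) / elapsed  # Stage 3
        threshold = active / 100                # 1% of active handshakes
        if rate < threshold:                    # Stage 4: crypto starvation
            self.last_diag = f"pending={pending} limit={self.queues_max} rate={rate:.2f}/s active={active}"
            return SSL_A_INTERNAL_ERROR
        self.reset()                            # Stage 4: recovering
        return None

SAMPLES = [  # constructed (now, pending, completed, active) readings for one TMM
    (0.0, 100, 490, 800),    # normal
    (1.0, 3000, 500, 1000),  # overflow detected, snapshot taken
    (1.5, 3000, 502, 1000),  # inside the 1 s grace period
    (2.5, 3000, 505, 1000),  # 5 done in 1.5 s = 3.33/s < 10 -> reject
    (3.0, 3000, 600, 1000),  # 100 done in 2 s = 50/s > 10 -> recovering
    (5.0, 100, 700, 300),    # queue drained, back to normal
]

def run_scenario(samples=SAMPLES, guard=None):
    """Feed samples in order and return the per-sample decision."""
    guard = guard or CryptoQueueGuard()
    return [guard.evaluate(*s) for s in samples]
```

Note that only the fourth reading is rejected: the spike at 1.0 s is tolerated through the grace period, and the burst of completions at 3.0 s clears the monitoring state without waiting for the queue to drain.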