Bug ID 2221177: Big3d cannot validate certificates after they are renewed

Last Modified: May 05, 2026

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 15.1.10.7, 15.1.10.8, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 16.1.6.1, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.1.3.1, 17.5.0, 17.5.1, 17.5.1.2, 17.5.1.3, 17.5.1.4, 17.5.1.5

Fixed In:
17.5.1.6, 17.1.3.2

Opened: Feb 10, 2026

Severity: 2-Critical

Related Article: K000159906

Symptoms

After renewing your big3d certificates, LTM virtual servers become unavailable in GTM, and the bigip_add command starts failing. Messages like the following appear in /var/log/ltm:

"big3d SSL cert EXPIRED at IP <IP_ADDRESS>"
"SSL error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"
"SSL error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate"

Impact

Big3d fails to verify the new certificate. Note: This can also occur if you use a public CA to sign the device certificate used for high availability.

Conditions

-- BIG-IP DNS (GTM)
-- A public CA is used to sign the certificates used by big3d

Workaround

Follow the steps described in K000159906: BIG-IP GTM/DNS iQuery Connection Failure Due to Missing Extended Key Usage (EKU) Extensions in Device Certificates, available at https://my.f5.com/manage/s/article/K000159906

Fix Information

Both `gtmd` and `big3d` traditionally use the device certificate for mutual TLS connections. This works if the certificate supports both client and server authentication or lacks extended key usage. If the device certificate is limited to server authentication, configure a client certificate using DB variables `gtm.ssl.crt` and `gtm.ssl.key`. Once set, `gtmd` immediately uses the new certificates, and the `gtm_add` script exchanges them for TLS connections. Updating the DB variables while in a sync group breaks existing TLS connections. Restore trust using `bigip_add`, `big3d_install`, or manually installing the client certificate as trusted on remote devices.
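The following script is an added example, not part of this bug record or of F5's own tooling. It applies the rule stated above to a PEM certificate: the certificate is usable for both sides of the gtmd/big3d mutual-TLS connection when it carries no EKU extension at all, or when its EKU lists both TLS Web Server Authentication and TLS Web Client Authentication; a certificate restricted to server authentication is flagged as needing a separate client certificate via `gtm.ssl.crt` and `gtm.ssl.key`. It assumes the openssl CLI (1.1.1 or later for the `-addext` option used to build the constructed demo certificates); the subjects and file names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the F5 article): classify a certificate by its EKU
# extension under the rule in the fix note. Requires the openssl CLI.

# Print the EKU names of a PEM certificate, one per line (empty when absent).
# Parses "openssl x509 -text" output so it works on both OpenSSL 1.1.1 and 3.x.
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Extended Key Usage/ { getline; gsub(/^[ \t]+/, ""); print; exit }' \
        | tr ',' '\n' | sed 's/^ *//; /^$/d'
}

# Return 0 when the certificate can authenticate as both client and server,
# 1 when it is limited (e.g. serverAuth only), 2 when the file cannot be parsed.
check_mtls_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null || { echo "$1: not a readable PEM certificate"; return 2; }
    eku=$(cert_eku "$1")
    if [ -z "$eku" ]; then
        echo "$1: no EKU extension -> usable for client and server authentication"
        return 0
    fi
    if echo "$eku" | grep -q 'TLS Web Server Authentication' \
       && echo "$eku" | grep -q 'TLS Web Client Authentication'; then
        echo "$1: EKU lists serverAuth and clientAuth -> usable"
        return 0
    fi
    echo "$1: EKU restricted to [$(echo "$eku" | tr '\n' ';')] -> not usable as client cert; set gtm.ssl.crt/gtm.ssl.key"
    return 1
}

# Constructed self-signed demo certificates (hypothetical subjects) in a temp dir.
# $1 = name, $2 = optional EKU spec such as "serverAuth" or "serverAuth,clientAuth".
make_demo_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1.example" \
            -addext "extendedKeyUsage=$2" \
            -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.crt" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1.example" \
            -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.crt" 2>/dev/null
    fi
}

DEMO_DIR=$(mktemp -d)
make_demo_cert noeku                          # no EKU: default req -x509 adds none
make_demo_cert serveronly "serverAuth"        # the public-CA shape that breaks big3d
make_demo_cert both "serverAuth,clientAuth"   # what the client cert must carry

# Run the check over the three constructed certificates.
for c in noeku serveronly both; do
    check_mtls_cert "$DEMO_DIR/$c.crt" || true
done
```

To use it against a real device, export the device certificate from the BIG-IP as PEM and pass the file to `check_mtls_cert`; an exit status of 1 means the certificate will be rejected by the peer for client authentication and a dedicated client certificate should be configured as described above. The parser reads the human-readable `-text` output rather than `openssl x509 -ext`, because the latter's behaviour for a missing extension differs between OpenSSL releases.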

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips