Bug ID 724213: Modified ssl_profile monitor param not synced correctly

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 14.0.0, 14.0.0.1, 14.0.0.2

Fixed In:
14.1.0, 14.0.0.3, 13.1.1.2

Opened: Jun 14, 2018

Severity: 2-Critical

Related Article: K74431483

Symptoms

After modifying the ssl_profile attribute on an HTTPS monitor on a device in a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.

Impact

The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.
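Because both units report in-sync, this drift only shows up when the monitor configuration of the two units is compared directly. The following is an added example, not F5 code: it assumes each unit's HTTPS monitors were saved as text in the style of `tmsh list ltm monitor https` output, with the attribute written as `ssl-profile`; the monitor names, profile names and sample text are constructed.

```python
import re

# Constructed sample text (assumed tmsh-list style), one string per HA unit.
UNIT_A = """ltm monitor https app_https {
    defaults-from https
    interval 5
    ssl-profile /Common/serverssl-hardened
    timeout 16
}
ltm monitor https api_https {
    defaults-from https
    ssl-profile /Common/serverssl
}
"""
UNIT_B = """ltm monitor https app_https {
    defaults-from https
    interval 5
    ssl-profile none
    timeout 16
}
ltm monitor https api_https {
    defaults-from https
    ssl-profile /Common/serverssl
}
"""

# One top-level stanza: header line, body, closing brace at column 0.
STANZA = re.compile(r"^ltm monitor https (\S+) \{\n(.*?)^\}", re.M | re.S)

def ssl_profiles(text):
    """Map monitor name -> ssl-profile value ('none' when the line is absent)."""
    profiles = {}
    for name, body in STANZA.findall(text):
        m = re.search(r"^\s+ssl-profile\s+(\S+)", body, re.M)
        profiles[name] = m.group(1) if m else "none"
    return profiles

def drift(local_text, peer_text):
    """Return (monitor, local value, peer value) for every mismatch."""
    local, peer = ssl_profiles(local_text), ssl_profiles(peer_text)
    names = sorted(set(local) | set(peer))
    pairs = [(n, local.get(n, "<missing>"), peer.get(n, "<missing>")) for n in names]
    return [p for p in pairs if p[1] != p[2]]

if __name__ == "__main__":
    for name, a, b in drift(UNIT_A, UNIT_B):
        print(f"DRIFT {name}: local={a} peer={b}")
```
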

Conditions

-- An HTTPS monitor is used on BIG-IP systems in a high availability (HA) configuration.
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.

Workaround

-- Do not run HTTPS monitors using in-tmm monitors.
-- Use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).

Note: Using these attributes generates deprecation warnings, but the configuration still takes effect.

Fix Information

After modifying the ssl_profile attribute on an HTTPS monitor on a system within a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.
