Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 14.0.0, 14.0.0.1, 14.0.0.2
Fixed In:
14.1.0, 14.0.0.3, 13.1.1.2
Opened: Jun 14, 2018 Severity: 2-Critical Related Article:
K74431483
After modifying the ssl_profile attribute on an HTTPS monitor on a device in a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.
-- An HTTPS monitor is used on BIG-IP systems in an high availability (HA) configuration. -- The ssl_profile field is modified on an HTTPS monitor. -- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.
-- Do not run HTTPS monitors using in-tmm monitors, -- Use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor). Note: Using these attributes generates deprecation warnings, but the configuration still takes effect.
After modifying the ssl_profile attribute on an HTTPS monitor on a system within an high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer unit now receives the updated monitor attribute, as expected.