Bug ID 760406: HA connection might stall on Active device when the SSL session cache becomes out-of-sync.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5

Fixed In:
16.0.0, 15.1.5.1, 14.1.4.1

Opened: Mar 04, 2019

Severity: 3-Major

Symptoms

A BIG-IP system in a high availability (HA) configuration might exhibit slow performance in handling TLS/SSL traffic and experience 'SSL handshake timeout' errors. Messages such as the following can appear in the "ltm" log:

01260009:4: Connection error: hud_ssl_handler:1554: codec alert (20)
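One way to watch for this symptom, as an added example that is not F5 code: the script below scans "ltm" log text for the message above and reports hosts that log a burst of it inside a sliding time window. The syslog-style line layout, the host names, the `find_bursts` name, the 60-second window and threshold of 3, and the year (syslog timestamps carry none) are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines; the syslog-style prefix is an assumed layout.
SAMPLE_LTM_LOG = """\
Mar  4 10:15:01 bigip-a warning tmm1[20112]: 01260009:4: Connection error: hud_ssl_handler:1554: codec alert (20)
Mar  4 10:15:07 bigip-a warning tmm[20112]: 01260009:4: Connection error: hud_ssl_handler:1554: codec alert (20)
Mar  4 10:15:20 bigip-b warning tmm[18044]: 01260009:4: Connection error: hud_ssl_handler:1554: codec alert (20)
Mar  4 10:15:42 bigip-a warning tmm2[20112]: 01260009:4: Connection error: hud_ssl_handler:1554: codec alert (20)
Mar  4 10:16:03 bigip-a notice example[6011]: constructed unrelated line
Mar  4 10:16:30 bigip-a warning tmm[20112]: 01260009:4: Connection error: hud_ssl_handler:1554: codec alert (20)
"""

# The source line number after hud_ssl_handler may differ between builds,
# so it is matched as any integer rather than the literal 1554.
PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"01260009:4: Connection error: hud_ssl_handler:\d+: codec alert \((?P<code>\d+)\)"
)

def find_bursts(log_text, window_s=60, threshold=3, year=2019):
    """Return [(host, window_start, count)] for each burst of >= threshold
    matching messages from one host within window_s seconds."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = PATTERN.search(raw)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["host"]].append(ts)
    bursts = []
    for host, stamps in events.items():
        stamps.sort()
        win, in_burst = deque(), False
        for ts in stamps:
            win.append(ts)
            while (ts - win[0]).total_seconds() > window_s:
                win.popleft()              # drop events older than the window
            if len(win) >= threshold and not in_burst:
                bursts.append((host, win[0], len(win)))
                in_burst = True            # report each burst once
            elif len(win) < threshold:
                in_burst = False
    return bursts

if __name__ == "__main__":
    for host, start, count in find_bursts(SAMPLE_LTM_LOG):
        print(f"{host}: {count} codec alerts within 60s starting {start:%b %d %H:%M:%S}")
```
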

Impact

-- In Scenario 1, the sync operation causes the session cache to be out-of-sync between active and standby nodes.
-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.

In either scenario:
-- SSL Connection mirroring fails and posts the timeout message.
-- The high availability (HA) system performance becomes degraded due to SSL connection timeout.

Conditions

This might occur in either of the following scenarios:

Scenario 1
-- Manual sync operations are performed while traffic is being passed.
-- SSL Connection mirroring is enabled.

Scenario 2
-- Configuration is saved on a high availability (HA) Standby node while traffic is being passed.
-- SSL Connection mirroring is enabled.

Workaround

-- Disable SSL session caching by setting the 'Cache Size' option in the client SSL profile to 0.
-- Set device management sync type to Automatic with incremental sync.

Fix Information

N/A

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips