Last Modified: Jun 15, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
16.0.1, 16.0.0, 15.1.0, 14.1.4, 14.1.3.1, 13.1.3.5
Opened: Feb 09, 2021
Severity: 2-Critical
A pool with an HTTPS monitor may have its members marked down due to the monitor not being able to find a matching cipher for the SSL connection. This occurs when the @STRENGTH keyword is provided in the cipher suites list in the server SSL profile used by the HTTPS monitor, because bigd does not handle this keyword correctly.
Pool members are wrongly marked down, preventing them from handling incoming traffic.
The problem is observed when all of the conditions listed below are met:
- The db variable bigd.tmm is set to disable (default setting).
- The pool is using an HTTPS monitor.
- The HTTPS monitor uses a custom server SSL profile.
- The server SSL profile uses a cipher string with the @STRENGTH keyword.
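To find pools exposed to this issue, the four conditions above can be checked against a saved configuration. The following is an added example, not F5 code; it assumes a tmsh-style stanza layout, and every object name in the sample is constructed.

```python
import re

# Constructed sample in an assumed tmsh-style stanza layout (not from the advisory).
SAMPLE_CONFIG = """\
sys db bigd.tmm {
    value "disable"
}
ltm profile server-ssl /Common/mon_ssl {
    ciphers DEFAULT:!RC4:@STRENGTH
}
ltm profile server-ssl /Common/ok_ssl {
    cipher-group /Common/f5-default
}
ltm monitor https /Common/https_custom {
    ssl-profile /Common/mon_ssl
}
ltm monitor https /Common/https_ok {
    ssl-profile /Common/ok_ssl
}
ltm pool /Common/web_pool {
    monitor /Common/https_custom
}
ltm pool /Common/other_pool {
    monitor /Common/https_ok
}
"""

# A top-level stanza: unindented header, "{", body, and an unindented "}".
STANZA = re.compile(r"^(\S[^{\n]*?)\s*\{\n(.*?)^\}", re.M | re.S)

def stanzas(text, prefix):
    """Map object name -> {attribute: value} for top-level stanzas of one type."""
    out = {}
    for header, body in STANZA.findall(text):
        if header.startswith(prefix + " "):
            pairs = (line.split(None, 1) for line in body.splitlines())
            out[header[len(prefix):].strip()] = {p[0]: p[1].strip() for p in pairs if len(p) == 2}
    return out

def affected_pools(text):
    """Return the pools that meet all four conditions listed in the advisory."""
    db = stanzas(text, "sys db").get("bigd.tmm", {})
    # "disable" is the default, so a missing bigd.tmm entry also counts.
    if db.get("value", '"disable"').strip('"') != "disable":
        return []
    weak = {n for n, a in stanzas(text, "ltm profile server-ssl").items() if "@STRENGTH" in a.get("ciphers", "")}
    mons = {n for n, a in stanzas(text, "ltm monitor https").items() if a.get("ssl-profile") in weak}
    return sorted(n for n, a in stanzas(text, "ltm pool").items() if set(a.get("monitor", "").split()) & mons)
```

`affected_pools(SAMPLE_CONFIG)` returns only the pool whose HTTPS monitor references the server SSL profile containing @STRENGTH.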
1. Select the cipher group instead of cipher suites in the server SSL profile.
2. Manually enter the ciphers in the desired order.
None