Bug ID 1016921: SSL Connection mirroring - session resumption does not occur on standby when the session ticket is enabled

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1

Fixed In:
17.0.0

Opened: May 07, 2021
Severity: 3-Major

Symptoms

Eight-second delays occur on traffic through an SSL connection mirroring virtual server, and errors occur on the standby device:

crit tmm7[11598]: 01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:0906D06C:PEM
err tmm7[11598]: 01010282:3: Crypto codec error: sw_crypto-7 Couldn't initialize the elliptic curve parameters.
crit tmm7[11598]: 01010025:2: Device error: crypto codec No codec available to initialize request context.
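A log check for the three standby-side errors listed above, as an added example (not F5's code): it groups matches by TMM process and reports the processes that logged the full set. The syslog timestamp/hostname prefix, the function names and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Message ID and text fragment for each error quoted in the Symptoms section.
SIGNATURE = {
    "ec_group": ("01010025", "Couldn't create an OpenSSL EC group object"),
    "ec_params": ("01010282", "Couldn't initialize the elliptic curve parameters"),
    "no_codec": ("01010025", "No codec available to initialize request context"),
}

# Matches "<level> tmmN[pid]: <msgid>:<sev>: <text>" anywhere in a line, so an
# assumed syslog timestamp/hostname prefix in front of it is tolerated.
LINE_RE = re.compile(r"\b(crit|err) (tmm\d*)\[(\d+)\]: (\d{8}):\d+: (.*)")


def scan(lines):
    """Return {(tmm, pid): {marker: count}} for lines matching the signature."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        _, tmm, pid, msgid, text = m.groups()
        for name, (want_id, fragment) in SIGNATURE.items():
            if msgid == want_id and fragment in text:
                hits[(tmm, pid)][name] += 1
    return hits


def affected_processes(lines):
    """TMM processes that logged all three errors, i.e. the full symptom set."""
    full = set(SIGNATURE)
    return sorted(k for k, seen in scan(lines).items() if set(seen) == full)


# Constructed sample: message bodies come from the bug report; timestamps,
# hostname, the tmm3 entry and the unrelated line are made up for illustration.
SAMPLE = [
    "May  7 10:15:01 standby.example crit tmm7[11598]: 01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:0906D06C:PEM",
    "May  7 10:15:01 standby.example err tmm7[11598]: 01010282:3: Crypto codec error: sw_crypto-7 Couldn't initialize the elliptic curve parameters.",
    "May  7 10:15:01 standby.example crit tmm7[11598]: 01010025:2: Device error: crypto codec No codec available to initialize request context.",
    "May  7 10:15:09 standby.example crit tmm3[11590]: 01010025:2: Device error: crypto codec No codec available to initialize request context.",
    "May  7 10:15:10 standby.example notice mcpd[5021]: constructed unrelated line",
]

if __name__ == "__main__":
    for tmm, pid in affected_processes(SAMPLE):
        print(f"{tmm}[{pid}]: ID1016921 symptom set present")
```

A process that logs only one of the three messages (tmm3 in the sample) is not reported, which keeps a generic "No codec available" error from being attributed to this bug.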

Impact

SSL traffic is significantly delayed and errors are thrown on the standby device.

Conditions

All of these conditions:
-- SSL connection mirroring enabled
-- Session tickets are enabled
-- High availability (HA) environment

and one of the following:
-- Running BIG-IP v14.1.4.1 or above (in the v14.1.x branch), or
-- Engineering hotfix applied to v14.x/v15.x that has the ID760406 fix (see https://cdn.f5.com/product/bugtracker/ID760406.html)

Workaround

Any one of the following could prevent the problem:
-- client-ssl profile cache-size 0.
-- client-ssl profile session-ticket disabled (default).
-- disable SSL connection mirror on virtual server.

Fix Information

None

Behavior Change