Bug ID 1056941: HTTPS monitor continues using cached TLS version after receiving fatal alert.

Last Modified: Sep 29, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 17.0.0, 17.0.0.1

Opened: Oct 24, 2021
Severity: 3-Major

Symptoms

After an HTTPS monitor completes successfully, the TLS version is cached and used for subsequent monitor probes. If the back end server TLS version changes between monitor polls and no longer allows the cached TLS version, the back end server correctly sends a fatal alert to the BIG-IP in response to the no longer allowed TLS version. The BIG-IP will continue to use the cached, now prohibited, version in all subsequent probes resulting in a false down resource until the cached information is cleared on the BIG-IP.

Impact

BIG-IP continues to send prohibited TLS version and reports the member as down.

Conditions

ClientSSL profile is changed on backend BIG-IP device's virtual server,

Workaround

-- Delete and re-add pool member. -- Change HTTPS monitor to any other monitor (including another HTTPS monitor) and then back. -- Restart bigd with "bigstart restart bigd" - Note that this impacts all monitoring on the BIG-IP. -- Restart BIG-IP - Note that this impacts all traffic on the BIG-IP.

Fix Information

None

Behavior Change