Bug ID 1305117: SSL profile "no-dtlsv1.2" option is left disabled while upgrading from v14.x or v15.x to 17.1.0

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3

Opened: Jun 07, 2023

Severity: 2-Critical

Symptoms

Starting from 16.0.0, given DTLSv1.2 support, "no-dtlsv1.2" option is newly available on SSL profile. Default value is "no-dtlsv1.2" option enabled. While upgrading from older version to 16.0.0 or later, by default "no-dtlsv1.2" option is to be automatically enabled with following notification message. > bigip1 warning mcpd[XXXX]: 0107185a:4: Warning generated, for version 16.0.0 or greater : /Common/[SSL-profile-name], default option no-dtlsv1.2 set. However, when user directly upgrades from v14.x/v15.x to v17.1.0, "no-dtlsv1.2" option may not be automatically enabled on SSL profile.

Impact

After upgrade to 17.1.0, "no-dtlsv1.2" option may not be enabled on SSL profile.

Conditions

- roll-forward upgrade from v14.x/v15.x to v17.1.0. upgrade from v16.x to v17.1.0 is not affected. - custom client|server-ssl profile configured on pre-upgrade version v14.x/v15.x

Workaround

After upgrade to 17.1.0, manually enable "no-dtlsv1.2" option.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips