Last Modified: Feb 28, 2025
Affected Product(s):
BIG-IP Install/Upgrade, LTM
Known Affected Versions:
16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4
Fixed In:
17.5.0, 17.1.2, 16.1.5
Opened: Jun 12, 2023 Severity: 3-Major
1. An hourly spike in CPU usage occurs. 2. TMM Idle enforcer gets activated. 3. Users may complain of slow connections once per hour, or timeouts may occur briefly once per hour.
TMM CPU Usage goes high for about one second, which may cause a delay in traffic handling, and the Idle Enforcer gets activated briefly.
This issue occurs when the Clientssl profile is assigned to a virtual server and passing traffic. This happens during the normal operation while running an affected software version.
When a workaround fix is applied via an EHF, a DB key is needed to be disabled for the fix to take effect. tmm.ssl.useffdhe It enables or disables the timely generation of FFDHE key pairs and the default value is set to true. When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual. When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto. To enable the fix post-EHF installation, you should run $ tmsh modify sys db tmm.ssl.useffdhe value false
A new db variable is introduced in the fix - tmm.ssl.useffdhe It enables or disables the timely generation of FFDHE key pairs and the default value is set to true. When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual. When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto. Some default profiles are configured with cipher-groups using DH groups and are therefore incompatible with disabling this variable. This variable should not be disabled when using any profile with cipher groups from the following: f5-aes, f5-cc-stip, f5-default, f5-ecc, f5-fips, f5-hw_keys, f5-quic, and f5-secure