Last Modified: May 29, 2024
Affected Product(s): BIG-IP LTM
Fixed In: 17.1.1, 16.1.4.2, 15.1.10.3
Opened: Jul 04, 2023
Severity: 3-Major
Related Article: K000137796
When updating a large CRL file in BIG-IP using tmsh, the file may be only partially read because of an internal memory allocation failure. The size of CRL file that triggers this issue varies with hardware type, network bandwidth and usage, and system resources.
When a large CRL file is attached to a profile, an update may indicate success even though only a partial upload has occurred. Connections to a VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.
1. Using tmsh, an existing CRL is updated with a large CRL file.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load.
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation. The log received will look like:
01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.
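To find which profiles were invalidated after a failed CRL load, the log message above can be matched and grouped by CRL file. This is an added example, not F5 code: the syslog prefix, host, profile names and CRL paths in the sample lines are constructed, and only the message body quoted in this article is matched.

```python
import re
import sys
from collections import defaultdict

# Message body as quoted in the article. The syslog prefix in front of the
# message ID is not matched, because its exact layout is an assumption here.
CRL_LOAD_FAILURE = re.compile(
    r"01260028:2: Profile (?P<profile>.+?) - cannot load (?P<crl>.+?) "
    r"CRL file error: unable to load large CRL file"
)

# Constructed sample lines: host, process, profile names and paths are made up.
_ERR = "CRL file error: unable to load large CRL file - try chunking it to multiple files."
SAMPLE_LTM_LOG = [
    "Jul  4 10:15:01 bigip1 err tmm[1234]: 01260028:2: Profile /Common/clientssl_a"
    " - cannot load /config/example/big.crl " + _ERR,
    "Jul  4 10:15:01 bigip1 err tmm[1234]: 01260028:2: Profile /Common/clientssl_b"
    " - cannot load /config/example/big.crl " + _ERR,
    "Jul  4 10:15:02 bigip1 info constructed unrelated line mentioning big.crl",
    "Jul  4 10:20:40 bigip1 err tmm[1234]: 01260028:2: Profile /Common/clientssl_a"
    " - cannot load /config/example/big.crl " + _ERR,
]


def find_failed_crl_loads(lines):
    """Map each CRL path that failed to load to the profiles it invalidated."""
    failed = defaultdict(set)
    for line in lines:
        match = CRL_LOAD_FAILURE.search(line)
        if match:
            failed[match.group("crl")].add(match.group("profile"))
    return {crl: sorted(profiles) for crl, profiles in failed.items()}


def format_report(failed):
    """One line per CRL file, listing every affected profile."""
    return [f"{crl}: {', '.join(profiles)}" for crl, profiles in sorted(failed.items())]


if __name__ == "__main__":
    # Pass a log path (e.g. a copy of /var/log/ltm) or run on the sample lines.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            source = handle.readlines()
    else:
        source = SAMPLE_LTM_LOG
    print("\n".join(format_report(find_failed_crl_loads(source))) or "no CRL load failures")
```

Any CRL path that appears in the report is a candidate for the chunking workaround, and every profile listed beside it is terminating connections until a complete CRL is loaded.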