Last Modified: Aug 05, 2025
Affected Product(s):
BIG-IP MA-VE, PEM, PSM, SSLO, SWG, TMOS
Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1
Opened: Dec 14, 2023 Severity: 3-Major
If SNMP configuration that contains Secure Vault-protected attributes ("$M$...") is copied from a BIG-IP system to another and the devices do not have the same Secure Vault master key, the target device will appear to accept the configuration, but will be unable to decrypt the attributes. If the system is subsequently rebooted, MCPD will remain inoperative or restart repeatedly during startup. The LTM log files will contain error messages similar to the following: bigip01 notice mcpd[30645]: 01071027:5: Master key OpenSSL error: 4008867572:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:664: bigip01 notice mcpd[30645]: 01b00001:5: Processed value is empty: class name (usmuser) field name () bigip01 err mcpd[30645]: 01071684:3: Unable to encrypt application variable (/Common/ifoobar_1_1 auth_password usmuser /Common/snmpd). Or bigip01 notice mcpd[7011]: 01b00001:5: Processed value is empty: class name (trapsess) field name () bigip01 err mcpd[7011]: 01071684:3: Unable to encrypt application variable (/Common/i192_0_2_1 auth_password trapsess /Common/snmpd). The LTM log file may contain this log message, indicating that MCPD exited and restarted while attempting to load the configuration: bigip01 emerg load_config_files[25201]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- Error: failed to reset strict operations; disconnecting from mcpd. Will reconnect on next command.
- SNMP configuration does not function. - If the device is rebooted or MCPD is restarted, the system will remain INOPERATIVE or MCPD will be in a restart loop.
- SNMP configuration that contains Secure Vault-encrypted attributes ("$M$..."), present as SNMPv3 auth-password and/or privacy-password attributes - SNMP configuration is copied from a BIG-IP system to another BIG-IP system, and the two devices do not share the same Secure Vault master key.
Do not copy SNMP configuration with encrypted attributes between disparate devices. If a device is currently in an inoperative state and affected by this issue: - Create a backup copy of /config/bigip_base.conf - Manually edit bigip_base.conf and remove the SNMPv3 users and traps - If the system does not recover automatically, restart MCPD or reboot the device once.
None