Last Modified: Jun 28, 2025
Affected Product(s):
BIG-IP SSLO
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2
Opened: Mar 21, 2024 Severity: 3-Major
Navigating to the SSL Orchestrator GUI results in an error banner stating: "Invalid BIG-IP HA setup. Wait 2 minutes for self-recovery. If HA remains invalid, select HA-Status for more details to correct. Any Configuration changes are not allowed until resolved". The HA Status page shows an error that an NTP server isn't set.
SSL Orchestrator becomes unusable with configuration changes being disabled.
The BIG-IP is part of an HA pair and is configured to use NTP auth servers, so it does not actually have an NTP server set in System >> Configuration >> Device >> NTP.
The workaround is to add localhost to the NTP server list. This way the NTP auth server will still be used, as the NTP requests sent to localhost will just be ignored. To add localhost to the server list, use the following steps:

1. On the standby, enter tmsh.
2. Run `edit sys ntp`.
3. Add a new line to use localhost as a server: `servers { localhost }`. The configuration will look something like:

        sys ntp {
            include "server <NTP auth server IP> key <key id> iburst trustedkey <key id>"
            servers { localhost }
            timezone <timezone>
        }

4. Restart ntp: `restart sys service ntpd`.
5. Exit tmsh.
6. Verify ntp is working on the standby by running `ntpq -c as` and `ntpq -pn`.
7. Perform a configsync to push the NTP change to the active.
8. Verify ntp is working on the active by running `ntpq -c as` and `ntpq -pn`.
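For the verification in steps 6 and 8, the following added example (not F5's code) classifies `ntpq -c as` output so that a unit syncing only because of the localhost entry, or failing key authentication, is not mistaken for a working setup. The function name `ntp_auth_status` and all sample rows are constructed; the column layout assumed is the standard `ntpq` associations listing.

```shell
#!/bin/sh
# Added example: classify `ntpq -c as` output after applying the workaround.
# Columns: ind assid status conf reach auth condition last_event cnt

# Constructed sample: association 1 is the authenticated server from the
# include line, association 2 is the localhost placeholder.
SAMPLE_OK='
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 40811  f61a   yes   yes   ok   sys.peer    sys_peer  1
  2 40812  8011   yes    no  none    reject    mobilize  1'

# Constructed sample: key mismatch, the server fails authentication.
SAMPLE_BAD='
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 40811  c011   yes    no   bad    reject    mobilize  1
  2 40812  8011   yes    no  none    reject    mobilize  1'

# Constructed sample: only the localhost placeholder is present.
SAMPLE_LOCAL_ONLY='
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 40812  8011   yes    no  none    reject    mobilize  1'

# Hypothetical helper: reads the associations listing on stdin, prints a verdict.
ntp_auth_status() {
    awk '
        # Data rows start with a numeric index; skip header and separator.
        $1 ~ /^[0-9]+$/ && NF >= 7 {
            rows++
            if ($6 == "ok" && $7 == "sys.peer") synced++
            if ($6 == "bad") bad++
        }
        END {
            if (synced > 0)    print "authenticated-sync"
            else if (bad > 0)  print "auth-failed"
            else if (rows > 0) print "no-authenticated-peer"
            else               print "no-associations"
        }'
}

# On the BIG-IP: ntpq -c as | ntp_auth_status
printf '%s\n' "$SAMPLE_OK" | ntp_auth_status
```

Only `authenticated-sync` indicates that the selected system peer passed key authentication; a freshly restarted ntpd may need a few poll intervals before it reports that.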
None