Bug ID 442199: HA group must be set up before running ccmode

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
11.5.1, 11.5.0

Fixed In:
11.6.0, 11.5.1 HF2, 11.5.0 HF3

Opened: Jan 06, 2014

Severity: 2-Critical


HA peer discovery process fails when running ccmode.


Unable to set up HA group. In the GUI, upon attempting the Peer Discovery step, the system returns an iControl connection failure error.


This occurs if the ccmode utility (for installations requiring Common Criteria compliance) is run prior to set-up of an HA group.


There are two workarounds: -- Create all HA groups before running the ccmode utility. -- Complete the following process on both systems prior to initial HA setup or before adding a new device: 1. Run the fommand: tmsh modify sys httpd ssl-protocol "all -SSLv2". 2. Run the command: tmsh save sys config. 3. Perform HA-setup/device-addition. 4. Return the httpd ssl-protocol option to the value that conforms to Common Criteria requirements. To do so, run the following two commands: a. tmsh modify sys httpd ssl-protocol "all -SSLv2 -SSLv3". b. tmsh save sys config.

Fix Information

The system now completes the correct set up of system to prevent error messages and failure of HA peer discovery, so HA groups are created as expected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips