Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.2 HF1, 11.3.0
Fixed In:
11.6.0, 11.5.1 HF3
Opened: Apr 29, 2014
Severity: 2-Critical
Related Article:
K54806834
When attempting to monitor a server that does not correctly negotiate TLSv1, the monitor will mark the node or pool member down. Running the ssldump utility on the node will reveal the client (BIG-IP) sending a 'Client Hello' to which the server never responds.
HTTPS monitors cannot be used to monitor services on the problematic server.
This occurs with a legacy web server that does not correctly understand current SSL protocol negotiation. Oracle WebLogic 10.3.4 is one such server.
Use HTTP instead of HTTPS. Use a different server version or different web server software.
The HTTPS monitor has been improved to automatically attempt SSLv3/SSLv2-compatible protocol negotiation if TLSv1 protocol negotiation fails.
HTTPS monitors will fall back to an SSLv2/SSLv3-compatible protocol negotiation if TLSv1/SSLv3 negotiation fails on a specific monitor instance. That particular monitor instance will then continue to use the older protocol negotiation until bigd is restarted or the monitor is reconfigured.
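The symptom described above (a 'Client Hello' that the server never answers) can be checked from any client host. The following is an added example, not F5 code: it sends a minimal TLS 1.0 ClientHello and reports whether the peer replies with a handshake record, an alert, or nothing at all. The function names, the cipher list and the loopback test peer are assumptions made for illustration, and the hello is not byte-identical to the one bigd sends.

```python
import os, socket, struct, threading

def client_hello_tls10() -> bytes:
    """Minimal TLS 1.0 ClientHello record, no extensions (constructed for this example)."""
    ciphers = struct.pack("!3H", 0x002F, 0x0035, 0x000A)  # RSA AES128/AES256/3DES, all -SHA
    body = (b"\x03\x01"                                   # client_version = TLS 1.0
            + os.urandom(32)                              # client random
            + b"\x00"                                     # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify(host: str, port: int, timeout: float = 3.0) -> str:
    """Send the hello and report how the peer reacts."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello_tls10())
        try:
            data = s.recv(64)
        except socket.timeout:
            return "no_response"      # the symptom: hello sent, nothing comes back
        except ConnectionError:
            return "closed"
    if not data:
        return "closed"
    # First byte of a TLS record is its content type: 0x16 handshake, 0x15 alert
    return {0x16: "handshake", 0x15: "alert"}.get(data[0], "unexpected")

def fake_server(reply: bytes) -> int:
    """Constructed loopback peer: reads the hello, sends `reply` (may be empty), waits."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        try:
            conn, _ = srv.accept()
            srv.close()
            with conn:
                conn.recv(4096)
                if reply:
                    conn.sendall(reply)
                conn.recv(1)          # hold the connection until the client closes
        except OSError:
            pass
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print("silent peer :", classify("127.0.0.1", fake_server(b""), timeout=1.0))
    print("answers     :", classify("127.0.0.1", fake_server(b"\x16\x03\x01\x00\x00")))
```

A `no_response` result against a pool member matches the condition in this report; `handshake` or `alert` means the server does process the TLSv1 hello.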