Bug ID 469739: ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.0, 11.5.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.2

Opened: Jun 30, 2014

Severity: 4-Minor

Related Article: K16218


MCPD may generate one of the following validation errors as a result of a ConfigSync, or a config load, or attaching an SSL profile to a virtual server, or modifying a virtual server: 0107149e:3: Virtual server /Common/name-of-virtual-server has more than one clientssl/serverssl profile with same server name. 010717e1:3: Client SSL profile cannot contain more than one set of same certificate/key type.


Depending on the manifestation of this issue one of the following can happen: - administrator may be prevented from performing further configuration operations - administrator may be prevented from synchronizing the configuration - the configuration may not load


This occurs when HA pairs have dissimilar cert-key-chain names within an SSL profile, and the changes were synchronized to the peer device. Either the ConfigSync will fail (if the SSL profile was attached to a virtual server), or the ConfigSync will succeed, but on the receiving device, the SSL profile will have two cert-key-chain objects. This happens given the following conditions: - Systems are performing a full (not incremental) sync - SSL profile is attached to a virtual server - cert-key-chain sub-object has differing names on the two devices


Find the client-ssl profile name for the virtual server that fails to load. List and compare the cert-key-chain names of the client-ssl profile on the devices in the HA configuration. Choose the correct cert-key-chain name and ensure the cert-key-chain name is the same on all devices. Synchronize the configuration.

Fix Information

The ConfigSync operation completes successfully if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips