Bug ID 469739: ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.2

Opened: Jun 30, 2014
Severity: 4-Minor
Related AskF5 Article:
K16218

Symptoms

MCPD may generate one of the following validation errors as a result of a ConfigSync, or a config load, or attaching an SSL profile to a virtual server, or modifying a virtual server: 0107149e:3: Virtual server /Common/name-of-virtual-server has more than one clientssl/serverssl profile with same server name. 010717e1:3: Client SSL profile cannot contain more than one set of same certificate/key type.

Impact

Depending on the manifestation of this issue one of the following can happen: - administrator may be prevented from performing further configuration operations - administrator may be prevented from synchronizing the configuration - the configuration may not load

Conditions

This occurs when HA pairs have dissimilar cert-key-chain names within an SSL profile, and the changes were synchronized to the peer device. Either the ConfigSync will fail (if the SSL profile was attached to a virtual server), or the ConfigSync will succeed, but on the receiving device, the SSL profile will have two cert-key-chain objects. This happens given the following conditions: - Systems are performing a full (not incremental) sync - SSL profile is attached to a virtual server - cert-key-chain sub-object has differing names on the two devices

Workaround

Find the client-ssl profile name for the virtual server that fails to load. List and compare the cert-key-chain names of the client-ssl profile on the devices in the HA configuration. Choose the correct cert-key-chain name and ensure the cert-key-chain name is the same on all devices. Synchronize the configuration.

Fix Information

The ConfigSync operation completes successfully if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile.

Behavior Change