Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP GTM
Known Affected Versions:
11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
Fixed In:
12.0.0, 11.6.0 HF5, 11.5.1 HF6
Opened: Aug 29, 2014
Severity: 2-Critical
Related Article:
K16185
BIG-IP GTM iQuery connections may reset during Secure Sockets Layer (SSL) key renegotiation.
-- Virtual servers are temporarily marked down once every 24 hours.
-- In the /var/log/gtm file, you observe messages that appear similar to the following example:
   - iqmgmt_receive: SSL error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
   - err gtmd[10767]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure (336150757)
   - alert gtmd[10767]: 011a500c:1: SNMP_TRAP: Box 10.20.30.1 state change green --> red (Box 10.20.30.1 on Unavailable)
Resources monitored by the BIG-IP GTM system are temporarily marked down until the iQuery connection is reestablished.
Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 679316: iQuery connections reset during SSL renegotiation :: https://cdn.f5.com/product/bugtracker/ID679316.html. A BIG-IP system affected by this bug (ID477240) might also be affected by ID679316, for which there is no fix.
This issue occurs when the following condition is met:
-- SSL renegotiation occurs during an iQuery connection.
The big3d process will attempt to renegotiate SSL keys every 24 hours. However, when the BIG-IP GTM system receives the SSL Client Hello message during renegotiation, the big3d process responds with a TCP FIN and closes the connection rather than renegotiating the session.
None.
SSL properly renegotiates rather than terminates connections when the session expires.
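
An added triage example (not F5 code): it scans /var/log/gtm lines for the iQuery SSL error followed by a green --> red state change, separates error 140940E5 (this bug) from 140940F5 (ID679316), and counts outages spaced about 24 hours apart. The syslog timestamp prefix, the hostname `gtm1`, the year, the matching windows and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Error codes named on this page: 140940E5 is this bug (ID477240);
# 140940F5 is the similar-looking error tracked as ID679316.
BUG_BY_CODE = {"140940E5": "ID477240", "140940F5": "ID679316"}
SSL_RE = re.compile(r"iqmgmt_receive: SSL error:.*?\b(140940[0-9A-F]{2}):SSL routines")
DOWN_RE = re.compile(r"SNMP_TRAP: Box (\S+) state change green --> red")
# Assumption: syslog-style "Mon DD HH:MM:SS" prefix (the page shows no timestamps).
TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)")

# Constructed sample lines modelled on the messages quoted on this page.
LOG = """\
Sep 10 03:12:44 gtm1 err gtmd[10767]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure (336150757)
Sep 10 03:12:44 gtm1 alert gtmd[10767]: 011a500c:1: SNMP_TRAP: Box 10.20.30.1 state change green --> red (Box 10.20.30.1 on Unavailable)
Sep 11 03:12:51 gtm1 err gtmd[10767]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure (336150757)
Sep 11 03:12:52 gtm1 alert gtmd[10767]: 011a500c:1: SNMP_TRAP: Box 10.20.30.1 state change green --> red (Box 10.20.30.1 on Unavailable)
Sep 11 15:40:02 gtm1 err gtmd[10767]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:constructed-reason-text
Sep 11 15:40:02 gtm1 alert gtmd[10767]: 011a500c:1: SNMP_TRAP: Box 10.20.30.1 state change green --> red (Box 10.20.30.1 on Unavailable)
""".splitlines()

def parse_ts(line, year=2014):
    """Parse the syslog prefix; the year is supplied because syslog omits it."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def triage(lines, window=timedelta(seconds=10), tolerance=timedelta(minutes=30)):
    """Return (events, daily): SSL-error-then-down events, and how many
    consecutive ID477240 events are 24 hours apart within the tolerance."""
    events, last_ssl = [], None
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        if (m := SSL_RE.search(line)):
            last_ssl = (ts, m.group(1))          # remember the most recent SSL error
        elif (m := DOWN_RE.search(line)) and last_ssl and ts - last_ssl[0] <= window:
            events.append({"time": ts, "box": m.group(1),
                           "bug": BUG_BY_CODE.get(last_ssl[1], "unknown")})
            last_ssl = None
    hits = [e["time"] for e in events if e["bug"] == "ID477240"]
    daily = sum(1 for a, b in zip(hits, hits[1:])
                if abs((b - a) - timedelta(hours=24)) <= tolerance)
    return events, daily

if __name__ == "__main__":
    events, daily = triage(LOG)
    for e in events:
        print(e["time"], e["box"], e["bug"])
    print("ID477240 outages ~24h apart:", daily)
```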