Bug ID 483328: Client SSL profiles might fail to complete handshake, system logs critical-level error '01260000:2: Profile name-of-profile: could not load key/certificate'

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
11.3.0, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4, 11.5.2, 11.5.1 HF6

Opened: Oct 08, 2014
Severity: 3-Major
Related AskF5 Article:
K15851

Symptoms

- SSL (e.g., HTTPS) virtual servers fail to negotiate SSL handshake. Operations on the device stall (not immediately fail). - At a packet capture level, the BIG-IP system acknowledges the Client Hello, but does not send a Server Hello. - System logs critical-level messages similar to the following whenever a user or the system modifies a virtual server: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.

Impact

All traffic to affected SSL virtual servers is disrupted.

Conditions

This issue might occur after an upgrade at the time of the initial ConfigSync; the device that receives the initial ConfigSync is likely to be affected. This issue might also occur if an administrator makes changes to certificates and keys referenced by an SSL profile (for example, deletes and recreates a certificate or key with the same name), and then performs a ConfigSync to the peer device; the peer device may be affected.

Workaround

After a device has been affected, restarting the affected TMMs resolves the issue. Note that restarting TMM temporarily disrupts traffic (or causes a failover). You can restart the TMMs by running 'bigstart restart tmm' on the affected appliance, or 'clsh bigstart restart tmm' on an affected VIPRION system.

Fix Information

SSL virtual servers now successfully negotiate SSL handshake, so the device no longer logs the following message: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.

Behavior Change