Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP All
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.6.2 HF1, 11.3.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.0 HF4, 11.5.2, 11.5.1 HF6
Opened: Oct 08, 2014 Severity: 3-Major Related Article:
K15851
- SSL (e.g., HTTPS) virtual servers fail to negotiate SSL handshake. Operations on the device stall (not immediately fail). - At a packet capture level, the BIG-IP system acknowledges the Client Hello, but does not send a Server Hello. - System logs critical-level messages similar to the following whenever a user or the system modifies a virtual server: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.
All traffic to affected SSL virtual servers is disrupted.
This issue might occur after an upgrade at the time of the initial ConfigSync; the device that receives the initial ConfigSync is likely to be affected. This issue might also occur if an administrator makes changes to certificates and keys referenced by an SSL profile (for example, deletes and recreates a certificate or key with the same name), and then performs a ConfigSync to the peer device; the peer device may be affected.
After a device has been affected, restarting the affected TMMs resolves the issue. Note that restarting TMM temporarily disrupts traffic (or causes a failover). You can restart the TMMs by running 'bigstart restart tmm' on the affected appliance, or 'clsh bigstart restart tmm' on an affected VIPRION system.
SSL virtual servers now successfully negotiate SSL handshake, so the device no longer logs the following message: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.