Bug ID 504306: https monitors might fail to re-use SSL sessions.

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3, 11.4.1 HF9, 11.2.1 HF15

Opened: Feb 02, 2015
Severity: 3-Major
Related AskF5 Article:
K16646

Symptoms

SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Impact

The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers. BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Conditions

A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur. For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Workaround

None.

Fix Information

https monitors now properly perform SSL session re-use.

Behavior Change