Bug ID 514724: crypto-failsafe fail condition not cleared when crypto device restored

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP vCMP (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.1.0, 11.6.0 HF6, 11.5.4

Opened: Mar 26, 2015

Severity: 3-Major

Related Article: K05364212

Symptoms

A BIG-IP system may not clear a crypto-failsafe condition after recovering from a cryptographic hardware lockup. As a result of this issue, you may encounter one or more of the following symptoms:

The output of the tmsh show sys ha-status command appears similar to the following example:

-------------------------------------------------------------------------------
Sys::HA Status
Slot  Feature          Key           Action    Fail
-------------------------------------------------------------------------------
1     crypto-failsafe  cn-crypto-11  failover  yes

In the /var/log/ltm file, you observe messages similar to the following examples:

-- crit tmm[9184]: 01010025:2: Device error: crypto codec cn-crypto-0 queue is stuck.
-- notice sod[8874]: 01140029:5: HA crypto_failsafe_t cn-crypto-0 fails action is failover.
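
A check for the symptoms above, as an added example that is not F5 code: it reads saved tmsh show sys ha-status output and /var/log/ltm lines, reports each crypto-failsafe key still in the fail state, and says whether the two log messages name that device. The function names, file arguments and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not F5 code. Function names and all sample data are constructed.

# Keys of crypto-failsafe rows whose Fail column is "yes".
# stdin: output of `tmsh show sys ha-status`.
failed_crypto_keys() {
    awk '$2 == "crypto-failsafe" && $NF == "yes" { print $3 }'
}

# Devices named in 01010025 (queue stuck) or 01140029 (failsafe action) messages.
# stdin: lines from /var/log/ltm.
logged_crypto_devices() {
    awk '/ 01010025:2: .* queue is stuck/ || / 01140029:5: HA crypto_failsafe_t / {
        for (i = 1; i < NF; i++)
            if ($i == "codec" || $i == "crypto_failsafe_t") print $(i + 1)
    }' | sort -u
}

# One line per failed key, noting whether the log names that device.
# $1: file with saved ha-status output, $2: ltm log file.
check_crypto_failsafe() {
    failed_crypto_keys < "$1" | while read -r key; do
        if logged_crypto_devices < "$2" | grep -qxF -- "$key"; then
            echo "FAIL $key logged=yes"
        else
            echo "FAIL $key logged=no"
        fi
    done
}

# Constructed sample input (timestamps, host name and second row are invented).
SAMPLE_HA='Sys::HA Status
Slot  Feature          Key           Action    Fail
1     crypto-failsafe  cn-crypto-0   failover  yes
1     crypto-failsafe  cn-crypto-1   failover  no'
SAMPLE_LTM='Mar 26 10:00:00 bigip1 crit tmm[9184]: 01010025:2: Device error: crypto codec cn-crypto-0 queue is stuck.
Mar 26 10:00:01 bigip1 notice sod[8874]: 01140029:5: HA crypto_failsafe_t cn-crypto-0 fails action is failover.'

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_HA" > "$demo_dir/ha"
printf '%s\n' "$SAMPLE_LTM" > "$demo_dir/ltm"
check_crypto_failsafe "$demo_dir/ha" "$demo_dir/ltm"
rm -rf "$demo_dir"
```

A key reported with logged=no is still in the fail state; the matching messages may simply have rotated out of the log file that was checked.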

Impact

If the crypto-failsafe action is to fail over, you will be unable to activate the BIG-IP system even after the cryptographic hardware recovers.

Conditions

This issue occurs when all of the following conditions are met:

-- Your BIG-IP platform uses internal cryptographic hardware (such as, for vCMP, a Nitrox Lite SSL hardware accelerator card) or external cryptographic hardware (such as a SafeNet/Thales hardware security module (HSM)).
-- The cryptographic hardware fails and subsequently recovers.

Workaround

To clear the crypto-failsafe high availability (HA) fail status, restart tmm by issuing the following command:

bigstart restart tmm

Note: On VIPRION platforms, this command must be run on the appropriate blade.

Fix Information

The system now allows the crypto device to be restored without keeping the crypto-failsafe HA status in the fail state.
