Last Modified: Feb 13, 2019
Affected Product:
See more info
BIG-IP LTM
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Fixed In:
12.1.0, 11.6.1 HF1, 11.5.4 HF2
Opened: Jul 17, 2015
Severity: 3-Major
Related AskF5 Article:
K75309122
Config sync problems after modifying cert in default client-ssl profile when the profile is already active and in use on members in a high availability configuration.
After config sync, units in the sync group have different cert/key settings for client-ssl profiles. You can see this in the inherit-certkeychain setting, which changes from 'true' to 'false' after syncing the configuration with the changed default value.
Modify cert in default client-ssl profile and perform a config sync operation.
1. Remove client-ssl definitions from bigip.conf on each unit. 2. Reload the config. 3. Synchronize the config.
The system now correctly syncs the default client-ssl profile that was modified with a new cert and key, so the active and standby unit configurations now have the correct cert/key settings after config sync.