Bug ID 567862: intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 11.6.1 HF2

Opened: Jan 14, 2016

Severity: 3-Major

Symptoms

BIG-IP intermittently has SSL traffic failures with HSM. This symptom happens on both chassis and appliance. The general error messages are logged with "FIPS acceleration device failure: fips_poll_completed_reqs: req: 44 status: 0x1 : Cancel"

Impact

SSL traffic is failing.

Conditions

When Safenet HSM is used with BIG-IP.

Workaround

"bigstart restart pkcs11d" might mitigate this issue.

Fix Information

Multiple issues are fixed including better sync-up between tmm and pkcs11d. Fixes are also included to deal with key handle changes at HSM.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips