Bug ID 570053: HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 11.6.1 HF1, 11.5.4 HF2

Opened: Jan 26, 2016

Severity: 3-Major

Related Article: K78448635

Symptoms

HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Impact

Missing certkeychain of a clientSSL profile can result in its inability to handle some kind of SSL traffic. For example, if the clientSSL originally has EC key/cert but loses it, then it is no longer able to handle SSL connection using EC cipher suites.

Conditions

The issue is seen when all the below conditions are met. 1. When more than one certkeychains are configured in the clientSSL profile. 2. When the content of a certkeychain of the clientSSL profile is modified. For example, "modify ltm profile client-ssl a4 cert-key-chain modify { default { cert rsa.crt key rsa.key } }". 3. Performs config sync in HA setup.

Workaround

Basically reconfigure certkeychain but avoid modifying the content. 1. On any BIG-IP system, leave only the RSA certkeychain in the clientSSL profile, just like the default configuration. 2. Config sync, so that both systems have only the RSA certkeychain. 3. In any BIG-IP system, add certkeychains for other types (EC or DSA) you need. You can "add" or "delete" but do not "modify" any existing certkeychain. 4. Do config sync, so that both systems have the same certkeychains in the clientSSL profile.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips