Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.4.0, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0, 11.6.1 HF2, 11.5.4 HF3
Opened: Feb 17, 2016 Severity: 2-Critical Related Article:
K47306383
If an SSL connection gracefully begins to disconnect at the same time as data is being encrypted by SSL acceleration hardware, the connection will remain open until the TCP profile timeout occurs instead of being closed immediately. This can cause unwanted higher memory usage, possibly causing crashes elsewhere.
There is a potential for higher memory usage, which in turn may cause TMM crash due to memory exhaustion resulting in service disruption.
* A virtual server with ClientSSL or ServerSSL profile. * BIG-IP SSL acceleration hardware. * While an SSL record is being encrypted by SSL accelerator hardware, the SSL connection begins to close by client TCP FIN or by any iRule command that closes the connection.
If the affected SSL traffic does not include any long idle periods, memory consumption can be mitigated by reducing the idle timeout of the TCP or SCTP profile.
SSL connections now disconnect normally if a disconnect attempt occurs while data is being encrypted by SSL acceleration hardware.