Bug ID 591476: Stuck crypto queue can erroneously be reported

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM, LTM(all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2, 11.5.4 HF3

Opened: May 05, 2016
Severity: 3-Major
Related AskF5 Article:
K53220379

Symptoms

In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck. tmm crash

Impact

The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover. Traffic disrupted while tmm restarts.

Conditions

-- Running on one of the following platforms: + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 2xxx, 4xxx, 5xxx, 7xxx, 10xxx, 11xxx, 12xxx, i2xxx, and i4xxx + VIPRION B41xx-B43xx, B21xx, and B22xx blades. -- Performing SSL. -- Under heavy load.

Workaround

Modify the crypto queue timeout value to 0 to prevent timeouts using the following command: tmsh modify sys db crypto.queue.timeout value 0 To clear erroneously stuck queues, you must restart tmm or reboot the BIG-IP system. Note: Traffic is disrupted while during restarts.

Fix Information

The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue on Nitrox devices.

Behavior Change