Bug ID 616298: Loading the configuration fails when a virtual server uses HTTP Strict Transport Security (HSTS).

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.5

Fixed In:
13.0.0, 12.1.5.1

Opened: Sep 14, 2016

Severity: 3-Major

Symptoms

When loading the BIG-IP system's configuration by running the 'tmsh load sys config' command, the command fails and returns an error similar to the following example:

01071afb:3: With HSTS mode enabled in HTTP Profile '/Common/my-http', virtual server '/Common/my-vs' using this profile requires a 'clientssl' profile attached.
Unexpected Error: Loading configuration process failed.

This validation error should only be returned when a virtual server using HSTS was not assigned a client-ssl profile. The issue is that the BIG-IP system returns the error even when your configuration is correct. Note that this issue can also occur during an upgrade from an unaffected version (e.g., 12.1.4) to an affected version (e.g., 12.1.5).

Impact

The configuration fails to load. This can have several consequences, depending on what you were doing:

-- Upgrading from an unaffected version to an affected one: the configuration does not load after the upgrade and the system remains inoperative.
-- Reloading the configuration to get rid of unsaved changes: you cannot do so, and the configuration elements you were trying to remove continue to exist in memory.
-- Reloading the configuration to pick up manual changes you made to a configuration file (e.g., bigip.conf): you cannot do so, and the new configuration elements are not loaded into memory.

Conditions

This issue occurs when all of the following conditions are met:

-- Your configuration contains at least one virtual server making use of an HTTP profile with HSTS enabled.
-- You attempt to reload the BIG-IP system's configuration (either explicitly via the tmsh utility, or implicitly during an upgrade).

Workaround

There is a temporary workaround.

Potential impact of workaround: ideally, this workaround should not be performed on a unit that is already processing traffic, as the virtual servers will not operate in HSTS mode until the procedure is complete. As such, a small window will exist during which new clients will not immediately learn that the virtual servers wish to use HSTS.

1) Edit the /config/bigip.conf file (and all /config/partitions/*/bigip.conf files) and change the following section in HTTP profiles:

   From this:
   hsts { mode enabled }
   To this:
   hsts { mode disabled }

2) Load the configuration:

   tmsh load sys config partitions all

3) Re-apply HSTS to the appropriate HTTP profiles.

However, note that the issue occurs again the next time a configuration load is attempted. If you are planning to upgrade to an affected version and you use HSTS, you can contact F5 Support to obtain an Engineering Hotfix for this issue for your software version.
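The three workaround steps, as an added shell example that is not F5's code or part of this bug record: it rewrites "mode enabled" to "mode disabled" only inside each hsts block of a bigip.conf copy (step 1), records which HTTP profiles were changed, and prints the tmsh commands to re-enable HSTS on exactly those profiles once the load succeeds (step 3). The bigip.conf fragment is constructed, the profile and virtual server names are placeholders, and the "tmsh modify ltm profile http ... hsts { mode enabled }" command form is assumed from the http profile's tmsh syntax rather than taken from this page, so check it against the tmsh reference for your version. On a real unit the input files would be /config/bigip.conf plus every /config/partitions/*/bigip.conf, and the configuration load runs between steps 1 and 3.

```shell
#!/bin/sh
# Added example, not F5's code: automate the bigip.conf edit from the
# workaround and produce the commands needed to re-apply HSTS afterwards.

# Write a constructed bigip.conf fragment to $1. Profile and virtual server
# names are placeholders, not taken from any real configuration.
make_sample_conf() {
    cat > "$1" <<'EOF'
ltm profile http /Common/my-http {
    app-service none
    defaults-from /Common/http
    hsts {
        mode enabled
        maximum-age 16070400
    }
    proxy-type reverse
}
ltm profile http /Common/plain-http {
    defaults-from /Common/http
    hsts {
        mode disabled
    }
}
ltm profile http /Common/inline-hsts {
    hsts { mode enabled }
}
ltm virtual /Common/my-vs {
    destination /Common/192.0.2.10:443
    profiles {
        /Common/clientssl { context clientside }
        /Common/my-http { }
    }
}
EOF
}

# Print the name of every HTTP profile whose hsts block has "mode enabled",
# one per line. Handles both the multi-line and the single-line block form.
list_hsts_enabled() {
    awk '
        /^ltm profile http / { profile = $4; in_hsts = 0 }
        /^[[:space:]]*hsts[[:space:]]*\{/ { in_hsts = 1 }
        in_hsts && /mode enabled/ { print profile }
        in_hsts && /}/ { in_hsts = 0 }
    ' "$1"
}

# Step 1: rewrite "mode enabled" to "mode disabled" inside hsts blocks only,
# leaving a .bak copy of the original file beside it.
disable_hsts() {
    cp "$1" "$1.bak"
    awk '
        /^[[:space:]]*hsts[[:space:]]*\{/ { in_hsts = 1 }
        in_hsts { sub(/mode enabled/, "mode disabled") }
        in_hsts && /}/ { in_hsts = 0 }
        { print }
    ' "$1.bak" > "$1"
}

# Step 3 helper: for each profile name in file $1, print the tmsh command
# that turns HSTS back on. The "hsts { mode enabled }" argument form is an
# assumption based on the http profile's tmsh syntax; verify for your version.
reenable_commands() {
    while IFS= read -r profile; do
        [ -n "$profile" ] || continue
        printf 'tmsh modify ltm profile http %s hsts { mode enabled }\n' "$profile"
    done < "$1"
}

# Stand-alone run against the constructed sample. On a real unit the input
# would be /config/bigip.conf plus every /config/partitions/*/bigip.conf,
# with "tmsh load sys config partitions all" run between steps 1 and 3.
main() {
    conf="${TMPDIR:-/tmp}/bigip.conf.example.$$"
    make_sample_conf "$conf"
    list_hsts_enabled "$conf" > "$conf.hsts"
    disable_hsts "$conf"
    echo "Profiles that had HSTS enabled:"
    cat "$conf.hsts"
    echo "Commands to re-apply HSTS after the load succeeds:"
    reenable_commands "$conf.hsts"
    rm -f "$conf" "$conf.bak" "$conf.hsts"
}
main
```

The awk state machine only touches "mode enabled" between an "hsts {" line and its closing brace, so other profile settings that happen to contain the word "enabled" are left alone, and the saved list of profile names is what makes step 3 repeatable rather than a matter of memory.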

Fix Information

The configuration loads as expected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips