Last Modified: Mar 21, 2023
Affected Product:
BIG-IP LTM
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3
Opened: Sep 28, 2016
Severity: 3-Major
When running a stress test (for example, using the Apache Bench tool) that aggressively connects to a virtual server whose clientSSL profile uses a FIPS key, the symptoms depend on the version. In 11.5.4, you may observe high CPU usage in the output of the "top" command and "Clock advanced" messages in the ltm logs. In 11.6.1, the symptoms seen in 11.5.4 do not appear, but the ltm log prints a sequence of ERR_MEMORY_ALLOC_FAILURE messages at the beginning of the stress test.
When these connections consume too much CPU, the performance of other tasks on the system can be impacted.
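To check a saved copy of the ltm log for the two symptom messages named above, the following added example (not F5 code and not part of the original report) counts them per minute and reports the minutes in which they cluster. The syslog-style timestamp prefix, the sample lines, the host name and the threshold of 3 are assumptions; only the two marker strings come from this page.

```python
import re
from collections import Counter

# Symptom strings named on this page; the rest of each line is ignored.
MARKERS = ("Clock advanced", "ERR_MEMORY_ALLOC_FAILURE")

# Assumption: lines start with a classic syslog prefix "Mon DD HH:MM:SS ".
# The capture group keeps the timestamp truncated to the minute.
TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}):\d{2}\s")


def symptom_bursts(lines, threshold=3):
    """Return {(minute, marker): count} for minutes with >= threshold hits."""
    counts = Counter()
    for line in lines:
        m = TS.match(line)
        if not m:
            continue  # continuation lines or an unexpected format
        for marker in MARKERS:
            if marker in line:
                counts[(m.group(1), marker)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample lines, not real BIG-IP output.
SAMPLE = """\
Sep 28 10:15:01 bigip1 notice tmm[1001]: Clock advanced by 120 ticks
Sep 28 10:15:09 bigip1 notice tmm[1001]: Clock advanced by 340 ticks
Sep 28 10:15:40 bigip1 notice tmm1[1001]: Clock advanced by 210 ticks
Sep 28 10:16:02 bigip1 notice tmm[1001]: Clock advanced by 101 ticks
Sep 28 10:17:30 bigip1 info sshd[2200]: session opened for user admin
Sep 28 10:20:00 bigip1 err tmm[1001]: ERR_MEMORY_ALLOC_FAILURE
Sep 28 10:20:00 bigip1 err tmm[1001]: ERR_MEMORY_ALLOC_FAILURE
Sep 28 10:20:01 bigip1 err tmm1[1001]: ERR_MEMORY_ALLOC_FAILURE
Sep 28 10:20:03 bigip1 err tmm[1001]: ERR_MEMORY_ALLOC_FAILURE
  (continuation text without a timestamp)
""".splitlines()

if __name__ == "__main__":
    for (minute, marker), n in sorted(symptom_bursts(SAMPLE).items()):
        print(f"{minute}  {marker}: {n} messages")
```

A single isolated message stays below the threshold and is not reported, which keeps the output focused on the sustained bursts a stress test produces.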
1. The connection to the virtual server uses a clientSSL profile whose SSL key is a FIPS key.
2. Connections that use the FIPS key are made very frequently (such as in a stress test). For example, a client runs the Apache Bench command "ab -c 1000 -n 1000000 https://10.10.10.100/" against the virtual server.
When this issue occurs, you can try to mitigate it with any method that restricts FIPS key usage in SSL connections. For example, do not make the clientSSL profile that uses the FIPS key the default clientSSL profile of the virtual server, and add more non-FIPS clientSSL profiles to the virtual server, so that connections are not always handled by the FIPS key.
None