Bug ID 671044: FIPS certificate creation can cause failover to standby system

Last Modified: Jan 29, 2019

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4

Fixed In:
14.0.0

Opened: Jun 26, 2017
Severity: 1-Blocking
Related AskF5 Article:
K78612407

Symptoms

FIPS certificate creation can cause failover or outage of a system under heavy load. The certificate creation could take longer than the default timeout, causing TMOS to think the FIPS chip is locked up.

Impact

Possible failover from active to standby, or an outage if there is no standby system, or if the certificate creation causes both active and standby systems to time out.

Conditions

Creating a FIPS certificate while the system is handling a high FIPS traffic load.

Workaround

Setting crypto.queue.timeout to 2000 will avoid this problem. The actual timeout needed depends on the system type and how heavily loaded the FIPS chip is. 2000 should be more than sufficient for all currently supported BIG-IP platforms under high load.

Fix Information

FIPS certificate creation no longer causes failover to standby system under these conditions.

Behavior Change