Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
14.0.0, 12.1.4.1
Opened: Jun 26, 2017
Severity: 1-Blocking
Related Article:
K78612407
FIPS certificate creation can cause failover or outage of a system under heavy load. The certificate creation could take longer than the default timeout, causing TMOS to think the FIPS chip is locked up.
This can cause a failover from active to standby, or an outage if there is no standby system or if the certificate creation causes both active and standby systems to time out.
The problem occurs when creating a FIPS certificate while the system is handling a high FIPS traffic load.
Setting crypto.queue.timeout to 2000 will avoid this problem. The actual timeout needed depends on the system type and how heavily loaded the FIPS chip is. 2000 should be more than sufficient for all currently supported BIG-IP platforms under high load.
FIPS certificate creation no longer causes failover to standby system under these conditions.
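To check whether a given unit still needs the crypto.queue.timeout workaround described above, the following added example (not F5 code) compares a TMOS version string against this page's affected list and parses the db variable from `tmsh list sys db crypto.queue.timeout` output. The function names and the sample listings are constructed for illustration, and the listing is assumed to be in tmsh's usual `sys db <name> { value "<n>" }` form.

```python
import re

# Known affected versions, copied from this page.
AFFECTED = {v.strip() for v in """
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6,
12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,
13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8,
13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2,
13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
""".split(",")}

WORKAROUND_TIMEOUT = 2000  # value given in the workaround on this page

# Assumed tmsh output form: sys db crypto.queue.timeout { value "<n>" }
DB_VALUE = re.compile(
    r'sys\s+db\s+crypto\.queue\.timeout\s*\{\s*value\s+"?(\d+)"?\s*\}'
)


def parse_timeout(listing):
    """Return the configured crypto.queue.timeout as int, or None if absent."""
    match = DB_VALUE.search(listing)
    return int(match.group(1)) if match else None


def assess(version, listing):
    """Classify one FIPS-equipped unit (hypothetical helper).

    Returns 'not-listed' for versions outside this page's affected list,
    'unknown' when the db variable cannot be parsed, 'ok' when the timeout
    is at least the workaround value, otherwise 'apply-workaround'.
    """
    version = " ".join(version.split())  # normalise spacing, e.g. "13.0.0  HF1"
    if version not in AFFECTED:
        return "not-listed"
    timeout = parse_timeout(listing)
    if timeout is None:
        return "unknown"
    return "ok" if timeout >= WORKAROUND_TIMEOUT else "apply-workaround"


# Constructed sample listings (not captured from a real device).
SAMPLE_LOW = 'sys db crypto.queue.timeout {\n    value "500"\n}\n'
SAMPLE_SET = 'sys db crypto.queue.timeout {\n    value "2000"\n}\n'

if __name__ == "__main__":
    for ver, out in [("13.1.0.8", SAMPLE_LOW), ("13.0.0  HF1", SAMPLE_SET),
                     ("14.0.0", SAMPLE_LOW), ("12.1.4", "")]:
        print(ver, "->", assess(ver, out))
```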