Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP BIG-IQ
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1
Fixed In:
14.0.0, 13.1.1.2
Opened: Aug 08, 2017 Severity: 3-Major
After initially configuring a DSC cluster, iControl-REST on BIG-IP systems might fail to decrypt the secure values due to a stale BIG-IP master key in its cache, and returns the secure values encrypted by the BIG-IP master key. BIG-IQ is unable to decrypt these secure values and fails to discover the BIG-IP system.
Discovery fails due to secure value decryption error.
-- DSC cluster. -- iControl REST. -- BIG-IP system with stale BIG-IP master key in its cache. -- BIG-IQ attempts to decrypt the secure values.
Restart iControl-REST server on the BIG-IP system. On BIG-IP v12.0.0 and later: -- In TMSH, run the following command: restart sys service restjavad -- On the console, run the following command: bigstart restart restjavad On BIG-IP v11.x.x: -- In TMSH, run the following command: restart sys service icrd -- On the console, run the following command: bigstart restart icrd
The system now enforces obtaining the BIG-IP master key if the first decryption fails to proceed properly.