Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP All
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
14.0.0
Opened: Nov 14, 2017 Severity: 2-Critical
Configuration sync operations do not sync iControl LX or iApp LX objects. In DHD DDos appliances, protected objects are essentially iApp LX blocks, and sometimes the system does not sync them to high availability (HA) peer.
iControl LX or iApp LX objects do not sync to HA peer. The Config Sync indicator on the BIG-IP system will say 'in sync'.
This issue occurs when there are dtca.key and dtca.crt files under the /config/ssl/ssl.key/ and /config/ssl/ssl.crt/ directories that do not match the same files on a peer device.
One possible workaround is to manually discover other BIG-IP devices in the REST device group by providing usernames and passwords. To do so, you can use a curl command similar to the following: curl -X POST -d '{"address":"other_BIG-IP_mgmt_ip", "userName": "admin", "password":"admin_pw"}' http://localhost:8100/shared/resolver/device-groups/tm-shared-all-big-ips/devices
dtca.key and dtca.crt are file objects that are managed by MCP. MCP keeps the correct copy of the these files in File Objects cache. iAppLX reads these from MCP and File objects cache rather than /config/ssl/ssl.key.