Last Modified: Oct 17, 2023
BIG-IP AAM, APM, ASM, GTM, LTM, PEM, PSM, SSLO, SWG, WAM, WOM
Known Affected Versions:
12.1.2, 12.1.3, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 12.1.4, 126.96.36.199, 12.1.5, 188.8.131.52, 184.108.40.206, 220.127.116.11, 12.1.6, 15.1.2, 18.104.22.168, 15.1.3, 22.214.171.124, 15.1.4, 126.96.36.199, 15.1.5, 188.8.131.52, 15.1.6, 184.108.40.206, 15.1.7, 15.1.8, 220.127.116.11, 18.104.22.168, 15.1.9, 22.214.171.124, 15.1.10, 126.96.36.199
Opened: Dec 12, 2017 Severity: 3-Major Related Article:
Related Article: K53752362
In some cases, a stuck crypto queue may be erroneously detected on Cave Creek-based systems. This includes BIG-IP 2x00, 4x00, i850, i2x00, i4x00, and HRC-i2800. The system writes messages similar to the following example to the /var/log/ltm file: crit tmm3: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck. warning sod: 01140029:4: HA crypto_failsafe_t qa-crypto3-3 fails action is failover.
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
This issue occurs when all of the following conditions are met: - Your BIG-IP system uses the Cave Creek encryption hardware. - You are making use of hardware-based SSL encryption. - The BIG-IP system is under heavy load.
To work around this issue, you can modify the crypto queue timeout value. To do so, perform the following procedure. Impact of workaround: Performing the following procedure should not have a negative impact on your system. 1. Log in to the BIG-IP system as an administrative user. 2. Log in to the Traffic Management Shell (tmsh) by running the following command: tmsh 3. To change the crypto queue timeout value, run the following command: modify /sys db crypto.queue.timeout value 300 4. Save the change by running the following command: save sys config Increasing the crypto queue timeout gives the hardware enough time to process all queued request.