Bug ID 698594: Cave Creek Crypto hardware reports a false positive of a stuck queue state

Last Modified: Dec 13, 2023

Affected Product(s):
BIG-IP AAM, APM, ASM, GTM, LTM, PEM, PSM, SSLO, SWG, WAM, WOM(all modules)

Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3

Opened: Dec 12, 2017

Severity: 3-Major

Related Article: K53752362

Symptoms

In some cases, a stuck crypto queue may be erroneously detected on Cave Creek-based systems. This includes BIG-IP 2x00, 4x00, i850, i2x00, i4x00, and HRC-i2800. The system writes messages similar to the following example to the /var/log/ltm file: crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck. warning sod[4949]: 01140029:4: HA crypto_failsafe_t qa-crypto3-3 fails action is failover.

Impact

The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.

Conditions

This issue occurs when all of the following conditions are met: - Your BIG-IP system uses the Cave Creek encryption hardware. - You are making use of hardware-based SSL encryption. - The BIG-IP system is under heavy load.

Workaround

To work around this issue, you can modify the crypto queue timeout value. To do so, perform the following procedure. Impact of workaround: Performing the following procedure should not have a negative impact on your system. 1. Log in to the BIG-IP system as an administrative user. 2. Log in to the Traffic Management Shell (tmsh) by running the following command: tmsh 3. To change the crypto queue timeout value, run the following command: modify /sys db crypto.queue.timeout value 300 4. Save the change by running the following command: save sys config Increasing the crypto queue timeout gives the hardware enough time to process all queued request.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips