Bug ID 698657: Tmm 'bad transition' panic when access profile is added to a split-SSL virtual server

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP TMOS (all modules)

Known Affected Versions:
15.1.0, 13.1.3, 13.1.1, 13.1.0

Fixed In:
14.0.0

Opened: Dec 12, 2017

Severity: 3-Major

Symptoms

Tmm panics with the message OOPS('bad transition').

Impact

Traffic disrupted while tmm restarts. Although the configuration is invalid, there is no error message indicating so.

Conditions

1. Virtual server configured with an access profile, client SSL and server SSL profiles, and proxy_ssl initially disabled.

2. Using tmsh running in a transaction to enable these at the same time:

    create cli transaction
    modify ltm profile client-ssl my-client-ssl proxy-ssl enabled
    modify ltm profile server-ssl my-server-ssl proxy-ssl enabled
    submit cli transaction

3. Manually edit bigip.conf to have access profile and both client SSL and server SSL profiles with proxy_ssl enabled, then run:

    tmsh load sys config

4. Start with disabled virtual server with attached profiles and access profile, and both client SSL and server SSL profiles with proxy_ssl enabled, then enable virtual server.

Workaround

None.

Fix Information

Tmm continues to run successfully even when an access profile is added to a split-SSL virtual server.

Behavior Change

The Proxy SSL feature is not compatible with access profiles. However, in v13.x or earlier it was possible to configure a virtual server with an access profile and the Proxy SSL feature (client-SSL and server-SSL profile with the Proxy SSL option enabled).

In v14.x or later, it is no longer possible to configure a virtual server with an access profile and the Proxy SSL feature. We added the following log message when this is attempted (GUI error and /var/log/ltm):

-- err mcpd[7726]: 01071d92:3: Cannot assign access profile and both clientssl and serverssl profiles with ssl proxy enabled to the same virtual server (/Common/apm_vs).

If you have a v13.x version config that has a virtual server configured with an access profile and the SSL Proxy feature enabled and you upgrade to v14.x or later, the upgrade succeeds with the following behavior:

-- Virtual server will be disabled after upgrade.
-- /var/log/ltm logs the following error:
-- warning mcpd[7726]: 0107185a:4: Warning generated, for version 14.0.0 or greater : The configured virtual server /Common/apm_vs is disabled due to invalid configuration. A virtual server cannot be attached with access profile and both clientssl and serverssl profiles with ssl proxy enabled.
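
An added example (not F5 code): a Python scan of /var/log/ltm content for the two mcpd messages quoted above, reporting which virtual servers were rejected at configuration time and which were disabled by the upgrade. The syslog timestamp/hostname prefix, the unrelated line and the virtual server /Common/portal_vs in the sample are constructed.

```python
import re
from collections import defaultdict

# Message IDs and wording come from the Behavior Change text above.
REJECTED = "01071d92"  # mcpd refused the configuration (v14.x or later)
DISABLED = "0107185a"  # virtual server disabled during upgrade to v14.x or later

PATTERNS = {
    REJECTED: re.compile(
        r"mcpd\[\d+\]: 01071d92:\d+: .*same virtual server \((?P<vs>[^)\s]+)\)"),
    DISABLED: re.compile(
        r"mcpd\[\d+\]: 0107185a:\d+: .*configured virtual server (?P<vs>\S+) is disabled"),
}

def scan_ltm_log(lines):
    """Map each virtual server name to the set of message IDs logged for it."""
    hits = defaultdict(set)
    for line in lines:
        for msg_id, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                hits[match.group("vs")].add(msg_id)
    return dict(hits)

def disabled_after_upgrade(hits):
    """Virtual servers that need attention because the upgrade disabled them."""
    return sorted(vs for vs, ids in hits.items() if DISABLED in ids)

# Constructed sample: message bodies follow the page, prefixes are made up.
SAMPLE_LOG = """\
Jan 01 00:00:01 bigip1 warning mcpd[7726]: 0107185a:4: Warning generated, for version 14.0.0 or greater : The configured virtual server /Common/apm_vs is disabled due to invalid configuration. A virtual server cannot be attached with access profile and both clientssl and serverssl profiles with ssl proxy enabled.
Jan 01 00:00:02 bigip1 info example[1]: constructed unrelated line
Jan 01 00:05:00 bigip1 err mcpd[7726]: 01071d92:3: Cannot assign access profile and both clientssl and serverssl profiles with ssl proxy enabled to the same virtual server (/Common/portal_vs).
"""

if __name__ == "__main__":
    found = scan_ltm_log(SAMPLE_LOG.splitlines())
    for vs, ids in sorted(found.items()):
        print(vs, sorted(ids))
    print("disabled by upgrade:", disabled_after_upgrade(found))
```

On a live system, pass the lines of /var/log/ltm (and rotated copies) to `scan_ltm_log` instead of the sample.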

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips