Bug ID 704540: Monitor configuration with invalid 'key' and 'cert' not detected upon upgrade post v13.1.x

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP Install/Upgrade, LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Opened: Jan 31, 2018

Severity: 2-Critical

Related Article: K03310035

Symptoms

A monitor configuration with invalid SSL attributes for 'key' or 'cert' is not detected as invalid. Upon upgrade to v13.1.0 or later, this may result in an invalid configuration, or in a configuration that loads with the pool 'up' but requires the monitor 'key' and 'cert' attributes to be added manually. Invalid configurations include cases where the 'key' and 'cert' attributes do not match, or are not supported. This affects the following monitors, which contain SSL attributes: 'https', 'SIP', 'Firepass'. In some cases this issue may occur with a valid and matching 'key' and 'cert', with the 'key' in the encrypted form.

Impact

After upgrade, the configuration does not load.

Conditions

-- A pre-v13.1.0 configuration containing monitors with invalid 'key' or 'cert' attributes (i.e., 'https', 'SIP', 'Firepass' monitors).
-- In some cases the 'key' and 'cert' may be valid and match, with the 'key' in the encrypted form.
-- Upgrading that configuration to v13.1.0 or later.

Workaround

You can use the following workarounds:
-- Repair configuration attributes so that 'key' and 'cert' attributes match, so upgrade may complete successfully.
-- Remove the monitors before the upgrade, and re-add them after the upgrade is completed.
-- In the case where the 'key' and 'cert' are valid and match, replace the encrypted key with the decrypted form.

Note: Clearing the 'key' and 'cert' values properly resets the attributes to 'DEFAULT', which is a recommended practice.
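A pre-upgrade audit that lists the monitors needing one of these workarounds, as an added example (not F5 code and not part of the original bug report). It assumes monitors appear in the saved configuration as `ltm monitor <type> <name> { ... }` stanzas, that the value `none` means an attribute is unset, and that the caller supplies the PEM text of each referenced key; all object names below are constructed.

```python
import re

# Monitor types the bug report lists as carrying SSL attributes.
SSL_TYPES = {"https", "sip", "firepass"}
# Assumed stanza shape: "ltm monitor <type> <name> {" ... "}" at line start.
STANZA_RE = re.compile(r"^ltm monitor (\S+) (\S+) \{\n(.*?)^\}", re.M | re.S)
ATTR_RE = re.compile(r"^[ \t]+(key|cert)[ \t]+(\S+)[ \t]*$", re.M)

def is_encrypted_pem(pem):
    # PKCS#8 encrypted keys, or legacy PEM carrying an encryption header.
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem

def audit_monitors(conf_text, key_pems):
    """Return {monitor: [issues]}; key_pems maps key object name -> PEM text."""
    findings = {}
    for mtype, name, body in STANZA_RE.findall(conf_text):
        if mtype not in SSL_TYPES:
            continue
        # Assumption: the value "none" means the attribute is unset.
        attrs = {k: v for k, v in ATTR_RE.findall(body) if v != "none"}
        issues = []
        if ("key" in attrs) != ("cert" in attrs):
            issues.append("only one of key/cert is set")
        if is_encrypted_pem(key_pems.get(attrs.get("key"), "")):
            issues.append("key is in encrypted form")
        if attrs and not issues:
            issues.append("confirm key and cert are a matching pair")
        if issues:
            findings[name] = issues
    return findings
# Constructed sample input, not taken from a real device.
SAMPLE_CONF = """\
ltm monitor https /Common/mon_half {
    cert /Common/app.crt
    key none
}
ltm monitor sip /Common/mon_enc {
    cert /Common/sip.crt
    key /Common/sip.key
}
ltm monitor https /Common/mon_default {
    cert none
    key none
}
"""
SAMPLE_KEYS = {"/Common/sip.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n(constructed)\n"}
if __name__ == "__main__":
    for mon, issues in audit_monitors(SAMPLE_CONF, SAMPLE_KEYS).items():
        print(mon, issues)
```

The script only inventories monitors; whether a flagged 'key' and 'cert' actually form a pair still has to be confirmed by comparing their public keys.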

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips