Last Modified: May 01, 2019
Known Affected Versions:
13.1.0, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 13.1.1, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
Opened: Feb 07, 2018
After an upgrade from v13.1.0, a config with an apparently invalid SSL cipher entry fails to load and requires a manual config load: 'tmsh load sys config'.

This occurs because starting in v13.1.0, 'https' monitors rely upon SSL attributes configured through a 'serverssl' profile, which does not support the 'kEDH' cipher. The 'kEDH' cipher was, however, a default cipher for previous releases (where 'https' relied upon 'OpenSSL').
The configuration fails to load, an error message is issued, and the device remains offline until a manual config load is performed.
-- Config uses 'https' monitors.
-- Upgrade occurs from v13.1.0 to a later version.
You can use either of the following workarounds:
-- After upgrade from v13.1.0, perform a manual config load by running the following command: tmsh load sys config
   (This works because upon a manual config load command ('tmsh load sys config'), the system replaces the existing 'https' ciphers with defaults appropriate for a 'serverssl' profile in the new version of the software. Even though the system posts an error referencing the invalid 'kEDH' cipher, the device will become 'Active' seconds later, and new default ciphers will be established for 'https' monitors.)
-- Remove 'https' monitors prior to upgrade, and add them again after upgrade.
Config loads without error after upgrade from v13.1.0.
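A pre-upgrade check for the condition described above, as an added example that is not F5 code: it lists the 'https' monitors whose cipher string still names 'kEDH', so they can be reviewed before the upgrade. The stanza layout (`ltm monitor https <name> { ... }`), the `cipherlist` attribute name and the sample cipher strings are assumptions; the sample configuration is constructed.

```shell
#!/usr/bin/env bash
# Added example (not vendor code). Reads configuration text on stdin and
# prints the name of every https monitor whose cipher string names kEDH.
# Assumptions: monitors appear as "ltm monitor https <name> {" stanzas closed
# by "}" in column 0, and the cipher string is stored under "cipherlist".

find_kedh_https_monitors() {
    awk '
        # Stanza header: remember the monitor name.
        /^ltm monitor https / { name = $4; in_mon = 1; next }
        # A closing brace in column 0 ends the current stanza.
        /^}/                  { in_mon = 0; next }
        in_mon && $1 == "cipherlist" {
            list = $2
            gsub(/"/, "", list)              # value may be quoted
            n = split(list, parts, ":")
            for (i = 1; i <= n; i++) {
                tok = parts[i]
                # Any prefix is stripped: the keyword itself is what the
                # page reports as unsupported (assumption for "!" and "-").
                sub(/^[+!-]/, "", tok)
                if (tok == "kEDH") { print name; break }
            }
        }
    '
}

# Constructed sample configuration (not taken from a real device).
sample_config() {
    cat <<'EOF'
ltm monitor https /Common/https_legacy {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    defaults-from /Common/https
    interval 5
}
ltm monitor https /Common/https_clean {
    cipherlist DEFAULT
    defaults-from /Common/https
}
ltm monitor http /Common/http_plain {
    defaults-from /Common/http
}
EOF
}

# Demo run on the constructed sample.
sample_config | find_kedh_https_monitors
```

To check a real system, feed a saved copy of its configuration text to `find_kedh_https_monitors` on stdin instead of the sample.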