Bug ID 758904: After full config sync or modifications to SSL profiles, new SSL/TLS handshakes will fail for at least 5 seconds

Last Modified: Dec 11, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2

Opened: Feb 15, 2019
Severity: 3-Major

Symptoms

After a device finishes receiving a configuration sync from its peer, or after SSL profiles are modified, new connections to virtual servers are unable to complete TLS handshakes. If a device processes a full (non-incremental) sync from the peer device, all SSL profiles are affected. If only a few SSL profiles are modified, then only virtual servers that reference those SSL profiles are affected. The BIG-IP system logs this message:

warning tmm[12345]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)

Impact

After the TCP handshake completes, the BIG-IP system responds to the client with a TCP FIN. As a result, new TLS connections to affected virtual servers fail for approximately 5 seconds before recovering without intervention, until the next configuration change occurs and causes TMM to start up another 5-second timer.
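
An added example (not from F5 or the original bug report): a Python scan that groups the warning quoted under Symptoms into bursts, so the roughly 5-second failure windows can be lined up against config sync or SSL profile change times. The syslog timestamp and hostname prefix, the sample lines, and the names find_bursts and SAMPLE_LOG are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Message ID and text as quoted in the bug report. The tmm instance suffix, the
# PID and the number after hud_ssl_handler are matched loosely (assumption:
# they can differ between systems).
PATTERN = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ warning tmm\d*\[\d+\]: 01260009:4: "
    r"Connection error: hud_ssl_handler:\d+: invalid profile \(40\)"
)

# Constructed sample lines; the "date time host" prefix is an assumed syslog layout.
SAMPLE_LOG = """\
Feb 15 10:00:01 bigip1 warning tmm[12345]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
Feb 15 10:00:02 bigip1 warning tmm1[12345]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
Feb 15 10:00:04 bigip1 warning tmm[12345]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
Feb 15 10:00:30 bigip1 notice mcpd[4321]: constructed unrelated line
Feb 15 10:12:10 bigip1 warning tmm[12345]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
Feb 15 10:12:13 bigip1 warning tmm[12345]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
"""


def find_bursts(lines, year, max_gap=timedelta(seconds=5)):
    """Group matching lines (assumed chronological) into bursts.

    Returns a list of (start, end, count) tuples. A new burst starts when the
    gap since the previous matching line exceeds max_gap.
    """
    bursts = []
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if bursts and ts - bursts[-1][1] <= max_gap:
            start, _, count = bursts[-1]
            bursts[-1] = (start, ts, count + 1)
        else:
            bursts.append((ts, ts, 1))
    return bursts


if __name__ == "__main__":
    for start, end, count in find_bursts(SAMPLE_LOG.splitlines(), year=2019):
        span = int((end - start).total_seconds())
        print(f"{start}  {count} messages over {span}s")
```

Each burst start time is a candidate for correlation with the time of a config sync or an SSL profile edit on the same device.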

Conditions

-- High Availability (HA) configured with two or more devices.
-- One or more Client SSL profiles are modified, and these profiles are in use by a Virtual Server.
-- A full config sync is triggered.

Workaround

In the case where this occurs because you are directly modifying the SSL profile referenced by a virtual server (as opposed to it occurring because of a ConfigSync operation), you can avoid directly modifying an SSL profile that is actively referenced by the virtual server by replacing the SSL profile used in the virtual server with a new one.

1) Create a new SSL profile that has the same configuration as an SSL profile currently in use (i.e., create a copy of the currently used SSL profile).
2) Modify any parameters on the new SSL profile as you like.
3) Assign the new SSL profile to the virtual server, and remove the old one.
4) Once the new SSL profile is successfully attached to the virtual server, you may want to delete the old SSL profile.

Fix Information

None

Behavior Change