Bug ID 758904: After full config sync or modifications to SSL profiles, new SSL/TLS handshakes fail for at least 5 seconds

Last Modified: Nov 09, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Opened: Feb 15, 2019

Severity: 3-Major

Symptoms

After a device finishes receiving a configuration sync from its peer or after SSL profiles are modified, new connections to virtual servers are unable to complete TLS handshakes for 5 seconds. If a device processes a full (non-incremental) sync from the peer device, all SSL profiles are affected. If only a few SSL profiles are modified, then only virtual servers that reference those SSL profiles are affected.

The BIG-IP system logs this message:

warning tmm[12345]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)

Impact

After the TCP handshake completes, the BIG-IP system responds to the client with a TCP FIN. As a result, new TLS connections to affected virtual servers fail for approximately 5 seconds and then recover without intervention. The failures recur when the next configuration change causes TMM to start another 5-second timer.
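A defender-side check for this symptom, as an added example that is not F5 code: it scans log lines for the warning quoted under Symptoms and groups them into bursts, so each failure window can be compared with the time of a config sync or SSL profile change. The syslog prefix layout, the hostname bigip1, and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Warning text exactly as quoted in the Symptoms section.
MSG = "01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)"
# Assumed syslog prefix: "Mon DD HH:MM:SS host warning tmmN[pid]: <MSG>".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) warning "
    r"tmm\d*\[\d+\]: " + re.escape(MSG)
)

def failure_windows(lines, year, max_gap=timedelta(seconds=5)):
    """Group matching warnings into per-host bursts. A new burst starts when
    more than max_gap separates two consecutive warnings on the same host.
    Returns (host, first_seen, last_seen, count) tuples ordered by start."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["host"]].append(ts)
    windows = []
    for host, stamps in events.items():
        stamps.sort()
        start = prev = stamps[0]
        count = 1
        for ts in stamps[1:]:
            if ts - prev > max_gap:
                windows.append((host, start, prev, count))
                start, count = ts, 0
            prev = ts
            count += 1
        windows.append((host, start, prev, count))
    return sorted(windows, key=lambda w: w[1])

# Constructed sample input (not real device logs).
SAMPLE = [
    f"Feb 15 10:00:01 bigip1 warning tmm[12345]: {MSG}",
    f"Feb 15 10:00:02 bigip1 warning tmm1[12345]: {MSG}",
    "Feb 15 10:00:03 bigip1 notice constructed unrelated line",
    f"Feb 15 10:00:04 bigip1 warning tmm[12345]: {MSG}",
    f"Feb 15 10:07:30 bigip1 warning tmm[12345]: {MSG}",
    f"Feb 15 10:07:33 bigip1 warning tmm[12345]: {MSG}",
]

if __name__ == "__main__":
    for host, first, last, count in failure_windows(SAMPLE, 2019):
        span = (last - first).total_seconds()
        print(f"{host}: {count} failed handshakes from {first} over {span:.0f}s")
```

A burst that lines up with a sync or profile edit and lasts about 5 seconds matches the behavior described here; the same warning outside such a window points to a different cause.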

Conditions

-- High Availability (HA) configured with two or more devices.
-- One or more Client SSL profiles are modified, and these profiles are in use by a virtual server. Note: Client SSL profiles are modified when an associated object (e.g., a certificate, a key, etc.) is updated.
-- A full config sync is triggered.
-- Running BIG-IP v13.x. This has not been found to impact any other software versions.

Workaround

If this occurs because you are directly modifying the SSL profile referenced by a virtual server (as opposed to it occurring because of a ConfigSync operation), you can avoid modifying an SSL profile that is actively referenced by the virtual server by replacing the SSL profile used in the virtual server with a new one.

1. Create a new SSL profile that has the same configuration as the SSL profile currently in use (i.e., create a copy of the currently used SSL profile).
2. Modify the parameters on the new SSL profile as needed.
3. Assign the new SSL profile to the virtual server, and remove the old one.
4. Once the new SSL profile is successfully attached to the virtual server, you may want to delete the old SSL profile.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips