Last Modified: Jan 30, 2020
Known Affected Versions:
13.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 13.1.1, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 13.1.3, 22.214.171.124, 126.96.36.199
Opened: Feb 15, 2019
After a device finishes receiving a configuration sync from its peer, or after SSL profiles are modified, new connections to virtual servers are unable to complete TLS handshakes. If a device processes a full (non-incremental) sync from the peer device, all SSL profiles are affected. If only a few SSL profiles are modified, then only virtual servers that reference those SSL profiles are affected. The BIG-IP system logs this message:
warning tmm: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
After the TCP handshake completes, the BIG-IP system responds to the client with a TCP FIN. As a result, new TLS connections to affected virtual servers fail for approximately 5 seconds before recovering without intervention, until the next configuration change occurs and causes TMM to start up another 5-second timer.
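To check whether logged handshake failures match this pattern, the following added example (not F5 code) groups the warning quoted above into bursts and flags those that fit the roughly 5-second window. The log lines are constructed; the syslog timestamp and host prefix, the names `find_bursts` and `summarize`, and the tolerance for other `hud_ssl_handler` line numbers are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input. The "date time host" prefix is an assumed syslog
# layout; the text from "warning tmm:" onward is the message quoted on the page.
MSG = "warning tmm: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)"
SAMPLE_LOG = [
    f"Feb 15 10:00:01 bigip1 {MSG}",
    f"Feb 15 10:00:02 bigip1 {MSG}",
    f"Feb 15 10:00:04 bigip1 {MSG}",
    "Feb 15 10:00:09 bigip1 notice mcpd: unrelated constructed line",
    f"Feb 15 10:07:30 bigip1 {MSG}",
    f"Feb 15 10:07:33 bigip1 {MSG}",
]

# Assumption: the source line number (910) and tmm instance suffix may vary.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*\btmm\d*(?:\[\d+\])?: "
    r"01260009:4: Connection error: hud_ssl_handler:\d+: invalid profile \(40\)"
)

def find_bursts(lines, year, max_gap=timedelta(seconds=5)):
    """Group matching events; a gap longer than max_gap starts a new burst."""
    bursts = []
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if bursts and ts - bursts[-1]["end"] <= max_gap:
            bursts[-1]["end"] = ts
            bursts[-1]["count"] += 1
        else:
            bursts.append({"start": ts, "end": ts, "count": 1})
    return bursts

def summarize(bursts, window=5.0):
    """Return (start, duration_s, count, fits_window) per burst.

    fits_window is False when errors persist past the ~5 s recovery period,
    which suggests repeated configuration changes or a different cause.
    """
    out = []
    for b in bursts:
        dur = (b["end"] - b["start"]).total_seconds()
        out.append((b["start"].isoformat(), dur, b["count"], dur <= window))
    return out

if __name__ == "__main__":
    for row in summarize(find_bursts(SAMPLE_LOG, year=2019)):
        print(row)
```

Comparing each burst's start time with the times of ConfigSync operations or SSL profile edits shows whether the failures line up with configuration changes.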
-- High Availability (HA) configured with two or more devices.
-- One or more Client SSL profiles are modified, and these profiles are in use by a Virtual Server.
-- A full config sync is triggered.
If this occurs because you are directly modifying the SSL profile referenced by a virtual server (as opposed to it occurring because of a ConfigSync operation), you can avoid directly modifying an SSL profile that is actively referenced by the virtual server by replacing the SSL profile used in the virtual server with a new one:
1) Create a new SSL profile that has the same configuration as an SSL profile currently in use (i.e., create a copy of the currently used SSL profile).
2) Modify any parameters on the new SSL profile as you like.
3) Assign the new SSL profile to the virtual server, and remove the old one.
4) Once the new SSL profile is successfully attached to the virtual server, you may want to delete the old SSL profile.