Last Modified: Nov 07, 2022
Known Affected Versions:
13.1.0, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 13.1.1, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 13.1.3, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 13.1.4, 188.8.131.52, 13.1.5, 184.108.40.206
Opened: Feb 15, 2019
After a device finishes receiving a configuration sync from its peer or after SSL profiles are modified, new connections to virtual servers are unable to complete TLS handshakes for 5 seconds. If a device processes a full (non-incremental) sync from the peer device, all SSL profiles are affected. If only a few SSL profiles are modified, then only virtual servers that reference those SSL profiles are affected. The BIG-IP system logs this message:
warning tmm: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
After the TCP handshake completes, the BIG-IP system responds to the client with a TCP FIN. As a result, new TLS connections to affected virtual servers fail for approximately 5 seconds and then recover without intervention. The failure recurs when the next configuration change causes TMM to start another 5-second timer.
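To line these outage windows up with ConfigSync or profile-change times, the warning quoted above can be grouped into bursts. This is an added example, not F5 code; the syslog timestamp/host prefix, the sample lines, the default year and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; the "date host level process" prefix is an assumed syslog layout.
SAMPLE_LOG = """\
Feb 15 10:00:00 bigip1 notice mcpd[5000]: constructed unrelated line
Feb 15 10:00:01 bigip1 warning tmm[1234]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
Feb 15 10:00:02 bigip1 warning tmm1[1234]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
Feb 15 10:00:05 bigip1 warning tmm[1234]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
Feb 15 10:07:30 bigip1 warning tmm[1234]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
Feb 15 10:07:33 bigip1 warning tmm[1234]: 01260009:4: Connection error: hud_ssl_handler:910: invalid profile (40)
"""

# Message ID and text are taken from the page; the number after
# hud_ssl_handler is matched loosely (assumption).
PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*"
    r"01260009:4: Connection error: hud_ssl_handler:\d+: invalid profile \(40\)"
)

def find_outage_windows(log_text, year=2019, max_gap=timedelta(seconds=5)):
    """Group matching warnings into bursts; return (start, end, count) tuples.

    A warning joins the current burst when it arrives within max_gap of the
    previous one, so a burst can span more than 5 s if changes overlap.
    """
    windows = []
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if windows and ts - windows[-1][1] <= max_gap:
            start, _, count = windows[-1]
            windows[-1] = (start, ts, count + 1)
        else:
            windows.append((ts, ts, 1))
    return windows

def report(log_text):
    """Return one summary line per burst, to compare against change times."""
    return [
        f"{s:%b %d %H:%M:%S} +{int((e - s).total_seconds())}s: {n} warnings"
        for s, e, n in find_outage_windows(log_text)
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Bursts that start right after a sync or SSL profile change and last about 5 seconds match the behavior described here.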
-- High Availability (HA) configured with two or more devices.
-- One or more Client SSL profiles are modified, and these profiles are in use by a virtual server. Note: Client SSL profiles are modified when an associated object (e.g., a certificate, a key, etc.) is updated.
-- A full config sync is triggered.
-- Running BIG-IP v13.x. This has not been found to impact any other software versions.
In the case where this occurs because you are directly modifying the SSL profile referenced by a virtual server (as opposed to it occurring because of a ConfigSync operation), you can avoid directly modifying an SSL profile that is actively referenced by the virtual server by replacing the SSL profile used in the virtual server with a new one.
1. Create a new SSL profile that has the same configuration as the SSL profile currently in use (i.e., create a copy of the currently used SSL profile).
2. Modify the parameters on the new SSL profile as needed.
3. Assign the new SSL profile to the virtual server, and remove the old one.
4. Once the new SSL profile is successfully attached to the virtual server, you may want to delete the old SSL profile.