Last Modified: Jan 22, 2021
See more info
Known Affected Versions:
14.0.0, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 14.0.1, 22.214.171.124, 14.1.0, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 14.1.2, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 14.1.3, 188.8.131.52, 15.0.0, 15.0.1, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 15.1.0, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 15.1.1, 15.1.2, 22.214.171.124, 16.0.0, 126.96.36.199, 16.0.1
Opened: Oct 16, 2019
Related AskF5 Article: K74221031
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.
The upgrade failure is seen when all the following conditions are met: -- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x. -- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x. (1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf. (2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers (3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.
There are two possible workarounds: -- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config. -- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device: 1. cp /config/bigip.conf /config/backup_bigip.conf 2. Run: sed -i "s/\!SSLv2://g" /config/bigip.conf 3. tmsh load /sys config