Bug ID 853581: GTM HTTPS monitor reuses SSL session ID after connection reset.

Last Modified: Dec 11, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 15.0.0, 15.0.1, 15.1.0

Opened: Nov 27, 2019
Severity: 3-Major

Symptoms

GTM HTTPS monitor fails. Tcpdump shows the server is sending a TCP reset in the packet following big3d sending Client Hello trying to reuse a session.

Impact

Monitored resource is stuck in a down state.

Conditions

Monitored server has changed SSL protocol requirements, for example, changes to no longer accept TLS 1.1 connections.

Workaround

The cached SSL sessions can be cleared by restarting big3d, or by following the process below: If restarting big3d is not possible, the cached SSL sessions can be expired by triggering an SSL alert from the webserver instead of a TCP reset. The process varies based on the webserver and the protocols and ciphers involved. The following example is for the case where the server had been reconfigured to no longer accept TLSv1.1. 1. Re-enable the server disallowed protocol TLSv1.1. 2. Change the server allowed cipher list to only allow TLSv1.2 ciphers. 3. Verify monitors have no been marked up (big3d should now be sending TLS1.2 client hello). 4. Now the server can be configured to refuse TLSv1.1.

Fix Information

None

Behavior Change