Bug ID 853581: GTM HTTPS monitor reuses SSL session ID after connection reset.

Last Modified: Apr 29, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,, 15.0.0, 15.0.1,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 16.0.0,, 16.0.1,,

Opened: Nov 27, 2019

Severity: 3-Major


GTM HTTPS monitor fails. Tcpdump shows the server is sending a TCP reset in the packet following big3d sending Client Hello trying to reuse a session.


Monitored resource is stuck in a down state.


Monitored server has changed SSL protocol requirements, for example, changes to no longer accept TLS 1.1 connections.


The cached SSL sessions can be cleared by restarting big3d, or by following the process below: If restarting big3d is not possible, the cached SSL sessions can be expired by triggering an SSL alert from the webserver instead of a TCP reset. The process varies based on the webserver and the protocols and ciphers involved. The following example is for the case where the server had been reconfigured to no longer accept TLSv1.1. 1. Re-enable the server disallowed protocol TLSv1.1. 2. Change the server allowed cipher list to only allow TLSv1.2 ciphers. 3. Verify monitors have no been marked up (big3d should now be sending TLS1.2 client hello). 4. Now the server can be configured to refuse TLSv1.1.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips