Last Modified: Apr 29, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2
Opened: Nov 27, 2019 Severity: 3-Major
GTM HTTPS monitor fails. Tcpdump shows the server is sending a TCP reset in the packet following big3d sending Client Hello trying to reuse a session.
Monitored resource is stuck in a down state.
Monitored server has changed SSL protocol requirements, for example, changes to no longer accept TLS 1.1 connections.
The cached SSL sessions can be cleared by restarting big3d, or by following the process below: If restarting big3d is not possible, the cached SSL sessions can be expired by triggering an SSL alert from the webserver instead of a TCP reset. The process varies based on the webserver and the protocols and ciphers involved. The following example is for the case where the server had been reconfigured to no longer accept TLSv1.1. 1. Re-enable the server disallowed protocol TLSv1.1. 2. Change the server allowed cipher list to only allow TLSv1.2 ciphers. 3. Verify monitors have no been marked up (big3d should now be sending TLS1.2 client hello). 4. Now the server can be configured to refuse TLSv1.1.
None
