Bug ID 953601: HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 15.1.5, 15.1.5.1, 15.1.6

Fixed In:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5

Opened: Oct 08, 2020

Severity: 3-Major

Symptoms

HTTPS monitor marks pool members or nodes as down, and they remain down until bigd is restarted or the monitor instance is removed and created again.

Impact

HTTPS monitor shows pool members or nodes down when they are up.

Conditions

BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM), but all TLS protocol versions are allowed. When the HTTPS monitor's TLS 1.0 handshake fails because the ciphers are incompatible with the server being monitored, the monitor does not retry with TLS 1.2 and marks the pool members or nodes as down.

Workaround

Restart bigd or remove and add monitors.

Fix Information

In case of handshake failure, BIG-IP will retry with TLS 1.2.
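The Conditions and Fix Information sections above describe the monitor's version selection; the following is an added example (not F5 code) that models it: a pre-fix probe that stops after the first failed handshake beside the fixed probe that moves on to the next protocol version, plus a check that flags the triggering configuration. The version ordering, the OpenSSL-style cipher names and the rule that GCM/CHACHA20/SHA-2 suites require TLS 1.2 are the example's own assumptions.

```python
# Added example, not part of the bug record: a model of the HTTPS monitor's
# TLS version negotiation and a configuration check for the triggering condition.
TLS_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2")  # offered lowest first (assumption)


def min_version(cipher: str) -> str:
    """Lowest TLS version on which an OpenSSL-named suite can be negotiated.
    AEAD (GCM, CHACHA20) and SHA-2 HMAC suites only exist from TLS 1.2."""
    tls12_only = ("GCM", "CHACHA20", "SHA256", "SHA384")
    return "TLSv1.2" if any(tok in cipher for tok in tls12_only) else "TLSv1"


def handshake(version, client_ciphers, server_versions, server_ciphers):
    """Return the cipher a handshake at `version` would settle on, or None."""
    if version not in server_versions:
        return None
    for c in client_ciphers:
        if c in server_ciphers and TLS_VERSIONS.index(min_version(c)) <= TLS_VERSIONS.index(version):
            return c
    return None


def probe(allowed_versions, client_ciphers, server_versions, server_ciphers, retry_on_failure):
    """Model of the monitor probe: (version, cipher) if the member is reachable,
    None if the monitor would mark it down. retry_on_failure=False is the
    pre-fix behaviour; True is the fixed behaviour described on this page."""
    for version in TLS_VERSIONS:
        if version not in allowed_versions:
            continue
        cipher = handshake(version, client_ciphers, server_versions, server_ciphers)
        if cipher:
            return version, cipher
        if not retry_on_failure:  # pre-fix: give up after the first failed handshake
            return None
    return None


def triggers_bug(allowed_versions, client_ciphers):
    """True when every configured cipher needs TLS 1.2 but older versions are allowed,
    i.e. the condition under which the pre-fix monitor probes TLS 1.0 first and fails."""
    all_tls12 = all(min_version(c) == "TLSv1.2" for c in client_ciphers)
    return all_tls12 and any(v != "TLSv1.2" for v in allowed_versions)


if __name__ == "__main__":
    # Constructed scenario: all versions allowed, ECDH+AESGCM only, healthy server.
    ciphers = ["ECDHE-RSA-AES128-GCM-SHA256"]
    every = set(TLS_VERSIONS)
    print("pre-fix:", probe(every, ciphers, every, ciphers, retry_on_failure=False))  # None (down)
    print("fixed:  ", probe(every, ciphers, every, ciphers, retry_on_failure=True))   # TLSv1.2 (up)
    print("config triggers bug:", triggers_bug(every, ciphers))
```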

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips