Bug ID 953601: HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 16.1.0, 16.1.1, 16.1.2

Fixed In:
17.0.0, 14.1.5

Opened: Oct 08, 2020
Severity: 3-Major


The HTTPS monitor marks pool members/nodes as down, and they remain down until bigd is restarted or the monitor instance is removed and created again.


HTTPS monitor shows pool members or nodes down when they are up.


BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM), but all of the TLS protocol versions are allowed. When the HTTPS monitor's TLS 1.0 handshake fails due to ciphers incompatible with the server being monitored, it does not try TLS 1.2 and marks pool members or nodes as down.
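The mismatch described in these conditions can be checked offline before a cipher string is deployed. The following is an added example, not F5 code: it lists the allowed protocol versions in which a cipher string offers no usable suite. It assumes the local OpenSSL (through Python's `ssl` module) interprets the string the way the monitoring stack does, which may not hold for BIG-IP's own cipher parser; the function names are hypothetical.

```python
import ssl

# Rank of the protocol names reported by SSLContext.get_ciphers().
_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3}


def cipher_min_versions(cipher_string):
    """Map each suite selected by cipher_string to the protocol that first defined it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately in OpenSSL and are always
    # listed, so they are left out of this TLS 1.0-1.2 comparison.
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def unusable_versions(cipher_string, allowed_versions):
    """Return the allowed versions in which no selected suite can be negotiated."""
    # An unrecognised protocol label is treated as usable in every version.
    mins = [_RANK.get(p, 0) for p in cipher_min_versions(cipher_string).values()]
    return [v for v in allowed_versions if not any(m <= _RANK[v] for m in mins)]


if __name__ == "__main__":
    # Constructed input: the cipher string from this bug with all versions allowed.
    allowed = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
    gaps = unusable_versions("ECDH+AESGCM", allowed)
    for version in gaps:
        print(f"{version}: allowed, but no configured cipher can be used with it")
```

A non-empty result means a handshake pinned to one of the listed versions can only fail, which is the state the monitor was left in before the fix.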


Restart bigd or remove and add monitors.

Fix Information

In case of handshake failure, BIG-IP will try TLS 1.2.

Behavior Change