Bug ID 953601: HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 15.1.5, 15.1.5.1, 15.1.6

Fixed In:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5

Opened: Oct 08, 2020

Severity: 3-Major

Symptoms

HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.

Impact

HTTPS monitor shows pool members or nodes down when they are up.

Conditions

BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down.

Workaround

Restart bigd or remove and add monitors.

Fix Information

In case of handshake failure, BIG-IP will try TLS 1.2 version.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips