SSL issues on F5 BigIP after firmware upgrade to 11.6

I have recently had a weird issue with a cluster of LTM boxes after they were upgraded to 11.6.

Basically, one of them refused to serve SSL web sites (SSL negotiation could not complete in any browser).

All VSs were members of the same traffic group. The group worked fine on one cluster node but did not work on the other node. HTTP VSs in the same traffic group were not affected. Configs were identical. A reboot did not help.

So we spent a considerable amount of time OOH with F5 Support, and the test that finally allowed us to approach the root cause was as follows.

We created a new traffic group, created a new HTTPS VS with default certificates, assigned it to the group and failed it over to the faulty node. The VS worked, and this also gave us time for troubleshooting without bringing the prod web sites down altogether.

We then moved one of the prod web sites onto the new traffic group – the VS did not work. We reverted all encryption settings to defaults and then back to our customised settings and the website came back to life! So almost classic Turn it off/turn it on 🙂

Long story short, the solution was to create a blank file as follows:

touch /service/mcpd/forceload

And reboot

reboot

What this procedure does is make the config get rebuilt into its “binary” form from scratch (which does not happen if you just do a normal reboot).
