Default clientssl ciphers different between HA pair on same version

Question

Running 11.4.1 on an HA pair and when the standby became active, even though the configs were in sync, it was discovered that the parent CSSL profile 'clientssl' was not in sync - it had a custom set of ciphers on the primary LTM, but was set to DEFAULT on the standby.  It allowed SSLv3 and RC4 when the standby unit was active, but they are disabled on the primary.  I corrected the cipher list to be more exclusive and sync status never changed to 'out of sync'.&nbsp;
Is that bit of config not replicated between HA devices? Seems like an odd choice to be by design, but that's what it looks like.&nbsp;

kevin_49772 · Accepted Answer

FYI to anyone else.&nbsp;
SOL14289: Changes made to base profiles are not synchronized to other hosts in a device group&nbsp;
Fixes Introduced In 11.5.0&nbsp;
https://support.f5.com/kb/en-us/solutions/public/14000/200/sol14289.html&nbsp;

devbabu · Answer

Should have been replicated. Any reasons 11.4.1 standby went to active ? UPGRADES...&nbsp;

Forum Discussion

Default clientssl ciphers different between HA pair on same version

2 Replies

Recent Discussions

BIG-IP Monitors (unknown)/ Cookie

Top-Rated Custom Blockchain App Development Company

I cannot activate the license on BIG-IP-NEXT

Convert Nginx rule to F5 irule

Python code using Parallel-SSH library to connect to F5 BigIP

Related Content

Capture Virtual Server Clientssl Profile & Ciphers Mapping - Bash

TLS server_name extension based routing without clientssl profile

limit to number of clientssl profiles

Delete Management Default Route?

Copper SFP Differences