Forum Discussion

Kevin_49772's avatar
Kevin_49772
Icon for Nimbostratus rankNimbostratus
Mar 17, 2016

Default clientssl ciphers different between HA pair on same version

Running 11.4.1 on an HA pair and when the standby became active, even though the configs were in sync, it was discovered that the parent CSSL profile 'clientssl' was not in sync - it had a custom set of ciphers on the primary LTM, but was set to DEFAULT on the standby. It allowed SSLv3 and RC4 when the standby unit was active, but they are disabled on the primary. I corrected the cipher list to be more exclusive and sync status never changed to 'out of sync'.

 

Is that bit of config not replicated between HA devices? Seems like an odd choice to be by design, but that's what it looks like.