
Issue: Pushing a Cert to an F5 with BGP configured fails.

Applies To:

All versions up to and including 19.1

Issue Summary:

If BGP is configured on the F5, pushing a certificate to it may fail. The attempt typically reaches stage 800 (possibly a little further, but not much), waits 5 minutes (300 seconds), and then times out. The timeout produces an XML error that looks something like:

Error: There is an error in XML document (522, 2).. Additional error data 
System.InvalidOperationException: There is an error in XML document (522, 2). --->
System.IO.IOException: Unable to read data from the transport connection:
An existing connection was forcibly closed by the remote host. --->

More Information:

An F5 may be configured with BGP (Border Gateway Protocol), a routing protocol that selects the best path to a destination from many candidate routes.

More information can be found here:

https://support.f5.com/csp/article/K10168

or

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-12-1-1.pdf

What APPEARS to be happening is a timeout caused by problems routing the traffic, though this has not been confirmed. That would explain why some portions of the request succeed (e.g. the private key is inserted) while other portions fail. BGP is not the only way to implement a floating IP, and care must be taken to confirm that the IP address being targeted is routed correctly.

Resolution:

At this time there is none, as this configuration is not currently supported.

In THEORY it should work, so please verify your routing, both internally and on the F5, to rule out a plain routing issue.
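The following script is an added example, not Venafi or F5 code. It helps with two things from this article: confirming that an error you captured matches the signature quoted above (an "XML document" error whose inner cause is a transport reset, rather than genuinely malformed XML), and checking whether the path to the F5 address stays reachable over repeated attempts, since intermittent loss on the route to the floating IP would match the partial-success behaviour described. The host name, port and the flaky connector used in the demonstration are constructed placeholders; point the probe at your own F5 address.

```python
"""Triage helper for the F5 certificate-push timeout described in the article.

Added example (not Venafi/F5 code). It
1. parses the error text to pull out the XML position and the inner
   transport exception, and
2. repeatedly opens a TCP connection to the F5 endpoint to see whether the
   path is stable across the window in which a push would otherwise time out.
"""
import re
import socket
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: the error text as quoted in the article.
SAMPLE_ERROR = """Error: There is an error in XML document (522, 2).. Additional error data
System.InvalidOperationException: There is an error in XML document (522, 2). --->
System.IO.IOException: Unable to read data from the transport connection:
An existing connection was forcibly closed by the remote host. --->"""

XML_POS_RE = re.compile(r"error in XML document \((\d+), (\d+)\)")
INNER_RE = re.compile(r"(System\.IO\.IOException): (.+?)\s*--->", re.S)
TRANSPORT_RESET = "forcibly closed by the remote host"


@dataclass
class Triage:
    xml_line: Optional[int]
    xml_col: Optional[int]
    inner_exception: Optional[str]
    transport_reset: bool

    @property
    def likely_path_issue(self) -> bool:
        # The article's signature: the XML parser complains only because the
        # response was cut off by a transport-level reset mid-stream.
        return self.transport_reset and self.inner_exception == "System.IO.IOException"


def triage_error(text: str) -> Triage:
    """Extract the XML position and inner exception from a captured error."""
    pos = XML_POS_RE.search(text)
    inner = INNER_RE.search(text)
    return Triage(
        xml_line=int(pos.group(1)) if pos else None,
        xml_col=int(pos.group(2)) if pos else None,
        inner_exception=inner.group(1) if inner else None,
        transport_reset=TRANSPORT_RESET in text,
    )


def probe_path_stability(host: str, port: int, attempts: int = 10, interval: float = 1.0,
                         connector: Optional[Callable[[str, int], None]] = None) -> dict:
    """Open `attempts` TCP connections `interval` seconds apart and count failures.

    A run that alternates between success and failure suggests the route to the
    address is unstable, which fits the article's partial-success symptom.
    `connector` is injectable so the logic can be exercised without a network.
    """
    if connector is None:
        def connector(h: str, p: int) -> None:
            with socket.create_connection((h, p), timeout=5):
                pass
    failures = []
    for i in range(attempts):
        try:
            connector(host, port)
        except OSError as exc:  # covers DNS, refused, reset and timeout errors
            failures.append((i, str(exc)))
        if interval and i < attempts - 1:
            time.sleep(interval)
    return {"attempts": attempts, "failures": len(failures),
            "detail": failures, "stable": not failures}


if __name__ == "__main__":
    t = triage_error(SAMPLE_ERROR)
    print(t, "likely path issue:", t.likely_path_issue)

    # Constructed flaky connector: every third attempt is reset, standing in for
    # a route that drops intermittently. Replace with a real host/port to probe.
    calls = []

    def flaky(h: str, p: int) -> None:
        calls.append(1)
        if len(calls) % 3 == 0:
            raise ConnectionResetError("connection reset by peer")

    print(probe_path_stability("f5-placeholder.example", 443, attempts=6,
                               interval=0, connector=flaky))
```

If the triage reports a transport reset but the probe to the same address is stable, the problem is more likely on the specific path the management traffic takes during the push than on basic reachability, which is the point the article makes about checking routing on both sides.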

Please also go to ideas.venafi.com to express your interest in supporting this feature.
