Avi Controller UI and Shell Inaccessible After Modifying SSL protocols in Portal SSL Profile

Article ID: 409670


Products

VMware Avi Load Balancer

Issue/Introduction

  • After modifying the SSL Profile used for the Avi Controller portal (default profile is System-Standard-Portal), all access to the Controller UI and shell (CLI) becomes unavailable.
  • This issue occurs specifically when the list of "Accepted Versions" for SSL/TLS protocols is configured with a non-consecutive selection.
  • For example, configuring TLS 1.0 and TLS 1.2 (skipping TLS 1.1), or TLS 1.1 and TLS 1.3 (skipping TLS 1.2), will trigger this condition.
  • [Screenshot: example of the offending configuration in the SSL profile]
  • [Screenshot: location of the SSL profile in System Settings]

Cause

This behavior is caused by a software defect in the Avi Controller's OpenSSL control plane logic. 

Resolution

Workaround:

  • To restore access, the underlying NGINX configuration file on the controller node must be manually edited to specify a valid, consecutive list of TLS protocols.
  • After correcting the file, the NGINX service must be restarted.
  • Please contact Broadcom Support for assistance with performing this workaround, as it requires modification of a critical control plane service.
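The non-consecutive condition described above can be checked before a profile change is saved, or against a copy of an NGINX configuration. The following is an added example, not Broadcom's code: it assumes the protocol list appears in NGINX's standard `ssl_protocols` directive, the function names are hypothetical, and the sample configuration is constructed (the article does not give the controller's actual file path or contents).

```python
import re

# Protocol order, oldest to newest, as nginx ssl_protocols tokens.
ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Labels as written in this article, mapped onto the nginx tokens.
ALIASES = {"TLS 1.0": "TLSv1", "TLS 1.1": "TLSv1.1",
           "TLS 1.2": "TLSv1.2", "TLS 1.3": "TLSv1.3"}
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);", re.MULTILINE)

def skipped_versions(selected):
    """Return versions skipped between the lowest and highest selected."""
    indexes = set()
    for name in selected:
        token = ALIASES.get(name, name)
        if token not in ORDER:
            raise ValueError(f"unrecognised protocol: {name!r}")
        indexes.add(ORDER.index(token))
    if not indexes:
        raise ValueError("no TLS versions selected")
    low, high = min(indexes), max(indexes)
    return [ORDER[i] for i in range(low, high + 1) if i not in indexes]

def check_nginx_config(text):
    """Map the line number of each ssl_protocols directive to its gaps."""
    findings = {}
    for match in DIRECTIVE.finditer(text):
        line_no = text.count("\n", 0, match.start(1)) + 1
        findings[line_no] = skipped_versions(match.group(1).split())
    return findings

# Constructed sample, not taken from a real controller.
SAMPLE = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for line_no, gaps in check_nginx_config(SAMPLE).items():
        status = f"skips {', '.join(gaps)}" if gaps else "consecutive"
        print(f"line {line_no}: {status}")
```

An empty result for a selection means it is consecutive; any returned version is one that would have to be added (or the range narrowed) to avoid the condition.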

Permanent Resolution:

  • This issue is permanently resolved by upgrading to one of the following Avi Controller versions or any subsequent releases:
    • 30.2.6
    • 31.2.1