Forum Discussion
I am planning to upgrade my F5 from 10.2.4 to 11.6. What upgrade process do I have to follow?
Hello Rapp,
Could you please elaborate on the first point? We have upgraded F5 from 11.4.1 to 11.6.0 and noticed SSL is not working. We are using Thales HSM for key storage and encryption. While checking the F5 log, I found "tmm7[22268] 01260010 FIPS acceleration device failure: cannot locate key". I verified that the key is available on F5; I am not sure why F5 detects that the key is not available. I tried to reassign the key and cert in the SSL profile, still no success. F5 support is clueless and ready to blame it on HSM.
"SSL Profiles "inherit-certchain" setting is screwed up - does not migrate correctly. You'll have to manually go over the config file to fix it. Relevant if you use parent (clientside or serverside) SSL profiles that are something else than the default profile "clientssl"."
- Hannes_Rapp (Nimbostratus), Sep 18, 2015
Hello, Praveen.

Have you checked the default "clientssl" profile? I do not have experience with Thales HSM, but I can recall a similar issue where another HSM was paired with F5. Namely, the "default.crt" and "default.key" files were no longer included in the certificate chain after the upgrade, which caused the external HSM to be inaccessible to the BigIP. The error message was the same. In addition to SSL problems, we had cluster-sync issues for the same reason.

If that does not apply, I'm out of ideas and cannot recommend anything other than redoing the configuration where you paired BigIP with external HSM crypto. This link may help you, should you decide to take the last option: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration/3.html

The inherit-certchain issue only applies to custom clientside SSL profiles where the "Parent Profile" is not "clientssl". The first symptom of this being the case is that, as you open a client SSL profile in the GUI, you will see that incorrect files (crt and key) are in the chain. For as long as you do not apply configuration changes, the impact is only cosmetic (visually misleading), but as soon as you apply any change to your SSL profile, those wrong files you see in the chain will take effect and take down your service.
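An added example, not part of the thread and not F5 code: one way to do the "go over the config file" check described above is to diff the client SSL profiles in config snapshots taken before and after the upgrade. It assumes both snapshots are tmsh-format `bigip.conf` text (11.x); the function names, profile names and file paths are constructed for illustration.

```python
import re

FIELDS = ("defaults-from", "cert", "key", "chain", "inherit-certchain")
HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{\s*$")
DEFAULT_PARENTS = {"clientssl", "/Common/clientssl"}

def parse_client_ssl(conf_text):
    """Return {profile: {field: value}}, reading top-level attributes only."""
    profiles, current, depth = {}, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if current is None:
            m = HEADER.match(raw)
            if m:
                current, depth = m.group(1), 1
                profiles[current] = {}
            continue
        parts = line.split(None, 1)
        if depth == 1 and len(parts) == 2 and parts[0] in FIELDS:
            profiles[current][parts[0]] = parts[1]
        # Track nesting so attributes inside sub-blocks are not mistaken
        # for the profile's own cert/key/chain.
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None
    return profiles

def chain_drift(pre_text, post_text):
    """List custom-parent profiles whose cert/key/chain settings changed."""
    pre, post = parse_client_ssl(pre_text), parse_client_ssl(post_text)
    findings = []
    for name, before in sorted(pre.items()):
        if before.get("defaults-from") in DEFAULT_PARENTS:
            continue  # the post limits the issue to non-default parents
        after = post.get(name, {})
        changed = {f: (before.get(f), after.get(f))
                   for f in FIELDS[1:] if before.get(f) != after.get(f)}
        if changed:
            findings.append((name, changed))
    return findings

# Constructed sample snapshots (not taken from a real device).
PRE = ("ltm profile client-ssl /Common/app_ssl {\n"
       "    cert /Common/app.crt\n    key /Common/app.key\n"
       "    defaults-from /Common/parent_ssl\n    inherit-certchain false\n}\n")
POST = PRE.replace("app.crt", "default.crt").replace("app.key", "default.key")

if __name__ == "__main__":
    print(chain_drift(PRE, POST))
```

Any profile it reports should be corrected in the config file before a change is applied to that profile in the GUI.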