Forum Discussion

Carl_Brothers
Jan 27, 2025

Removing AAM/WAM for a successful upgrade

If you are wanting to upgrade to version 16 or 17 of BIG-IP, one thing that can cause your config not to load is any element of AAM/WAM/WOM. As I discovered via a customer of mine, even removing all AAM/WAM items from traffic objects is not enough. While I know how to identify things in the conf files and can see them in iHealth, that doesn't help admins in the field assess if this is an issue for them, and if it is, how to document what needs to be changed for the necessary approvals.

With some help, I wrote this knowledge article to meet these needs as well as provide a way to quickly make the changes - https://my.f5.com/manage/s/article/K000149084 

I am sharing this in the forum to not only advertise this, but explain some of the commands and help the community understand how they might be used for other tasks.

From spending time running a few BIG-IPs myself in a prior life and working with hundreds of customers, I knew that my solution needed to address partitions and even iApps. My coworker Fernando C provided me the syntax to crawl every partition and I quickly found ways to morph that into this document. Let's take a look at the syntax that can read the LAN TCP profiles in the Common partition and then see the changes needed to read all partitions.

In order to filter the results a bit better we run these from bash so that we have access to a number of tools like grep, awk, sed, etc.

# Return all virtual server names in Common that use a TCP Profile from wam or wom (aka AAM)
# grep to find the profile prefixes and then piping that to AWK to grab the third word in the output of each line
tmsh list ltm virtual one-line | grep -E "(profiles.*(w(a|o)m-tcp-lan*))" | awk '{print $3}'

This simply returns the virtual server name without the partition name.

Now to read all partitions, the tmsh portion of the command has to change.  Specifically, we pass the -c option to tmsh to tell it to run multiple commands.  When you enter tmsh, by default you are in the Common partition, so we have to back out to the root.  Because we are in the root directory, we need to add the recursive option to read all subfolders which in this case are the partitions.

#Read all partitions and filter for virtual servers that use the wam/wom TCP profiles on the lan or server side 
tmsh -c 'cd /; list ltm virtual recursive one-line' | grep -E "(profiles.*(w(a|o)m-tcp-lan*))" | awk '{print $3}'

Now the output is the partition name and virtual server name, or if iApps are involved, the appservice name as well.

You can take the output from the first command and pass it to xargs to use your output as a variable in a command to execute.  CAUTION, the following command will attempt to make changes to your config.

#Read all partitions and filter for virtual servers that use the wam/wom TCP profiles on the lan or server side then insert new profiles and delete the original profile
#This will cause an error
tmsh -c 'cd /; list ltm virtual recursive one-line' | grep -E "(profiles.*(w(a|o)m-tcp-lan*))" | awk '{print $3}' | xargs -t -I vsName tmsh modify ltm virtual vsName profiles add { f5-tcp-lan { context serverside } } profiles delete { wam-tcp-lan-optimized }

If you run this command, it will error out, because without the proper syntax, tmsh assumes you are referencing objects in the /Common partition and as a result it will help you by implicitly adding that to the beginning of every object in your xargs command.  I added the -t option to xargs to output the command that it will execute.

To correct the syntax error, in the awk command, you add a forward slash and now tmsh will treat your command as if you have explicitly declared the partition name for every object.

Caution - This will make changes to your configuration, very fast...

#Read all partitions and filter for virtual servers that use the wam/wom TCP profiles on the lan or server side then insert new profiles and delete the original profile
#CAUTION - This will make changes to your system. 
tmsh -c 'cd /; list ltm virtual recursive one-line' | grep -E "(profiles.*(w(a|o)m-tcp-lan*))" | awk '{print "/" $3}' | xargs -t -I vsName tmsh modify ltm virtual vsName profiles add { f5-tcp-lan { context serverside } } profiles delete { wam-tcp-lan-optimized }

 

When I first hit the wall with xargs beyond the /Common partition, I did not realize what the fix was.  However, my OCD wanted to see a slash in front of the partition name and I had modified the awk to add it, but had given up on the xargs to modify things outside of /Common.  It wasn't until I went to show the error to a peer, Chad T., that I discovered I had stumbled upon the proper syntax, and realized I could simplify the instructions quite a bit.



Where I would love some help from the community would be on ways to crawl the iApps to quickly disable Strict Updates.  The xargs commands to modify/delete objects associated with an iApp will fail if the default setting of "Strict Updates" is enabled.

 

Hope this helps,

Carl
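
An added example, not part of the original post or the F5 knowledge article: a dry-run form of the pipeline above that prints the `tmsh modify` commands for review and approval instead of executing them, and names the profile actually attached to each virtual server (the grep also matches `wom-tcp-lan-optimized`, while the delete clause names only `wam-tcp-lan-optimized`). The sample listing is constructed; its one-line layout and the full-path form used for the deleted profile are assumptions.

```bash
#!/usr/bin/env bash
# Added example: print the planned tmsh changes instead of running them.

# Constructed sample of `list ltm virtual recursive one-line` output. The
# layout is an assumption based on the post: word 3 is partition/name.
sample_virtuals() {
cat <<'EOF'
ltm virtual Common/vs_web { destination Common/10.0.0.10:80 profiles { Common/http { } Common/wam-tcp-lan-optimized { context serverside } Common/wam-tcp-wan-optimized { context clientside } } }
ltm virtual Tenant_A/vs_api { destination Tenant_A/10.0.1.10:443 profiles { Common/tcp { context clientside } Common/wom-tcp-lan-optimized { context serverside } } }
ltm virtual Tenant_B/shop.app/shop_vs { destination Tenant_B/10.0.2.10:80 profiles { Common/http { } Common/wam-tcp-lan-optimized { context serverside } } }
ltm virtual Common/vs_clean { destination Common/10.0.0.20:80 profiles { Common/f5-tcp-lan { context serverside } Common/f5-tcp-wan { context clientside } } }
EOF
}

# One "tmsh modify" line per attached wam/wom LAN profile, naming the profile
# that is really on the virtual server rather than a hard-coded one.
plan_lan_profile_swap() {
  awk '
    $1 == "ltm" && $2 == "virtual" {
      vs = $3; sub("^/+", "", vs); vs = "/" vs      # exactly one leading slash
      for (i = 4; i <= NF; i++) {
        # Last path component must be w[ao]m-tcp-lan-optimized, nothing else.
        if ($i ~ "(^|/)w[ao]m-tcp-lan-optimized$") {
          old = $i; sub("^/+", "", old); old = "/" old
          printf "tmsh modify ltm virtual %s profiles add { f5-tcp-lan { context serverside } } profiles delete { %s }\n", vs, old
        }
      }
    }'
}

# Virtual server names only, for the change ticket.
affected_virtuals() { plan_lan_profile_swap | awk '{print $5}' | sort -u; }

sample_virtuals | plan_lan_profile_swap
```

On a BIG-IP the input would come from `tmsh -c 'cd /; list ltm virtual recursive one-line'` in place of `sample_virtuals`; the printed lines can be attached to the change request and run only after review.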


  • iApp TMSH Building blocks

    In order to make the changes for any iApps via TMSH, admins might need to either reconfigure via the GUI, OR disable strict-updates to allow the scripts to make the changes.

    The GUI for iApps hides this setting in each iApp, under the advanced properties, so once again bash and tmsh can get us the answers we need very fast.

    Discovery/inventory

    #show deployed iApps that have strict-updates enabled
    #Because this is a default setting, we have to look at all-properties.
    tmsh -c 'cd /; list sys application service recursive one-line all-properties' | grep -E "strict-updates enabled" | awk '{ print "/" $4 }'

     

    #show deployed iApps that have strict-updates disabled
    #While we do not need the all-properties option, we will keep it for consistency.
    tmsh -c 'cd /; list sys application service recursive one-line all-properties' | grep -E "strict-updates disabled" | awk '{ print "/" $4 }'

    Now this part is where with great power comes great responsibility.  Once an iApp has been modified outside of the reconfigure GUI, you can never update the template used by the iApp and you can no longer use the reconfigure GUI, because that will overwrite any customizations made.

    This is not the final form for the knowledge article, but here is how we can disable strict-updates for all deployed iApps that have this set.

    #modify all deployed iApps to allow scripts to change objects
    tmsh -c 'cd /; list sys application service recursive one-line all-properties' | grep -E "strict-updates enabled" | awk '{ print "/" $4 }' | xargs -t -I iAppname tmsh modify sys application service iAppname strict-updates disabled
    

     

  • Identifying the iApp name or names that contain a specific setting that needs to be changed and then building a modify statement takes a few steps that usually involve setting a variable or two.

    In this example from the article, I am looking for specific known values (wam-tcp-lan-optimized, etc) and then we add more values to the string by using tmsh with grep that is then cleaned up with awk, tr and sed.

    PROFILES="wam-tcp-lan-optimized|wam-tcp-wan-optimized|wom-tcp-lan-optimized|wom-tcp-wan-optimized|"$(tmsh -c 'cd /; list ltm profile recursive one-line' | grep -E "defaults-from.*(wam|wom|webacceleration)" | awk '{print $4}' | tr '\n' '|' | sed '$s/.$/\n/') 

    awk is grabbing the fourth "word", then tr is replacing the newline character with a grep friendly pipe character and sed is replacing the last character with a new line character.
    Now we have a string that is formatted to pass into a grep statement to look for any of these values in a larger set of data.

    Now we want to grab virtual server names that are associated with iApps and use profiles that we found earlier. The attribute that is set in all objects which ties them into an iApp is the app-service (in the GUI this is shown as Application) setting.  By default that is set to a value of none, so we can have grep eliminate those lines.  Note that the awk command is grabbing the 10th word as the app-service name is a bit deeper in the config line.

    inScopeiApp=$(tmsh -c 'cd /; list ltm virtual recursive one-line all-properties' | grep -E "(profiles.*($PROFILES))" | grep -v "app-service none" | awk '{print $10 }' | tr '\n' '|' | sed '$s/.$/\n/')
    

     

    Now we can look at the iApps on the device, filter on the ones we just found, as well as filtering based on the status of the Strict Updates (in the conf files and tmsh output this is shown as strict-updates) setting.

    tmsh -c 'cd /; list sys application service recursive one-line all-properties' | grep -E "strict-updates enabled" | awk '{ print "/" $4 }' | grep -E $inScopeiApp 

     

    Now that you have that list of iApps, you can pipe that to xargs and modify the settings as you see fit. In the previous comment here I have a command that disables strict on every iApp, which is likely not a good thing to do.  Now you know how to filter that list down to just the ones that you are interested in.
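
An added example, not part of the original comments or the knowledge article: the scoping step done with exact name matching instead of a `|`-joined regex, so that the `.` in `name.app` is not treated as a wildcard, a name cannot match as a substring of a longer one, and an empty in-scope list selects nothing. All names are constructed, and the helper functions `normalize_names` and `scope_iapps` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: scope iApps by exact name before anything reaches xargs.

# Constructed app-service values, as the awk '{print $10}' step might return
# them. Duplicates are normal: one iApp can own several virtual servers.
sample_app_services() {
  printf '%s\n' /Tenant_B/shop.app/shop /Tenant_B/shop.app/shop Common/crm.app/crm
}

# Constructed iApp names that currently have strict-updates enabled.
sample_strict_enabled() {
  printf '%s\n' /Common/crm.app/crm /Common/crm.app/crm2 \
    /Tenant_B/shop.app/shop /Tenant_B/shopXapp/shop /Common/wiki.app/wiki
}

# One name per line on stdin -> unique names, each with exactly one leading
# slash, blank lines dropped.
normalize_names() {
  sed -e 's#^/*#/#' -e '/^\/$/d' | sort -u
}

# scope_iapps "<newline-separated in-scope names>", candidates on stdin.
# Prints candidates that exactly equal an in-scope name. Returns 2 and prints
# nothing when the in-scope list is empty, so an empty filter can never
# select every iApp on the box.
scope_iapps() {
  scope_want=$(printf '%s\n' "$1" | normalize_names)
  if [ -z "$scope_want" ]; then
    echo "in-scope list is empty; refusing to select anything" >&2
    return 2
  fi
  WANT="$scope_want" awk '
    BEGIN { n = split(ENVIRON["WANT"], a, "\n"); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    { name = $0; sub("^/+", "", name); name = "/" name; if (name in want) print name }'
}

sample_strict_enabled | scope_iapps "$(sample_app_services)"
```

With the constructed input, `/Common/crm.app/crm2` and `/Tenant_B/shopXapp/shop` are left out, whereas a regex alternation built from the same two names would have matched both.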