For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

11 Replies

  • Hawary's avatar
    Hawary
    Icon for Altostratus rankAltostratus
    May 05, 2015

    Hi Seth, thank you for your answer. actually i tried to import the ucs file took from a device with 10.0.0 to a device with 11.5 without the license but it gave an error and the import failed. also i was planning to use the SCF file from the device with 10.0.0 and make the necessary changes and trying to put into the device with OS 11.5 and check. if it didn't work fine, my last step is to disable the HA between the devices running OS 10.0.0 and try to upgrade the secondary device into OS 11.5 and then i will take the configuration (either UCS or SCF) and copying it to the new devices. do you think that is there any other method we can replace the appliances other than that?again thank you for your help.

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    May 06, 2015

    actually i tried to import the ucs file took from a device with 10.0.0 to a device with 11.5 without the license but it gave an error and the import failed.

     

    if you can post output of tmsh load sys config command from 11.5 device, somebody here may know what the wrong is or, at least, give some suggestion.

     

    try to upgrade the secondary device into OS 11.5

     

    it is same as you restore 10.0.0 ucs file to 11.5 device.

     

  • Hawary's avatar
    Hawary
    Icon for Altostratus rankAltostratus
    May 07, 2015
    Hi Nitass,
thank you for your help, the output of running the command is as follows:

root@(hawary)(cfg-sync Standalone)(Active)(/Common)(tmos) load sys ucs F5-Beta-03-05-15.ucs no-license
Replace all configuration on the system? (y/n) y
Processing UCS file: /var/local/ucs/F5-Beta-03-05-15.ucs

Installing full UCS (10.0.0) data, excluding license file.
Saving active configuration...
tar: conf/ssl.crt/server.crt: time stamp 2015-05-06 11:17:54 is 9181 s in the future
tar: conf/ssl.crt: time stamp 2015-05-06 11:17:54 is 9181 s in the future
tar: conf/ssl.key/server.key: time stamp 2015-05-06 11:17:54 is 9181 s in the future
tar: conf/ssl.key: time stamp 2015-05-06 11:17:54 is 9181 s in the future
The hostname is set to xxx.xxxx
Extracting manifest: /var/local/ucs/F5-Beta-03-05-15.ucs
Product : BIG-IP
Platform: Z99
Version : UCS   : 10.0.0
          System: 11.3.0
Edition : UCS   : Hotfix HF2
          System: VE Trial 11.3.0-HF1 (based on BIGIP 11.3.0HF6)
Hostname: xxx.xxxx
Installing --full-- configuration on host xxx.xxxx
Installing configuration...
File latheefbundle.p12 of type "certificate" not rolled forward to file-object:the file is empty or contains             invalid data.
ATTENTION REQUIRED:
  Your previous configuration files have been archived, as listed
 below. If you customized any settings in these files before
upgrading, you will need to manually restore those changes by
 using the Configuration utility or Traffic Management Shell (tmsh).
 Archiving /config/wa/pvsystem.conf.10.0.0
Archiving /config/wa/pvsystem.dtd.10.0.0
 Archiving /config/wa/globalfragment.xml.10.0.0
Archiving /config/wa/transforms/common.zip.10.0.0
Post-processing...
Reloading License and configuration - this may take a few minutes...
Configuration loading error: base-config-load-failed
For additional details, please see messages in /var/log/ltm

WARNING: There were one or more errors detected during installation.
       Check the error messages and take the proper actions if needed.
ERROR: UCS installation failed.
Operation aborted.
root@(LB-Pri)(cfg-sync Standalone)(Active)(/Common)(tmos)

    what could be the issue?

    thank you for your help.

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    May 07, 2015

    what could be the issue?

    what do you get when running tmsh load sys config?

     tmsh load sys config
  • Hawary's avatar
    Hawary
    Icon for Altostratus rankAltostratus
    May 07, 2015

    i think " load sys config [ucs file]" have the same effect as "load sys ucs [ucs file]", am i right?

     

  • Hawary's avatar
    Hawary
    Icon for Altostratus rankAltostratus
    May 07, 2015

    the output is as follows:

    root@(hawary)(cfg-sync Standalone)(Active)(/Common)(tmos) load sys config file backupscf.scf
Replace the running configuration? (y/n) y
system configuration...
  /defaults/asm_base.conf
  /defaults/config_base.conf
 /defaults/low_profile_base.conf
 /defaults/wam_base.conf
 /defaults/analytics_base.conf
 /defaults/apm_saml_base.conf
  /defaults/app_template_base.conf
/defaults/classification_base.conf
  /defaults/daemon.conf
  /defaults/fullarmor_gpo_base.conf
  /defaults/profile_base.conf
 /defaults/security_base.conf
 /usr/share/monitors/base_monitors.conf
 /usr/local/gtm/include/gtm_base_region_isp.conf
  /usr/share/monitors/gtm_base_monitors.conf
Loading configuration...
  /var/local/scf/backupscf.scf
Syntax Error:(at line: 1) "provision" unexpected argument
root@(hawary)(cfg-sync Standalone)(Active)(/Common)(tmos)
  • Hawary's avatar
    Hawary
    Icon for Altostratus rankAltostratus
    May 07, 2015

    I hope that I understood what you mean exactly and got the right information. thank you in advance for your help. 

    [root@hawary:Active:Standalone] config 
[root@hawary:Active:Standalone] config  tmsh load sys ucs F5-Beta-03-05-15.ucs no-license
Processing UCS file: /var/local/ucs/F5-Beta-03-05-15.ucs

Installing full UCS (10.0.0) data, excluding license file.
Saving active configuration...
tar: conf/ssl.crt/server.crt: time stamp 2015-05-07 02:22:32 is 327 s in the future
tar: conf/ssl.crt: time stamp 2015-05-07 02:22:32 is 327 s in the future
tar: conf/ssl.key/server.key: time stamp 2015-05-07 02:22:32 is 327 s in the future
tar: conf/ssl.key: time stamp 2015-05-07 02:22:32 is 327 s in the future
The hostname is set to LB-Pri.sharjah.ac.ae
Extracting manifest: /var/local/ucs/F5-Beta-03-05-15.ucs
Product : BIG-IP
Platform: Z99
Version : UCS   : 10.0.0
         System: 11.3.0
Edition : UCS   : Hotfix HF2
         System: VE Trial 11.3.0-HF1 (based on BIGIP 11.3.0HF6)
Hostname: LB-Pri.sharjah.ac.ae
Installing --full-- configuration on host LB-Pri.sharjah.ac.ae
Installing configuration...
File latheefbundle.p12 of type "certificate" not rolled forward to file-object: the file is empty or contains   invalid data.
ATTENTION REQUIRED:
   Your previous configuration files have been archived, as listed
   below. If you customized any settings in these files before
   upgrading, you will need to manually restore those changes by
   using the Configuration utility or Traffic Management Shell (tmsh).
   Archiving /config/wa/pvsystem.conf.10.0.0
 Archiving /config/wa/pvsystem.dtd.10.0.0
 Archiving /config/wa/globalfragment.xml.10.0.0
  Archiving /config/wa/transforms/common.zip.10.0.0
Post-processing...
Reloading License and configuration - this may take a few minutes...
Configuration loading error: base-config-load-failed
For additional details, please see messages in /var/log/ltm

WARNING: There were one or more errors detected during installation.
      Check the error messages and take the proper actions if needed.
ERROR: UCS installation failed.
Operation aborted.
[root@LB-Pri:Active:Standalone] config  tmsh load sys config
Loading system configuration...
  /defaults/asm_base.conf
  /defaults/config_base.conf
  /defaults/low_profile_base.conf
  /defaults/wam_base.conf
  /defaults/analytics_base.conf
  /defaults/apm_saml_base.conf
  /defaults/app_template_base.conf
  /defaults/classification_base.conf
  /defaults/daemon.conf
 /defaults/fullarmor_gpo_base.conf
  /defaults/profile_base.conf
  /defaults/security_base.conf
  /usr/share/monitors/base_monitors.conf
Loading configuration...
  /config/bigip_base.conf
01070920:3: Application error for confpp: httpd: apr_sockaddr_info_get() failed for LB-Pri.sharjah.ac.ae
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Syntax OK
The certificate does not match the key.  To change them try 'tmsh modify sys httpd { ssl-certfile           /etc/httpd/conf/ssl.crt/server.crt ssl-certkeyfile /etc/httpd/conf/ssl.key/server.key }'
*************************************************************
May  7 13:19:57 LB-Pri.sharjah.ac.ae confpp[12913]: syntax check command FAILURE for unix_config_httpd  returned: '2304'
Shutting down ntpd: [  OK  ]
Starting ntpd: [  OK  ]

Unexpected Error: Loading configuration process failed.
[root@LB-Pri:Active:Standalone] config
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    May 07, 2015

    I hope that I understood what you mean exactly and got the right information.

     

    yes, you are right. it is what i want.

     

    The certificate does not match the key. To change them try 'tmsh modify sys httpd { ssl-certfile /etc/httpd/conf/ssl.crt/server.crt ssl-certkeyfile /etc/httpd/conf/ssl.key/server.key }'

     

    it seems httpd's certificate and key do not match. can you correct it? and then re-load configuration (tmsh load sys config).

     

    sol13349: Verifying SSL certificate and key pairs from the command line (11.x)

     

    https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13349.html

     

    sol14620: Managing SSL certificates for BIG-IP systems using the Configuration utility

     

    https://support.f5.com/kb/en-us/solutions/public/14000/600/sol14620.html

     

  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    Sep 02, 2015

    Hi

     

    I've experience the same problem and we can't do anything because httpd daemon not running even though we try to start it (include can't modify httpd cert or access configuration utility)

     

    Did you get the solution about this problem?

     

    Thank you