Forum Discussion
Zuke
Cirrostratus
CirrostratusRestoring VCMP guest from UCS
I'm recreating a VCMP guest from a UCS. This is a new virtual disk on the host. I followed the steps to reset the master key. After uploading the UCS and issuing "load sys ucs archive.ucs include-chassis-level-config reset-trust" the process errors out:
load_config_files[8300]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Unexpected Error: Loading configuration process failed.
2021 Jun 9 15:38:40 bigip1 load_config_files[8300]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Jun 9 15:38:40 bigip1 emerg load_config_files[8300]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Jun 9 15:38:40 bigip1 err mcpd[5935]: 01070422:3: Base configuration load failed.
Jun 9 15:38:44 bigip1 info install_ucs.pm[32165]: Configuration loading error: base-config-load-failed
Jun 9 15:38:48 bigip1 notice logger[9127]: /bin/sh /usr/lib/csyncd/reloadnamed.sh /var/named/config/named.conf change ==> /bin/bigstart start zrd
Jun 9 15:39:01 bigip1 info install_ucs.pm[32165]: ERROR: UCS installation failed.
Jun 9 15:39:01 bigip1 err tmsh[12777]: 01110001:3: Error running config install
I opened a ticket with F5 support and Peter (from London) helped me out.
The procedure I was using to reset the master key was to issue the command "tmsh modify sys crypto master-key prompt-for-password" and then use the hash from the guest as the password. The correct procedure is to use "f5mku -r <hash>" on the new guest. After doing that, the UCS file was able to load.
Additionally some cool optimizations that I learned from Peter that really helped with the performance of AVR and the GUI:
tmsh modify sys db avr.stats.internal.maxentitiespertable value 1024
tmsh modify sys db provision.extramb value 2048;tmsh save sys config
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.tomcat.extramb value 100
spalandeNacreous
- Recently during our BCP process I encountered the same and reboot fixed it. Did you already try a reboot? Also, do you need to issue no-license no-platform-check as well?
ZukeThanks Sanjay. Unfortunately rebooting the guest isn't the fix in this situation. The UCS wouldn't load at all, the guest would be in an INOPERATIONAL state, and I'd delete and recreate the guest.
- Zuke
I opened a ticket with F5 support and Peter (from London) helped me out.
The procedure I was using to reset the master key was to issue the command "tmsh modify sys crypto master-key prompt-for-password" and then use the hash from the guest as the password. The correct procedure is to use "f5mku -r <hash>" on the new guest. After doing that, the UCS file was able to load.
Additionally some cool optimizations that I learned from Peter that really helped with the performance of AVR and the GUI:
tmsh modify sys db avr.stats.internal.maxentitiespertable value 1024
tmsh modify sys db provision.extramb value 2048;tmsh save sys config
tmsh modify sys db restjavad.useextramb value true
tmsh modify sys db provision.tomcat.extramb value 100
mouloudNimbostratus
Hello Zuke,
I have the same issue... Can you please detail how to use the procedure "f5mku -r <hash>"
Thanks in advance
- Albert_Coll
Cirrus
I also came across the problem "Symmetric Unit Key decrypt failure" when uploading the ucs file when attempting to move a config in V15.1.7 from a LTM vcmp guest to another. But this provided solution didn't work for me.
Fortunately I solved it after applying BOTH workarounds: K08689542 AND K36822000
1) Edit file /config/bigip_base.conf and comment out the line key M$Mxxxxxxxxxxxxxxxx after the line "set dynad key" by setting a '#' char to the left. AND ALSO:
2) Edit file /config/bigip.conf and comment out all lines containing $M$ passwords encrypted for user accounts.
After modifying BOTH files as described, the command tmsh load sys config completed up successfully.
- Albert_Coll
I also came across the problem "Symmetric Unit Key decrypt failure" when uploading the ucs file V15.1.7. But this provided solution didn't work for me.