Pstryk_372935
Oct 18, 2018

Sync failed: ClientSSL profile (/Common/clientssl) cannot get its defaults from ()

After some config changes (also in clientssl), I want to sync, but it looks like it does not work:

Sync Failed
A validation error occurred while syncing to a remote device

Sync error on DCLB01: Load failed from /Common/DCLB02 01071a12:3: ClientSSL profile (/Common/clientssl) cannot get its defaults from (), as it doesn't exist.

Recommended action: Review the error message and determine corrective action on the device

I've tried to revert all changes in the clientssl profile, but it does not work. I've tried to overwrite the config from the second device in the HA group, but it doesn't work either.

Any help much appreciated.

  • What does the following return?

    tmsh list ltm profile client-ssl clientssl defaults-from
    
  • Thank you for reply.

    [root@DCLB02:Active:Sync Failed] config # tmsh list ltm profile client-ssl clientssl defaults-from
    ltm profile client-ssl clientssl {
        defaults-from none
    }
    
    
    
    
    [root@DCLB01:Standby:Sync Failed] config # tmsh list ltm profile client-ssl clientssl defaults-from
    ltm profile client-ssl clientssl {
        defaults-from none
    }
    

    Hope that helps

  • Looking through some case notes, there's only a small mention of this error message. Two questions:

     

    • What hardware and software versions are you on?
    • Are you deploying applications via iApps, and if so, do you see any "tmp" folders in /var/config/rest/iapps?

    In any case, you'll very likely need to open a support case for this one.

     

  • It's a VM. BIG-IP 14.0.0.1 Build 0.0.2 Point Release 1. Yes, via iApps. The folder contains only an RPMS folder (which is empty).

     

    It was a working config until I made some changes in clientssl directly and in some SSL profiles for some sites.

     

    I've seen that it's better to have one more template in between, and not to touch clientssl.

     

    Is there a way to clean up clientssl, maybe? I think I reverted all changes, but it won't work either.

     

    Probably I will open support case later today.

     

    Thank you for your time.

     

  • I did as instructed in the other article. I promise I won't touch the parent profile 😉

    But no luck.

    After I deleted the profile from the file, it wasn't synced from the other.

    I've tried to manually copy the profile from the working machine, and I'm getting an error after

    tmsh load /sys config

    01071a12:3: ClientSSL profile (/Common/clientssl) cannot get its defaults from (), as it doesn't exist.
    Unexpected Error: Loading configuration process failed.
    

    So it looks the same.

    Where (how) can I get a "clean" clientssl profile for my "BIG-IP 14.0.0.1 Build 0.0.2 Point Release 1"?

    Maybe I can try to just copy/paste a clean profile to get it to work?

  • Here's what the parent clientssl profile looks like in 14.0.0.1:

    root@(bigip1)(cfg-sync Standalone)(TimeLimitedModules::Active)(/Common)(tmos) list ltm profile client-ssl clientssl
    ltm profile client-ssl clientssl {
        alert-timeout indefinite
        allow-dynamic-record-sizing disabled
        app-service none
        authenticate once
        authenticate-depth 9
        ca-file none
        cache-size 262144
        cache-timeout 3600
        cert default.crt
        cert-extension-includes { basic-constraints subject-alternative-name }
        cert-key-chain {
            default {
                cert default.crt
                key default.key
            }
        }
        chain none
        cipher-group none
        ciphers DEFAULT
        client-cert-ca none
        crl-file none
        handshake-timeout 10
        inherit-ca-certkeychain false
        inherit-certkeychain false
        key default.key
        maximum-record-size 16384
        mod-ssl-methods disabled
        mode enabled
        options { dont-insert-empty-fragments no-tlsv1.3 }
        passphrase none
        peer-cert-mode ignore
        peer-no-renegotiate-timeout 10
        renegotiate-max-record-delay indefinite
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        secure-renegotiation require
        strict-resume disabled
        unclean-shutdown enabled
    }
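
Added example, not part of any post in this thread and not F5 code: a small Python parser that flattens `list ltm profile client-ssl` output and reports which settings differ between two captures, for instance a device's profile against the 14.0.0.1 parent profile quoted above. `REFERENCE` is an excerpt of that listing; the `CANDIDATE` stanza and the function names are constructed for illustration.

```python
import re

def parse_stanza(text):
    """Flatten one tmsh stanza into {"nested.key.path": "value"}."""
    flat, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":                      # end of a nested block
            if stack:
                stack.pop()
            continue
        inline = re.fullmatch(r"(\S+) \{ (.*) \}", line)
        if inline:                           # one-line set: options { a b }
            key = inline.group(1)
            value = " ".join(sorted(inline.group(2).split()))
        elif line.endswith("{"):             # start of a nested block
            stack.append(line[:-1].strip())
            continue
        else:                                # plain "key value" pair
            key, _, value = line.partition(" ")
        # stack[0] is the "ltm profile ..." header; drop it so that
        # stanzas for differently named profiles stay comparable.
        flat[".".join(stack[1:] + [key])] = value
    return flat

def drift(reference, candidate):
    """Return {key: (reference_value, candidate_value)} for every difference."""
    ref, cand = parse_stanza(reference), parse_stanza(candidate)
    return {k: (ref.get(k), cand.get(k))
            for k in sorted(set(ref) | set(cand)) if ref.get(k) != cand.get(k)}

HEADER = "ltm profile client-ssl clientssl {\n"
KEYCHAIN = ("cert-key-chain {\n default {\n  cert default.crt\n"
            "  key default.key\n }\n}\n")
# Excerpt of the 14.0.0.1 parent profile listing quoted in the thread.
REFERENCE = HEADER + KEYCHAIN + (
    "ciphers DEFAULT\n"
    "options { dont-insert-empty-fragments no-tlsv1.3 }\n"
    "secure-renegotiation require\n}\n")
# Constructed sample: a profile whose settings were edited directly.
CANDIDATE = HEADER + KEYCHAIN + (
    "ciphers DEFAULT:!SSLv3\n"
    "options { dont-insert-empty-fragments }\n"
    "secure-renegotiation request\n}\n")

if __name__ == "__main__":
    for key, (want, got) in drift(REFERENCE, CANDIDATE).items():
        print(f"{key}: reference={want!r} device={got!r}")
```

Running the same comparison on stanzas saved from both HA peers shows whether the two units actually hold the same parent profile before a sync is attempted.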