Forum Discussion
Boot into the upgraded partition.
Log in via SSH.
From the bash prompt, run:
# tmsh load sys config verify
This should show the config element that is causing the config load error.
- Subrun | Mar 01, 2020 | Cirrostratus
It shows output similar to the below when I boot with an unsuccessful load:
[admin@F5_Box_1:Offline:Disconnected] ~ # tmsh load sys config verify
Validating system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_oauth_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/ips_base.conf
/var/libdata/ips/ips_update.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
/defaults/cipher.conf
/defaults/ilx_base.conf
Validating configuration...
Loading schema version: 13.1.0.5
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13348]: Re-starting tmm
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13348]: Re-starting tmm
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13357]: Re-starting tmm1
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13357]: Re-starting tmm1
/config/bigip_script.conf
Loading schema version: 14.1.0.6
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13366]: Re-starting tmm2
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13366]: Re-starting tmm2
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13375]: Re-starting tmm3
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13375]: Re-starting tmm3
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13384]: Re-starting tmm4
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13384]: Re-starting tmm4
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13393]: Re-starting tmm5
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13393]: Re-starting tmm5
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13402]: Re-starting tmm6
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13402]: Re-starting tmm6
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13411]: Re-starting tmm7
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13411]: Re-starting tmm7
01070311:3: Ciphers list '!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED' for profile /Common/serverssl-insecure-compatible denies all clients
Unexpected Error: Validating configuration process failed.
[admin@F5_Box_1:INOPERATIVE:Disconnected] ~ #
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:08 AST):
logger[14393]: Re-starting tmm
2020 Mar 1 10:11:08 F5_Box_1.emera.root.local logger[14393]: Re-starting tmm
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14402]: Re-starting tmm1
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14402]: Re-starting tmm1
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14411]: Re-starting tmm2
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14411]: Re-starting tmm2
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14420]: Re-starting tmm3
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14420]: Re-starting tmm3
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14429]: Re-starting tmm4
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14429]: Re-starting tmm4
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14438]: Re-starting tmm5
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14438]: Re-starting tmm5
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14447]: Re-starting tmm6
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14447]: Re-starting tmm6
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14456]: Re-starting tmm7
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14456]: Re-starting tmm7
- Subrun | Mar 01, 2020 | Cirrostratus
Is it because of the following error? Just note that this SSL profile is not explicitly called anywhere by us.
01070311:3: Ciphers list '!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED' for profile /Common/serverssl-insecure-compatible denies all clients
Unexpected Error: Validating configuration process failed.
- Simon_Blakely | Mar 01, 2020 | Employee
This could be a problem, but it looks like tmm is restarting as well, which I wouldn't expect if this was just a config load issue.
I recommend raising a Support case with F5. They can assist with the validation issue, and then further diagnose a tmm restart issue if that is still occurring.
If you don't want to do that, then the solution is quite complex ...
/Common/serverssl-insecure-compatible is a default profile, but (like all default profiles) it can be modified. If it has been modified, then after an upgrade some assumptions about the contents of the default profiles can cause configuration conflicts like this one.
The solution requires editing the /config/bigip.conf configuration file, and removing the config definition stanzas for any default profiles. This needs to be done carefully, as making an error when editing the bigip.conf could cause further configuration load issues.
Also, unilaterally deleting a modified default profile may change the configuration for Virtual Servers, causing unintended problems with website security and functionality. It is best to make such changes under the direction of F5 Support who can review the config and make suggestions that allow for safe modification of the config.
If you want to try this yourself, you need to find the config stanza for /Common/serverssl-insecure-compatible in /config/bigip.conf.
It will look something like:
ltm profile server-ssl serverssl-insecure-compatible { ciphers !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED defaults-from /Common/serverssl ... }
It may not be there, in which case the modified default profile will be the parent profile, /Common/serverssl.
This looks like:
ltm profile server-ssl serverssl { ... }
Modify the profile name to my-serverssl:
ltm profile server-ssl my-serverssl { ... }
In the bigip.conf, change all references to serverssl to my-serverssl in virtual servers and server-ssl profiles.
There are also per-partition bigip.conf files in /config/partitions/<partition name>.
It is a pretty easy job if you know how to read the bigip config files, but it is also very easy to get it wrong and end up with a config that will not load.
As I said, I recommend getting F5 Support to assist ...
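An added example, not part of the original post and not F5 tooling: a read-only audit to run over a copy of a config file before hand-editing it as described above. It lists each server-ssl stanza with its cipher settings and parent, flags the ones carrying a literal cipher string, and finds every line that references a profile so a rename does not leave a dangling reference. The sample config is constructed, modeled on the stanza syntax shown in this thread; on a real system the text would come from /config/bigip.conf and the per-partition files.

```python
import re

# Constructed sample in bigip.conf stanza syntax (not from the poster's device).
SAMPLE_CONF = """\
ltm profile server-ssl /Common/serverssl-insecure-compatible {
    ciphers !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED
    defaults-from /Common/serverssl
}
ltm profile server-ssl /Common/my-serverssl {
    cipher-group /Common/f5-default
    ciphers none
    defaults-from /Common/serverssl
}
ltm virtual /Common/vs_app {
    profiles {
        /Common/serverssl-insecure-compatible {
            context serverside
        }
    }
}
"""

STANZA = re.compile(r"^ltm profile server-ssl (\S+) \{", re.M)
KEYS = ("ciphers", "cipher-group", "defaults-from")

def server_ssl_profiles(conf):
    """Return {profile name: {key: value}} for every server-ssl stanza."""
    found = {}
    for m in STANZA.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):   # brace-match to the end of the stanza
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        attrs = {}
        for line in conf[m.end():i - 1].splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in KEYS:
                attrs[parts[0]] = parts[1].strip()
        found[m.group(1)] = attrs
    return found

def explicit_cipher_strings(conf):
    """Profiles that set a literal cipher string instead of 'ciphers none'."""
    return sorted(name for name, a in server_ssl_profiles(conf).items()
                  if a.get("ciphers", "none") != "none")

def references(conf, name):
    """1-based line numbers that mention the profile, excluding stanza headers."""
    pat = re.compile(r"(?<![\w/.-])" + re.escape(name) + r"(?![\w.-])")
    return [n for n, line in enumerate(conf.splitlines(), 1)
            if pat.search(line) and not STANZA.match(line)]
```

The name match in `references` is anchored on both sides, so searching for /Common/serverssl does not also hit /Common/serverssl-insecure-compatible.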
- Subrun | Jul 12, 2020 | Cirrostratus
Your example of ltm profile server-ssl serverssl-insecure-compatible has a CIPHERS entry, which I do not have.
My server-insecure-compatible entry is as below:
ltm profile server-ssl /Common/serverssl-insecure-compatible {
app-service none
cipher-group /Common/f5-default
ciphers none
defaults-from /Common/serverssl-newdefault
secure-renegotiation request
serverssl-newdefault is a profile I created, where I set serverssl as the parent profile. Both have the cipher entry as:
cipher-group /Common/f5-default
ciphers none
But I still got the below error when I tried to patch to the new code and ran the below command while it was booted with the new code, where the GUI says the config did not load properly.
[Host:Offline:Disconnected] ~ # tmsh load sys config verify
Validating system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_oauth_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/ips_base.conf
/var/libdata/ips/ips_update.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
/defaults/cipher.conf
/defaults/ilx_base.conf
Validating configuration...
Loading schema version: 13.1.0.5
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
/config/bigip_script.conf
Loading schema version: 14.1.0.6
01070311:3: Ciphers list '!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED' for profile /Common/serverssl-insecure-compatible denies all clients
Unexpected Error: Validating configuration process failed.