19-Jan-2020 07:50
Hello,
While doing a code upgrade for an HA F5, when I boot with the new code it shows "The Configuration not yet loaded, if this message persists, it may indicate a configuration problem". I started with the standby node first, after license reactivation, and it shows said message.
If I roll back to the old code, the device comes back normally.
What could be the problem? I have attached a couple of screenshots related to the problem.
What is the available size required for version 14.1.0.6? Just note that the existing code is 13.1.0 and I was trying to upgrade to 14.1.0.
19-Jan-2020 12:04
Boot into the upgraded partition.
Log in via ssh
From the bash prompt, run
# tmsh load sys config verify
This should show the config element that is causing the config load error.
01-Mar-2020 06:21
It shows output similar to the below when I boot with the unsuccessful load:
[admin@F5_Box_1:Offline:Disconnected] ~ # tmsh load sys config verify
Validating system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_oauth_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/ips_base.conf
/var/libdata/ips/ips_update.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
/defaults/cipher.conf
/defaults/ilx_base.conf
Validating configuration...
Loading schema version: 13.1.0.5
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13348]: Re-starting tmm
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13348]: Re-starting tmm
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13357]: Re-starting tmm1
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13357]: Re-starting tmm1
/config/bigip_script.conf
Loading schema version: 14.1.0.6
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13366]: Re-starting tmm2
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13366]: Re-starting tmm2
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13375]: Re-starting tmm3
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13375]: Re-starting tmm3
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13384]: Re-starting tmm4
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13384]: Re-starting tmm4
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13393]: Re-starting tmm5
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13393]: Re-starting tmm5
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13402]: Re-starting tmm6
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13402]: Re-starting tmm6
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:10:48 AST):
logger[13411]: Re-starting tmm7
2020 Mar 1 10:10:48 F5_Box_1.emera.root.local logger[13411]: Re-starting tmm7
01070311:3: Ciphers list '!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED' for profile /Common/serverssl-insecure-compatible denies all clients
Unexpected Error: Validating configuration process failed.
[admin@F5_Box_1:INOPERATIVE:Disconnected] ~ #
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:08 AST):
logger[14393]: Re-starting tmm
2020 Mar 1 10:11:08 F5_Box_1.emera.root.local logger[14393]: Re-starting tmm
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14402]: Re-starting tmm1
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14402]: Re-starting tmm1
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14411]: Re-starting tmm2
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14411]: Re-starting tmm2
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14420]: Re-starting tmm3
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14420]: Re-starting tmm3
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14429]: Re-starting tmm4
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14429]: Re-starting tmm4
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14438]: Re-starting tmm5
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14438]: Re-starting tmm5
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14447]: Re-starting tmm6
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14447]: Re-starting tmm6
Broadcast message from systemd-journald@F5_Box_1.emera.root.local (Sun 2020-03-01 10:11:09 AST):
logger[14456]: Re-starting tmm7
2020 Mar 1 10:11:09 F5_Box_1.emera.root.local logger[14456]: Re-starting tmm7
01-Mar-2020 08:05
Is it because of the following error? Just note that we have not called this SSL profile explicitly anywhere.
01070311:3: Ciphers list '!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED' for profile /Common/serverssl-insecure-compatible denies all clients
Unexpected Error: Validating configuration process failed.
01-Mar-2020 12:35
This could be a problem, but it looks like tmm is restarting as well, which I wouldn't expect if this was just a config load issue.
I recommend raising a Support case with F5. They can assist with the validation issue, and then further diagnose a tmm restart issue if that is still occurring.
If you don't want to do that, then the solution is quite complex ...
/Common/serverssl-insecure-compatible is a default profile, but (like all default profiles) it can be modified. If it has been modified, then after an upgrade some assumptions about the contents of the default profiles can cause configuration conflicts like this one.
The solution requires editing the /config/bigip.conf configuration file, and removing the config definition stanzas for any default profiles. This needs to be done carefully, as making an error when editing the bigip.conf could cause further configuration load issues.
Also, unilaterally deleting a modified default profile may change the configuration for Virtual Servers, causing unintended problems with website security and functionality. It is best to make such changes under the direction of F5 Support who can review the config and make suggestions that allow for safe modification of the config.
If you want to try this yourself, you need to find the config stanza for /Common/serverssl-insecure-compatible in /config/bigip.conf. It will look something like:
ltm profile server-ssl serverssl-insecure-compatible {
    ciphers !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED
    defaults-from /Common/serverssl
    ...
}
It may not be there, in which case the modified default profile will be the parent profile, /Common/serverssl. This looks like:
ltm profile server-ssl serverssl {
    ...
}
Modify the profile name to my-serverssl:
ltm profile server-ssl my-serverssl {
    ...
}
In the bigip.conf, change all references to serverssl to my-serverssl in virtual servers and server-ssl profiles.
There are also per-partition bigip.conf files in /config/partitions/<partition name>
It is a pretty easy job if you know how to read the bigip config files, but it is also very easy to get it wrong and end up with a config that will not load.
As I said, I recommend getting F5 Support to assist ...
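The lookup described in the reply above, as an added example that is not part of the original post and is not F5 tooling: a read-only shell audit that lists every "ltm profile server-ssl" stanza with its parent and cipher settings, and finds the lines a rename would have to touch. The function names and the sample config are constructed for illustration; on a device the inputs would be /config/bigip.conf and the per-partition bigip.conf files.

```shell
# Added example: read-only audit of server-ssl profiles in BIG-IP config files.
# list_serverssl FILE...: one line per "ltm profile server-ssl" stanza, as
#   file:line name parent=<defaults-from> ciphers=<..> cipher-group=<..>
# Assumes braces appear only as stanza delimiters, not inside quoted values.
list_serverssl() {
    awk 'FNR == 1 { depth = 0; name = "" }
    depth == 0 && ($1 " " $2 " " $3) == "ltm profile server-ssl" {
        name = $4; at = FILENAME ":" FNR; par = ciph = grp = "-" }
    depth == 1 && $1 == "defaults-from" { par = $2 }
    depth == 1 && $1 == "ciphers"       { ciph = $2 }
    depth == 1 && $1 == "cipher-group"  { grp = $2 }
    { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
    depth == 0 && name != "" {
        print at, name, "parent=" par, "ciphers=" ciph, "cipher-group=" grp
        name = "" }' "$@"
}

# list_refs NAME FILE...: lines naming profile NAME (bare or /Common/NAME) as a
# whole token, skipping "ltm profile" headers: what a rename would have to touch.
list_refs() {
    prof=$1; shift
    awk -v n="$prof" '$1 == "ltm" && $2 == "profile" { next }
    { for (i = 1; i <= NF; i++) if ($i == n || $i == "/Common/" n) {
          sub(/^[ \t]+/, ""); print FILENAME ":" FNR ": " $0; break } }' "$@"
}

# Constructed sample config, not taken from any real device.
sample_conf() {
    cat <<'EOF'
ltm profile server-ssl /Common/serverssl-insecure-compatible {
    ciphers !EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED
    defaults-from /Common/serverssl
}
ltm profile server-ssl /Common/app1-serverssl {
    cipher-group /Common/f5-default
    ciphers none
    defaults-from /Common/serverssl-insecure-compatible
}
ltm virtual /Common/vs_app1 {
    profiles {
        /Common/app1-serverssl {
            context serverside
        }
    }
}
EOF
}
conf=$(mktemp) && sample_conf > "$conf"
list_serverssl "$conf"; list_refs serverssl-insecure-compatible "$conf"; rm -f "$conf"
```

Matching whole tokens rather than substrings keeps a search for serverssl from also reporting serverssl-insecure-compatible, which matters when deciding which references to change.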
12-Jul-2020 06:27
Your example of ltm profile server-ssl serverssl-insecure-compatible has a CIPHERS entry, which I do not have.
My serverssl-insecure-compatible entry is as below:
ltm profile server-ssl /Common/serverssl-insecure-compatible {
app-service none
cipher-group /Common/f5-default
ciphers none
defaults-from /Common/serverssl-newdefault
secure-renegotiation request
serverssl-newdefault is a profile I created, where I set serverssl as the parent profile. Both have the cipher entries as:
cipher-group /Common/f5-default
ciphers none
But I still got the error below when I tried to patch to the new code and ran the command below while it was booted with the new code, where the GUI says the config did not load properly.
[Host:Offline:Disconnected] ~ # tmsh load sys config verify
Validating system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_oauth_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/ips_base.conf
/var/libdata/ips/ips_update.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
/defaults/cipher.conf
/defaults/ilx_base.conf
Validating configuration...
Loading schema version: 13.1.0.5
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
/config/bigip_script.conf
Loading schema version: 14.1.0.6
01070311:3: Ciphers list '!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:ECDHE+AES:ECDHE+3DES:@SPEED' for profile /Common/serverssl-insecure-compatible denies all clients
Unexpected Error: Validating configuration process failed.
27-Jan-2020 10:12
Hello,
I actually rolled back, and to try that command I need a maintenance window. However, I ran the same during pre-upgrade and actually had one error. But I overlooked that, as I do not have any active VIP running for that reference. Does this stop me from loading the new code? And I am actually copying the config from the old volume to the new volume.
[User@F5_Peer :Active:In Sync] ~ # tmsh load /sys config verify
Validating system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_oauth_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/ips_base.conf
/var/libdata/ips/ips_update.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
/defaults/cipher.conf
/defaults/ilx_base.conf
Validating configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
/config/bigip_script.conf
01070734:3:Configuration error: Can't associate firewall policy (/Common/Host.Domain.com.app/Host.Domain.com_firewall) folder does not exist
Unexpected Error: Validating configuration process failed.
29-Jan-2020 14:25
I would open a support case and ask that an engineer be available to assist during your scheduled maintenance window. I've had a similar issue happen and it ended up taking some time to resolve with the tech's assistance.
29-Jan-2020 21:41
Can you try with partition all verify... It looks like you have partitions across and the config fails to load others and it stops verify.