Craigus_200691
Feb 25, 2016

No AD authentication after upgrading to BigIP-V12HF1

Hi,

 

I am in the middle of an upgrade of our BigIP units (HA pair) from 11.6HF4 to 12HF1.

The units have taken the previous configuration and did so without any errors. Post upgrade, we are unable to log into the units with our AD credentials, only with the local admin account.

Has anyone experienced this before, and if so, how do I get round it?

 

Thanks

 

5 Replies

  • Necroposting this years later. I recently had this issue, upgrading from 13.x to 14.x. From tmsh I enabled the admin user: modify auth user admin prompt-for-password

     

    Once I logged in to the GUI as admin, I could manually re-add the users for the GUI. This is not optimum. I am working with support now for a resolution.

     

  • wlopez

    Were you originating AD authentication from the management port before the upgrade?

     

    I've seen cases on earlier versions where administrative traffic that was previously being originated from the management port started using the service interfaces on the default route on the default routed domain %0 after the upgrade, instead of the default route on the management interface.

     

    Have you done any packet captures to see the F5 attempts to connect to AD?

     

    If you do the captures and validate that's the situation, you can use this article:

     

    https://support.f5.com/csp/article/K13284

     

  • Thanks for the answer. I did a capture and sent it to support, have not yet heard back. I can look at the management port on the one that is online (this is a HA pair):

     

    root@(dc2-bigip-test)(cfg-sync Disconnected)(Active)(/Common)(tmos) list /sys management-ip
    sys management-ip 10.10.29.60/24 {
        description configured-statically

     

    And this is the management port of the one that is offline (that we are working on).

     

    root@(dc1-bigip-test)(cfg-sync Disconnected)(ForcedOffline)(/Common)(tmos) list /sys management-ip
    sys management-ip 10.10.29.59/24 {
        description configured-statically
    }

     

    So, they at least exist! Looking at the pcap file I generated/sent, I can at least see LDAP communication between our BigIP and the domain controller (for our AD) that says, "success".

     

    • ssmbs_284761

      I did just now hear back from support:

       

      The BIG-IP is using TMM interfaces to communicate to the configured LDAP AD servers and we don't see any issue in terms of connectivity between them.

       

      It seems that is not the problem, but thanks for the information.