I’m trying to import a UCS file obtained from the existing device (i2800 v22.214.171.124) into the VE version V126.96.36.199, but it’s not going smoothly.
The command I execute during import is:
`load sys ucs [i2800 UCS File] no-license platform-migrate`
Upon checking the log (/var/log/ltm), I found the following errors:
I only need to verify the configurations from the old model; it’s acceptable if maxcore decreases. My goal is to successfully complete the load sys command. Any support on how to address these errors would be greatly helpful.
Thank you for your quick response! Since the old F5 is still in operation and we want to avoid elevating security risks for our clients, we would prefer not to migrate the master key. Is there a way to review the configurations without migrating the master key?
@igssv Migrating the master key will not cause any disruption on your existing F5. All you are doing for this is retrieving the master key value from the old F5s and then taking that key and configuring it on the new F5s. After that you should be able to import the configuration on the new F5s.
I successfully loaded the UCS. Thank you! However, now I'm unable to log in because the passwords for the root and admin accounts are unknown.
I have been referring to the URL https://my.f5.com/manage/s/article/K73551536. However, after booting in Single User Mode and running the `mount -a` command, nothing is mounted, and I can't use the `passwd` command.
Ideally, I’d like to reset the passwords and log in. Alternatively, I'm wondering if there is a way to load sys without importing the user account information.
Could you please help with the above? Thank you!
As expected, then. Without asking our client, we won't know the account information for the old F5 device. We were hoping to find an approach that wouldn't inconvenience them, like a method of not importing user information. If it's difficult, I'll consider consulting with the client. Thank you so much for all of your responses!
@igssv If you have access to the old F5s you can change the admin and root password, then create a UCS, and finally import that new UCS which should have the new usernames and passwords. Sadly, sometimes in order to get the job done correctly you will have to ask for additional information. It's better to inconvenience them a small amount now than a large amount in the future.
Thank you for the advice! Unfortunately, it’s already Saturday here in Japan, so I resolved the issue by customizing the UCS as follows.
On the Virtual Edition (VE), the following steps were executed:
- Ran `f5mku -r <old master key>`
- Executed `tmsh save sys conf` to save the system configuration
- Obtained the UCS
In old UCS:
- Added `fallback true` to the `auth source` section in `bigip.conf` (which was initially set to `type radius`)
- Copied the `encrypted-password` for `auth user admin/root` from the UCS on the VE over to `bigip_user.conf`
- Changed `sys httpd` in `bigip_base.conf` to `ALL`
Thank you so much for your consistent guidance! With your help, I've successfully reached a point where I can review the client’s configurations without any issues!
I see, I should save sys config first. I tried it, and during the load, I received a message saying:
`usermod: no changes`
I thought it worked well, but it turns out the password has changed. Thank you for your advice!
Thank you so much for the comprehensive explanation regarding the "platform_migrate" option! Your insights were super helpful. For this particular instance, our primary goal was simply to deploy the current device UCS to the Virtual Edition and validate the settings, so it looks like we can afford to overlook any potential issues. I might reach out again for advice if we run into any hurdles down the road—hope that’s okay!
Thanks again and have a great day!