
UCS Import Errors on BIG-IP VE (12.1.5.2) from i2800 – Need Assistance

igssv
Cirrus

Dears,

I’m trying to import a UCS file obtained from the existing device (i2800 v12.1.5.2) into the VE version V12.1.5.2, but it’s not going smoothly.

The command I execute during import is:
```
load sys ucs [i2800 UCS File] no-license platform-migrate
```

Upon checking the log (/var/log/ltm), I found the following errors:

[Errors]

  • err mcpd[4653]: 0107178a:3: Modifying license.maxcores to a value other than 2 is not allowed.
  • err loaddb[25057]: 01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 2 is not allowed.
  • err 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
  • err mcpd[4653]: 0107102b:3: Master Key decrypt failure - decrypt failure - final
  • err Decryption of the field (secret) for object (/Common/system_auth_name1) failed.
  • err tmsh[25642]: 01420006:3: Loading configuration process failed.
  • emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all platform-migrate" - failed. -- 01071769:3: Decryption of the field (secret) for object (/Common/system_auth_name1) failed. Unexpected Error: Loading configuration process failed.

I only need to verify the configurations from the old model; it’s acceptable if maxcore decreases. My goal is to successfully complete the load sys command. Any support on how to address these errors would be greatly helpful.

 


Paulius
MVP

@igssv It looks like you did not migrate the master key from the old F5 to the new F5. This can be done easily if you have access to both devices. The following document has the steps which can be found if you search for "f5mku -K" when the page loads.

https://my.f5.com/manage/s/article/K9420
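Added example, not part of the original thread and not F5 tooling: a shell triage over the `/var/log/ltm` error lines quoted in the question. It separates the master-key decrypt failures from the other errors and lists the objects whose secrets could not be decrypted. The function names are hypothetical, and the sample input is constructed from the lines in the question.

```shell
#!/bin/sh
# Constructed sample input: the error lines quoted in the question.
sample_ltm_log() {
cat <<'EOF'
err mcpd[4653]: 0107178a:3: Modifying license.maxcores to a value other than 2 is not allowed.
err loaddb[25057]: 01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 2 is not allowed.
err 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
err mcpd[4653]: 0107102b:3: Master Key decrypt failure - decrypt failure - final
err Decryption of the field (secret) for object (/Common/system_auth_name1) failed.
err tmsh[25642]: 01420006:3: Loading configuration process failed.
EOF
}

# Unique error codes: 8 hex digits followed by ":<severity>:".
error_codes() {
  grep -Eo '[0-9a-f]{8}:[0-9]:' | cut -d: -f1 | sort -u
}

# Objects whose encrypted field could not be decrypted, one per line.
undecryptable_objects() {
  sed -n 's/.*Decryption of the field ([^)]*) for object (\([^)]*\)) failed.*/\1/p' | sort -u
}

# Classify a failed UCS load from ltm log lines on stdin.
classify_ucs_load() {
  _log=$(cat)
  if printf '%s\n' "$_log" | grep -Eq '(Master|Symmetric Unit) Key decrypt failure'; then
    # The imported secrets were encrypted under a different master key.
    echo "master-key-mismatch"
  elif printf '%s\n' "$_log" | grep -q 'Decryption of the field'; then
    echo "secret-decrypt-failure"
  elif printf '%s\n' "$_log" | grep -q 'Loading configuration process failed'; then
    echo "load-failed-other"
  else
    echo "no-load-error"
  fi
}

# Stand-alone run against the constructed sample.
sample_ltm_log | classify_ucs_load
```

On a real device the same functions can read the log directly, for example `classify_ucs_load < /var/log/ltm`.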

Thank you for your quick response! Since the old F5 is still in operation and we want to avoid elevating security risks for our clients, we would prefer not to migrate the master key. Is there a way to review the configurations without migrating the master key?

@igssv Migrating the master key will not cause any disruption on your existing F5. All you are doing for this is you are retrieving the master key value from the old F5s and then taking that key and configuring it on the new F5s. After that you should be able to import the configuration on the new F5s.

Thank you once again for your prompt response. So, retrieving the master key itself won't have any impact on the operations. I'll discuss with our client about obtaining it. Thank you.

I successfully loaded the UCS. Thank you! However, now I'm unable to log in because the passwords for the root and admin accounts are unknown.

I have been referring to the URL https://my.f5.com/manage/s/article/K73551536. However, after booting in Single User Mode and running the mount -a command, nothing is mounted, and I can't use the passwd command.

Ideally, I’d like to reset the passwords and log in. Alternatively, I'm wondering if there is a way to load sys without importing the user account information.

Could you please help with the above? Thank you!

@igssv The usernames and passwords should be the same as the old F5 device because everything is imported from the UCS into the new F5.

 

Hi, Paulius,
As expected, then. Without asking our client, we won't know the account information for the old F5 device. We were hoping to find an approach that wouldn't inconvenience them, like a method of not importing user information. If it's difficult, I'll consider consulting with the client. Thank you so much for all of your responses!

@igssv If you have access to the old F5s you can change the admin and root password, then create a UCS, and finally import that new UCS which should have the new usernames and passwords. Sadly, sometimes in order to get the job done correctly you will have to ask for additional information. It's better to inconvenience them a small amount now than a large amount in the future.

Thank you for the advice! Unfortunately, it’s already Saturday here in Japan, so I resolved the issue by customizing the UCS as follows.

```
On the Virtual Edition (VE), the following steps were executed:
- Ran `f5mku -r <old master key>`
- Executed `tmsh save sys conf` to save the system configuration
- Obtained the UCS

In old UCS:
- Added `fallback true` to the `auth source` section in `bigip.conf` (which was initially set to `type radius`)
- Copied the `encrypted-password` for `auth user admin/root` from the UCS on the VE over to `bigip_user.conf`
- Changed `sys httpd` in `bigip_base.conf` to `ALL`
```

Thank you so much for your consistent guidance! With your help, I've successfully reached a point where I can review the client’s configurations without any issues!

T-Trust
MVP

Hi igssv,

Please collect master key from existing device first

1. on Existing Device

- Go to bash shell > run command "f5mku -K"

- Collect output

2. on New device

- Go to bash shell > run command "f5mku -r <past output>"

- Save configuration "tmsh save sys config"

- Load sys ucs again

Hi, T-Trust

I see, I should save sys config first. I tried it, and during the load, I received a message saying:

Post-processing...
usermod: no changes

I thought it worked well, but it turns out the password has changed. Thank you for your advice!

Hi, T-Trust,

I would also like to extend my gratitude to you! As written in my response to Paulius, I was able to accomplish what I needed by tweaking the contents of the UCS! Thank you!

Hi igssv,

You need to do this for platform migration, glad you are successful, you can refer this process for future migrations:

modify sys crypto master-key prompt-for-password

https://my.f5.com/manage/s/article/K82540512

 

==================================

K82540512: Overview of the UCS archive 'platform-migrate' option

igssv
Cirrus

Hi F5_Design_Engineer,

Thank you so much for the comprehensive explanation regarding the "platform_migrate" option! Your insights were super helpful. For this particular instance, our primary goal was simply to deploy the current device UCS to the Virtual Edition and validate the settings, so it looks like we can afford to overlook any potential issues. I might reach out again for advice if we run into any hurdles down the road—hope that’s okay!

Thanks again and have a great day!