Symptoms
If an IPsec traffic-selector object references the default-ipsec-policy object, an upgrade to a newer version of BIG-IP software might fail during the config load stage with error logs similar to the following:
err mcpd[#]: 01070734:3: Configuration error: IPsec policy /Common/default-ipsec-policy does not exist.
emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all base " - failed. -- 01070734:3: Configuration error: IPsec policy /Common/default-ipsec-policy does not exist. Unexpected Error: Loading configuration process failed.
Impact
Unable to load configuration.
Conditions
-- IPsec traffic-selector object references the default-ipsec-policy object.
-- Configuration is loaded from config files, such as:
+ Performing an upgrade to a later version of BIG-IP software.
+ Loading configuration from a file (tmsh load sys config file).
+ Forcing a configuration load from files, as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
Workaround
To work around this problem, use one of the following preventive actions:
-- Before upgrading, create a custom ipsec-policy (with default values) and reference that policy from the traffic-selector instead of default-ipsec-policy.
-- Before upgrading, delete any traffic-selector that references default objects such as default-ipsec-policy.
To recover from a failed upgrade or config load, use one of the following recovery actions, then restart BIG-IP (bigstart restart):
-- Edit the /config/BIG-IP_base.conf file, add a custom ipsec-policy with default values, and update the traffic-selector configuration to use this ipsec-policy:
net ipsec ipsec-policy /Common/my-ipsec-policy { }
net ipsec traffic-selector /Common/iFail {
    ...
    ipsec-policy /Common/my-ipsec-policy
    ...
}
-- Edit the /config/BIG-IP_base.conf file, and delete the traffic-selector configuration that references the default-ipsec-policy.
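The following script is an added example, not part of this article or of F5's tooling. It implements a pre-upgrade check for the condition above (traffic-selectors referencing /Common/default-ipsec-policy) and the first recovery action (adding a custom policy stanza with default values and repointing the affected selectors). The config fragment is constructed; the policy name /Common/my-ipsec-policy and selector /Common/iFail are taken from the article.

```python
import re

# Constructed fragment in the style of /config/BIG-IP_base.conf (not from a real device).
SAMPLE_CONF = """\
net ipsec traffic-selector /Common/iFail {
    destination-address 10.0.0.0/24
    ipsec-policy /Common/default-ipsec-policy
    source-address 10.1.0.0/24
}
net ipsec traffic-selector /Common/ok-ts {
    destination-address 10.2.0.0/24
    ipsec-policy /Common/existing-policy
    source-address 10.3.0.0/24
}
"""

DEFAULT_POLICY = "/Common/default-ipsec-policy"

# One tmsh-style stanza: header line, body, then a closing brace at line start.
STANZA_RE = re.compile(r"^net ipsec traffic-selector (\S+) \{\n(.*?)^\}", re.M | re.S)
# The ipsec-policy attribute line inside a stanza body.
POLICY_RE = re.compile(r"^([ \t]*ipsec-policy )(\S+)[ \t]*$", re.M)


def find_affected_selectors(conf: str) -> list[str]:
    """Names of traffic-selectors whose ipsec-policy is the default policy."""
    affected = []
    for m in STANZA_RE.finditer(conf):
        name, body = m.group(1), m.group(2)
        pm = POLICY_RE.search(body)
        if pm and pm.group(2) == DEFAULT_POLICY:
            affected.append(name)
    return affected


def rewrite_conf(conf: str, new_policy: str = "/Common/my-ipsec-policy") -> str:
    """Add a custom ipsec-policy with default values and point affected selectors at it."""
    affected = set(find_affected_selectors(conf))
    if not affected:
        return conf  # nothing references the default policy; leave the file untouched

    def fix(m: re.Match) -> str:
        name, body = m.group(1), m.group(2)
        if name in affected:
            body = POLICY_RE.sub(lambda pm: pm.group(1) + new_policy, body)
        return f"net ipsec traffic-selector {name} {{\n{body}}}"

    fixed = STANZA_RE.sub(fix, conf)
    policy_stanza = f"net ipsec ipsec-policy {new_policy} {{ }}\n"
    if policy_stanza not in fixed:
        fixed = policy_stanza + fixed  # define the policy before anything references it
    return fixed
```

Run find_affected_selectors() over a copy of BIG-IP_base.conf before an upgrade to see whether the device is exposed; rewrite_conf() produces the edited text for the recovery action, which still has to be written back and followed by a restart as described above.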
Fix Information
Now, the IPsec traffic-selector can reference default-ipsec-policy without configuration load errors after upgrade.