Bug ID 1161913: Upgrades from BIG-IP versions 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to 16.1.1, 16.1.2, 16.1.3 (not 16.1.4) or 17.0.x (but not 17.1.x) fail, and leaves the device INOPERATIVE

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP All, Install/Upgrade, TMOS(all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 17.0.0, 17.0.0.1, 17.0.0.2

Fixed In:
16.1.4

Opened: Sep 28, 2022

Severity: 1-Blocking

Symptoms

The loading configuration process fails after an upgrade from 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to any 16.x (prior to 16.1.4), or to any 17.0.x release. Upgrades to 16.1.4 or 17.1.x are not affected. The system posts errors similar to the following: -- crit tmsh[16188]: 01420001:2: Can't load keyword definition (vlan.dag_adjustment) : framework/SchemaCmd.cpp, line 825 -- crit tmsh[25644]: 01420001:2: Can't load keyword definition (vlan.nti) : framework/SchemaCmd.cpp, line 825 -- Can't find matched schema tag for association's attribute fw_zone_log_profile.pzname during loading cli version syntax: 15.1.8 -- Can't find matched schema tag for association's attribute fw_protected_zone.pzname during loading cli version syntax: 15.1.8 -- Unexpected Error: "Can't load keyword definition (vlan.dag_adjustment)" -- fatal: (Can't load keyword definition (vlan.nti)) (framework/SchemaCmd.cpp, line 825), exiting... -- emerg load_config_files[16186]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.8 -- err mcpd[10702]: 01070422:3: Base configuration load failed.

Impact

After the upgrade, the configuration does not load. The system hangs at the base configuration load failure status and leaves the system inoperative.

Conditions

The issue occurs when an upgrade happens from one of the following releases: -- BIG-IP version 15.1.8 or later in the v15.1.x branch. to any of the following releases: -- BIG-IP version 16.0 through v16.1.3.4 -- BIG-IP version 17.0 through v17.0.0.2

Workaround

It is not possible to avoid running into a config load failure when attempting the upgrade or restoring a UCS archive from v15.1.8 or v15.1.8.1 or v15.1.8.2 or v15.1.9 on one of the listed versions. However, as long as the system is not using the zone-based DDoS AFM functionality, it is possible to load the configuration after the upgrade via the manual workaround shown below. If upgrading to 16.1.4 or a later version there is no need to use this workaround, and it should not be used. 1. While the system is inoperative, log into the system as root or an administrative user and launch bash. 2. Copy and paste the following series of commands and run them in bash ### BEGIN COMMANDS (shopt -s nullglob; sed -E -i.workaround.bak -e '/dag-adjustment /d' /config/bigip_base.conf /config/partitions/*/bigip_base.conf) (shopt -s nullglob; sed -E -i -e '/^KEYWORD dag-adjustment/d' -e '/^KEYWORD nti/d' /var/libdata/tmsh/syntax/15.1.{8,9,10}*/auto_schema_data_net_cli.dat) for dir in /var/libdata/tmsh/syntax/15.1.{8,9,10}*; do [ -d "$dir" ] || continue /bin/mv "$dir"/auto_schema_data_security_cli.dat{,.workaround.bak} awk ' /^<REF_CMD fw-protected-zone / { refcmd=1; depth=1; next } /^<CMD fw-protected-zone/ { cmd=1; depth=1; next } /^<ASSOCIATION.*fw-protected-zone/ { depth=depth+1; next } /^>/ { if (refcmd || cmd) { if (!--depth) { refcmd = 0; cmd = 0; } next; } } /.?/ { if (refcmd || cmd) next print }' < "$dir"/auto_schema_data_security_cli.dat.workaround.bak > "$dir"/auto_schema_data_security_cli.dat /bin/rm "$dir"/auto_schema_data_security_cli.dat.workaround.bak done ### END COMMANDS 3. Load the configuration again: tmsh load sys config 4. If the config loads successfully, save it once: tmsh save sys config

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips