Bug ID 1231889: Mismatched VLAN names (or VLANs in non-Common partitions) do not work properly in BIG-IP tenants running on r2000 / r4000-series appliances

Last Modified: Nov 05, 2024

Affected Product(s):
BIG-IP All, F5OS, F5OS-A, LTM, TMOS(all modules)

Known Affected Versions:
15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4

Opened: Jan 30, 2023

Severity: 3-Major

Symptoms

When a VLAN configured in the tenant does not have the same name as the VLAN in F5OS, or the VLAN in the tenant is created in a partition other than "Common", VLANs may not pass traffic properly without manual configuration. If any such VLANs exist, newly-configured VLANs may also exhibit this issue, even if the VLAN is in Common and has a name that matches the name in F5OS.

The system will have log messages similar to the following; these errors will still occur even once the workaround has been applied.

    Feb 15 15:39:49 r4000-1.example.com err mcpd[19522]: 01070094:3: Referenced vlan (/Common/external) is hidden, does not exist, or is already on another instance.
    Feb 15 15:39:49 r4000-1.example.com err chmand[19520]: 012a0003:3: hal_mcp_process_error: result_code=0x1070094 for result_operation=eom result_type=eom

Tenants running on an r2000 or r4000-series appliance need to know the VLAN<>interface associations, but the system is not able to populate this information when the VLAN is not in the Common partition.

VLANs may not have any 'interfaces' referenced, or will have 'interfaces' that are not in-sync with the configuration on the F5OS host. For example:

    R2000# show running-config interfaces interface LAG; show running-config vlans vlan 47
    interfaces interface LAG
     config type ieee8023adLag
     config description ""
     aggregation config lag-type LACP
     aggregation config distribution-hash src-dst-ipport
     aggregation switched-vlan config trunk-vlans [ 42 47 ]
    !
    vlans vlan 47
     config vlan-id 47
     config name vlan_47
    !
    R2000#

    [root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
    net vlan /ottersPart/vlan_47 {
        dag-adjustment none
        if-index 240
        # <-- interfaces is not listed
        partition ottersPart
        [...]
        tag 47
    }
    [root@tenant:Active:Standalone] config #

    [root@tenant:Active:Standalone] config # tmsh list net vlan /ottersPart/vlan_47
    net vlan /ottersPart/vlan_47 {
        dag-adjustment none
        if-index 240
        partition ottersPart
        interfaces {    # <-- configuration with a workaround in place
            LAG {
                tagged
            }
        }
        [...]
        tag 47
    }

Impact

Partitions other than the Common partition cannot have VLANs. VLANs created in other partitions will not be operational in the data path. If such VLANs exist in the tenant, newly added VLANs will also exhibit this issue.

Conditions

- BIG-IP tenant running on r2000 and r4000-series platforms
- VLANs moved to partitions other than "Common", or renamed so that the name does not match between hypervisor and tenant.

Workaround

In the BIG-IP tenant, modify all VLAN objects to have 'interfaces' that align with the configuration on the host. For example, for the VLAN 47 described above, the VLAN should be listed as being 'tagged' on the 'LAG' trunk:

    tmsh modify net vlan /ottersPart/vlan_47 interfaces replace-all-with { LAG { tagged } }
    tmsh save sys config
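
The check behind this workaround, as an added Python example that is not F5's own tooling: it pairs tenant VLANs with host VLANs by tag rather than by name, and builds the tmsh command for each tenant VLAN whose 'interfaces' differ from the host's trunk-vlans. The sample text is constructed from the output shown above, the function names are hypothetical, and only tagged membership listed under trunk-vlans is handled.

```python
import re
# Constructed sample input, modelled on the host and tenant output above.
HOST = """interfaces interface LAG
 aggregation switched-vlan config trunk-vlans [ 42 47 ]
"""
TENANT = """net vlan /ottersPart/vlan_47 {
    tag 47
}
net vlan /Common/vlan_42 {
    interfaces {
        LAG {
            tagged
        }
    }
    tag 42
}
"""

def host_tagged_map(text):
    """{vlan_id: {interface, ...}} built from F5OS 'trunk-vlans' lines."""
    result, iface = {}, None
    for line in text.splitlines():
        if m := re.match(r"interfaces interface (\S+)", line):
            iface = m.group(1)
        elif (m := re.search(r"trunk-vlans \[([\d\s]*)\]", line)) and iface:
            for vid in m.group(1).split():
                result.setdefault(int(vid), set()).add(iface)
    return result

def tenant_vlans(text):
    """Yield (path, tag, tagged_interfaces) for each 'net vlan' stanza."""
    for m in re.finditer(r"^net vlan (\S+) \{\n(.*?)^\}", text, re.S | re.M):
        tag = re.search(r"^\s*tag (\d+)", m.group(2), re.M)
        ifaces = set(re.findall(r"(\S+) \{\s*tagged\s*\}", m.group(2)))
        if tag:
            yield m.group(1), int(tag.group(1)), ifaces

def workaround_commands(host_text, tenant_text):
    """tmsh commands for tenant VLANs whose interfaces differ from the host."""
    host, cmds = host_tagged_map(host_text), []
    for path, tag, have in tenant_vlans(tenant_text):
        want = host.get(tag, set())  # match on 802.1Q tag, not on name
        if want and want != have:
            members = " ".join(f"{i} {{ tagged }}" for i in sorted(want))
            cmds.append(f"tmsh modify net vlan {path} interfaces "
                        f"replace-all-with {{ {members} }}")
    return cmds

if __name__ == "__main__":
    print("\n".join(workaround_commands(HOST, TENANT)))
```

Feed it the saved output of the host 'show running-config' and the tenant 'tmsh list net vlan' commands; review the generated commands before running them and follow with 'tmsh save sys config'.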

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips