Last Modified: Mar 12, 2025
Affected Product(s):
BIG-IP F5OS-A, F5OS-C, LTM, TMOS, Velos
Known Affected Versions:
15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1
Opened: Aug 02, 2024 Severity: 2-Critical
If using VLAN groups on a tenant running on an rSeries appliance or VELOS chassis, the system may delete the VLAN group or VLAN group members unexpectedly. This will happen when configuration changes to the tenant are made in F5OS or if the interface members of the VLAN change state (i.e. link down) - If the VLAN groups are in a non-"Common" partition, any members of the VLAN group will be removed, but the VLAN group will remain. - If the VLAN groups are in the Common partition, but are not referenced by higher-level objects, the VLAN group will be removed. - If the VLAN groups are in the Common partition and are referenced by higher-level objects, the system will not delete the VLAN group, but will log messages similar to the following: err mcpd[9181]: 01070623:3: The vlangroup (/Common/otters-vlangroup) is referenced by one or more virtual servers. err chmand[4691]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom
Traffic disrupted due to removal of VLAN group objects or VLAN group members.
- BIG-IP tenant running on rSeries appliance or VELOS chassis - VLAN group configured in tenant, and not using virtual wire
To avoid this problem, define an unused VLAN group in the Common partition and assign it to the VLAN list for a virtual server. tmsh create net vlan-group /Common/unused-vg tmsh create ltm virtual /Common/unused-virtual vlans-enabled vlans add { unused-vg } description "Workaround for ID1623325" tmsh save sys config Note the use of "vlans-enabled" and adding the empty VLAN group to the virtual server's VLAN list. This means that the BIG-IP system will never actually process traffic via this virtual server, as it would only accept traffic to the virtual server that arrives over the VLAN group, but the VLAN group will never receive any actual traffic. As a result of implementing this workaround, when the tenant processes any configuration updates from F5OS, the tenant will log error messages similar to the following: err mcpd[10720]: 01070623:3: The vlangroup (/Common/unused-vg) is referenced by one or more virtual servers. err chmand[6781]: 012a0003:3: hal_mcp_process_error: result_code=0x1070623 for result_operation=eom result_type=eom
None