Bug ID 639619: UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Last Modified: Oct 17, 2023

Affected Product(s):
BIG-IP All, Install/Upgrade(all modules)

Known Affected Versions:
11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1

Fixed In:
15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1, 11.6.4

Opened: Jan 16, 2017

Severity: 3-Major

Symptoms

When a UCS is loaded, the following error is logged to /var/log/ltm:

'Symmetric Unit Key decrypt failure - decrypt failure'

The configuration then fails to load, because a secure attribute in the UCS cannot be decrypted.

Impact

The configuration fails to load.

Conditions

1. The UCS contains secure attributes.
2. The UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file on the system does not match the '.unitkey' file within the UCS.
4. The system does not use an EEPROM for storing its unit key. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Workaround

Perform the following procedure:

1. Stop the system:
   # bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS.
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS.
4. Remove the mcpd database to force the keys to be reloaded:
   # rm -f /var/db/mcpd.bin
   # rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
   # bigstart start
   # tmsh load sys config
   or
   # reboot
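The following shell script is an added example, not part of the F5 article or of the BIG-IP software. It automates two things: checking condition 3 (whether the '.unitkey' inside a UCS is byte-identical to the one in the kstore) before a load is attempted, and applying steps 2 to 4 of the workaround above. It assumes that a UCS is a gzip-compressed tar archive and that the kstore files are stored in it under the relative path config/bigip/kstore/ (no leading slash); both are assumptions for this example. The kstore and mcpd database directories are parameters so the functions can be rehearsed against scratch directories; only run_on_bigip touches the real paths and the bigstart/tmsh commands from the article, and it is not exercised here. The script cannot detect condition 4 (whether the unit has an EEPROM-backed unit key); on an EEPROM system the key is not in the .unitkey file and copying the file does not apply.

```shell
#!/bin/sh
# Added example for Bug ID 639619 (not F5 code). Assumptions: a UCS is a
# gzip'd tar, and kstore files sit under config/bigip/kstore/ inside it.
set -u

UCS_KSTORE_PREFIX="config/bigip/kstore"

# unitkey_matches UCS KSTORE_DIR
#   0: the .unitkey in the UCS is identical to KSTORE_DIR/.unitkey
#   1: they differ (or the kstore has no .unitkey) -> the bug's condition 3
#   2: the UCS carries no .unitkey at all -> condition 2 not met
#   3: the UCS could not be unpacked
unitkey_matches() {
    ucs=$1; kstore=$2
    tmp=$(mktemp -d) || return 3
    tar -xzf "$ucs" -C "$tmp" || { rm -rf "$tmp"; return 3; }
    if [ ! -f "$tmp/$UCS_KSTORE_PREFIX/.unitkey" ]; then
        rm -rf "$tmp"; return 2
    fi
    if cmp -s "$tmp/$UCS_KSTORE_PREFIX/.unitkey" "$kstore/.unitkey"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# apply_unitkey_workaround UCS KSTORE_DIR MCPD_DB_DIR
#   Steps 2-4 of the article's workaround: copy .unitkey and master out of the
#   UCS over the kstore copies (keeping timestamped backups of the originals)
#   and delete mcpd.bin / mcpd.info so mcpd reloads the keys on next start.
#   On a real unit KSTORE_DIR=/config/bigip/kstore and MCPD_DB_DIR=/var/db,
#   and bigstart must already be stopped.
apply_unitkey_workaround() {
    ucs=$1; kstore=$2; dbdir=$3
    tmp=$(mktemp -d) || return 3
    tar -xzf "$ucs" -C "$tmp" || { rm -rf "$tmp"; return 3; }
    stamp=$(date +%Y%m%d%H%M%S)
    for f in .unitkey master; do
        src="$tmp/$UCS_KSTORE_PREFIX/$f"
        if [ ! -f "$src" ]; then
            echo "UCS has no $UCS_KSTORE_PREFIX/$f; nothing replaced" >&2
            rm -rf "$tmp"; return 2
        fi
        # keep what was on the box before overwriting it
        if [ -f "$kstore/$f" ]; then
            cp -p "$kstore/$f" "$kstore/$f.bak.$stamp"
        fi
        cp -p "$src" "$kstore/$f"
    done
    rm -f "$dbdir/mcpd.bin" "$dbdir/mcpd.info"
    rm -rf "$tmp"
}

# run_on_bigip UCS
#   The article's full procedure on a real unit (steps 1-5). Skips the
#   destructive part unless the unit key actually mismatches.
run_on_bigip() {
    ucs=$1
    rc=0; unitkey_matches "$ucs" /config/bigip/kstore || rc=$?
    if [ "$rc" -ne 1 ]; then
        echo "no .unitkey mismatch between $ucs and the kstore; nothing to do" >&2
        return "$rc"
    fi
    bigstart stop
    apply_unitkey_workaround "$ucs" /config/bigip/kstore /var/db || return $?
    bigstart start
    tmsh load sys config
}
```

Run the check first on its own (`unitkey_matches /var/local/ucs/backup.ucs /config/bigip/kstore; echo $?`): a return of 1 means loading that UCS will hit the decrypt failure on an affected, EEPROM-less version, and a return of 2 means the UCS carries no unit key and this bug is not the cause. The backups that apply_unitkey_workaround leaves in the kstore are the only way back to the previous key material, so do not delete them until the configuration has loaded.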

Fix Information

The system now always reloads the .unitkey from storage when loading the other keys, so the UCS loads as expected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips