Last Modified: May 29, 2024
Affected Product(s):
BIG-IP Install/Upgrade, TMOS
Known Affected Versions:
13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1
Fixed In:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
Opened: Dec 10, 2019 Severity: 3-Major
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.
-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact: If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT.

Procedure to identify virtual-addresses that are affected because they have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:

Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd. You can check this value with the guishell command:

    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

Example:

    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
    -----------------------------------------------------------
    | NAME                 | ROUTE_ADVERTISEMENT | RA_OPTION |
    -----------------------------------------------------------
    | /Common/10.32.101.41 | false               | 0         | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
    | /Common/10.32.101.42 | false               | 2         | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
    | /Common/10.32.101.43 | false               | 1         | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
    | /Common/10.32.101.47 | true                | 0         | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
    | /Common/10.32.101.49 | true                | 1         | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.

Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:

1. Review Standby system (if available) and ensure Route Advertisement in running configuration is configured and functioning as desired with "tmsh list ltm virtual-address route-advertisement". If not, manually correct Route Advertisement to desired configuration and confirm functionality.
2. Fail over Active system to Standby status:
    tmsh run sys failover standby
3. Review former Active (now Standby) system and ensure Route Advertisement in running configuration is configured and functioning as desired. If not, manually correct Route Advertisement to desired configuration.
4. Save the config to disk:
    tmsh save sys config
5. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at-risk virtual-addresses:
    tmsh load sys config
6. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
    tmsh load sys config
7. Verify it worked:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

Example of a fixed config:

    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
    -----------------------------------------------------------
    | NAME                 | ROUTE_ADVERTISEMENT | RA_OPTION |
    -----------------------------------------------------------
    | /Common/10.32.101.41 | false               | 0         | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
    | /Common/10.32.101.42 | false               | 2         | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
    | /Common/10.32.101.43 | false               | 1         | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
    | /Common/10.32.101.47 | false               | 0         | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
    | /Common/10.32.101.49 | false               | 1         | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to 'selective':

    tmsh load sys config
None
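
The identification step and the final verification step in the workaround above can be scripted so that an at-risk virtual address is not missed in a long table. The following is an added example, not F5 code: classify_ra and ra_clean are hypothetical names, the sample rows are taken from the article's example output, and treating any non-zero RA_OPTION alongside ROUTE_ADVERTISEMENT=true as high risk is an assumption that generalizes the article's true/1 row.

```shell
#!/bin/sh
# Added example: classify virtual addresses from guishell table output (stdin).
# On a BIG-IP, feed it the article's query:
#   guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address" | classify_ra
classify_ra() {
    awk -F'|' '
        /^[[:space:]]*\|/ {               # table rows only; dashed rules are skipped
            name = $2; legacy = $3; opt = $4
            gsub(/[[:space:]]/, "", name)
            gsub(/[[:space:]]/, "", legacy)
            gsub(/[[:space:]]/, "", opt)
            if (name == "" || name == "NAME") next      # header row
            if (legacy != "true") risk = "none"         # no legacy artifact
            else if (opt == "0")  risk = "medium"       # artifact present, RA not in use
            else                  risk = "high"         # assumption: any non-zero RA_OPTION is in use
            print name, risk
        }'
}

# Succeeds only when no virtual address still carries ROUTE_ADVERTISEMENT=true.
ra_clean() {
    ! classify_ra | grep -Eq ' (medium|high)$'
}

# Rows from the article's "at risk" example output.
sample_before() {
cat <<'EOF'
-----------------------------------------------------------
| NAME                 | ROUTE_ADVERTISEMENT | RA_OPTION |
-----------------------------------------------------------
| /Common/10.32.101.41 | false               | 0         |
| /Common/10.32.101.42 | false               | 2         |
| /Common/10.32.101.43 | false               | 1         |
| /Common/10.32.101.47 | true                | 0         |
| /Common/10.32.101.49 | true                | 1         |
EOF
}

# The article's "fixed" example is the same table with every flag false.
sample_after() { sample_before | sed 's/| true /| false/'; }

sample_before | classify_ra
if sample_after | ra_clean; then echo "after cleanup: clean"; fi
```

Running ra_clean against live guishell output after step 7 gives a pass/fail exit status that can gate a change window or a post-upgrade check.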