Bug ID 1073429: Auth partition definition is incorrectly synchronized to peer and then altered.

Last Modified: Sep 29, 2022

Bug Tracker

Affected Product:
BIG-IP All (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2

Opened: Jan 16, 2022
Severity: 3-Major

Symptoms

An auth partition definition with "device-group none" and "traffic-group none" is incorrectly synchronized to other devices during a full config-sync. Specifically, the partition is incorrectly synchronized to all other devices that belong to the device-group to which the /Common partition is associated. Furthermore, the receiving devices incorrectly alter the definition of said partition, in such a way that the definition no longer specifies "device-group none" and "traffic-group none". Instead, this partition will now have inheritance (from the root folder) enabled for both the device-group and traffic-group properties.

Impact

The definition of an auth partition that was meant to remain local to a given BIG-IP system is incorrectly synchronized to peer devices. Additionally, its device-group and traffic-group properties are altered so that inheritance from the root folder is now enabled. Initially, this has no other negative consequences, as the configuration objects contained in the "local partition" of the source device are not synchronized. However, a further config sync from the initial receiving device to the initial source device will overwrite the device-group and traffic-group properties there. Once in this state, the unit that contains configuration objects in the "local partition" will synchronize them to the peers during the next config-sync. This can impact the application traffic based on the objects synchronized.

Conditions

This issue occurs when an auth partition (for example /Example) that specifies "device-group none" and "traffic-group none" is created on redundant units, and a full config sync is then issued to the device-group. Note that even if your device-group is configured to perform incremental syncs, a full sync between devices is sometimes a natural and unavoidable event.

Workaround

You cannot work around this issue. However, you may be able to achieve your goal of having a repository for local-only objects by creating a subfolder to the /Common partition rather than creating a new partition. For example: tmsh create sys folder /Common/local device-group none traffic-group none
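As an added check (not part of this bug entry or of F5's own tooling), the script below parses a constructed listing in the style of tmsh "list sys folder all-properties" output, a format and set of property names that are assumed here, and flags folders or partitions that were meant to stay local (device-group none, traffic-group none) but now inherit their groups from the root folder, which is the altered state the Symptoms section describes.

```python
import re

# Constructed sample listing; the layout and the property names
# (inherited-devicegroup, inherited-traffic-group) are assumptions,
# not output captured from a device. /Example shows the drifted state
# described in this bug; /Common/local is the workaround folder, intact.
SAMPLE_LISTING = """\
sys folder / {
    device-group dg-failover
    inherited-devicegroup false
    inherited-traffic-group false
    traffic-group traffic-group-1
}
sys folder /Example {
    device-group dg-failover
    inherited-devicegroup true
    inherited-traffic-group true
    traffic-group traffic-group-1
}
sys folder /Common/local {
    device-group none
    inherited-devicegroup false
    inherited-traffic-group false
    traffic-group none
}
"""

FOLDER_RE = re.compile(r"sys folder (\S+) \{\n(.*?)\n\}", re.S)


def parse_folders(text):
    """Map each folder path to a dict of its 'key value' properties."""
    folders = {}
    for name, body in FOLDER_RE.findall(text):
        props = {}
        for line in body.splitlines():
            key, _, value = line.strip().partition(" ")
            props[key] = value
        folders[name] = props
    return folders


def find_drifted(text, intended_local):
    """Return the folders in intended_local that no longer specify
    'device-group none' / 'traffic-group none' or that inherit a group."""
    folders = parse_folders(text)
    drifted = []
    for name in intended_local:
        p = folders.get(name)
        if p is None:
            continue  # folder absent on this unit; nothing to compare
        inherits = (p.get("inherited-devicegroup") == "true"
                    or p.get("inherited-traffic-group") == "true")
        grouped = (p.get("device-group", "none") != "none"
                   or p.get("traffic-group", "none") != "none")
        if inherits or grouped:
            drifted.append(name)
    return drifted


if __name__ == "__main__":
    print(find_drifted(SAMPLE_LISTING, ["/Example", "/Common/local"]))
```

Run it against a real listing captured from each unit after a full sync to confirm the local-only definitions survived on every peer.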

Fix Information

None

Behavior Change