Last Modified: Jul 01, 2025
Affected Product(s):
F5OS F5OS-A, F5OS-C, Velos
Known Affected Versions:
F5OS-A 1.5.1, F5OS-A 1.5.2, F5OS-A 1.5.3, F5OS-C 1.6.0, F5OS-C 1.6.1, F5OS-C 1.6.2
Fixed In:
F5OS-C 1.8.0, F5OS-A 1.8.0
Opened: Apr 04, 2024
Severity: 2-Critical
Checking the status of a key migration ('show system aaa primary-key state status') while that migration is in progress (initiated via the ConfD action 'system aaa primary-key set') can intermittently cause the key migration to fail. Possible symptoms include:
- Running 'show system aaa primary-key' returns 'application communication failure'.
- Running 'show system aaa primary-key' shows a status of RECOVERY_RESTORE_KEY_FAILED.
In the less severe case, further attempts to run 'show system aaa primary-key' may return 'application communication error', but the primary key is intact. In the worst case, the key migration may fail part way through, leaving encrypted ConfD elements in a corrupted state with little chance of recovery.
1. A ConfD primary key migration is initiated on a VELOS Controller or F5OS Appliance system.
2. While the key migration is in progress, the status of the migration is checked.
If running 'show system aaa primary-key' returns 'application communication error', try to recover it by logging into the controller as 'root' and running:
    docker restart confd-key-migration-mgr
If running 'show system aaa primary-key' shows a status of RECOVERY_RESTORE_KEY_FAILED, please contact F5 Support for assistance.
Fixed an issue where checking the status of a key migration could cause the migration to fail.