Bug ID 1856425: Old EPSEC images keeps coming back on standby device after reboot

Last Modified: Jun 28, 2025

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
17.5.0, 17.5.1

Opened: Mar 17, 2025

Severity: 4-Minor

Symptoms

Previous EPSEC packages still reside on the system in /shared/apm/images/ even after they are deleted.

Impact

Unnecessary retention of outdated EPSEC images.

Conditions

Even when the standby and active devices are in sync, old EPSEC images are not deleted from /shared/apm/images/.

-- VIPRION system
-- High availability (HA) environment
-- vCMP with multiple blades
-- The system is rebooted

Workaround

1) Look for all epsec files on all blades:

    clsh find / -path /proc -prune -o -name *epsec-1* -print

2) Delete older unused epsec images (using UI or tmsh)

3) Verify no references to older epsec exist in bigip.conf. If they do, they need to be removed.

    grep epsec /config/bigip.conf

4) Delete any orphan unused epsec images from /config/filestore/files_d/Common_d/epsec_package_d/ (only keep the one listed in bigip.conf):

    Ex:
    clsh rm -f /config/filestore/files_d/Common_d/epsec_package_d/\:Common\:EPSEC\:Upload\:epsec-1.0.0-1622.0.iso_126649_1
    clsh rm -f /config/filestore/files_d/Common_d/epsec_package_d/\:Common\:EPSEC\:Upload\:epsec-1.0.0-1505.0.iso_126643_1

5) Look again for all epsec files on all blades:

    clsh find / -path /proc -prune -o -name *epsec-1* -print

6) If some older epsec files are still visible in /shared/apm/images/

6.1) Stop csyncd (this will prevent rsync from restoring epsec images while you try to delete them):

    clsh bigstart stop csyncd

6.2) Delete leftover epsec (those not visible in UI):

    Ex:
    clsh rm -f /shared/apm/images/epsec-1.0.0-1622.0.iso
    clsh rm -f /shared/apm/images/epsec-1.0.0-1505.0.iso
    ...

6.3) Start csyncd:

    clsh bigstart start csyncd

7) Sync to standby (if manual sync)

Once completed, move on to standby.

#############
# On standby:
#############

1) Look for all epsec files on all blades:

    clsh find / -path /proc -prune -o -name *epsec-1* -print

2) Stop csyncd (that will prevent rsync from restoring epsec images while you try to delete them):

    clsh bigstart stop csyncd

3) Delete leftover epsec (those not visible in UI):

    Ex:
    clsh rm -f /shared/apm/images/epsec-1.0.0-1622.0.iso
    clsh rm -f /shared/apm/images/epsec-1.0.0-1505.0.iso
    ...

4) Verify no references to older epsec exist in bigip.conf. If any, we need to do a full sync from active to standby again.

    grep epsec /config/bigip.conf
    => you should see the same thing as the active

5) Delete any orphan unused epsec images from /config/filestore/files_d/Common_d/epsec_package_d/ (only keep the one listed in bigip.conf):

    Ex:
    clsh rm -f /config/filestore/files_d/Common_d/epsec_package_d/\:Common\:EPSEC\:Upload\:epsec-1.0.0-1622.0.iso_126649_1
    clsh rm -f /config/filestore/files_d/Common_d/epsec_package_d/\:Common\:EPSEC\:Upload\:epsec-1.0.0-1505.0.iso_126643_1
    ...

6) Start csyncd:

    clsh bigstart start csyncd

7) Look again for all epsec files on all blades:

    clsh find / -path /proc -prune -o -name *epsec-1* -print

8) If you need to confirm that older epsec images are not coming back, reboot the standby guest chassis
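
The "only keep the one listed in bigip.conf" check from the workaround can be done as a report before anything is deleted. The script below is an added example, not F5 code: `list_orphan_epsec`, `demo_orphans` and the sample files are constructed for illustration, and it assumes bigip.conf names each in-use package with the same `epsec-<version>.iso` string seen in the filestore paths.

```shell
#!/bin/sh
# Added example, not F5 code. Report-only: it deletes nothing.
# Assumption: every in-use package appears in bigip.conf under a name that
# contains "epsec-<version>.iso" (the pattern seen in the filestore names).
EPSEC_RE='epsec-[0-9][0-9.]*-[0-9][0-9.]*\.iso'

# list_orphan_epsec CONF DIR...
# Print each file in DIR... whose epsec-<version>.iso name is absent from CONF.
list_orphan_epsec() {
    conf=$1; shift
    referenced=$(grep -o "$EPSEC_RE" "$conf" | sort -u)
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*epsec-*; do
            [ -e "$f" ] || continue              # glob matched nothing
            pkg=$(basename "$f" | grep -o "$EPSEC_RE") || continue
            # -x whole line, -F literal: 1622.0 must not match 11622.0
            printf '%s\n' "$referenced" | grep -qxF "$pkg" || printf '%s\n' "$f"
        done
    done
    return 0
}

# Demo on constructed files in a temporary directory (no real system paths).
demo_orphans() {
    t=$(mktemp -d)
    mkdir -p "$t/images" "$t/epsec_package_d"
    # Constructed stand-in for bigip.conf; 9999.0 is a made-up "current" build.
    echo 'constructed-reference epsec-1.0.0-9999.0.iso' > "$t/bigip.conf"
    touch "$t/images/epsec-1.0.0-9999.0.iso" \
          "$t/images/epsec-1.0.0-1622.0.iso" \
          "$t/epsec_package_d/:Common:EPSEC:Upload:epsec-1.0.0-9999.0.iso_1_1" \
          "$t/epsec_package_d/:Common:EPSEC:Upload:epsec-1.0.0-1505.0.iso_126643_1"
    list_orphan_epsec "$t/bigip.conf" "$t/images" "$t/epsec_package_d" |
        sed "s|^$t/||"                           # show paths relative to $t
    rm -rf "$t"
}

demo_orphans
```

On a BIG-IP the arguments would be the paths from the workaround (/config/bigip.conf, /shared/apm/images and /config/filestore/files_d/Common_d/epsec_package_d). The function only inspects the blade it runs on, and if the configuration references no package at all it reports every image.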

Fix Information

None

Behavior Change
