Bug ID 435555: Cannot load UCS from different BIG-IP system using Secure Vault

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.0.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.5.1 HF1, 11.6.1 HF1, 11.5.1 HF2, 11.6.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.6.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0

Opened: Oct 28, 2013

Severity: 2-Critical

Related Article: K15835

Symptoms

If a BIG-IP system uses Secure Vault to encrypt secure fields, you cannot load a UCS from that system onto another BIG-IP system.

Impact

UCS load fails.

Conditions

This occurs when a UCS originates on a BIG-IP system whose secure fields are encrypted using Secure Vault. The reason is that the Master Key to the Secure Vault has been encrypted with the Unit key of the originating BIG-IP system. The Unit key is unique to each system.

Workaround

None

Fix Information

In this case you still cannot load a UCS from one device onto another without intervention, but the admin can now change the master key and then successfully load the configuration onto a different device:

1. Before taking the UCS to a different system, set the master key from a passphrase using the following command: tmsh modify sys crypto master-key prompt-for-password
2. On the system where the UCS will be restored, load the UCS. (Here, it fails to load because of encrypted attributes that cannot be decrypted.)
3. On the new system with the failed UCS load, set the master key using the previously specified passphrase by running the command: tmsh modify sys crypto master-key prompt-for-password
4. Load the configuration with the command: tmsh load sys config

The configuration loads and the encrypted attributes are accessible.
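The key hierarchy described under Conditions and the four steps above, as a conceptual model added here (not F5 code): it shows why a UCS fails on a second device and why setting the master key from the same passphrase on both sides makes the secure fields readable. The names Device, seal, unseal and migrate, the salt, the passphrase and the archive layout are hypothetical, and PBKDF2 plus the HMAC-based cipher are stand-ins for whatever Secure Vault actually uses.

```python
import hashlib, hmac, os

# Conceptual model: PBKDF2 and the HMAC cipher are stand-ins, not Secure Vault's algorithms.
def _stream(key, nonce, n):
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                             hashlib.sha256).digest() for i in range(n // 32 + 1))[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def seal(key, data):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("decryption failed: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Device:
    def __init__(self):
        self.unit_key = os.urandom(32)    # unique to each system, never exported
        self.master_key = os.urandom(32)  # random by default

    def set_master_key(self, passphrase):  # models master-key prompt-for-password
        self.master_key = hashlib.pbkdf2_hmac(
            "sha256", passphrase.encode(), b"constructed-salt", 100_000)

    def save_ucs(self, secret):
        return {"master": seal(self.unit_key, self.master_key),
                "field": seal(self.master_key, secret)}

    def load_ucs(self, ucs):
        try:  # only the originating unit key can unwrap the archived master key
            self.master_key = unseal(self.unit_key, ucs["master"])
        except ValueError:
            pass  # foreign archive: fall back to the local master key
        return unseal(self.master_key, ucs["field"])

def migrate(rekey_source, rekey_target, passphrase="constructed passphrase"):
    source, target = Device(), Device()
    if rekey_source: source.set_master_key(passphrase)   # step 1
    ucs = source.save_ucs(b"constructed-secret")
    if rekey_target: target.set_master_key(passphrase)   # step 3
    try:
        return target.load_ucs(ucs)                       # steps 2 and 4
    except ValueError:
        return None  # UCS load fails
```

Only migrate(True, True) recovers the secret; skipping the passphrase step on either device leaves the target with a master key that does not match the archive.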

Behavior Change
