Bug ID 514815: Configuration does not validate unused encrypted items.

Last Modified: Feb 13, 2019


Affected Product:
BIG-IP All (all modules)

Known Affected Versions:
11.4.0, 11.4.1

Opened: Mar 27, 2015
Severity: 3-Major
Related AskF5 Article:
K03773000

Symptoms

Configuration loads but cannot re-key. This is sometimes seen as a configuration that is successfully synced but a device that cannot join a trust group.

Impact

Unable to set device master key. In some cases this has no impact, but it prevents installing a UCS file containing an encrypted passphrase (as described in SOL9420, available here: https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9420.html), and is somewhat difficult to detect as no other operations fail.

Conditions

This occurs when the following conditions are met:
-- Configuration includes unused, encrypted items.
-- Host is not configured with the correct master key for those items.
-- Configuration is loaded under the wrong key.
-- An attempt is made to change the master key for any reason.

Workaround

Remove all encrypted items from the config. Re-sync the key either manually with f5mku or with device trust. Re-install the desired configuration.
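
To find the encrypted items before removing them, the following added example (not F5 code and not part of the original bug record) scans configuration text for encrypted attributes and flags objects that no other stanza references. It assumes master-key-encrypted values begin with `$M$`, that objects appear as top-level brace-delimited stanzas, and it treats "unused" as "name not mentioned in any other stanza"; the sample config and object names are constructed.

```python
import re

# Assumption: values encrypted under the master key start with "$M$".
ENC = re.compile(r"^\s+(\S+)\s+\$M\$\S+")
# Top-level stanza header at column 0: "<type words> <name> {"
HEAD = re.compile(r"^(\S.*?)\s+(\S+)\s+\{\s*$")

# Constructed sample config; names and ciphertext values are made up.
SAMPLE = """\
ltm profile client-ssl /Common/app_ssl {
    key /Common/app.key
    passphrase $M$Xx$Y29uc3RydWN0ZWQ=
}
ltm virtual /Common/app_vs {
    profiles {
        /Common/app_ssl { }
    }
}
ltm profile client-ssl /Common/old_ssl {
    key /Common/old.key
    passphrase $M$Zz$cGxhY2Vob2xkZXI=
}
"""

def split_stanzas(text):
    """Yield (type, name, body_lines) for each top-level stanza."""
    cur = None
    for line in text.splitlines():
        m = HEAD.match(line)
        if cur is None and m:
            cur = (m.group(1), m.group(2), [])
        elif cur is not None and line.startswith("}"):
            yield cur          # closing brace at column 0 ends the stanza
            cur = None
        elif cur is not None:
            cur[2].append(line)

def encrypted_items(text):
    """List objects holding encrypted attributes and whether anything references them."""
    stanzas = list(split_stanzas(text))
    report = []
    for i, (kind, name, body) in enumerate(stanzas):
        attrs = [m.group(1) for m in map(ENC.match, body) if m]
        if attrs:
            others = (l for j, (_, _, b) in enumerate(stanzas) if j != i for l in b)
            used = any(name in l.split() for l in others)
            report.append({"type": kind, "name": name, "attrs": attrs, "referenced": used})
    return report

if __name__ == "__main__":
    for item in encrypted_items(SAMPLE):
        print(item)
```

Objects reported with `referenced` set to false are the candidates for the "unused, encrypted items" named in the conditions; the workaround still calls for removing all encrypted items, so the full list is what gets cleared before the re-key.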

Fix Information

None

Behavior Change