Bug ID 547070: ASM configuration may be corrupted upon restart during upgrade

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP ASM, Install/Upgrade(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Sep 21, 2015
Severity: 3-Major

Symptoms

After upgrading you notice that there are no longer any signatures, even default signatures. ASM configuration may be corrupted upon restart during upgrade; however, BIGIP might be in Active state and there is no indication about the possibly corrupted ASM config.

Impact

ASM configuration may be corrupted upon restart during upgrade. BIG-IP might be in Active state and there is no indication about the possibly corrupted ASM config.

Conditions

This can happen if the BIG-IP is rebooted during upgrade to any version prior to 12.1.0

Workaround

Re-upgarding will fix the problem.

Fix Information

We added a visible warning, notifying the user of the potentially broken ASM configuration during an upgrade. The following persistent warning notification will appear in the Security GUI top bar (when the Security tab is available), in case an ASM upgrade was interrupted (ungracefully killed, say by a reboot): ------------------------------------ "An upgrade process was interrupted. It is very likely that ASM will start with a severe inconsistent internal state and critical errors."; ------------------------------------ The following persistent error message, will appear in '/avr/log/asm', each time when ASM is started after an ASM upgrade was interrupted (ungracefully killed, say by a reboot): ------------------------------------ "An upgrade process, executed by PID '<pid>', was interrupted on '<date>'. It is very likely that ASM will start with a severe inconsistent internal state and critical errors"; ------------------------------------ The GUI message overrides all other ASM messages; no other warnings or messages will be displayed in Security GUI top bar. However, the Security GUI will be available and functional, to the extent that it can function after an interrupted upgrade. To clear these messages, one needs to perform ONE of the following: -------------------- (1) tmsh load sys config default tmsh save sys config <...wait for the system to first get to the 'INOPERATIVE' state and then wait for the system to get to either 'REBOOT REQUIRED' or 'Active' state...> <...NO NEED TO REBOOT...> tmsh modify sys provision asm level nominal tmsh save sys config <...wait for the system to first get to the 'INOPERATIVE' state and then wait for the system to get to 'Active' state...> (2) tmsh load a (any) UCS file, that has ASM provisioned in it (3) re-upgrade --------------------

Behavior Change