Bug ID 582752: Macrocall could be topologically not connected with the rest of policy.

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2

Opened: Mar 23, 2016
Severity: 3-Major
Related AskF5 Article:
K16273300

Symptoms

It is possible to create macrocall access policy item that: 1. Belongs to policy items list. 2. Correctly connected to ending. 3. Have no incoming rules (i.e., no items pointing at it).

Impact

VPE fails to render this access policy.

Conditions

1. Create access policy with macrocall item in one of the branches. 2. Remove the item which refers to this macrocall item from AP As a result, macrocall item remains.

Workaround

Delete macrocall access policy item manually using tmsh commands.

Fix Information

Any modification of access policy is not allowed if it makes any access policy item non-referenced. At upgrade time, non-referenced access policy items are deleted. All subsequent access policy items are deleted as well. Resulting access policies can be rendered correctly by VPE. Note that only active configuration is corrected, saved configuration file (/config/bigip.conf) contains uncorrected version until any new configuration changes are done. Active configuration can be saved by explicit tmsh command ('tmsh save sys config partitions all").

Behavior Change