Bug ID 605775: Config sync fails after creating local user matching previously logged in remote user

Last Modified: Mar 12, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
11.2.1, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Opened: Jul 19, 2016
Severity: 3-Major

Symptoms

After a remote user logs in to a BIG-IP system that is a member of an HA group, if a local user account is created with a name that matches the remote user, config sync fails attempting to sync the local user account to other devices in the HA group.

Impact

Unable to sync device groups.

Conditions

1. A remotely authenticated user logs in to a BIG-IP HA member. 2. An administrator user creates a local user account on the same BIG-IP HA member with a name that matches the previously logged-in remote user. This problem has been observed using TACACS remote authentication, but is expected to occur with other remote authentication methods as well.

Workaround

1. To avoid this error, create the local user on a different HA member, where the remote user has not previously logged in. 2. To recover from this error: (a) Delete the newly-created local user from the same HA member where it was created: tmsh del auth user <new-local-user-name> (b) Save current config: tmsh save sys config file <recovery-config-filename.scf> (c) Recover the device group sync status: tmsh run cm config-sync recover-sync (d) Restore the saved config: tmsh load sys config file <recovery-config-filename.scf>

Fix Information

None

Behavior Change