Bug ID 637811: Upgrade failure when Common Criteria Mode is enabled

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Jan 09, 2017

Severity: 3-Major


When the software is in "Common Criteria Mode", an upgrade via the Web UI is not possible, because the upgrade process automatically generates a UCS file, but Common Criteria requires that a password be supplied whenever a UCS is generated. The Web UI does not take this in to account, and never asks for a password for the UCS file.


Software cannot be updated using the Web UI. The install fails with no indication as to why.


Common criteria mode is enabled (i.e., the db variable security.commoncriteria is set to true).


To work around this issue, you can disable Common Criteria mode before upgrading. To do so, perform the following procedure: 1. Log in to the BIG-IP system as an administrator user. 2. Log in to the Traffic Management Shell (tmsh) by typing the following command: tmsh 3. Set the database variable to false by typing the following command: modify sys db security.commoncriteria value false 4. Perform the system upgrade. 5. To turn Common Criteria mode back on, set the security.commoncriteria database variable to true by typing the following command: modify sys db security.commoncriteria value true

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips