Bug ID 639619: UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Last Modified: Oct 17, 2023

Affected Product(s):
BIG-IP All, Install/Upgrade(all modules)

Known Affected Versions:
11.6.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 14.0.0, 14.0.1, 14.1.0

Fixed In:
15.0.0, 11.6.4

Opened: Jan 16, 2017

Severity: 3-Major


The following error is logged to /var/log/ltm when attempting to load a UCS: 'Symmetric Unit Key decrypt failure - decrypt failure'. The configuration then fails to load due to a secure attribute decryption failure.


The configuration fails to load.


1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature: https://support.f5.com/csp/article/K73034260.)
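
The following added example (not F5 code and not part of the original bug report) checks conditions 2 and 3 before a UCS load by comparing the '.unitkey' inside the archive with the one on the system. It assumes the UCS is a gzip-compressed tar archive whose member path ends in 'config/bigip/kstore/.unitkey'; the function name ucs_unitkey_status and its status strings are hypothetical.

```bash
#!/bin/bash
# Added example: pre-check for conditions 2 and 3 of Bug ID 639619.
# Assumption: a UCS is a gzip-compressed tar archive and stores the unit key
# under a member path ending in config/bigip/kstore/.unitkey.

# Usage: ucs_unitkey_status UCS_FILE [KSTORE_DIR]
# Prints one status word and returns:
#   0 match              unit key in the UCS equals the one on the system
#   1 mismatch           condition 3 holds; the UCS load may fail on decryption
#   2 no-unitkey-in-ucs  condition 2 does not hold
#   2 no-local-unitkey   nothing on the system to compare against
#   3 unreadable-ucs     archive could not be listed
ucs_unitkey_status() {
    local ucs="$1"
    local kstore="${2:-/config/bigip/kstore}"
    local list member

    # List the archive once so a corrupt file is told apart from a missing key.
    list=$(tar -tzf "$ucs" 2>/dev/null) || { echo unreadable-ucs; return 3; }

    # Accept the member with or without a leading "./".
    member=$(printf '%s\n' "$list" \
        | grep -E '(^|/)config/bigip/kstore/\.unitkey$' | head -n 1)
    [ -n "$member" ] || { echo no-unitkey-in-ucs; return 2; }
    [ -f "$kstore/.unitkey" ] || { echo no-local-unitkey; return 2; }

    # Stream the archived key to cmp so no extra copy of key material
    # is written to disk during the check.
    if tar -xzOf "$ucs" "$member" 2>/dev/null | cmp -s - "$kstore/.unitkey"; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Run directly: ./check_unitkey.sh /var/local/ucs/backup.ucs  (constructed path)
if [ "$#" -gt 0 ]; then
    ucs_unitkey_status "$@"
fi
```

A 'mismatch' result covers only conditions 2 and 3; whether the UCS contains secure attributes and whether the platform stores its unit key in an EEPROM still have to be established separately.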


Perform the following procedure:
1. Stop the system:
   # bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
   # rm -f /var/db/mcpd.bin
   # rm -f /var/db/mcpd.info
5. Restart the system and reload the configuration:
   # bigstart start
   # tmsh load sys config
   or
   # reboot

Fix Information

The system now always reloads the .unitkey from storage when loading other keys, so the UCS loads as expected.


