Bug ID 720001: Using custom default gateway in AWS makes instance metadata endpoint 169.254.169.254 inaccessible.

Last Modified: May 23, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 15.0.0

Opened: May 14, 2018
Severity: 3-Major
Related AskF5 Article:
K43503050

Symptoms

There are multiple symptoms that a BIG-IP system shows when affected by this issue: -- License fails on bootup with the following error : halGetDossier returned error (7): Dossier generation failed. -- Failover between BIG-IP instances fails abruptly with the following error: Unable to retrieve domain name from ec2 metadata.

Impact

- License inoperable after bootup. - Failover between BIG-IP systems does not complete successfully.

Conditions

-- Both the licensing and Failover/HA in AWS depends on access to the instance metadata provided by the EC2 cloud via the http endpoint at 169.254.169.254. -- The default gateway provided by AWS through DHCP ensures access to this metadata endpoint without any additional configuration. However, when using a custom default gateway, the access to the instance metadata endpoint might not work.

Workaround

Configure a route for 169.254.169.254/32 to get to the AWS subnet default gateway. And then run a startup script after mcpd is up to reload the license. The workaround has two parts. WORKAROUND: ---------- Before upgrade: Part 1: ------- On the BIG-IP system, create a management-route for the link-local destination 169.254.169.254. 1) Set db key to allow route for link-local address: tmsh modify sys db config.allow.rfc3927 value enable 2) Create management-route for 169.254.169.254/32 that points to the AWS-provided subnet default gateway: tmsh create sys management-route meta-endpoint network 169.254.169.254/32 gateway <AWS subnet GW IP> 3) Save the config: tmsh save sys config 4) Create a qkview: qkview -f /var/tmp/before_upgrade PART 2 ------- Workaround: ---------- Reload the license by running a script once the system is up. (This process is fully documented in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948.)

Fix Information

None

Behavior Change