Bug ID 755475: Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync

Last Modified: Oct 29, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5

Fixed In:
15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5

Opened: Jan 14, 2019
Severity: 3-Major

Symptoms

After changing a field in the logon page agent and performing a config sync to another device, opening the logon agent in VPE on the sync target device produces an error. Although the problem is described here for the logon page agent, it applies to any agent that is tied to a customization group.

Impact

Config is not synced properly to another device in the device group.

Conditions

1. Form a failover device group with two devices.
2. On one device, create an access policy with a logon page agent. Initiate a config sync to sync the policy to the other devices. Verify that everything is correct on the target device (specifically: open VPE for the policy, confirm Logon Page is in the policy, click on the agent, and confirm the edit box appears without issue).
3. On the source device, launch VPE for the policy, click on the Logon Page agent, and make changes to the agent (e.g., choose 'password' type for field3). Save the change and perform a config sync again.
4. Go to the target device, open VPE for the policy, and click on Logon Page in the policy.

Workaround

- Workaround 1:
  Step 1. On Standby (where the problem happens): delete the policy in question.
  Step 2. On Active: modify the access policy and sync it.
  * Problem with this workaround: sometimes you cannot properly delete the access policy in question on the standby (because the customization is corrupted, deletion of some related config fails).
- Workaround 2:
  Step 1. On Standby (where the problem happens): try to open the access policy item using VPE. The error shows the exact location of the file that is missing, for example: "An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server... Dialogue loading has failed."
  Step 2. On Standby: copy the exact file from the active unit to the standby unit, then change the permissions of the file (ownership/group, permission flags) so that it looks similar to the file on the active unit.
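
For Workaround 2, one way to pull the file path out of the VPE error and confirm that the copy on the standby matches the active unit in mode, ownership and content. This is an added example, not F5 code; the function names are hypothetical, and it assumes GNU `stat -c` and `sha256sum` are available in the shell on both units.

```shell
#!/bin/bash
# Added example (not vendor code). Function names are hypothetical.
# Assumes GNU coreutils: stat -c and sha256sum.

# Error text as quoted in Workaround 2, Step 1 of this page.
SAMPLE_ERROR="An error 'customization::getMessages: Unable to get xml dom from /config/filestore/files_d/Common_d/customization_group_d/:Common:MyAccessPolicy_act_logon_page_ag_5678_4' has occured on server..."

# Print the file path named in a VPE "Unable to get xml dom from" error.
# Prints nothing if the text does not contain that message.
extract_missing_path() {
    printf '%s\n' "$1" |
        sed -n "s/.*Unable to get xml dom from \([^']*\)'.*/\1/p"
}

# Print "<mode> <owner>:<group> <sha256>" for a file: the attributes that
# Step 2 says to bring in line with the active unit, plus a content hash.
file_fingerprint() {
    local meta sum
    meta=$(stat -c '%a %U:%G' "$1") || return 1
    sum=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    printf '%s %s\n' "$meta" "$sum"
}

# Compare a fingerprint recorded on the active unit ($1) with the file on
# the standby ($2).
# Returns 0 on a full match, 1 on any difference, 2 if the file is missing.
matches_fingerprint() {
    local current
    current=$(file_fingerprint "$2" 2>/dev/null) || return 2
    [ "$current" = "$1" ]
}

# Typical use:
#   on the standby:  path=$(extract_missing_path "<error text from VPE>")
#   on the active:   file_fingerprint "$path"      # record the output
#   on the standby, after copying the file and fixing its permissions:
#                    matches_fingerprint "<recorded output>" "$path"
```

A mismatch after the copy usually means the ownership or mode was not carried over by the transfer, which is the part Step 2 asks you to correct by hand.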

Fix Information

After a user updates a logon page field in the logon agent editing dialog and performs a config sync, the target device receives the same configuration as the source device.

Behavior Change