Bug ID 811045

Bug Tracker
ID 811045

Bug ID 811045: Tmsh load sys config from-terminal merge: error for config embedded sub profile can have only a single object of any part enabled

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6

Opened: Jul 30, 2019

Severity: 4-Minor

Symptoms

When merging a network sub profile using 'tmsh load sys config from-terminal merge", tmsh reports a config error. 010715e4:3: Security log profile '/Common/logpartition01' can have only a single object of any part enabled. Unexpected Error: Loading configuration process failed.

Impact

New config is not applied. Error is posted.

Conditions

-- AFM is provisioned. -- Using TMSH terminal merge. -- Specifying an existing network log profile name that does not match the name in the configuration. Following is a detailed example: -- TMSH terminal merge works when you provide an existing name under network log profile. For example, if a BIG-IP has the following config in bigip.conf: "security log profile pf-log-01 { network { /Common/logpartition01 { <--- name contains /Common/ filter { log-acl-match-accept enabled } format { type user-defined user-defined "${date_time},${bigip_hostname},${management_ip_address},${src_ip},${src_port},${dest_ip},${dest_port},${translated_src_ip},${translated_dest_ip},${translated_src_port},${translated_dest_port},${date_time},,${protocol},${action}" } publisher lp-hsl-01 } } }" -- Terminal merge does not work, if you specify a different name under network when compared to name in the config. In this case, the name of the log profile under network stored for logpartition01 is '/Common/logpartition01'. When merging a config under network, the following config reports an error: "security log profile pf-log-01 { network { logpartition01 { <--- name is logpartition01, but not '/Common/logpartition01' filter { log-acl-match-accept enabled } format { type user-defined user-defined "${date_time},${bigip_hostname},${management_ip_address},${src_ip},${src_port},${dest_ip},${dest_port},${translated_src_ip},${translated_dest_ip},${translated_src_port},${translated_dest_port},${date_time},,${protocol},${action}" } publisher lp-hsl-01 } } }"

Workaround

While merging the config, specify the exact name of the profile that is already present in the config files. Note: The name of the sub-profile can be found in /config/bigip.conf file on the BIG-IP system.

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips