Bug ID 864369: Upgrading from versions 11.5.x or 11.6.x to 13.1.0 or later breaks trust with BIG-IQ

Last Modified: Mar 17, 2021

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Opened: Dec 21, 2019
Severity: 3-Major

Symptoms

When a BIG-IP system running version 11.5.x or 11.6.x and managed by BIG-IQ is upgraded to 13.1.0 or later, BIG-IQ can no longer manage the device (including re-discovery) and reports the error: "Error getting resource provisioning from /mgmt/tm/sys/provision on x.y (n.n.n.n), Authorization failure - you may need to remove the device from BIG-IQ and add it again to reestablish trust."

Impact

The device is no longer manageable by BIG-IQ.

The underlying mechanism is as follows. When establishing trust with a BIG-IQ device, the BIG-IP system keeps a record of that establishment in its REST storage. Upon upgrade from 11.5.x to a higher version, the BIG-IP system does not preserve that record; preserving it became part of the upgrade process for 12.0.0 and later. At version 13.1.0, BIG-IP configurations began stricter enforcement of preauthorized devices, as a purposeful security measure. Information vital to the 13.1.x authorization requirements is therefore no longer present on BIG-IP devices that were added to BIG-IQ while at 11.5.x and subsequently upgraded. The end result is that a BIG-IQ device managing a 13.1.x device for which trust was established at version 11.5.x is unable to fully validate the trust credentials.

Conditions

-- Adding a BIG-IP system running software versions 11.5.x or 11.6.x to BIG-IQ and upgrading the device to 13.1.0 or later.

Note: This issue occurs only on BIG-IP devices running software versions 11.5.x, regardless of BIG-IQ version. BIG-IP devices running versions 12.0.0 or higher are not expected to lose trust on upgrade to 13.1.x.

Workaround

The workaround for this issue is to preemptively remove and re-add a problematic BIG-IP device while it is at version 12.x or 13.0.x, prior to the upgrade to version 13.1.x or later. The method for reestablishing trust after upgrade is to remove the device from BIG-IQ and then add it back. In this case, the entire BIG-IP configuration, including all the previously deployed apps, is preserved on upgrade. Once the device is re-added/rediscovered, the BIG-IQ will import its configuration, including the apps.
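
The following pre-upgrade check is an added example, not F5 code: it applies the conditions and workaround above to an operator-maintained inventory and reports which devices need trust re-established, and when. The inventory fields (`host`, `trust_established_at`, `current`, `target`) and the action labels are assumptions; this record does not describe a way to query the version at which trust was established.

```python
import re

AFFECTED_BRANCHES = {(11, 5), (11, 6)}  # trust record not carried across upgrade
STRICT_FROM = (13, 1, 0)                # stricter preauthorized-device enforcement
PRESERVED_FROM = (12, 0, 0)             # upgrades keep the trust record from here on

def parse_version(text):
    """'11.5.1 HF10' -> (11, 5, 1); hotfix and fourth-level suffixes are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0])[:3])

def assess(device):
    """Return the action this bug record implies for one inventory entry."""
    trust = parse_version(device["trust_established_at"])
    current = parse_version(device["current"])
    target = parse_version(device["target"])
    if trust[:2] not in AFFECTED_BRANCHES:
        return "no-action"                # trust established at 12.0.0 or later
    if current >= STRICT_FROM:
        return "remove-and-re-add-now"    # already upgraded; trust is broken
    if target < STRICT_FROM:
        return "at-risk-later"            # breaks only once 13.1.0+ is reached
    if current >= PRESERVED_FROM:
        return "re-add-before-upgrade"    # device is at 12.x or 13.0.x
    return "re-add-after-upgrade"         # still on 11.x, going to 13.1.0+

# Constructed sample inventory; hostnames and versions are illustrative only.
INVENTORY = [
    {"host": "bigip-a.example", "trust_established_at": "11.5.4 HF2",
     "current": "12.1.2", "target": "13.1.0"},
    {"host": "bigip-b.example", "trust_established_at": "11.6.1",
     "current": "11.6.1", "target": "14.1.0"},
    {"host": "bigip-c.example", "trust_established_at": "11.5.3",
     "current": "13.1.1", "target": "13.1.1"},
    {"host": "bigip-d.example", "trust_established_at": "12.1.0",
     "current": "12.1.0", "target": "13.1.0"},
]

def plan(inventory=INVENTORY):
    """Map each host to its recommended action."""
    return {d["host"]: assess(d) for d in inventory}

if __name__ == "__main__":
    for host, action in plan().items():
        print(f"{host}: {action}")
```

After a device is removed and re-added, update its `trust_established_at` entry to the version it was running at that time so later runs stop flagging it.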

Fix Information

None

Behavior Change