Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IQ ADC
Known Affected Versions:
7.0.0, 7.0.0.1, 7.0.0.2, 7.1.0.1, 7.1.0.2, 7.1.0.3, 7.1.6, 7.1.6.1, 7.1.7, 7.1.7.1, 7.1.7.2, 7.1.8, 7.1.8.1, 7.1.8.2, 7.1.8.3, 7.1.8.4, 7.1.8.5, 7.1.9, 7.1.9.7, 7.1.9.8, 7.1.9.9
Opened: Nov 28, 2020 Severity: 3-Major
Full deployment of BIG-IQ fails when attempting to delete the profile "/Common/shape-api-ssl". Starting on BIG-IP v15.1.1, F5 introduced a new system server-ssl profile named "/Common/shape-api-ssl". System profiles can be modified, but can't be deleted. BIG-IQ does not recognize this new profile, and tries to delete it when you try to launch a full deployment with the "Remove Unused Options" enabled.
Deployment fails with error: "Transaction <transaction number> on BIG-IP <BIG-IP discovery IP> failed after 1 seconds: 01070295:3: Default system profile (/Common/shape-api-ssl) cannot be deleted."
BIG-IP >= v15.1.1* BIG-IP >= v16.1.0* BIG-IQ <= 7.1.0.2 * The new profile is not included in BIG-IP v16.0
There are two options to work around this problem: 1- Select the "Keep Unused Objects" option when creating an evaluation 2- Use pinning policies to attach the profile to BIG-IP where it exists. Pinned profiles are not removed, even if they're not in use. The second option can be automated by running the following script on the BIG-IQ CM. #------------ cut here ------------------# #!/bin/bash # Script to identify all devices running v15.1.1 and pin the newly included shape-api-ssl system profile. shapeUUID=$( restcurl /cm/adc-core/working-config/ltm/profile/server-ssl/ | jq '.items[]|{id,name}' -c | grep shape-api-ssl | jq .id -r ) echo eyJpZCI6ICJVVUlEIiwia2luZCI6ICJjbTphZGMtY29yZTp3b3JraW5nLWNvbmZpZzpsdG06cHJvZmlsZTpzZXJ2ZXItc3NsOmFkY3Byb2ZpbGVzZXJ2ZXJzc2xzdGF0ZSIsImxpbmsiOiJodHRwczovL2xvY2FsaG9zdC9tZ210L2NtL2FkYy1jb3JlL3dvcmtpbmctY29uZmlnL2x0bS9wcm9maWxlL3NlcnZlci1zc2wvVVVJRCIsIm5hbWUiOiAic2hhcGUtYXBpLXNzbCIsInRhZ3MiOiBbInVzZXIiXSwicGFydGl0aW9uIjogIkNvbW1vbiJ9Cg== | base64 -d | jq . | sed -e "s/UUID/$shapeUUID/g" > f5debug-shape-prof.json echo "Including the following profile:" cat f5debug-shape-prof.json restcurl /cm/adc-core/working-config/root-node/ | jq '.items[]|{id,dev:.deviceReference.id}' -c > f5debug-all-root.json restcurl /cm/system/machineid-resolver/ | jq '.items[]|{hostname,uuid,version}' -c | grep -e "15.1.1" | while read BIG-IP ; do echo "Working on: $( echo $bip | jq .hostname)" node=$(cat f5debug-all-root.json | grep $(echo $bip | jq .uuid -r) | jq .id -r) if [ -z "$node" ] ; then echo "Can't find root node, skipping" continue fi echo "root-node is: $node" curl -su admin: "localhost:8100/cm/adc-core/working-config/root-node/$node" | jq ".|del(.generation,.lastUpdateMicros,.profileServerSslReferences)" > f5debug-base curl -su admin: "localhost:8100/cm/adc-core/working-config/root-node/$node" | jq ".|{profileServerSslReferences:.profileServerSslReferences}" | jq ".profileServerSslReferences[.profileServerSslReferences|length] |= . + $(cat f5debug-shape-prof.json)" > plus-shape.json cat f5debug-base | jq ".|= . + $(cat plus-shape.json)" > final-plus-shape.json curl -su admin: "localhost:8100/cm/adc-core/working-config/root-node/$node" -X PATCH -d @final-plus-shape.json -so /dev/null echo "result:" curl -su admin: "localhost:8100/cm/adc-core/working-config/root-node/$node" | jq '.profileServerSslReferences[]|{name}' -c done echo "Removing temp files" \rm f5debug-shape-prof.json f5debug-base final-plus-shape.json f5debug-all-root.json #---------------- cut here ------------------#
None