Bug ID 997021: Upgrade may fail when using duplicate IP addresses in the Application DoS Allowlist

Last Modified: Jan 20, 2023


Affected Product:
BIG-IP ASM, Install/Upgrade(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 17.0.0, 17.0.0.1, 17.0.0.2

Opened: Feb 24, 2021
Severity: 3-Major

Symptoms

When performing a BIG-IP upgrade, the upgrade could fail if any of the DoS profiles include duplicate IP addresses in the allowlist (whitelist). When loading the upgraded configuration, an error such as this may appear:

01070734:3: Configuration error: DB validation exception, unique constraint violation on table (bot_defense_profile_whitelist) object ID (/Common/bot-defense-upgraded-from-whitelist_ip_upgraded_from_dos_12). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:bot_defense_profile_whitelist status:13)
Unexpected Error: Loading configuration process failed.

Impact

Upgrade failure.

Conditions

Duplicate IP addresses are configured in the allowlist (whitelist) of the DoS Application Profile.

Workaround

Edit the configuration of the device before the upgrade: remove all duplicates from the DoS profile, either in the GUI or TMSH, or by editing the bigip_base.conf file and loading the configuration.

Example of a configuration that includes duplicates, taken from bigip_base.conf:

    security firewall address-list allowlist1 {
        addresses {
            10.1.2.3/32 { }
            10.1.2.3%0/32 { }
        }
    }

In this case, remove the line with the %0, keeping only "10.1.2.3/32 { }". After loading the configuration, perform the upgrade again.
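
A pre-upgrade check for the duplicate pattern shown in the workaround, as an added example (not F5 code): it scans configuration text for "security firewall address-list" objects and reports entries that collide once the route-domain suffix is normalized. It assumes an entry without a %N suffix is in route domain 0 and an entry without a mask is a host address; the sample configuration is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the bigip_base.conf excerpt in the workaround.
SAMPLE_CONF = """\
security firewall address-list allowlist1 {
    addresses {
        10.1.2.3/32 { }
        10.1.2.3%0/32 { }
    }
}
security firewall address-list allowlist2 {
    addresses {
        192.0.2.10/32 { }
        192.0.2.10%5/32 { }
    }
}
"""
HEADER = ["security", "firewall", "address-list"]

def normalize(entry):
    """Key under which equivalent spellings of one address compare equal."""
    addr, _, mask = entry.partition("/")
    addr, _, rd = addr.partition("%")
    try:
        # Assumptions: no %N suffix means route domain 0; no mask means a host.
        return int(rd or 0), ipaddress.ip_interface(f"{addr}/{mask}" if mask else addr)
    except ValueError:
        return None, entry  # not a plain address or prefix: compare literally

def find_duplicates(conf_text):
    """Return {address-list name: [[colliding entries], ...]}."""
    tokens = conf_text.split()  # whitespace tokens, so one-line objects work too
    dups, name, section, depth, seen = {}, None, None, 0, {}
    for i, tok in enumerate(tokens):
        if depth == 0 and tokens[max(i - 3, 0):i] == HEADER:
            name, seen = tok, defaultdict(list)
        elif tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0 and name:  # address-list object closed
                dups[name] = [g for g in seen.values() if len(g) > 1]
                name = None
        elif name and depth == 1:
            section = tok  # last word before "{" names the block being entered
        elif name and depth == 2 and section == "addresses" and tokens[i + 1:i + 3] == ["{", "}"]:
            seen[normalize(tok)].append(tok)
    return {n: g for n, g in dups.items() if g}
```

Call find_duplicates() on the text of a copy of bigip_base.conf; an empty result means no address-list holds the same address in two spellings. Quoted strings that contain braces are not handled by this tokenizer.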

Fix Information

None

Behavior Change