Affected Product:
BIG-IP All, Install/Upgrade, TMOS
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 17.0.0, 17.0.0.1, 17.0.0.2
Opened: Sep 28, 2022
Severity: 1-Blocking
Symptoms
Loading configuration process fails after an upgrade from 15.1.8 or 15.1.8.1 to any release 16.0 or above.
The system posts errors similar to the following:
- crit tmsh[16188]: 01420001:2: Can't load keyword definition (vlan.dag_adjustment) : framework/SchemaCmd.cpp, line 825
- crit tmsh[25644]: 01420001:2: Can't load keyword definition (vlan.nti) : framework/SchemaCmd.cpp, line 825
- Can't find matched schema tag for association's attribute fw_zone_log_profile.pzname during loading cli version syntax: 15.1.8
- Can't find matched schema tag for association's attribute fw_protected_zone.pzname during loading cli version syntax: 15.1.8
- Unexpected Error: "Can't load keyword definition (vlan.dag_adjustment)"
- fatal: (Can't load keyword definition (vlan.nti)) (framework/SchemaCmd.cpp, line 825), exiting...
- emerg load_config_files[16186]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.8
- err mcpd[10702]: 01070422:3: Base configuration load failed.
Impact
After upgrade, config does not load. The system hangs at the base configuration load failure status. The system is inoperative.
Conditions
Upgrade from one of the following releases:
- v15.1.8 or later in the v15.1.x branch.
to any of the following releases:
- v16.0 through v16.1.3.3
- v17.0 through v17.0.0.2
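A pre-upgrade gate for the version ranges listed above, as an added example that is not part of the original bug report. The function names are hypothetical, the version strings are supplied by the caller, and it assumes GNU `sort -V` is available.

```shell
#!/usr/bin/env bash
# Added example (not F5 code): flag upgrade paths that match the Conditions above.

# ver_le A B: true when dotted version A <= B. Uses GNU sort -V so that
# 15.1.10 sorts after 15.1.8, which a plain string comparison gets wrong.
ver_le() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# source_affected VER: v15.1.8 or later, but only within the v15.1.x branch.
source_affected() {
    case "$1" in
        15.1.*) ver_le 15.1.8 "$1" ;;
        *) return 1 ;;
    esac
}

# target_affected VER: v16.0 through v16.1.3.3, or v17.0 through v17.0.0.2.
target_affected() {
    { ver_le 16.0 "$1" && ver_le "$1" 16.1.3.3; } ||
    { ver_le 17.0 "$1" && ver_le "$1" 17.0.0.2; }
}

# upgrade_path_affected SRC DST: prints a verdict, returns 0 when affected.
upgrade_path_affected() {
    if source_affected "$1" && target_affected "$2"; then
        echo "AFFECTED: $1 -> $2 (base configuration load failure expected)"
        return 0
    fi
    echo "not affected: $1 -> $2"
    return 1
}

# Stand-alone use: ./check_path.sh <running-version> <target-version>
if [ "$#" -eq 2 ]; then
    upgrade_path_affected "$1" "$2"
fi
```

Run it with the running and target versions before scheduling the upgrade; a zero exit status means the path matches the conditions in this report.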
Workaround
It is not possible to avoid running into a config load failure when attempting the upgrade or restoring a UCS archive from v15.1.8 or v15.1.8.1 on one of the listed versions. However, as long as the system is not using the ZBDDOS AFM functionality, it is possible to load the configuration after the upgrade via a manual workaround:
1. While the system is inoperative, log into the system as root or an administrative user and launch bash.
2. Copy and paste the following series of commands and run them in bash:
### BEGIN COMMANDS
(shopt -s nullglob; sed -E -i.workaround.bak -e '/dag-adjustment /d' /config/bigip_base.conf /config/partitions/*/bigip_base.conf)
sed -E -i -e '/^KEYWORD dag-adjustment/d' -e '/^KEYWORD nti/d' /var/libdata/tmsh/syntax/15.1.8*/auto_schema_data_net_cli.d
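for dir in /var/libdata/tmsh/syntax/15.1.8*; do
    # Move the security schema aside, then rebuild it without fw-protected-zone blocks.
    mv "$dir"/auto_schema_data_security_cli.dat{,.workaround.bak}
    awk '
        # Start skipping at a fw-protected-zone REF_CMD or CMD block.
        /^<REF_CMD fw-protected-zone / { refcmd=1; depth=1; next }
        /^<CMD fw-protected-zone/ { cmd=1; depth=1; next }
        # A nested ASSOCIATION opens one more level inside the skipped block.
        /^<ASSOCIATION.*fw-protected-zone/ { depth=depth+1; next }
        # A closing ">" ends one level; stop skipping when depth reaches zero.
        /^>/ {
            if (refcmd || cmd) {
                if (!--depth) {
                    refcmd = 0;
                    cmd = 0;
                }
                next;
            }
        }
        # Print every line that is not inside a skipped block.
        /.?/ {
            if (refcmd || cmd) next
            print
        }' < "$dir"/auto_schema_data_security_cli.dat.workaround.bak > "$dir"/auto_schema_data_security_cli.dat
    rm "$dir"/auto_schema_data_security_cli.dat.workaround.bak
done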
### END COMMANDS
3. Load the configuration again:
tmsh load sys config
4. If the config loads successfully, save it once:
tmsh save sys config
Fix information
None