Dears,I’m trying to import a UCS file obtained from the existing device (i2800 v12.1.5.2) into the VE version V12.1.5.2, but it’s not going smoothly.The command I execute during import is:load sys ucs [i2800 UCS File] no-license platform-migrateUpon checking the log (/var/log/ltm), I found the following errors:[Errors]err mcpd[4653]: 0107178a:3: Modifying license.maxcores to a value other than 2 is not allowed.err loaddb[25057]: 01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 2 is not allowed.err 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failureerr mcpd[4653]: 0107102b:3: Master Key decrypt failure - decrypt failure - finalerr Decryption of the field (secret) for object (/Common/system_auth_name1) failed.err tmsh[25642]: 01420006:3: Loading configuration process failed.emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all platform-migrate" - failed. -- 01071769:3: Decryption of the field (secret) for object (/Common/system_auth_name1) failed. Unexpected Error: Loading configuration process failed.I only need to verify the configurations from the old model; it’s acceptable if maxcore decreases. My goal is to successfully complete the load sys command. Any support on how to address these errors would be greatly helpful.

igssv It looks like you did not migrate the master key from the old F5 to the new F5. This can be done easily if you have access to both devices. The following document has the steps which can be found if you search for "f5mku -K" when the page loads. https://my.f5.com/manage/s/article/K9420

igssv Migrating the master key will not cause any disruption on your existing F5. All you are doing for this is you are retreiving the master key value from the old F5s and then taking that key and configuring it on the new F5s. After that you should be able to import the configuration on the new F5s.

igssv The usernames and passwords should be the same as the old F5 device because everything is imported from the UCS into the new F5.

Hi igssv, Please collect master key from existing device first 1. on Existing Device - Go to bash shell > run command "f5mku -K" - Collect output 2. on New device - Go to bash shell > run command "f5mku -r <past output> - Save configuration "tmsh save sys config" - Load sys ucs again

igssv If you have access to the old F5s you can change the admin and root password, then create a UCS, and finally import that new UCS which should have the new usernames and passwords. Sadly, sometimes in order to get the job done correct you will have to ask for additional information. It's better to inconvenience them a small amount now then a large amount in the future.

UCS Import Errors on BIG-IP VE (12.1.5.2) from i2800 – Need Assistance

14 Replies

Paulius
MVP
Oct 04, 2023
igssv It looks like you did not migrate the master key from the old F5 to the new F5. This can be done easily if you have access to both devices. The following document has the steps which can be found if you search for "f5mku -K" when the page loads.

https://my.f5.com/manage/s/article/K9420
- igssv
  Cirrus
  Oct 04, 2023
  Thank you for your quick response! Since the old F5 is still in operation and we want to avoid elevating security risks for our clients, we would prefer not to migrate the master key. Is there a way to review the configurations without migrating the master key?
  - Paulius
    MVP
    Oct 04, 2023
    igssv Migrating the master key will not cause any disruption on your existing F5. All you are doing for this is you are retreiving the master key value from the old F5s and then taking that key and configuring it on the new F5s. After that you should be able to import the configuration on the new F5s.
T-Trust
Cirrostratus
Oct 05, 2023
Hi igssv,

Please collect master key from existing device first

1. on Existing Device

- Go to bash shell > run command "f5mku -K"

- Collect output

2. on New device

- Go to bash shell > run command "f5mku -r <past output>

- Save configuration "tmsh save sys config"

- Load sys ucs again
- igssv
  Cirrus
  Oct 08, 2023
  Hi, T-Trust
  I see, I should save sys config first. I tried it, and during the load, I received a message saying:
  Post-processing...
  usermod: no changes
  I thought it worked well, but it turns out the password has changed. Thank you for your advice!
  - igssv
    Cirrus
    Oct 08, 2023
    Hi, T-Trust,
    I would also like to extend my gratitude to you! As written in my response to Paulius, I was able to accomplish what I needed by tweaking the contents of the UCS! Thank you!
F5_Design_Engineer
MVP
Oct 09, 2023
Hi igssv,

You need to do this for platform migration , glad you are successful, you can refer this process for furure migrations:

modify sys crypto master-key prompt-for-password

https://my.f5.com/manage/s/article/K82540512

==================================

K82540512: Overview of the UCS archive 'platform-migrate' option

Published Date: Oct 1, 2018Updated Date: Jul 12, 2023

Topic

F5 added the "platform-migrate" option to the tmsh load sys ucs command. This option enables you to migrate configurations from older platforms to newer platforms using an existing user configuration set (UCS) file. The new platform can be a newer generation hardware device, an F5OS tenant, a Virtual Clustered Multiprocessing (vCMP) guest, or BIG-IP Virtual Edition (VE).

Description

Starting In BIG-IP12.1.3 and 13.1.0, F5 introduces the platform-migrate option to better facilitate cross-platform configuration migrations. In previous versions, you can create a UCS on one platform type and install it on another using the no-platform-check option. However, the no-platform-check option installs the base configuration, so it may not be optimal when installing to different platforms.

You can enable the platform-migrate option using the following TMOS Shell (tmsh) command syntax:

tmsh load sys ucs <filename> platform-migrate

The platform-migrate option causes the UCS loader to ignore some platform dependent configuration objects when installing the UCS configuration. For example, when you install a UCS file using the platform-migrate option, configuration objects related to the following items may not be installed from the UCS file:

Interfaces

Interface bundles

Management IP and route

Assignments to trunks and VLANs
For example, a trunk is loaded on the new platform but interfaces, interface bundles, and VLANs assigned to it previously are not loaded.
Note: When you install a UCS file using the platform-migrate option, the system saves a list of any configuration objects that it ignores or does not install to the /var/local/ucs/platform_migrate_ignored_objects file.

Limitations

When using the platform-migrate option, consider the following limitations:

The platform-migrate parameter does not work for migrating BIG-IP UCS files from BIG-IP 10.x. If you are migrating the BIG-IP system, you must start with a BIG-IP configuration from a BIG-IP 11.x installation.

After you load the UCS using the platform-migrate parameter, you may need to perform extra steps to get the device fully functional.
For example:

You may need to reassign your new interfaces to VLANs.

In a high-availability (HA) environment, you may need to synchronize the configuration (enter configsync).

You may need to rebuild your device group if your new device's management IP address is changing as part of the migration. You can specify the "keep-current-management-ip" option to the "load sys ucs" command to keep current Management IP when restore ucs archive. For more information, refer to K000132494: Overview of the UCS archive 'keep-current-management-ip' option.

If you use the platform-migrate parameter to bring up a new F5OS tenant or vCMP guest, you configure the VLANs from the host.

If the management IP address on the old platform used Dynamic Host Configuration Protocol (DHCP) relay, and you use the platform-migrate parameter, the management address of the new platform changes to use DHCP.
Recommended Action

Consider using the platform-migrate option if you are migrating from old or obsolete BIG-IP appliances to a newer platform family. F5 recommends that you use the platform-migrate option for:

BIG-IP Appliance-to-appliance migration

BIG-IP Appliance-to-vCMP guest migration

F5OS tenant-to-tenant migration

vCMP guest-to-guest migration
Procedures

To complete a platform migration using the platform-migrate option, perform the following procedures:

Saving UCS files on the device to be replaced

Loading UCS configurations on the new device

Resolving issues
Saving UCS files on the device to be replacedImportant: If your configuration contains DNSSEC keys and you are running BIG-IP version prior to 16.0.0, do not use tmsh modify sys crypto master-key. Use the workaround provided in ID 639606.

Log in to tmsh of the device you are replacing by entering the following command:
tmsh

Set the device master key and password by entering the following command (remember this password because you'll need to use the same password on the destination device):
modify sys crypto master-key prompt-for-password

Create the UCS file on the device to be replaced using the following command syntax:
save sys ucs <file name>

Copy the UCS file to an offline location.

On the device to be replaced, force it offline by entering the following command:
run sys failover offline

This ensures that the system moves the traffic to the other device before shutting it down.

Shut down the old device.
Loading UCS configurations on the new device

Important: Before you load the configuration on the new device, you must first license, provision, and manually configure the low-level configuration on the new system. Before installing the UCS configuration, use tmsh or the Configuration utility to configure the management IP address (unless you are using DHCP) and configure the interface settings required for your environment.

To load the UCS configuration onto the new device, perform the following procedure:

Copy the UCS file that you prepared on the old device, to the new device.
You can do this using the Configuration utility by going to System > Archives > Upload or by manually uploading the configuration to the /var/local/ucs directory on the new device.

Log in to tmsh by entering the following command:
tmsh

Set the master-key password on the new device by entering the following commands:
modify sys crypto master-key prompt-for-password
save sys config

Important: If you configured the management IP address of the new device to use a static IP address, and the old device used DHCP, the management IP address may change when you load the UCS using the platform-migrate option. Make sure you have appropriate console access available that does not require that you use the management IP address.

Load the UCS file from tmsh by entering the following command:
load /sys ucs <filename> no-license platform-migrate

If the platform-migrate command completes successfully, the system displays the following message:

Platform migrate loaded successfully. Saving configuration.

Confirm that the system is in the running state by entering the following command:
show sys mcp

The system displays the following message:

---------------------------------------------------------
Sys::mcpd State:
---------------------------------------------------------
Running Phase running
Last Configuration Load Status full-config-load-succeeded

Confirm the new device joined the trust group and is in Standby mode. If your management IP address changes, you must reconfigure the Failover Unicast address so that it matches the management IP address.

Bring the new device back online in the HA configuration by entering the following command:
run sys failover online

Resolving issues

While installing a UCS with the platform-migrate option greatly reduces the time it takes to migrate from an old or obsolete platform to a new one, installing a UCS with the platform-migrate option does not guarantee that the configuration will successfully load on the new system. You may encounter errors if you do not create the low-level configuration in advance. If you encounter an error, review the error message, make the appropriate changes, and then run the command again.

Warning: The system is not in a running state after it produces an error, and the system will not save the configuration changes.

If the platform-migrate command fails, Master Control Program (MCP) is placed in a non-running state; enter the following command to check the MCP state:

tmsh show sys mcp

This command indicates that the running phase is called platform and the load status is high-config-load-failed.

Example output:

[root@bigip1:Active:Standalone] shared # tmsh show sys mcp
---------------------------------------------------------
Sys::mcpd State:
---------------------------------------------------------
Running Phase platform
Last Configuration Load Status high-config-load-failed

Therefore, the command tmsh save sys config fails to save the configuration and generates an error message. As you add the required low-level configuration objects, note that until the platform-migrate command succeeds, you can change the configuration, but you cannot save it.

Related Content

K14906: Overview of the UCS no-platform-check tmsh option

K4423: Overview of UCS archives

K15496: Migrating new BIG-IP platforms to an existing device group

K13408: Overview of single configuration files (11.x - 14.x)

K9420: Installing UCS files containing encrypted passwords or passphrases (11.5.x and later)

Welcome to the F5 BIG-IP Migration Assistant on DevCentral

K000132494: Overview of the UCS archive 'keep-current-management-ip' option
HTH

F5 Design Engineer

🙏
igssv
Cirrus
Oct 16, 2023
Hi F5_Design_Engineer,
Thank you so much for the comprehensive explanation regarding the ”platform_migrate" option! Your insights were super helpful. For this particular instance, our primary goal was simply to deploy the current device UCS to the Virtual Edition and validate the settings, so it looks like we can afford to overlook any potential issues. I might reach out again for advice if we run into any hurdles down the road—hope that’s okay!
Thanks again and have a great day!

Forum Discussion

UCS Import Errors on BIG-IP VE (12.1.5.2) from i2800 – Need Assistance

14 Replies

K82540512: Overview of the UCS archive 'platform-migrate' option

Related Content

Recent Discussions

Issue with Capturing SYN-ACK Packets on F5 BigIP Virtual Server

/var directory Filling up

Cannot turn off strict updates

SMTPS relay to external MS 365

f5 LTM, Time out issue.

Related Content

Re: Welcome to the F5 BIG-IP Migration Assistant

iRule interpretation assistance

iRule to assist with CVE-2022-22965 mitigation

import f5!

Security for IoT Devices and Why It’s Important