F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

Snat translation address is still referenced by a snat pool #761

Closed c4lcifer closed 9 months ago

c4lcifer commented 9 months ago

Environment

Summary

After upgrading from 3.44.0 to LTS 3.46.1 we get an error when we try to post a declaration that worked fine before. We tested with 3.44 and 3.45, where it works. It broke with 3.46.1 (didn't test 3.46).

Steps To Reproduce

Steps to reproduce the behavior:

  1. Configure a SNAT Pool in the Common partition using the GUI ( not AS3 ) and put in one IP address ( I'm using 172.21.98.14 )

  2. First Test: Submit the following declaration:

    {
    "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
    "class": "AS3",
    "action": "deploy",
    "updateMode": "selective",
    "trace": true,
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "Common": {
            "class": "Tenant",
            "Shared": {
                "class": "Application",
                "template": "shared",
                "VA_1_1_1_1": {
                    "class": "Service_Address",
                    "virtualAddress": "1.1.1.1",
                    "trafficGroup": "/Common/traffic-group-1"
                }
            }
        }
    }
    }
  3. Observe the following error response:

    {
    "id": "3bd65833-cdce-4f6b-b212-ddeb0f273059",
    "results": [
        {
            "code": 200,
            "message": "success",
            "lineCount": 16,
            "host": "localhost",
            "tenant": "Common",
            "runTime": 2030
        },
        {
            "code": 422,
            "message": "declaration failed",
            "response": "01070321:3: Snat translation address /Common/172.21.98.14 is still referenced by a snat pool.",
            "host": "localhost",
            "tenant": "Common",
            "runTime": 2083
        }
    ],
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "controls": {
            "class": "Controls",
            "userAgent": "vscode-f5/3.14.0",
            "archiveTimestamp": "2023-09-18T18:15:06.720Z"
        },
        "updateMode": "selective"
    }
    }
  4. Delete SNAT Pool again

  5. Submit the following declaration ( same as step 2 ):

    {
    "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
    "class": "AS3",
    "action": "deploy",
    "updateMode": "selective",
    "trace": true,
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "Common": {
            "class": "Tenant",
            "Shared": {
                "class": "Application",
                "template": "shared",
                "VA_1_1_1_1": {
                    "class": "Service_Address",
                    "virtualAddress": "1.1.1.1",
                    "trafficGroup": "/Common/traffic-group-1"
                }
            }
        }
    }
    }
  6. Observe the following response:

    {
    "id": "88d40333-04c5-44ad-b11b-c540d56d745a",
    "results": [
        {
            "code": 200,
            "message": "no change",
            "host": "localhost",
            "tenant": "Common",
            "runTime": 1611
        },
        {
            "code": 200,
            "message": "no change",
            "host": "localhost",
            "tenant": "Common",
            "runTime": 1341
        }
    ],
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "Common": {
            "class": "Tenant",
            "Shared": {
                "class": "Application",
                "template": "shared",
                "VA_1_1_1_1": {
                    "class": "Service_Address",
                    "virtualAddress": "1.1.1.1",
                    "trafficGroup": "/Common/traffic-group-1"
                }
            }
        },
        "controls": {
            "class": "Controls",
            "userAgent": "vscode-f5/3.14.0",
            "archiveTimestamp": "2023-09-18T18:17:51.682Z"
        },
        "updateMode": "selective"
    }
    }
  7. Virtual address VA_1_1_1_1 is now available. Submit the following declaration:

    {
    "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
    "class": "AS3",
    "action": "deploy",
    "updateMode": "selective",
    "trace": true,
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "AS3_Prod": {
            "class": "Tenant",
            "test": {
                "class": "Application",
                "template": "generic",
                "test_80_vs": {
                    "class": "Service_HTTP",
                    "virtualAddresses": [
                        {
                            "use": "/Common/Shared/VA_1_1_1_1"
                        }
                    ],
                    "virtualPort": 80,
                    "profileTCP": {
                        "bigip": "/Common/f5-tcp-lan"
                    },
                    "iRules": [
                        {
                            "bigip": "/Common/_sys_https_redirect"
                        }
                    ]
                }
            }
        }
    }
    }
  8. Observe the following response:

    {
    "id": "f1319fed-8e5d-4bb1-b188-180c9cee5c19",
    "results": [
        {
            "code": 200,
            "message": "no change",
            "host": "localhost",
            "tenant": "Common",
            "runTime": 1685
        },
        {
            "code": 200,
            "message": "success",
            "lineCount": 21,
            "host": "localhost",
            "tenant": "AS3_Prod",
            "runTime": 742
        },
        {
            "code": 200,
            "message": "no change",
            "host": "localhost",
            "tenant": "Common",
            "runTime": 1446
        }
    ],
    "declaration": {
        "Common": {
            "class": "Tenant",
            "Shared": {
                "class": "Application",
                "template": "shared",
                "VA_1_1_1_1": {
                    "class": "Service_Address",
                    "virtualAddress": "1.1.1.1",
                    "trafficGroup": "/Common/traffic-group-1"
                }
            }
        },
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "AS3_Prod": {
            "class": "Tenant",
            "test": {
                "class": "Application",
                "template": "generic",
                "test_80_vs": {
                    "class": "Service_HTTP",
                    "virtualAddresses": [
                        {
                            "use": "/Common/Shared/VA_1_1_1_1"
                        }
                    ],
                    "virtualPort": 80,
                    "profileTCP": {
                        "bigip": "/Common/f5-tcp-lan"
                    },
                    "iRules": [
                        {
                            "bigip": "/Common/_sys_https_redirect"
                        }
                    ]
                }
            }
        },
        "controls": {
            "class": "Controls",
            "userAgent": "vscode-f5/3.14.0",
            "archiveTimestamp": "2023-09-18T18:21:03.632Z"
        },
        "updateMode": "selective"
    }
    }
  9. Create SNAT Pool again via GUI ( not AS3 )

  10. Submit the following declaration ( same as in step 6 ):

    {
    "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
    "class": "AS3",
    "action": "deploy",
    "updateMode": "selective",
    "trace": true,
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "AS3_Prod": {
            "class": "Tenant",
            "test": {
                "class": "Application",
                "template": "generic",
                "test_80_vs": {
                    "class": "Service_HTTP",
                    "virtualAddresses": [
                        {
                            "use": "/Common/Shared/VA_1_1_1_1"
                        }
                    ],
                    "virtualPort": 80,
                    "profileTCP": {
                        "bigip": "/Common/f5-tcp-lan"
                    },
                    "iRules": [
                        {
                            "bigip": "/Common/_sys_https_redirect"
                        }
                    ]
                }
            }
        }
    }
    }
  11. Observe the following error response:

    {
    "id": "d372c465-325a-4e7d-9654-656d061e3d57",
    "results": [
        {
            "code": 200,
            "message": "success",
            "lineCount": 16,
            "host": "localhost",
            "tenant": "Common",
            "runTime": 2491
        },
        {
            "code": 200,
            "message": "no change",
            "host": "localhost",
            "tenant": "AS3_Prod",
            "runTime": 394
        },
        {
            "code": 422,
            "message": "declaration failed",
            "response": "01070321:3: Snat translation address /Common/172.21.98.14 is still referenced by a snat pool.",
            "host": "localhost",
            "tenant": "Common",
            "runTime": 2449
        }
    ],
    "declaration": {
        "Common": {
            "class": "Tenant",
            "Shared": {
                "class": "Application",
                "template": "shared",
                "VA_1_1_1_1": {
                    "class": "Service_Address",
                    "virtualAddress": "1.1.1.1",
                    "trafficGroup": "/Common/traffic-group-1"
                }
            }
        },
        "AS3_Prod": {
            "class": "Tenant",
            "test": {
                "class": "Application",
                "template": "generic",
                "test_80_vs": {
                    "class": "Service_HTTP",
                    "virtualAddresses": [
                        {
                            "use": "/Common/Shared/VA_1_1_1_1"
                        }
                    ],
                    "virtualPort": 80,
                    "profileTCP": {
                        "bigip": "/Common/f5-tcp-lan"
                    },
                    "iRules": [
                        {
                            "bigip": "/Common/_sys_https_redirect"
                        }
                    ]
                }
            }
        },
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "controls": {
            "class": "Controls",
            "userAgent": "vscode-f5/3.14.0",
            "archiveTimestamp": "2023-09-18T18:23:48.354Z"
        },
        "updateMode": "selective"
    }
    }
  12. Don't use the Virtual address but define it directly:

    {
    "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
    "class": "AS3",
    "action": "deploy",
    "updateMode": "selective",
    "trace": true,
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "AS3_Prod": {
            "class": "Tenant",
            "test": {
                "class": "Application",
                "template": "generic",
                "test_80_vs": {
                    "class": "Service_HTTP",
                    "virtualAddresses": [
                        "1.1.1.2"
                    ],
                    "virtualPort": 80,
                    "profileTCP": {
                        "bigip": "/Common/f5-tcp-lan"
                    },
                    "iRules": [
                        {
                            "bigip": "/Common/_sys_https_redirect"
                        }
                    ]
                }
            }
        }
    }
    }
  13. Observe the following response

    {
    "id": "19d95d1f-8293-4471-883c-3c92ac0325c8",
    "results": [
        {
            "code": 200,
            "message": "success",
            "lineCount": 19,
            "host": "localhost",
            "tenant": "AS3_Prod",
            "runTime": 1236
        }
    ],
    "declaration": {
        "AS3_Prod": {
            "class": "Tenant",
            "test": {
                "class": "Application",
                "template": "generic",
                "test_80_vs": {
                    "class": "Service_HTTP",
                    "virtualAddresses": [
                        "1.1.1.2"
                    ],
                    "virtualPort": 80,
                    "profileTCP": {
                        "bigip": "/Common/f5-tcp-lan"
                    },
                    "iRules": [
                        {
                            "bigip": "/Common/_sys_https_redirect"
                        }
                    ]
                }
            }
        },
        "class": "ADC",
        "schemaVersion": "3.44.0",
        "id": "20230918T120916",
        "controls": {
            "class": "Controls",
            "userAgent": "vscode-f5/3.14.0",
            "archiveTimestamp": "2023-09-18T18:30:55.248Z"
        },
        "updateMode": "selective"
    }
    }

Expected Behavior

The declaration should work as it does in versions < 3.46.

Actual Behavior

Error gets thrown. As soon as you create the SNAT pool in Common, it breaks. You can't use shared addresses either, as this also breaks. We rolled it out on our production. All virtual servers went to unavailable after the declaration was sent. This had an impact on traffic! Retested it on the standby F5 with the same result!
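An added example, not part of the original issue and not AS3's own code: a small checker for the `results` array shown in steps 3 and 11, which fails closed when any per-tenant entry is outside 2xx so that a rollout can be gated on a standby unit first. The function names and the error-string pattern (taken from the `01070321:3:` string quoted above) are assumptions of this example.

```javascript
// Added example: summarize an AS3 response per tenant and fail closed on any error.
// Sample data is constructed from the step 11 response quoted in the issue
// (the echoed "declaration" member is left out).
const sampleResponse = {
  id: 'd372c465-325a-4e7d-9654-656d061e3d57',
  results: [
    { code: 200, message: 'success', lineCount: 16, host: 'localhost', tenant: 'Common', runTime: 2491 },
    { code: 200, message: 'no change', host: 'localhost', tenant: 'AS3_Prod', runTime: 394 },
    { code: 422, message: 'declaration failed',
      response: '01070321:3: Snat translation address /Common/172.21.98.14 is still referenced by a snat pool.',
      host: 'localhost', tenant: 'Common', runTime: 2449 }
  ]
};

// Split an "<8 hex digits>:<level>: <text>" error string, the shape seen in the
// issue's "response" field, into parts. Returns null when the text does not match.
function parseTmosError(text) {
  const m = /^([0-9a-fA-F]{8}):(\d+):\s*(.*)$/.exec(text || '');
  return m ? { id: m[1], level: Number(m[2]), text: m[3] } : null;
}

// A tenant can appear more than once in "results" (Common does above),
// so a tenant counts as failed if ANY of its entries is outside 2xx.
function summarizeAs3Response(body) {
  const tenants = new Map();
  for (const r of (body && Array.isArray(body.results)) ? body.results : []) {
    const name = r.tenant || '(none)';
    const entry = tenants.get(name) || { tenant: name, ok: true, passes: 0, errors: [] };
    entry.passes += 1;
    if (!(r.code >= 200 && r.code < 300)) {
      entry.ok = false;
      entry.errors.push({ code: r.code, message: r.message, tmos: parseTmosError(r.response) });
    }
    tenants.set(name, entry);
  }
  const list = [...tenants.values()];
  // An empty or missing results array is treated as a failure, not as success.
  return { ok: list.length > 0 && list.every((t) => t.ok), tenants: list };
}

const summary = summarizeAs3Response(sampleResponse);
for (const t of summary.tenants) {
  console.log(`${t.tenant}: ${t.ok ? 'ok' : 'FAILED'} (${t.passes} result entries)`);
  for (const e of t.errors) console.log(`  ${e.code} ${e.message}: ${e.tmos ? e.tmos.id : 'n/a'}`);
}
```

Checking only the first entry for a tenant would report Common as successful here, because its 200 entry precedes the 422 entry.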

sunitharonan commented 9 months ago

Hi @c4lcifer, this has been fixed in the current sprint. If you need an early build, please reach out to us at automation_toolchain_pm@f5.com. Thanks