F5Networks / f5-declarative-onboarding

F5 BIG-IP Declarative Onboarding
Apache License 2.0

DO Deployment results in a 200 Success, however Trust does not work. #356

Open Lsmitherman opened 1 year ago

Lsmitherman commented 1 year ago

Environment

Summary

We deploy our F5 JSON scripts by using Ansible AAP, which picks up the relevant file and applies the configuration to the F5. The configuration file configures pretty much everything on the F5 for us (VLANs, IP addressing, DNS). However, the trust element does not seem to take. It will not form a trust between the two F5s. The deployment comes back as 200 successful. No errors in the restjavad and restnoded logs or the basic F5 logs. A case was raised with F5 and this was all reviewed; they could not fix it and suggested I log a case in GitHub!

Interestingly, if I use the GUI or Postman just for the Trust element, it works.

Steps To Reproduce

I default the F5 configuration so only the licence and management IP remains.

  1. Submit the following declaration:

The Ansible task which deploys the code to the F5 is

The JSON file I use for this F5 is below.

{
  "schemaVersion": "1.38.0",
  "class": "Device",
  "async": true,
  "label": "XXXXXXXXX",
  "Common": {
    "class": "Tenant",
    "mySystem": { "class": "System", "hostname": "XXXXXXXX", "cliInactivityTimeout": {{ syscliInactivityTimeout }}, "consoleInactivityTimeout": {{ sysconsoleInactivityTimeout }}, "autoPhonehome": {{ sysautoPhonehome }}, "guiSecurityBanner": {{ sysguiSecurityBanner }}, "guiSecurityBannerText": "{{ sysguiSecurityBannerText }}" },
    "default": { "class": "ManagementRoute", "gw": "XXXXXX", "network": "default" },
    "DNS1": { "class": "ManagementRoute", "gw": "XXXX", "network": "XXXX" },
    "DNS2": { "class": "ManagementRoute", "gw": "XXXX", "network": "XXXX" },
    "DNS3": { "class": "ManagementRoute", "gw": "XXXX", "network": "XXXX" },
    "DNS4": { "class": "ManagementRoute", "gw": "XXXX", "network": "XXXX" },
    "NTP1": { "class": "ManagementRoute", "gw": "XXXX", "network": "XXXX" },
    "NTP2": { "class": "ManagementRoute", "gw": "XXXX", "network": "XX" },
    "NTP3": { "class": "ManagementRoute", "gw": "XXX", "network": "XXXX" },
    "TACACS1": { "class": "ManagementRoute", "gw": "XXXX", "network": "XXXX" },
    "TACACS2": { "class": "ManagementRoute", "gw": "XXXX", "network": "XXXX" },
    "myDns": { "class": "DNS", "nameServers": {{ dns }}, "search": {{ dnssearch }} },
    "myNtp": { "class": "NTP", "servers": {{ ntp }}, "timezone": "Australia/XXXX" },
    "sshSettings": { "class": "SSHD", "allow": {{ ssh_httpd }}, "banner": "{{ sshbannertext }}", "inactivityTimeout": {{ sshinactivityTimeout }}, "ciphers": {{ sshciphers }}, "loginGraceTime": 100, "MACS": {{ sshmacs }}, "maxAuthTries": {{ sshmaxAuthTries }}, "maxStartups": {{ sshmaxStartups }}, "protocol": {{ sshprotocol }} },
    "httpdSettings": { "class": "HTTPD", "allow": {{ ssh_httpd }}, "authPamIdleTimeout": {{ httpdauthPamIdleTimeout }}, "maxClients": {{ httpdmaxClients }}, "sslCiphersuite": {{ httpdsslCiphersuite }}, "sslProtocol": "{{ httpdsslProtocol }}" },
    "myAuth": {
      "class": "Authentication",
      "enabledSourceType": "tacacs",
      "fallback": {{ authfallback }},
      "remoteUsersDefaults": { "partitionAccess": "{{ authpartitionAccess }}", "terminalAccess": "{{ authterminalAccess }}", "role": "{{ authrole }}" },
      "tacacs": { "accounting": "{{ tacacsaccounting }}", "authentication": "{{ tacacsauthentication }}", "debug": {{ tacacsdebug }}, "encryption": {{ tacacsencryption }}, "protocol": "ip", "secret": "{{ tacacssecret }}", "servers": {{ tacacsservers }}, "service": "ppp" }
    },
    "appEd": { "class": "RemoteAuthRole", "attribute": "XXXXX", "console": "tmsh", "lineOrder": 6, "role": "application-editor", "remoteAccess": true, "userPartition": "all" },
    "f5adm_group": { "class": "RemoteAuthRole", "attribute": "XXXX", "console": "tmsh", "lineOrder": 1, "role": "admin", "remoteAccess": true, "userPartition": "all" },
    "f5man_group": { "class": "RemoteAuthRole", "attribute": "XXXXX", "console": "tmsh", "lineOrder": 4, "role": "manager", "remoteAccess": true, "userPartition": "all" },
    "f5ops_group": { "class": "RemoteAuthRole", "attribute": "XXXX", "console": "tmsh", "lineOrder": 2, "role": "operator", "remoteAccess": true, "userPartition": "all" },
    "XXXX": { "class": "VLAN", "tag": 1415, "mtu": 1500, "interfaces": [ { "name": "1.1", "tagged": true } ], "cmpHash": "default" },
    "V1415-Static": { "class": "SelfIp", "address": "XXXX", "vlan": "XXXX", "allowService": "none", "trafficGroup": "traffic-group-local-only" },
    "V1415-Floating": { "class": "SelfIp", "address": "XXXX", "vlan": "XXXX", "allowService": "none", "trafficGroup": "traffic-group-1" },
    "V1416-X": { "class": "VLAN", "tag": 1416, "mtu": 1500, "interfaces": [ { "name": "1.2", "tagged": true } ], "cmpHash": "default" },
    "V1416-Static": { "class": "SelfIp", "address": "XXXX", "vlan": "XXXX", "allowService": "default", "trafficGroup": "traffic-group-local-only" },
    "V1416-Floating": { "class": "SelfIp", "address": "XXXX", "vlan": "XXXX", "allowService": "default", "trafficGroup": "traffic-group-1" },
    "HA-Only": { "class": "VLAN", "tag": 1418, "mtu": 1500, "interfaces": [ { "name": "1.3", "tagged": false } ], "cmpHash": "default" },
    "V1418-Static": { "class": "SelfIp", "address": "XXXX", "vlan": "HA-Only", "allowService": "default", "trafficGroup": "traffic-group-local-only" },
    "external_default_gateway": { "class": "Route", "gw": "XXXX2", "mtu": 1500 },
    "mySnmpAgent": { "class": "SnmpAgent", "contact": "{{ snmpcontact }}", "location": "{{ snmplocation }}", "allowList": {{ snmpallowList }} },
    "Reipyul6": { "class": "SnmpCommunity", "source": "XXXX" },
    "geccyo258": { "class": "SnmpCommunity" },
    "Syslog1": { "class": "SyslogRemoteServer", "host": "XXXX", "remotePort": XXX },
    "Syslog2": { "class": "SyslogRemoteServer", "host": "XXXX", "remotePort": XXXX },
    "Syslog3": { "class": "SyslogRemoteServer", "host": "XXXX", "remotePort": XXXX },
    "dbvars": { "class": "DbVariables", "ui.advisory.enabled": {{ dbuiadvisoryenabled }}, "ui.advisory.color": "{{ dbuiadvisorycolor }}", "ui.advisory.text": "XXXXXX" },
    "deviceCertificate": { "class": "DeviceCertificate", "certificate": { "base64": "{{ public_key }}" }, "privateKey": { "base64": "{{ private_key }}" } },
    "Provision": { "class": "Provision", "ltm": "nominal" },
    "XXXX": { "source": "XXX", "class": "SnmpCommunity", "name": "XXXX", "access": "ro" },
    "XXXX": { "class": "SnmpCommunity", "name": "XXXX", "access": "ro" },
    "admin": { "class": "User", "shell": "none", "userType": "regular", "partitionAccess": { "all-partitions": { "role": "admin" } } },
    "trust": { "class": "DeviceTrust", "localUsername": "XXX", "localPassword": "XXX", "remoteHost": "Partner F5 MGMT IP", "remoteUsername": "XXX", "remotePassword": "XXX" },
    "configsync": { "class": "ConfigSync", "configsyncIp": "XXX" },
    "failoverUnicast": { "class": "FailoverUnicast", "addressPorts": [ { "address": "XXX", "port": XXX }, { "address": "XXX", "port": XXX } ] },
    "Failover_Sync_Group": { "class": "DeviceGroup", "type": "sync-failover", "members": [ "xxx", "xxx" ], "owner": "/Common/Failover_Sync_Group/members/0", "autoSync": true, "saveOnAutoSync": false, "networkFailover": true, "fullLoadOnSync": false, "asmSync": false },
    "myMirror": { "class": "MirrorIp", "primaryIp": "XXX8", "secondaryIp": "any6" }
  }
}

RESULT "Message: success", "Class: Result", "Code: 200", "Status: OK", "Errors: ", "Notes: []"

To clarify, the above works perfectly, apart from the Trust not forming. I get a 200 Success back.

If I run the same again I get the exact same result.

If I then use postman to post the following...

URL : https://XXX/mgmt/shared/declarative-onboarding

{
  "schemaVersion": "1.38.0",
  "class": "Device",
  "async": true,
  "label": "XXXX",
  "Common": {
    "class": "Tenant",
    "trust": { "class": "DeviceTrust", "localUsername": "admin", "localPassword": "XXX", "remoteHost": "Partner F5 MGMT IP", "remoteUsername": "admin", "remotePassword": "XXXXX" }
  }
}

I get the following... and the trust forms ok.

"result": {
  "class": "Result",
  "code": 200,
  "status": "OK",
  "message": "success",
  "warnings": []
}

In the interest of making things easier, I have removed all variables from the trust class elements, such as the local and remote credentials, as well as the host, using the IP address instead. That way the Ansible and Postman config is exactly the same.

Expected Behavior

The trust should form between the two F5s. I get a 200 Success but no trust.

Actual Behavior

The trust does not form using Ansible. I get a 200 Success.
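The report above turns on one point: the DO result ("code": 200, "status": "OK") only says DO finished its run, it does not prove the partner joined the trust domain. The script below is an added example for this page, not code from the issue or from f5-declarative-onboarding. It reads the DO task result and then reads the trust back from the BIG-IP over iControl REST, so a pipeline fails when DO reports success but the trust domain is still standalone. The REST paths /mgmt/tm/cm/trust-domain/~Common~Root and /mgmt/tm/cm/device and the property names caDevices, status, managementIp and selfDevice are my assumptions, taken from the tmsh objects cm trust-domain and cm device; the hostnames, 192.0.2.x addresses and all sample responses are constructed, not captured from a real device.

```python
"""Verify that a DO declaration actually established device trust.

Added example (not from the issue or the DO project). REST paths and
property names below are assumptions based on `tmsh list cm trust-domain`
and `tmsh list cm device`; confirm them against your BIG-IP version.
"""
import base64
import json
import ssl
import urllib.request

DO_TASK_PATH = "/mgmt/shared/declarative-onboarding/task/{task_id}"
TRUST_DOMAIN_PATH = "/mgmt/tm/cm/trust-domain/~Common~Root"  # assumed REST path
CM_DEVICE_PATH = "/mgmt/tm/cm/device"                        # assumed REST path


def make_fetcher(host, user, password, verify_tls=True):
    """Return fetch(path) -> parsed JSON over HTTPS with basic auth.

    Leave verify_tls=True; if the BIG-IP still has its self-signed
    management certificate, import or pin it rather than disabling
    verification in anything that runs unattended.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(path):
        req = urllib.request.Request(
            f"https://{host}{path}", headers={"Authorization": f"Basic {token}"}
        )
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    return fetch


def do_task_ok(task):
    """True when the DO task result is the 200/OK the issue reports."""
    result = task.get("result", {})
    return result.get("code") == 200 and result.get("status") == "OK"


def trusted_devices(trust_domain):
    """Device names listed as CA devices in the Root trust domain."""
    return [d.rsplit("/", 1)[-1] for d in trust_domain.get("caDevices", [])]


def partner_present(devices, partner_mgmt_ip):
    """True if cm/device lists a non-self device with the partner's mgmt IP."""
    return any(
        d.get("managementIp") == partner_mgmt_ip
        and str(d.get("selfDevice")).lower() != "true"
        for d in devices.get("items", [])
    )


def verify_trust(fetch, task_id, partner_mgmt_ip):
    """Return (ok, reason). ok only when DO succeeded AND the partner is in
    the trust domain; a 200 from DO on its own never satisfies the check."""
    task = fetch(DO_TASK_PATH.format(task_id=task_id))
    if not do_task_ok(task):
        return False, f"DO task not OK: {json.dumps(task.get('result'))}"
    trust = fetch(TRUST_DOMAIN_PATH)
    members = trusted_devices(trust)
    if trust.get("status") == "standalone" or len(members) < 2:
        return False, f"DO returned 200 but trust domain is {trust.get('status')} with {members}"
    if not partner_present(fetch(CM_DEVICE_PATH), partner_mgmt_ip):
        return False, f"partner {partner_mgmt_ip} not in cm/device"
    return True, f"trust formed: {members}"


# Constructed sample responses (not captured from a real BIG-IP) reproducing
# the two outcomes in the issue: DO says 200 but no trust, and the run where
# the trust forms.
TASK_OK = {"result": {"class": "Result", "code": 200, "status": "OK", "message": "success"}}
NO_TRUST = {
    TRUST_DOMAIN_PATH: {"name": "Root", "status": "standalone",
                        "caDevices": ["/Common/bigip-a.example.net"]},
    CM_DEVICE_PATH: {"items": [{"name": "bigip-a.example.net",
                                "managementIp": "192.0.2.11", "selfDevice": "true"}]},
}
WITH_TRUST = {
    TRUST_DOMAIN_PATH: {"name": "Root", "status": "certificate-authority",
                        "caDevices": ["/Common/bigip-a.example.net", "/Common/bigip-b.example.net"]},
    CM_DEVICE_PATH: {"items": [
        {"name": "bigip-a.example.net", "managementIp": "192.0.2.11", "selfDevice": "true"},
        {"name": "bigip-b.example.net", "managementIp": "192.0.2.12", "selfDevice": "false"},
    ]},
}


def offline_fetcher(responses, task_id="1"):
    """Stand-in for make_fetcher() that serves the constructed responses."""
    table = dict(responses)
    table[DO_TASK_PATH.format(task_id=task_id)] = TASK_OK
    return lambda path: table[path]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 6:  # host user password task_id partner_mgmt_ip
        host, user, pw, task_id, partner = sys.argv[1:]
        fetch = make_fetcher(host, user, pw)
    else:                   # no arguments: replay the issue's failure case offline
        fetch, task_id, partner = offline_fetcher(NO_TRUST), "1", "192.0.2.12"
    ok, reason = verify_trust(fetch, task_id, partner)
    print("OK" if ok else "FAIL", reason)
    sys.exit(0 if ok else 1)
```

Run it after the Ansible task with the task id DO returned for the async POST; the non-zero exit on "DO returned 200 but trust domain is standalone" is what the playbook should fail on. With no arguments it replays the constructed failure case from the issue.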

vsnine commented 1 year ago

I am also getting this issue on 15.1.8.2, tested with DO 1.36.1 and DO 1.39.0.

epineda08 commented 2 months ago

Has anyone been able to find a fix for this? My BIG-IPs are not forming a trust between the two as well. I am running 17.1.1.3 and I've tried with DO 1.45.0.

epineda08 commented 2 months ago

I got it to work and formed my HA pair using DO version 1.37.0.