@LukaszBrzoskof5 thanks for filing these issues. I will file an issue to get this resolved. Using /Common/Shared was ACC's original idea of how the configuration would be played back to BIG-IP, by using a shared policy in Common. Since then we have received a lot of feedback.
Should be /Common/https_test_ssl_profile
Please let me know if you see any others
PM Task: Submit Jira
Filed CHARON-464 for PM tracking
Hi Mark, same issue for ca-file:
ltm profile client-ssl /tenant_1/application_1/CLIENTSSL {
app-service none
ca-file /Common/CERTBUNDLE-V6.crt
cert /Common/default.crt
cert-key-chain {
default_default {
cert /Common/default.crt
chain /Common/CERTBUNDLE-V6.crt
key /Common/default.key
}
}
chain /Common/CERTBUNDLE-V6.crt
defaults-from /Common/clientssl
inherit-certkeychain false
key /Common/default.key
passphrase none
}
sys file ssl-cert /Common/CERTBUNDLE-V6.crt {
cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:CERTBUNDLE-V6.crt_36621_1
revision 1
}
AS3 output:
{
"class": "ADC",
"schemaVersion": "3.30.0",
"id": "urn:uuid:416fadf7-ed2d-426d-8508-af5b840e4a9b",
"label": "Converted Declaration",
"remark": "Auto-generated by AS3 Config Converter",
"tenant_1": {
"class": "Tenant",
"application_1": {
"class": "Application",
"template": "generic",
"certificate_default": {
"class": "Certificate",
"certificate": {
"bigip": "/Common/default.crt"
},
"privateKey": {
"bigip": "/Common/default.key"
}
},
"CLIENTSSL": {
"authenticationTrustCA": {
"use": "/Common/Shared/CERTBUNDLE-V6.crt" ............> wrongly referenced object
},
"certificates": [
{
"certificate": "certificate_default"
}
],
"class": "TLS_Server",
"insertEmptyFragmentsEnabled": true
}
}
}
}
Two issues here:
Proper output should be: "bigip": "/Common/CERTBUNDLE-V6.crt"
Could you please add this case to Jira, so it's also fixed?
Thanks Alex. I have updated the Jira.
Hi, another object with the same symptoms. Config file:
ltm virtual /tenant_19/application_19/vs__proxy01_egress-ANY {
destination /tenant_19/application_19/0.0.0.0:0
fw-enforced-policy /Common/policy_proxy01_egress-ANY
last-modified-time 2020-01-31:15:17:15
mask any
pool /tenant_19/application_19/p_Internet-GW
profiles {
/Common/fastL4 { }
}
source 192.25.0.0/16
source-address-translation {
type automap
}
translate-address disabled
translate-port disabled
vlans {
/Common/zone-0
}
vlans-enabled
}
ltm pool /tenant_19/application_19/p_Internet-GW {
members {
/tenant_19/application_19/BGP_1_GW:0 {
address 10.1.1.1
priority-group 50
}
/tenant_19/application_19/BGP_2_GW:0 {
address 10.1.1.2
priority-group 100
}
}
min-active-members 1
}
ltm node /tenant_19/application_19/BGP_1_GW {
address 10.1.1.1
monitor /Common/gateway_icmp
}
ltm node /tenant_19/application_19/BGP_2_GW {
address 10.1.1.2
monitor /Common/gateway_icmp
}
Result in declaration:
{
"class": "ADC",
"schemaVersion": "3.30.0",
"id": "urn:uuid:7885c8c5-8f07-49fd-99b7-125b469411d7",
"label": "Converted Declaration",
"remark": "Auto-generated by AS3 Config Converter",
"tenant_19": {
"class": "Tenant",
"application_19": {
"class": "Application",
"template": "generic",
"vs__proxy01_egress-ANY": {
"policyFirewallEnforced": {
"use": "/Common/Shared/policy_proxy01_egress-ANY". <-----------------------------!!!!!
},
"pool": "p_Internet-GW",
"translateServerAddress": false,
"translateServerPort": false,
"class": "Service_L4",
"profileL4": {
"bigip": "/Common/fastL4"
},
"virtualAddresses": [
[
"0.0.0.0/0",
"192.25.0.0/16"
]
],
"virtualPort": 0,
"persistenceMethods": [],
"snat": "auto",
"allowVlans": [
{
"bigip": "/Common/zone-0"
}
],
"layer4": "any"
},
"p_Internet-GW": {
"members": [
{
"addressDiscovery": "static",
"servicePort": 0,
"priorityGroup": 50,
"serverAddresses": [
"10.1.1.1"
],
"shareNodes": true
},
{
"addressDiscovery": "static",
"servicePort": 0,
"priorityGroup": 100,
"serverAddresses": [
"10.1.1.2"
],
"shareNodes": true
}
],
"class": "Pool"
}
}
}
}
Can you handle it here as well, or is a new bug needed?
@lukaszbrzosko The ACC team has determined that outputting to /Common/Shared was the intended behavior. It is up to the migration tool or the person doing the migration to make the modification before declaring the JSON back to BIG-IP, or they will get a 422.
I spoke internally with my colleagues. As for my initial message: we can agree that the SSL profile "use": "/Common/Shared/https_test_ssl_profile" can be placed in Shared, but we think a policy listed in another partition, "policyEndpoint": "/CDP_300/Shared/policy_internal", should not be.
Please open an issue for the "policyEndpoint": "/CDP_300/Shared/policy_internal" case, which should not be placed in Shared. Thank you!
Environment
Summary
Some objects in the configuration get a reference to the Shared location, despite not being in Shared in the initial config.
Steps To Reproduce
Steps to reproduce the behavior:
ltm profile client-ssl /CDP_300_1/application_3/clientssl_test.com { app-service none cert /Common/default.crt cert-key-chain { Intermediate_0 { cert /Common/default.crt key /Common/default.key } } defaults-from /Common/clientssl inherit-ca-certkeychain true inherit-certkeychain false key /Common/default.key passphrase none } ltm node /CDP_300_1/application_3/n_nide2_v4 { address 1.1.1.2 } ltm profile http /CDP_300_1/application_3/http_f5std { app-service none defaults-from /Common/http insert-xforwarded-for enabled proxy-type reverse } ltm profile server-ssl /Common/https_test_ssl_profile { app-service none cert none cipher-group none ciphers DEFAULT defaults-from /Common/serverssl key none options { dont-insert-empty-fragments no-dtlsv1.2 } } ltm snat-translation /CDP_300_1/application_3/10.10.10.112 { address 10.10.10.112 inherited-traffic-group true traffic-group /Common/traffic-group-1 } ltm snatpool /CDP_300_1/application_3/spool_pool_com { members { /CDP_300_1/application_3/10.10.10.112 } } ltm virtual-address /CDP_300_1/application_3/10.10.10.112%300 { address 10.10.10.112 arp enabled icmp-echo enabled mask 255.255.255.255 traffic-group /Common/traffic-group-1 } ltm monitor https /CDP_300_1/application_3/m_monitor_HTTPS { adaptive disabled cipherlist DEFAULT compatibility enabled defaults-from /Common/https destination : interval 25 ip-dscp 0 recv "200 OK" recv-disable none send "GET /Harmony/ HTTP/1.1\r\nHost: test.local.com\r\nUser-Agent: Big-IP Monitor\r\nConnection: Close\r\n" ssl-profile /Common/https_test_ssl_profile time-until-up 0 timeout 76 }
brzosko@WRW-ML-00011994 ~/Downloads/AS3/test_manual curl -k -u admin:admin -X POST -H "Content-Type: application/json" -H "Expect:" -d "@shared_charon_removed.json" https://10.1.1.1/mgmt/shared/appsvcs/declare | jq % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 2153 100 193 100 1960 140 1429 0:00:01 0:00:01 --:--:-- 1569 { "code": 422, "errors": [ "/CDP_300_1/application_3/vs_test_internal_v4_443/policyEndpoint: contains path to non-existent object CDP_300" ], "declarationFullId": "", "message": "declaration is invalid" }
{ "class": "ADC", "schemaVersion": "3.30.0", "id": "urn:uuid:1874dcae-276d-4a18-a684-d6d2a264a552", "label": "Converted Declaration", "remark": "Auto-generated by AS3 Config Converter", "CDP_300_1": { "class": "Tenant", "application_3": { "class": "Application", "template": "generic", "vs_test_internal_v4_443": { "layer4": "tcp", "persistenceMethods": [ "cookie" ], "pool": "p_pool_v4_443", "translateServerAddress": true, "translateServerPort": true, "class": "Service_HTTPS", "serverTLS": "clientssl_test.com", "profileHTTP": { "use": "/CDP_300_1/application_3/http_f5std" }, "clientTLS": { "bigip": "/Common/serverssl-insecure-compatible" }, "redirect80": false, "virtualAddresses": [ "10.10.10.112%300" ], "snat": { "use": "/CDP_300_1/application_3/spool_pool_com" }, "allowVlans": [ { "bigip": "/Common/cdp_300_internal" } ], "policyEndpoint": "/CDP_300/Shared/policy_internal" <---------------------------!!!!!!! why Shared is added??!!!!! }, "p_pool_v4_443": { "members": [ { "addressDiscovery": "static", "servicePort": 443, "serverAddresses": [ "1.1.1.2", "1.1.1.1" ], "shareNodes": true } ], "monitors": [ { "use": "/CDP_300_1/application_3/m_monitor_HTTPS" } ], "class": "Pool" }, "certificate_default": { "class": "Certificate", "certificate": { "bigip": "/Common/default.crt" }, "privateKey": { "bigip": "/Common/default.key" } }, "clientssl_test.com": { "certificates": [ { "certificate": "certificate_default" } ], "class": "TLS_Server", "insertEmptyFragmentsEnabled": true }, "http_f5std": { "class": "HTTP_Profile" }, "spool_pool_com": { "snatAddresses": [ "10.10.10.112" ], "class": "SNAT_Pool" }, "m_monitor_HTTPS": { "adaptive": false, "ciphers": "DEFAULT", "interval": 25, "dscp": 0, "receive": "200 OK", "send": "GET /Harmony/ HTTP/1.1\r\nHost: test.local.com\r\nUser-Agent: Big-IP Monitor\r\nConnection: Close\r\n", "clientTLS": { "use": "/Common/Shared/https_test_ssl_profile" <---------------------------!!!!!!! why Shared is added??!!!!! 
}, "timeout": 76, "class": "Monitor", "monitorType": "https", "targetPort": 0, "transparent": false, "reverse": false } } }, "Common": { "class": "Tenant", "Shared": { "class": "Application", "template": "shared", "https_test_ssl_profile": { "ciphers": "DEFAULT", "class": "TLS_Client" } } } }