GavinW_29074
Oct 14, 2016

iApp Config updates not applying

Morning all...

 

Been a while since I've posted on here... :)

 

I've got a couple of pairs of 11.6.0 F5 devices, which appear to have developed a rather strange issue with applying iApp template updates.

 

We've got various in-house iApp templates that we've written and use to deploy our various services. The majority of these services are delivered over HTTPS.

 

Recently, we've implemented some changes to allow the client-ssl Parent profile to be selected when deploying/updating services. This is in order to disable SSLv3.

 

This functionality works fine when creating a new service, and the correct parent profile gets applied.

 

However when we try and update an existing service with the new template version, it doesn't work as expected. The client-ssl config in the GUI and TMSH correctly shows the new parent client-ssl profile.

 

However the new client-ssl config isn't applied to the running config, as I can still use SSLv3 against the virtual server.

 

I've raised this with F5 support, and they initially came up with a work-around of opening the parent client-ssl profile, and clicking the update button without changing anything on screen. This appears to trigger a full config reread and the new client-ssl config gets applied to the virtual server.

 

Unfortunately, that's about as much use as F5 support have been, as they've now pulled the 'you're using a custom iApp, we don't support those' card, and are unwilling to even exercise the possibility that this is a bug :(

 

So, has anyone seen this behaviour before? Any ideas on possible fixes, short of telling users to 'update the service, and then click update on the parent client-ssl profile'?

 

Thanks in advance.

 

Gavin

 

4 Replies

  • This is a suggestion, but it is up to you how you want to proceed.

     

    F5 support will not fully support a custom iApp, the same way they will not fully support a custom iRule. However, they must support a bug in functionality.

     

    My suggestion is that you remove all possible code from the iApp, and have only the part necessary to show the bug. Reopen the case (if within 2 weeks), or open a new one and reference the old case number. Provide the minimal iApp version, explain the behavior, and how to reproduce.

     

  • mikeshimkus_111
    Historic F5 Account

    Hi Gavin, if you manually disable SSLv3 on the profile via the tmsh command line, does the change take immediately? iApps generally use tmsh to do their work, so if you still see the issue, it's not an iApp problem.

     

    • Fred_Slater_856
      Historic F5 Account
      This minimal iapp proves that it works as an iapp template:
      implementation {
          iapp::conf create ltm profile client-ssl child defaults-from $::x__parent
      }
      presentation {
          section x {
              choice parent tcl { 
                  iapp::get_items ltm profile client-ssl
              }
          }
      }
      With this template, I was able to create a profile based on clientssl, and then reconfigure with a parent that contains options { no_sslv3 }.  The new iapp-created profile also had no_sslv3.
      
    • Fred_Slater_856
      Historic F5 Account

      Gavin - In support of Mike's comment above, I would eliminate the iapp from the problem. Execute the following tmsh commands and if sslv3 traffic still flows, you have a much more concise case for F5 support.

      (tmos) create ltm profile client-ssl parent1 options { no-sslv3 }
      (tmos) create ltm profile client-ssl child1
      (tmos) modify ltm profile client-ssl child1 defaults-from parent1
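
Added example, not part of any post in this thread: a Python check of whether a virtual server's running config still negotiates SSLv3, the symptom the original post describes. It sends a raw SSL 3.0 ClientHello because current OpenSSL builds usually cannot speak SSLv3; the function names and the cipher suite list are choices made for this example.

```python
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0

def build_client_hello() -> bytes:
    """Build a minimal ClientHello that offers SSL 3.0 only."""
    suites = struct.pack(">4H", 0x002F, 0x0035, 0x000A, 0x0005)  # SSLv3-era suites
    body = (SSL3 + bytes(32)                         # version, client random
            + b"\x00"                                # empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back to the SSL 3.0 hello."""
    if not data:
        return "closed"                              # dropped without sending a record
    if data[0] == 0x15:
        return "rejected"                            # alert record
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        # ServerHello: version follows the 5-byte record and 4-byte handshake headers
        return "accepted" if data[9:11] == SSL3 else "unknown"
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the hello to host:port and classify whatever comes back."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            while len(buf) < 11:                     # enough to read the ServerHello version
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except (ConnectionResetError, socket.timeout):
        pass                                         # classify what was received so far
    return classify_reply(buf)
```

Running `probe()` against the virtual server address after an iApp reconfigure, and again after the manual update of the parent profile, shows whether the running config changed: "accepted" means SSLv3 is still negotiated.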