Zuke
Jun 09, 2021
Solved

Restoring VCMP guest from UCS

I'm recreating a VCMP guest from a UCS. This is a new virtual disk on the host. I followed the steps to reset the master key. After uploading the UCS and issuing "load sys ucs archive.ucs include-chassis-level-config reset-trust" the process errors out:

load_config_files[8300]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Unexpected Error: Loading configuration process failed.

2021 Jun  9 15:38:40 bigip1 load_config_files[8300]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Jun  9 15:38:40 bigip1 emerg load_config_files[8300]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Jun  9 15:38:40 bigip1 err mcpd[5935]: 01070422:3: Base configuration load failed.
Jun  9 15:38:44 bigip1 info install_ucs.pm[32165]: Configuration loading error: base-config-load-failed
Jun  9 15:38:48 bigip1 notice logger[9127]: /bin/sh /usr/lib/csyncd/reloadnamed.sh /var/named/config/named.conf change  ==> /bin/bigstart start zrd
Jun  9 15:39:01 bigip1 info install_ucs.pm[32165]: ERROR: UCS installation failed.
Jun  9 15:39:01 bigip1 err tmsh[12777]: 01110001:3: Error running config install


  • I opened a ticket with F5 support and Peter (from London) helped me out.

    The procedure I was using to reset the master key was to issue the command "tmsh modify sys crypto master-key prompt-for-password" and then use the hash from the guest as the password. The correct procedure is to use "f5mku -r <hash>" on the new guest. After doing that, the UCS file was able to load.

    Additionally some cool optimizations that I learned from Peter that really helped with the performance of AVR and the GUI:

    tmsh modify sys db avr.stats.internal.maxentitiespertable value 1024
    tmsh modify sys db provision.extramb value 2048;tmsh save sys config
    tmsh modify sys db restjavad.useextramb value true
    tmsh modify sys db provision.tomcat.extramb value 100

6 Replies

    1. Recently during our BCP process I encountered the same and reboot fixed it. Did you already try a reboot? Also, do you need to issue no-license no-platform-check as well?
    • Zuke

      Thanks Sanjay. Unfortunately rebooting the guest isn't the fix in this situation. The UCS wouldn't load at all, the guest would be in an INOPERATIONAL state, and I'd delete and recreate the guest.

    • mouloud

      Hello Zuke,

      I have the same issue... Can you please detail how to use the procedure "f5mku -r <hash>"?

      Thanks in advance

    • I also came across the problem "Symmetric Unit Key decrypt failure" when uploading the UCS file when attempting to move a config in V15.1.7 from an LTM vCMP guest to another. But this provided solution didn't work for me.

      Fortunately I solved it after applying BOTH workarounds: K08689542 AND K36822000

      1) Edit file /config/bigip_base.conf and comment out the line key M$Mxxxxxxxxxxxxxxxx after the line "set dynad key" by setting a '#' char to the left. AND ALSO:

      2) Edit file /config/bigip.conf and comment out all lines containing $M$ passwords encrypted for user accounts.

      After modifying BOTH files as described, the command tmsh load sys config completed successfully.
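
A read-only pre-check for the workaround in the post above, as an added example that is not part of the original thread or F5's tooling: it lists every active line carrying a `$M$` value in the named config files, with its enclosing stanza, and can write a commented-out copy for review. The function names are hypothetical, and the stanza layout it expects (a top-level header ending in `{`) is an assumption about the file format.

```bash
#!/bin/bash
# Added example (not F5 tooling): locate $M$ values in BIG-IP config files
# before "tmsh load sys config", without ever printing the secret itself.

# list_encrypted FILE...
# Prints "file:line:stanza:attribute" for each active line carrying a $M$ value.
list_encrypted() {
    awk '
        FNR == 1        { stanza = "" }      # new file: forget the previous stanza
        /^[ \t]*#/      { next }             # already commented out, ignore
        /^[^ \t#}].*[{][ \t]*$/ {            # top-level header such as "auth user admin {"
            stanza = $0
            sub(/[ \t]*[{][ \t]*$/, "", stanza)
        }
        /\$M\$/         { printf "%s:%d:%s:%s\n", FILENAME, FNR, stanza, $1 }
    ' "$@"
}

# comment_encrypted SRC DST
# Writes DST as a copy of SRC with every active $M$ line prefixed by "#".
# SRC is left untouched so the original stays available for rollback.
comment_encrypted() {
    awk '
        /^[ \t]*#/ { print; next }
        /\$M\$/    { print "#" $0; next }
                   { print }
    ' "$1" > "$2"
}

# Run as a script: report on the files named on the command line.
if [ "$#" -gt 0 ]; then
    list_encrypted "$@"
fi
```

Run it against copies of /config/bigip_base.conf and /config/bigip.conf and review the listed lines before commenting anything out.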

  • I also came across the problem "Symmetric Unit Key decrypt failure" when uploading the ucs file V15.1.7. But this provided solution didn't work for me.