More than two AFM rule lists causes error message and unable to delete or deploy any further declarations #893
Comments
I am experiencing exactly the same in lab env. But I was not able to get it working again. I factory reset my VE every time I run into this error. However, my scenario differs a little from yours. I deployed two forwarding VS in Common with firewall policies attached - no problem. Even re-deploying was no problem. The first time the problem occurred was when I added a standard VS with a firewall policy attached. The first deployment of the declaration is successful. A redeployment with exactly the same declaration fails with this error message.

[
{
"message": "failure querying config for tenant tenant-test (Cannot read property 'name' of undefined)",
"host": "localhost",
"tenant": "tenant-test",
"code": 422,
"declarationId": "autogen_9bc848d9-136f-43d3-aa4a-be39cbfc68fb"
}
]

Further re-deployments fail, deletion, too. I always made a factory reset. But thanks to Rob I got it working again deleting all the AS3 config items manually. Thanks @F5Rob

No problem, two forwarding VS only

{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/main/schema/latest/as3-schema.json",
"tenant-test": {
"class": "Tenant",
"app-tentant-test": {
"class": "Application",
"template": "generic",
"vs-tcp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "TCP forward-proxy.example.com",
"virtualAddresses": [
"10.2.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
]
},
"vs-udp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "UDP forward-proxy.example.com",
"virtualAddresses": [
"10.1.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"layer4": "udp",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
]
}
}
},
"class": "ADC",
"schemaVersion": "3.53.0"
}

No problem, two forwarding VS with firewall policies attached

{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/main/schema/latest/as3-schema.json",
"tenant-test": {
"class": "Tenant",
"app-tentant-test": {
"class": "Application",
"template": "generic",
"vs-tcp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "TCP forward-proxy.example.com",
"virtualAddresses": [
"10.2.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"policyFirewallEnforced": {
"use": "firewall-policy-tcp-forward-proxy.example.com"
}
},
"firewall-rule-list-tcp-forward-proxy.example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-5.6.7.8",
"remark": "test",
"loggingEnabled": true,
"protocol": "tcp",
"source": {
"addressLists": [
{
"use": "host-5.6.7.8"
}
]
},
"destination": {
"addressLists": [
{
"use": "group-ip-group"
}
],
"ports": [
"443"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"group-ip-group": {
"class": "Firewall_Address_List",
"addresses": [
"1.1.1.1/32",
"1.1.1.2/32",
"1.1.1.3/32",
"1.1.1.4/32",
"1.1.1.5/32"
]
},
"host-5.6.7.8": {
"class": "Firewall_Address_List",
"addresses": [
"5.6.7.8"
]
},
"firewall-policy-tcp-forward-proxy.example.com": {
"rules": [
{
"use": "firewall-rule-list-tcp-forward-proxy.example.com"
}
],
"class": "Firewall_Policy"
},
"vs-udp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "UDP forward-proxy.example.com",
"virtualAddresses": [
"10.1.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"layer4": "udp",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"policyFirewallEnforced": {
"use": "firewall-policy-udp-forward-proxy.example.com"
}
},
"firewall-rule-list-udp-forward-proxy.example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-stuff",
"loggingEnabled": true,
"protocol": "udp",
"source": {
"addressLists": [
{
"use": "host-7.6.5.4"
},
{
"use": "host-5.6.7.8"
},
{
"use": "host-2.3.4.5"
}
]
},
"destination": {
"addressLists": [
{
"use": "group-public-dns"
}
],
"ports": [
"53"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"group-public-dns": {
"class": "Firewall_Address_List",
"addresses": [
"1.1.1.1/32",
"8.8.8.8/32"
]
},
"host-7.6.5.4": {
"class": "Firewall_Address_List",
"addresses": [
"7.6.5.4/32"
]
},
"host-2.3.4.5": {
"class": "Firewall_Address_List",
"addresses": [
"2.3.4.5/32"
]
},
"firewall-policy-udp-forward-proxy.example.com": {
"rules": [
{
"use": "firewall-rule-list-udp-forward-proxy.example.com"
}
],
"class": "Firewall_Policy"
}
}
},
"class": "ADC",
"schemaVersion": "3.53.0"
}

Problem occurs with another standard VS and firewall policy attached

{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/main/schema/latest/as3-schema.json",
"tenant-test": {
"class": "Tenant",
"app-tentant-test": {
"class": "Application",
"template": "generic",
"vs-tcp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "TCP forward-proxy.example.com",
"virtualAddresses": [
"10.2.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"policyFirewallEnforced": {
"use": "firewall-policy-tcp-forward-proxy.example.com"
}
},
"firewall-rule-list-tcp-forward-proxy.example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-5.6.7.8",
"remark": "test",
"loggingEnabled": true,
"protocol": "tcp",
"source": {
"addressLists": [
{
"use": "host-5.6.7.8"
}
]
},
"destination": {
"addressLists": [
{
"use": "group-ip-group"
}
],
"ports": [
"443"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"group-ip-group": {
"class": "Firewall_Address_List",
"addresses": [
"1.1.1.1/32",
"1.1.1.2/32",
"1.1.1.3/32",
"1.1.1.4/32",
"1.1.1.5/32"
]
},
"host-5.6.7.8": {
"class": "Firewall_Address_List",
"addresses": [
"5.6.7.8"
]
},
"firewall-policy-tcp-forward-proxy.example.com": {
"rules": [
{
"use": "firewall-rule-list-tcp-forward-proxy.example.com"
}
],
"class": "Firewall_Policy"
},
"vs-udp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "UDP forward-proxy.example.com",
"virtualAddresses": [
"10.1.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"layer4": "udp",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"policyFirewallEnforced": {
"use": "firewall-policy-udp-forward-proxy.example.com"
}
},
"firewall-rule-list-udp-forward-proxy.example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-stuff",
"loggingEnabled": true,
"protocol": "udp",
"source": {
"addressLists": [
{
"use": "host-7.6.5.4"
},
{
"use": "host-5.6.7.8"
},
{
"use": "host-2.3.4.5"
}
]
},
"destination": {
"addressLists": [
{
"use": "group-public-dns"
}
],
"ports": [
"53"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"group-public-dns": {
"class": "Firewall_Address_List",
"addresses": [
"1.1.1.1/32",
"8.8.8.8/32"
]
},
"host-7.6.5.4": {
"class": "Firewall_Address_List",
"addresses": [
"7.6.5.4/32"
]
},
"host-2.3.4.5": {
"class": "Firewall_Address_List",
"addresses": [
"2.3.4.5/32"
]
},
"firewall-policy-udp-forward-proxy.example.com": {
"rules": [
{
"use": "firewall-rule-list-udp-forward-proxy.example.com"
}
],
"class": "Firewall_Policy"
},
"vs-tcp443-more-example.com": {
"class": "Service_TCP",
"remark": "more-example.com",
"virtualAddresses": [
"1.2.3.4"
],
"virtualPort": 443,
"redirect80": false,
"snat": "none",
"profileTCP": "lan",
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"pool": {
"use": "pool-tcp12345-more-example.com"
},
"persistenceMethods": [ ],
"policyFirewallEnforced": {
"use": "firewall-policy-more-example.com"
}
},
"pool-tcp12345-more-example.com": {
"class": "Pool",
"loadBalancingMode": "round-robin",
"monitors": [
{
"use": "monitor-tcp54321-more-example.com"
}
],
"minimumMonitors": 1,
"members": [
{
"shareNodes": true,
"remark": "OpenShift Worker Node",
"servicePort": 12345,
"serverAddresses": [
"10.1.2.18",
"10.1.2.19",
"10.1.2.20"
]
}
]
},
"monitor-tcp54321-more-example.com": {
"class": "Monitor",
"interval": 5,
"monitorType": "tcp",
"targetAddress": "",
"timeout": 16,
"adaptive": false,
"send": "",
"receive": "",
"targetPort": 30842
},
"firewall-rule-list-more-example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-https-only",
"loggingEnabled": true,
"protocol": "tcp",
"destination": {
"addressLists": [
{
"use": "host-more-example.com-7.5.6.2"
}
],
"ports": [
"443"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"host-more-example.com-7.5.6.2": {
"class": "Firewall_Address_List",
"addresses": [
"7.5.6.2"
]
},
"firewall-policy-more-example.com": {
"rules": [
{
"use": "firewall-rule-list-more-example.com"
}
],
"class": "Firewall_Policy"
}
}
},
"class": "ADC",
"schemaVersion": "3.53.0"
}

I've just stumbled across this problem too.

Any plans for fixing this? Maybe raising an official support issue will help in this case?

I submitted a support case and F5 fixed it with a new .rpm, but will incorporate the fix in v3.54.0.

Sounds great! Any idea when the new rpm will be released?

Got feedback from F5 support team. The fix will be included in 3.54 which will be released Jan 15. Will get back here after some testing.

Environment
Summary
When posting complex AFM rules, policies, and shared address/port lists, if 3 or more AFM rule lists are configured, future DELETE and POST actions produce an error message and fail. The configuration successfully posts, but it is not possible to DELETE or POST afterwards. Workaround is to remove the BIG-IP configurations manually, update the AS3 declaration and repost.
Steps To Reproduce
Steps to reproduce the behavior:
Expected Behavior
Remove
And it is successful
Actual Behavior
Trying to REPOST or DELETE gets the following error.
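
An added example, not part of the original issue or of AS3's own code: a pre-deployment check that inventories the firewall objects in an AS3 declaration and flags tenants with three or more `Firewall_Rule_List` objects, the condition the summary describes. The function names and the trimmed sample declaration are constructed for illustration.

```python
import json

RULE_LIST_THRESHOLD = 3  # "3 or more AFM rule lists", per the issue summary

def firewall_inventory(declaration):
    """Map each tenant to its rule lists, policy -> rule-list links and service -> policy links."""
    decl = declaration.get("declaration", declaration)  # unwrap an AS3 request wrapper if present
    report = {}
    for tenant_name, tenant in decl.items():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        entry = {"rule_lists": [], "policies": {}, "services": {}}
        for app in tenant.values():
            if not isinstance(app, dict) or app.get("class") != "Application":
                continue
            for name, obj in app.items():
                if not isinstance(obj, dict):
                    continue
                cls = obj.get("class", "")
                if cls == "Firewall_Rule_List":
                    entry["rule_lists"].append(name)
                elif cls == "Firewall_Policy":
                    entry["policies"][name] = [r["use"] for r in obj.get("rules", [])
                                               if isinstance(r, dict) and "use" in r]
                elif cls.startswith("Service_") and isinstance(obj.get("policyFirewallEnforced"), dict):
                    entry["services"][name] = obj["policyFirewallEnforced"].get("use")
        report[tenant_name] = entry
    return report

def tenants_at_risk(declaration, threshold=RULE_LIST_THRESHOLD):
    """Tenants whose rule-list count meets the condition described in the issue."""
    return sorted(t for t, e in firewall_inventory(declaration).items()
                  if len(e["rule_lists"]) >= threshold)

# Constructed sample: same object classes as the declarations in this thread, trimmed.
def _svc(policy):
    return {"class": "Service_L4", "policyFirewallEnforced": {"use": policy}}
def _pol(rule_list):
    return {"class": "Firewall_Policy", "rules": [{"use": rule_list}]}
_RL = {"class": "Firewall_Rule_List", "rules": [{"name": "rule-deny-any", "action": "drop"}]}

SAMPLE = {"class": "ADC", "schemaVersion": "3.53.0",
    "tenant-two": {"class": "Tenant", "app": {"class": "Application",
        "vs-a": _svc("pol-a"), "pol-a": _pol("rl-a"), "rl-a": _RL,
        "vs-b": _svc("pol-b"), "pol-b": _pol("rl-b"), "rl-b": _RL}},
    "tenant-three": {"class": "Tenant", "app": {"class": "Application",
        "vs-a": _svc("pol-a"), "pol-a": _pol("rl-a"), "rl-a": _RL,
        "vs-b": _svc("pol-b"), "pol-b": _pol("rl-b"), "rl-b": _RL,
        "vs-c": _svc("pol-c"), "pol-c": _pol("rl-c"), "rl-c": _RL}}}

if __name__ == "__main__":
    print(json.dumps(firewall_inventory(SAMPLE), indent=2))
    print("tenants meeting the threshold:", tenants_at_risk(SAMPLE))
```

Run against a declaration before posting it, the inventory also shows which services depend on which policy and rule list, which is the set of objects the manual-cleanup workaround has to touch.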