f5-appsvcs-extension
More than two AFM rule lists causes an error message and prevents deleting or deploying any further declarations
Environment
- Application Services Version: 3.53.0
- BIG-IP Version: 17.1.1.3 AFM
Summary
When posting complex AFM rules, policies, and shared address/port lists, if 3 or more AFM rule lists are configured, subsequent DELETE and POST actions produce an error message and fail. The initial configuration posts successfully, but it is then not possible to DELETE or POST again. The workaround is to remove the BIG-IP configuration objects manually, update the AS3 declaration, and repost.
Steps To Reproduce
Steps to reproduce the behavior:
- Submit the following declaration:
{
"class": "AS3",
"action": "deploy",
"declaration": {
"class": "ADC",
"schemaVersion": "3.53.0",
"id": "urn:uuid:aa0b634e-b54a-4d88-9652-0f2265085b84",
"Common": {
"class": "Tenant",
"enable": true,
"Shared": {
"class": "Application",
"template": "shared",
"enable": true,
"Metabase": {
"addresses": [
"10.11.68.55"
],
"class": "Firewall_Address_List"
},
"Admin_VPN": {
"addresses": [
"10.11.68.59"
],
"class": "Firewall_Address_List"
},
"CP_TKG_Wkld": {
"addresses": [
"10.10.112.192/26"
],
"remark": "CP cluster",
"class": "Firewall_Address_List"
},
"Country_Blacklist": {
"remark": "List of country to block",
"geo": [
"AE",
"AF",
"ZA"
],
"class": "Firewall_Address_List"
},
"Asia_Pacific": {
"remark": "Asia Pacific geo block list",
"geo": [
"AP"
],
"class": "Firewall_Address_List"
},
"External_NTP": {
"addresses": [
"10.12.15.28",
"10.12.15.29",
"10.12.15.30"
],
"class": "Firewall_Address_List"
},
"External_Networks": {
"addresses": [
"10.11.68.40",
"10.11.68.55",
"10.11.68.59"
],
"class": "Firewall_Address_List"
},
"External_WAF_Servers": {
"addresses": [
"10.11.68.52",
"10.11.68.54",
"10.11.68.55",
"10.11.68.56",
"10.11.68.57",
"10.11.68.59",
"10.11.68.60",
"10.11.68.61",
"10.11.68.62"
],
"class": "Firewall_Address_List"
},
"GIT_Whitelist": {
"addresses": [
"65.118.147.2",
"10.13.147.18"
],
"class": "Firewall_Address_List"
},
"HackTheBox": {
"addresses": [
"146.190.139.22"
],
"remark": "IP(s) for HTB, wanted by UKI stuff",
"class": "Firewall_Address_List"
},
"SEMs_00": {
"addresses": [
"10.0.20.14",
"10.0.99.14",
"10.0.99.15"
],
"class": "Firewall_Address_List"
},
"SEMs_06": {
"addresses": [
"10.6.20.14",
"10.6.99.14",
"10.6.99.15"
],
"class": "Firewall_Address_List"
},
"SEMs_08": {
"addresses": [
"10.20.20.13",
"10.20.101.13",
"10.20.101.14"
],
"class": "Firewall_Address_List"
},
"SEMs_GSLAB": {
"addresses": [
"10.10.101.13",
"10.10.101.14",
"10.10.101.15",
"10.10.111.3"
],
"class": "Firewall_Address_List"
},
"GSLAB_External": {
"addresses": [
"15.205.171.56"
],
"class": "Firewall_Address_List"
},
"Chasm": {
"addresses": [
"10.11.68.40",
"10.11.68.56"
],
"class": "Firewall_Address_List"
},
"NSX_Managemnt_Networks": {
"addresses": [
"10.10.101.0/24"
],
"class": "Firewall_Address_List"
},
"Management_Network": {
"addresses": [
"10.10.50.0/24",
"10.10.200.0/23"
],
"class": "Firewall_Address_List"
},
"OCP": {
"addresses": [
"10.11.68.51"
],
"class": "Firewall_Address_List"
},
"Pypi": {
"addresses": [
"192.101.0.223",
"192.101.64.223",
"192.101.128.223",
"192.101.192.223"
],
"class": "Firewall_Address_List"
},
"NOC_Blacklist": {
"addresses": [
"10.14.17.220",
"10.15.4.147"
],
"class": "Firewall_Address_List"
},
"SSO": {
"addresses": [
"10.11.68.54"
],
"class": "Firewall_Address_List"
},
"NOC_IP_Blacklist": {
"addresses": [
"10.13.62.8",
"10.13.95.115"
],
"class": "Firewall_Address_List"
},
"White_List": {
"geo": [
"AU",
"CA",
"GB",
"NZ",
"US"
],
"class": "Firewall_Address_List"
},
"SEM_TCP": {
"ports": [
"53",
"80",
"88",
"389",
"443",
"464",
"636"
],
"class": "Firewall_Port_List"
},
"SEM_UDP": {
"ports": [
"53"
],
"class": "Firewall_Port_List"
},
"IPSEC": {
"ports": [
"500",
"4500"
],
"class": "Firewall_Port_List"
},
"P443_8443": {
"ports": [
"443",
"8443"
],
"class": "Firewall_Port_List"
},
"Satellite_Ports": {
"ports": [
"53",
"80",
"443"
],
"class": "Firewall_Port_List"
},
"Blacklist": {
"remark": "Rules that limit traffic into the GSLAB",
"rules": [
{
"action": "drop",
"source": {
"addresses": [
"192.30.2.0/24"
]
},
"protocol": "any",
"name": "IP_Blacklist"
}
],
"class": "Firewall_Rule_List"
},
"Inside_GSLAB": {
"remark": "Rules that control Internal traffic",
"rules": [
{
"action": "accept",
"destination": {
"addresses": [
"10.10.51.0/24"
]
},
"source": {
"addressLists": [
{
"use": "/Common/Shared/NSX_Managemnt_Networks"
}
]
},
"protocol": "any",
"name": "Internal"
},
{
"action": "accept",
"destination": {
"addresses": [
"10.10.51.0/24"
]
},
"source": {
"addressLists": [
{
"use": "/Common/Shared/Management_Network"
}
]
},
"protocol": "any",
"name": "Internal_2"
},
{
"action": "accept",
"destination": {
"addressLists": [
{
"use": "/Common/Shared/Management_Network"
}
]
},
"source": {
"addresses": [
"10.10.51.0/24"
]
},
"protocol": "any",
"name": "Internal_2_temp_1"
},
{
"action": "accept",
"destination": {
"addressLists": [
{
"use": "/Common/Shared/NSX_Managemnt_Networks"
}
]
},
"source": {
"addresses": [
"10.10.51.0/24"
]
},
"protocol": "any",
"name": "Internal_2_temp_2"
},
{
"action": "accept",
"destination": {
"addresses": [
"192.16.2.0/28"
]
},
"source": {
"addresses": [
"10.10.0.0/16"
]
},
"protocol": "any",
"name": "Internal_TEMP"
},
{
"action": "accept",
"destination": {
"addresses": [
"192.16.1.0/28"
]
},
"source": {
"addresses": [
"10.10.0.0/16"
]
},
"protocol": "any",
"name": "Internal_temp_2"
},
{
"action": "accept",
"destination": {
"addresses": [
"10.10.0.0/16"
]
},
"source": {
"addresses": [
"192.16.2.0/28"
]
},
"protocol": "any",
"name": "TEMP_Internal_"
},
{
"action": "accept",
"destination": {
"addresses": [
"10.10.0.0/16"
]
},
"source": {
"addresses": [
"192.16.1.0/28"
]
},
"protocol": "any",
"name": "TEMP_Internal_3"
},
{
"action": "accept",
"destination": {
"addresses": [
"10.10.0.0/16"
]
},
"source": {
"addresses": [
"10.10.0.0/16"
]
},
"protocol": "any",
"name": "Catch_all"
},
{
"action": "accept",
"destination": {
"addresses": [
"192.16.2.0/28"
]
},
"source": {
"addresses": [
"192.16.2.0/28"
]
},
"protocol": "any",
"name": "Internal_Internal"
},
{
"action": "accept",
"destination": {
"addresses": [
"192.16.1.0/28"
]
},
"source": {
"addresses": [
"192.16.1.0/28"
]
},
"protocol": "any",
"name": "Internal_2_Internal"
},
{
"action": "accept",
"destination": {
"addresses": [
"192.168.160.0/20"
],
"ports": [
"22",
"4444",
"5555",
"8080"
]
},
"source": {
"addresses": [
"10.10.51.0/24"
]
},
"remark": "Console Testing Scalability",
"protocol": "tcp",
"name": "VMware_Console_Test"
},
{
"action": "accept",
"destination": {
"addresses": [
"224.0.0.18"
]
},
"source": {
"addresses": [
"192.16.2.5"
]
},
"protocol": "any",
"name": "VRRP_Multicast"
},
{
"action": "accept",
"destination": {
"addresses": [
"224.0.0.22"
]
},
"source": {
"addresses": [
"192.16.2.4"
]
},
"protocol": "any",
"name": "VRRP_Multicast_2"
}
],
"class": "Firewall_Rule_List"
},
"Outside-GSLAB": {
"rules": [
{
"action": "accept",
"destination": {
"addresses": [
"224.0.0.22"
]
},
"source": {
"addresses": [
"192.16.2.4"
]
},
"protocol": "any",
"name": "VRRP_Multicast_3"
}
],
"class": "Firewall_Rule_List"
},
"GSLAB": {
"rules": [
{
"use": "/Common/Shared/Blacklist"
},
{
"use": "/Common/Shared/Inside_GSLAB"
},
{
"action": "drop",
"name": "Explicit_Deny",
"protocol": "any"
}
],
"class": "Firewall_Policy"
}
}
}
}
}
- Observe the following error response:
"results": [
{
"code": 200,
"message": "success",
"lineCount": 51,
"host": "localhost",
"tenant": "Common",
"runTime": 5367,
"declarationId": "urn:uuid:aa0b634e-b54a-4d88-9652-0f2265085b84"
},
{
"message": "failure querying config for tenant Common (Cannot read property 'name' of undefined)",
"host": "localhost",
"tenant": "Common",
"code": 422,
"declarationId": "urn:uuid:aa0b634e-b54a-4d88-9652-0f2265085b84"
}
],
Expected Behavior
Remove
"Outside-GSLAB": {
"rules": [
{
"action": "accept",
"destination": {
"addresses": [
"224.0.0.22"
]
},
"source": {
"addresses": [
"192.16.2.4"
]
},
"protocol": "any",
"name": "VRRP_Multicast_3"
}
],
"class": "Firewall_Rule_List"
},
And it is successful
"results": [
{
"code": 200,
"message": "success",
"lineCount": 48,
"host": "localhost",
"tenant": "Common",
"runTime": 4112,
"declarationId": "urn:uuid:aa0b634e-b54a-4d88-9652-0f2265085b84"
},
{
"code": 200,
"message": "success",
"lineCount": 18,
"host": "localhost",
"tenant": "Common",
"runTime": 4700,
"declarationId": "urn:uuid:aa0b634e-b54a-4d88-9652-0f2265085b84"
}
],
Actual Behavior
Trying to re-POST or DELETE produces the following error.
{
"results": [
{
"message": "failure querying config for tenant Common (Cannot read property 'name' of undefined)",
"host": "localhost",
"tenant": "Common",
"code": 422,
"declarationId": "1731616042801"
},
{
"message": "failure querying config for tenant Common (Cannot read property 'name' of undefined)",
"host": "localhost",
"tenant": "Common",
"code": 422,
"declarationId": "1731616042801"
}
],
I am experiencing exactly the same in my lab environment, but I was not able to get it working again. I factory reset my VE every time I run into this error.
However, my scenario differs a little from yours. I deployed two forwarding VS in Common with firewall policies attached - no problem. Even re-deploying was no problem. The first time the problem occurred was when I added a standard VS with a firewall policy attached.
The first deployment of the declaration is successful. A redeployment with exactly the same declaration fails with this error message.
[
{
"message": "failure querying config for tenant tenant-test (Cannot read property 'name' of undefined)",
"host": "localhost",
"tenant": "tenant-test",
"code": 422,
"declarationId": "autogen_9bc848d9-136f-43d3-aa4a-be39cbfc68fb"
}
]
Further re-deployments fail, and so does deletion. I always did a factory reset. But thanks to Rob I got it working again by deleting all the AS3 config items manually. Thanks @F5Rob
No problem, two forwarding VS only
{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/main/schema/latest/as3-schema.json",
"tenant-test": {
"class": "Tenant",
"app-tentant-test": {
"class": "Application",
"template": "generic",
"vs-tcp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "TCP forward-proxy.example.com",
"virtualAddresses": [
"10.2.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
]
},
"vs-udp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "UDP forward-proxy.example.com",
"virtualAddresses": [
"10.1.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"layer4": "udp",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
]
}
}
},
"class": "ADC",
"schemaVersion": "3.53.0"
}
No problem, two forwarding VS with firewall policies attached
{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/main/schema/latest/as3-schema.json",
"tenant-test": {
"class": "Tenant",
"app-tentant-test": {
"class": "Application",
"template": "generic",
"vs-tcp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "TCP forward-proxy.example.com",
"virtualAddresses": [
"10.2.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"policyFirewallEnforced": {
"use": "firewall-policy-tcp-forward-proxy.example.com"
}
},
"firewall-rule-list-tcp-forward-proxy.example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-5.6.7.8",
"remark": "test",
"loggingEnabled": true,
"protocol": "tcp",
"source": {
"addressLists": [
{
"use": "host-5.6.7.8"
}
]
},
"destination": {
"addressLists": [
{
"use": "group-ip-group"
}
],
"ports": [
"443"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"group-ip-group": {
"class": "Firewall_Address_List",
"addresses": [
"1.1.1.1/32",
"1.1.1.2/32",
"1.1.1.3/32",
"1.1.1.4/32",
"1.1.1.5/32"
]
},
"host-5.6.7.8": {
"class": "Firewall_Address_List",
"addresses": [
"5.6.7.8"
]
},
"firewall-policy-tcp-forward-proxy.example.com": {
"rules": [
{
"use": "firewall-rule-list-tcp-forward-proxy.example.com"
}
],
"class": "Firewall_Policy"
},
"vs-udp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "UDP forward-proxy.example.com",
"virtualAddresses": [
"10.1.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"layer4": "udp",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"policyFirewallEnforced": {
"use": "firewall-policy-udp-forward-proxy.example.com"
}
},
"firewall-rule-list-udp-forward-proxy.example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-stuff",
"loggingEnabled": true,
"protocol": "udp",
"source": {
"addressLists": [
{
"use": "host-7.6.5.4"
},
{
"use": "host-5.6.7.8"
},
{
"use": "host-2.3.4.5"
}
]
},
"destination": {
"addressLists": [
{
"use": "group-public-dns"
}
],
"ports": [
"53"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"group-public-dns": {
"class": "Firewall_Address_List",
"addresses": [
"1.1.1.1/32",
"8.8.8.8/32"
]
},
"host-7.6.5.4": {
"class": "Firewall_Address_List",
"addresses": [
"7.6.5.4/32"
]
},
"host-2.3.4.5": {
"class": "Firewall_Address_List",
"addresses": [
"2.3.4.5/32"
]
},
"firewall-policy-udp-forward-proxy.example.com": {
"rules": [
{
"use": "firewall-rule-list-udp-forward-proxy.example.com"
}
],
"class": "Firewall_Policy"
}
}
},
"class": "ADC",
"schemaVersion": "3.53.0"
}
Problem occurs with another standard VS and firewall policy attached
{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/main/schema/latest/as3-schema.json",
"tenant-test": {
"class": "Tenant",
"app-tentant-test": {
"class": "Application",
"template": "generic",
"vs-tcp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "TCP forward-proxy.example.com",
"virtualAddresses": [
"10.2.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"policyFirewallEnforced": {
"use": "firewall-policy-tcp-forward-proxy.example.com"
}
},
"firewall-rule-list-tcp-forward-proxy.example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-5.6.7.8",
"remark": "test",
"loggingEnabled": true,
"protocol": "tcp",
"source": {
"addressLists": [
{
"use": "host-5.6.7.8"
}
]
},
"destination": {
"addressLists": [
{
"use": "group-ip-group"
}
],
"ports": [
"443"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"group-ip-group": {
"class": "Firewall_Address_List",
"addresses": [
"1.1.1.1/32",
"1.1.1.2/32",
"1.1.1.3/32",
"1.1.1.4/32",
"1.1.1.5/32"
]
},
"host-5.6.7.8": {
"class": "Firewall_Address_List",
"addresses": [
"5.6.7.8"
]
},
"firewall-policy-tcp-forward-proxy.example.com": {
"rules": [
{
"use": "firewall-rule-list-tcp-forward-proxy.example.com"
}
],
"class": "Firewall_Policy"
},
"vs-udp-anyport-forward-proxy.example.com": {
"class": "Service_L4",
"remark": "UDP forward-proxy.example.com",
"virtualAddresses": [
"10.1.0.1"
],
"virtualPort": 0,
"redirect80": false,
"snat": "auto",
"layer4": "udp",
"profileL4": {
"bigip": "/Common/fastL4"
},
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"policyFirewallEnforced": {
"use": "firewall-policy-udp-forward-proxy.example.com"
}
},
"firewall-rule-list-udp-forward-proxy.example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-stuff",
"loggingEnabled": true,
"protocol": "udp",
"source": {
"addressLists": [
{
"use": "host-7.6.5.4"
},
{
"use": "host-5.6.7.8"
},
{
"use": "host-2.3.4.5"
}
]
},
"destination": {
"addressLists": [
{
"use": "group-public-dns"
}
],
"ports": [
"53"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"group-public-dns": {
"class": "Firewall_Address_List",
"addresses": [
"1.1.1.1/32",
"8.8.8.8/32"
]
},
"host-7.6.5.4": {
"class": "Firewall_Address_List",
"addresses": [
"7.6.5.4/32"
]
},
"host-2.3.4.5": {
"class": "Firewall_Address_List",
"addresses": [
"2.3.4.5/32"
]
},
"firewall-policy-udp-forward-proxy.example.com": {
"rules": [
{
"use": "firewall-rule-list-udp-forward-proxy.example.com"
}
],
"class": "Firewall_Policy"
},
"vs-tcp443-more-example.com": {
"class": "Service_TCP",
"remark": "more-example.com",
"virtualAddresses": [
"1.2.3.4"
],
"virtualPort": 443,
"redirect80": false,
"snat": "none",
"profileTCP": "lan",
"allowVlans": [
{
"bigip": "/Common/external"
}
],
"pool": {
"use": "pool-tcp12345-more-example.com"
},
"persistenceMethods": [ ],
"policyFirewallEnforced": {
"use": "firewall-policy-more-example.com"
}
},
"pool-tcp12345-more-example.com": {
"class": "Pool",
"loadBalancingMode": "round-robin",
"monitors": [
{
"use": "monitor-tcp54321-more-example.com"
}
],
"minimumMonitors": 1,
"members": [
{
"shareNodes": true,
"remark": "OpenShift Worker Node",
"servicePort": 12345,
"serverAddresses": [
"10.1.2.18",
"10.1.2.19",
"10.1.2.20"
]
}
]
},
"monitor-tcp54321-more-example.com": {
"class": "Monitor",
"interval": 5,
"monitorType": "tcp",
"targetAddress": "",
"timeout": 16,
"adaptive": false,
"send": "",
"receive": "",
"targetPort": 30842
},
"firewall-rule-list-more-example.com": {
"class": "Firewall_Rule_List",
"rules": [
{
"name": "rule-https-only",
"loggingEnabled": true,
"protocol": "tcp",
"destination": {
"addressLists": [
{
"use": "host-more-example.com-7.5.6.2"
}
],
"ports": [
"443"
]
},
"action": "accept"
},
{
"name": "rule-deny-any",
"loggingEnabled": true,
"action": "drop"
}
]
},
"host-more-example.com-7.5.6.2": {
"class": "Firewall_Address_List",
"addresses": [
"7.5.6.2"
]
},
"firewall-policy-more-example.com": {
"rules": [
{
"use": "firewall-rule-list-more-example.com"
}
],
"class": "Firewall_Policy"
}
}
},
"class": "ADC",
"schemaVersion": "3.53.0"
}
I've just stumbled across this problem too.
Any plans fixing this? Maybe raising an official support issue will help in this case?
Any plans fixing this? Maybe raising an official support issue will help in this case?
I submitted a support case and F5 fixed it with a new .rpm; F5 will incorporate the fix in v3.54.0.
Any plans fixing this? Maybe raising an official support issue will help in this case?
I submitted a support case and F5 fixed it with a new .rpm, but will incorporate the fix in v3.54.0.
Sounds great! Any idea when the new rpm will be released?
Got feedback from F5 support team. The fix will be included in 3.54 which will be released Jan 15. Will get back here after some testing.
Got feedback that 3.54 will be released in February week 2. Fingers crossed
Jira AUTOTOOL-4628
Well, it seems the bug has been fixed. I used the declaration I posted above. Declaring, removing, declaring, removing, declaring, declaring the same again, removing, declaring all worked. I have not yet tested declaring items in /Common. Has anyone here done some tests on this?