Manual Chapter : Upgrading from previous F5 SSL Orchestrator versions using the recovery procedure

Applies To:

F5 SSL Orchestrator

  • 16.0.0
Overview: Upgrade from previous F5 SSL Orchestrator versions using the recovery procedure

If you need to recover from a failed recommended upgrade procedure and still need to undeploy your previous SSL Orchestrator deployments, as well as uninstall your previous version of the application, manual steps are required to reset your environment and undeploy the previous version.
Depending on your previous SSL Orchestrator version and current access to the BIG-IP Applications LX menu, use one of the following upgrade paths:
  • Upgrading from SSL Orchestrator versions 12.x.x, 13.x.x using recovery procedure
  • Upgrading from SSL Orchestrator versions 14.0.x using recovery procedure with Applications LX menu access
  • Upgrading from SSL Orchestrator versions 14.0.x using recovery procedure without Applications LX menu access

Upgrading from F5 SSL Orchestrator versions 12.x.x, 13.x.x using recovery procedure

  • Access to log on to the BIG-IP console as root or with equivalent privileges.
  • Access to user credentials so that you can enter the curl commands.
To upgrade from SSL Orchestrator version 12.x.x or 13.x.x, follow the procedure in this section to clean up your environment. When you complete this procedure, your environment will be clean and you can log in to BIG-IP and start using SSL Orchestrator Guided Configuration by clicking SSL Orchestrator > Configuration.
Steps to clean up your environment:
  • Cleaning up forwarding database (FDB) entries
  • Cleaning up nodes
  • Cleaning up iApp application service
  1. Either SSH to BIG-IP as a root user or as a user with equivalent or higher privileges.
    For example, SSH root@<Management IP>.
  2. Enter the following command to get the SSL Orchestrator block and write down the values of the id, name, and state attributes from the output of the command.
    curl --insecure -XGET 'https://<<BigIp management IP>>/mgmt/shared/iapp/blocks?$select=id,name,state&$filter=presentationHtmlReference/link%20eq%20%27https://localhost/iapps/f5-iappslx-ssl-orchestrator/index.html%27%20and%20state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example, note down the details:
    "id": "2f00771a-48c1-4c0d-a907-b586164177d7",
    "name": "ssloAppName",
    "state": "BOUND"
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,name,state&$filter=presentationHtmlReference/link%20eq%20%27https://localhost/iapps/f5-iappslx-ssl-orchestrator/index.html%27%20and%20state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   265  100   265    0     0    884      0 --:--:-- --:--:-- --:--:--   904
    {
        "generation": 57,
        "items": [
            {
                "id": "2f00771a-48c1-4c0d-a907-b586164177d7",
                "name": "ssloAppName",
                "state": "BOUND"
            }
        ],
        ....
    }
  3. Cleaning up forwarding database (FDB) entries
  4. To delete and clean up the FDB entries, F5 recommends that you first map the MAC addresses and VLAN names so that you can properly determine the TMUI command to delete the FDB entries. We recommend creating a table to track the required information.
    | MAC Address | VLAN Name | TMUI Command to delete FDB entry |
    |---|---|---|
  5. To retrieve the MAC addresses, enter the following command and populate the table with the correct information.
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=id,name,inputProperties/value/receiveOnlyServices/macAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>>| python -m json.tool
    Update the table with the MAC address details.
    | MAC Address | VLAN Name | TMUI Command to delete FDB entry |
    |---|---|---|
    | 11:22:33:44:55:66 | | |
    | 77:88:99:11:22:33 | | |
    The MAC address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,name,inputProperties/value/receiveOnlyServices/macAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   390  100   390    0     0   2502      0 --:--:-- --:--:-- --:--:--  2635
    {
        "generation": 57,
        "items": [
            {
                "id": "2f00771a-48c1-4c0d-a907-b586164177d7",
                "inputProperties": [
                    {
                        "value": {
                            "receiveOnlyServices": [
                                { "macAddress": "11:22:33:44:55:66" },
                                { "macAddress": "77:88:99:11:22:33" }
                            ]
                        }
                    },
                    { "value": true }
                ],
                "name": "ssloAppName"
            }
        ],
        .......
    }
  6. To retrieve the VLAN names, enter the following command and populate the table with the correct information.
    curl --insecure -XGET 'https://<<Big Ip Management IP>>/mgmt/tm/net/fdb/vlan?$select=name,records/name' -u <<User ID>>:<<Password>> | python -m json.tool
    Update the table with the VLAN name details.
    | MAC Address | VLAN Name | TMUI Command to delete FDB entry |
    |---|---|---|
    | 11:22:33:44:55:66 | v1 | |
    | 77:88:99:11:22:33 | v1 | |
    Ignore "v3" because the mapped MAC address is not present in the above table.
    Ignore the MAC address fa:18:4a:ca:c1:4d from any "v1" VLAN name.
    The VLAN name information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/tm/net/fdb/vlan?$select=name,records/name' -u admin:admin | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   434  100   434    0     0   1254      0 --:--:-- --:--:-- --:--:--  1280
    {
        "items": [
            { "name": "ssloAppName-70-0-D" },
            { "name": "ssloAppName-70-0-S" },
            { "name": "ssloAppName-71-0-D" },
            { "name": "ssloAppName-71-0-S" },
            {
                "name": "v1",
                "records": [
                    { "name": "11:22:33:44:55:66" },
                    { "name": "77:88:99:11:22:33" },
                    { "name": "fa:18:4a:ca:c1:4d" }
                ]
            },
            { "name": "v2", },
            {
                "name": "v3",
                "records": [
                    { "name": "fa:16:3e:cb:d1:8d" }
                ]
            },
            { "name": "v4" }
        ],
        ......
    }
  7. Use the following command to build the delete commands for cleaning up the FDB entries and update the table.
    modify net fdb vlan <<vlan name>> records delete { <<macaddress>> }
    Update the table with the delete command details.
    | MAC Address | VLAN Name | TMUI Command to delete FDB entry |
    |---|---|---|
    | 11:22:33:44:55:66 | v1 | modify net fdb vlan v1 records delete { 11:22:33:44:55:66 } |
    | 77:88:99:11:22:33 | v1 | modify net fdb vlan v1 records delete { 77:88:99:11:22:33 } |
  8. Enter all of the delete commands for deleting FDB entries. For example:
    tmsh modify net fdb vlan v1 records delete { 11:22:33:44:55:66 }
    tmsh modify net fdb vlan v1 records delete { 77:88:99:11:22:33 }
  9. Cleaning up nodes
  10. To delete the necessary nodes used in different services and objects created through the SSL Orchestrator application, you must identify the list of IP addresses that map to each node. F5 recommends you populate a table to track the information using information output from commands detailed in the steps below. For example:
    | IP Address | TMUI command for deleting nodes |
    |---|---|
  11. Enter the following command and populate the table with the values in the IP address column. Ignore all duplicates when listing all IP addresses for explicitProxyConfiguration, ingressDeviceEgressConfiguration, ingressDeviceConfiguration, egressDeviceEgressConfiguration, and decryptZone.
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=inputProperties/value/generalSection/ingressDeviceEgressConfiguration/ipv4OutboundGateways/ip,inputProperties/value/generalSection/ingressDeviceEgressConfiguration/ipv6OutboundGateways/ip,inputProperties/value/generalSection/egressDeviceEgressConfiguration/ipv4OutboundGateways/ip,inputProperties/value/generalSection/egressDeviceEgressConfiguration/ipv6OutboundGateways/ip&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example:
    | IP Address | TMUI command for deleting nodes |
    |---|---|
    | 90.90.90.94 | |
    | 90.90.90.95 | |
    | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | |
    The explicitProxyConfiguration, ingressDeviceEgressConfiguration, ingressDeviceConfiguration, egressDeviceEgressConfiguration, and decryptZone IP address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=inputProperties/value/generalSection/ingressDeviceEgressConfiguration/ipv4OutboundGateways/ip,inputProperties/value/generalSection/ingressDeviceEgressConfiguration/ipv6OutboundGateways/ip,inputProperties/value/generalSection/egressDeviceEgressConfiguration/ipv4OutboundGateways/ip,inputProperties/value/generalSection/egressDeviceEgressConfiguration/ipv6OutboundGateways/ip&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   534  100   534    0     0   3144      0 --:--:-- --:--:-- --:--:--  3296
    {
        "generation": 57,
        "items": [
            {
                "inputProperties": [
                    {
                        "value": {
                            "generalSection": {
                                "egressDeviceEgressConfiguration": {
                                    "ipv4OutboundGateways": [
                                        { "ip": "" }
                                    ],
                                    "ipv6OutboundGateways": [
                                        { "ip": "" }
                                    ]
                                },
                                "ingressDeviceEgressConfiguration": {
                                    "ipv4OutboundGateways": [
                                        { "ip": "90.90.90.94" },
                                        { "ip": "90.90.90.95" }
                                    ],
                                    "ipv6OutboundGateways": [
                                        { "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" }
                                    ]
                                }
                            }
                        }
                    },
                    { "value": true }
                ]
            }
        ],
        "kind": "shared:iapp:blocks:blockcollectionstate",
        ......
    }
  12. List all IP addresses for receiveOnlyServices and update the IP addresses in the table by entering the following command:
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=inputProperties/value/receiveOnlyServices/ipAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example:
    | IP Address | TMUI command for deleting nodes |
    |---|---|
    | 90.90.90.94 | |
    | 90.90.90.95 | |
    | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | |
    | 10.10.10.10 | |
    | 20.20.20.20 | |
    The receiveOnlyServices IP address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=inputProperties/value/receiveOnlyServices/ipAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   311  100   311    0     0   1800      0 --:--:-- --:--:-- --:--:--  1884
    {
        "generation": 57,
        "items": [
            {
                "inputProperties": [
                    {
                        "value": {
                            "receiveOnlyServices": [
                                { "ipAddress": "10.10.10.10" },
                                { "ipAddress": "20.20.20.20" }
                            ]
                        }
                    },
                    { "value": true }
                ]
            }
        ],
        "kind": "shared:iapp:blocks:blockcollectionstate",
        ......
    }
  13. List all IP addresses for icapServices and update the IP addresses in the table by entering the following command:
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=inputProperties/value/icapServices/inspectionDevices/ipAddress,inputProperties/value/icapServices/backupItem/inspectionDevices/ipAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example:
    | IP Address | TMUI command for deleting nodes |
    |---|---|
    | 90.90.90.94 | |
    | 90.90.90.95 | |
    | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | |
    | 10.10.10.10 | |
    | 20.20.20.20 | |
    | 30.30.30.30 | |
    | 40.40.40.40 | |
    | 50.50.50.50 | |
    The icapServices IP address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=inputProperties/value/icapServices/inspectionDevices/ipAddress,inputProperties/value/icapServices/backupItem/inspectionDevices/ipAddress&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   538  100   538    0     0   3987      0 --:--:-- --:--:-- --:--:--  4014
    {
        "generation": 57,
        "items": [
            {
                "inputProperties": [
                    {
                        "value": {
                            "icapServices": [
                                {
                                    "backupItem": {
                                        "inspectionDevices": [
                                            { "ipAddress": "30.30.30.30" },
                                            { "ipAddress": "40.40.40.40" }
                                        ]
                                    },
                                    "inspectionDevices": [
                                        { "ipAddress": "30.30.30.30" },
                                        { "ipAddress": "40.40.40.40" }
                                    ]
                                },
                                {
                                    "backupItem": {
                                        "inspectionDevices": [
                                            { "ipAddress": "50.50.50.50" }
                                        ]
                                    },
                                    "inspectionDevices": [
                                        { "ipAddress": "50.50.50.50" }
                                    ]
                                }
                            ]
                        }
                    },
                    { "value": true }
                ]
            }
        ],
        "kind": "shared:iapp:blocks:blockcollectionstate",
        .....
    }
  14. Create the delete commands for cleaning up FDB entries and update the IP addresses in the table by entering the following command:
    delete ltm node <<IP Address>>
    For example:
    | IP Address | TMUI command for deleting nodes |
    |---|---|
    | 90.90.90.94 | delete ltm node 90.90.90.94 |
    | 90.90.90.95 | delete ltm node 90.90.90.95 |
    | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | delete ltm node 2001:0db8:85a3:0000:0000:8a2e:0370:7334 |
    | 10.10.10.10 | delete ltm node 10.10.10.10 |
    | 20.20.20.20 | delete ltm node 20.20.20.20 |
    | 30.30.30.30 | delete ltm node 30.30.30.30 |
    | 40.40.40.40 | delete ltm node 40.40.40.40 |
    | 50.50.50.50 | delete ltm node 50.50.50.50 |
  15. Enter all of the delete commands built in the table.
    If a delete command fails with the following error message, ignore it, since the node may be in use somewhere else.
    "Node address '/Common/<<IP Address>>' is referenced by a member of pool '/Common/<<Pool Name>>'"
    Example of delete commands:
    tmsh delete ltm node 90.90.90.94
    tmsh delete ltm node 90.90.90.95
    tmsh delete ltm node 2001:0db8:85a3:0000:0000:8a2e:0370:7334
    tmsh delete ltm node 10.10.10.10
    tmsh delete ltm node 20.20.20.20
    tmsh delete ltm node 30.30.30.30
    tmsh delete ltm node 40.40.40.40
    tmsh delete ltm node 50.50.50.50
  16. Cleaning up iApp application service
  17. Enter the following command using the SSL Orchestrator application name noted down in Step 4:
    tmsh delete sys application service <<SSLO App Name>>.app/<<SSLO App Name>>
    For example, "name":"ssloAppName" would look much like this:
    delete sys application service ssloAppName.app/ssloAppName
  18. Enter the following command, replacing <<block id>> with the id value noted down in Step 2:
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks/<<block Id>>' -u <<userID>>:<<password>>
    For example:
    curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/2f00771a-48c1-4c0d-a907-b586164177d7' -u admin:admin
  19. Wait at least two to three minutes before executing the following command to check the status of the iApp block. Repeat this command until the status value changes to ERROR/UNBOUND.
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=state,id&$filter=id%20eq%20%27<<Block Id>>%27' -u <<userID>>:<<password>> | python -m json.tool
    In this example, the id that was noted down in Step 2 is 2f00771a-48c1-4c0d-a907-b586164177d7.
    curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=state,id&$filter=id%20eq%20%272f00771a-48c1-4c0d-a907-b586164177d7%27' -u admin:admin | python -m json.tool
  20. Enter the following command to delete the iApp block. The block must be in the ERROR state before executing this command. Refer to step 16 to check the block state.
    curl --insecure -X DELETE 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks/2f00771a-48c1-4c0d-a907-b586164177d7' -u <<userID>>:<<password>>
    For example:
    curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/2f00771a-48c1-4c0d-a907-b586164177d7' -u admin:admin
You have now cleaned the device of SSL Orchestrator deployments. Log in to the BIG-IP and start using SSL Orchestrator by clicking SSL Orchestrator > Configuration.
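
The node cleanup steps above (collect addresses from three responses, ignore duplicates and empty values, build one delete command per address) can be scripted over saved `json.tool` output. This is an added example, not F5's code; the function names are hypothetical, and the sample responses are reproduced in trimmed form from the example output on this page. Each address is parsed before it is placed in a command that will run as root.

```python
import ipaddress
import json
import re

# Sample responses reproduced (trimmed) from the example output of steps 11-13.
GATEWAYS = json.loads("""
{"items": [{"inputProperties": [{"value": {"generalSection": {
  "egressDeviceEgressConfiguration": {
    "ipv4OutboundGateways": [{"ip": ""}],
    "ipv6OutboundGateways": [{"ip": ""}]},
  "ingressDeviceEgressConfiguration": {
    "ipv4OutboundGateways": [{"ip": "90.90.90.94"}, {"ip": "90.90.90.95"}],
    "ipv6OutboundGateways": [{"ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"}]}
}}}, {"value": true}]}]}
""")
RECEIVE_ONLY = json.loads("""
{"items": [{"inputProperties": [{"value": {"receiveOnlyServices": [
  {"ipAddress": "10.10.10.10"}, {"ipAddress": "20.20.20.20"}]}}, {"value": true}]}]}
""")
ICAP = json.loads("""
{"items": [{"inputProperties": [{"value": {"icapServices": [
  {"backupItem": {"inspectionDevices": [{"ipAddress": "30.30.30.30"}, {"ipAddress": "40.40.40.40"}]},
   "inspectionDevices": [{"ipAddress": "30.30.30.30"}, {"ipAddress": "40.40.40.40"}]},
  {"backupItem": {"inspectionDevices": [{"ipAddress": "50.50.50.50"}]},
   "inspectionDevices": [{"ipAddress": "50.50.50.50"}]}
]}}, {"value": true}]}]}
""")

# Keys that carry node addresses in the responses shown on this page.
IP_KEYS = {"ip", "ipAddress"}
# The one failure the procedure says to ignore (node still used by a pool).
IN_USE = re.compile(r"Node address '[^']+' is referenced by a member of pool '[^']+'")


def collect_ips(doc):
    """Return every non-empty 'ip'/'ipAddress' string in document order."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in IP_KEYS and isinstance(value, str):
                    if value.strip():
                        found.append(value.strip())
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(doc)
    return found


def node_delete_commands(*responses):
    """Build one 'tmsh delete ltm node' command per distinct address.

    ipaddress.ip_address() raises ValueError for anything that is not an
    IPv4/IPv6 literal, so no unexpected text reaches the command line.
    Duplicates are detected on the parsed address, so two spellings of the
    same IPv6 address produce a single command.
    """
    seen, commands = set(), []
    for doc in responses:
        for raw in collect_ips(doc):
            addr = ipaddress.ip_address(raw)
            if addr not in seen:
                seen.add(addr)
                commands.append(f"tmsh delete ltm node {raw}")
    return commands


def is_ignorable_failure(message):
    """True for the 'referenced by a member of pool' error from step 15."""
    return IN_USE.search(message) is not None


if __name__ == "__main__":
    for command in node_delete_commands(GATEWAYS, RECEIVE_ONLY, ICAP):
        print(command)
```
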

Upgrading from F5 SSL Orchestrator versions 14.0.x using recovery procedure with Applications LX menu access

To upgrade from SSL Orchestrator versions 14.0.x while you have access to the Applications LX menu, follow the procedure in this section to clean up your environment. When you complete this procedure, your environment will be clean and you can log in to BIG-IP and start using SSL Orchestrator Guided Configuration by clicking SSL Orchestrator > Configuration.
  1. Log in to BIG-IP and navigate to iApps > Application Services > Applications LX.
  2. Select all deployed SSL Orchestrator applications in the table.
  3. Click Undeploy.
  4. Delete all SSL Orchestrator applications which have the below template type:
    • f5-ssl-orchestrator-storage
    • f5-ssl-orchestrator-network
    • f5-ssl-orchestrator-policy
    • f5-ssl-orchestrator-service
    • f5-ssl-orchestrator-tls
    • f5-ssl-orchestrator
  5. Click iApps > Package Management LX. The Package Management LX screen opens.
  6. Select the f5-iappslx-ssl-orchestrator package and click uninstall.
You have now cleaned the device of any SSL Orchestrator deployments. Log in to the BIG-IP and start using SSL Orchestrator by clicking SSL Orchestrator > Configuration.

Upgrading from F5 SSL Orchestrator versions 14.0.x using recovery procedure without Applications LX menu access

To upgrade from SSL Orchestrator versions 14.0.x when you do not have access to the Applications LX menu, follow the procedure in this section to clean up your environment. When you complete this procedure, your environment will be clean and you can log in to BIG-IP and start using SSL Orchestrator Guided Configuration by clicking SSL Orchestrator > Configuration.
  1. Enter the following command and note down the name and id.
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=id,name&$filter=configurationProcessorReference/link%20eq%20%27https://localhost/mgmt/shared/iapp/processors/f5-iappslx-ssl-orchestrator%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example, note down the name and id details:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,name&$filter=configurationProcessorReference/link%20eq%20%27https://localhost/mgmt/shared/iapp/processors/f5-iappslx-ssl-orchestrator%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   257  100   257    0     0   1771      0 --:--:-- --:--:-- --:--:--  1889
    {
        "generation": 11569,
        "items": [
            {
                "id": "c670eb32-89a5-4555-a2bf-e7a82c743ff6",
                "name": "sslo_TestSsloApp"
            }
        ],
        .....
    }
  2. To delete and clean up the forwarding database (FDB) entries, F5 recommends you first map the MAC addresses and VLAN names so that you can properly determine the TMUI command to delete the FDB entries. We recommend creating a table to track the required information.
    | MAC Address | VLAN Name | TMUI Command to delete FDB entry |
    |---|---|---|
  3. To retrieve all of the MAC addresses used for FDB entries, enter the following command and populate the table with the correct information.
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=id,state,name,inputProperties/value/customService/serviceSpecific/macAddress,inputProperties/value/customService/serviceSpecific/vlan&$filter=configurationProcessorReference/link%20eq%20%27https://localhost/mgmt/shared/iapp/processors/f5-iappslx-ssl-orchestrator-service%27%20and%20inputProperties/value/customService/serviceType%20eq%20%27tap%27%20and%20%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    Populate the table with the MAC addresses.
    | MAC Address | VLAN Name | TMUI Command to delete FDB entry |
    |---|---|---|
    | fa:16:3e:cb:d1:8d | | |
    | fa:16:3e:5d:fe:58 | | |
    For example, the MAC address information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,state,name,inputProperties/value/customService/serviceSpecific/macAddress,inputProperties/value/customService/serviceSpecific/vlan&$filter=configurationProcessorReference/link%20eq%20%27https://localhost/mgmt/shared/iapp/processors/f5-iappslx-ssl-orchestrator-service%27%20and%20inputProperties/value/customService/serviceType%20eq%20%27tap%27%20and%20%20state%20ne%20%27TEMPLATE%27' -u admin:bigip123 | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   645  100   645    0     0    752      0 --:--:-- --:--:-- --:--:--   761
    {
        "generation": 13107,
        "items": [
            {
                "id": "9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb",
                "inputProperties": [
                    {
                        "value": {
                            "customService": {
                                "serviceSpecific": {
                                    "macAddress": "fa:16:3e:5d:fe:58",
                                    "vlan": "/Common/ssloN_vLan3Sslo.app/ssloN_vLan3Sslo"
                                }
                            }
                        }
                    }
                ],
                "name": "ssloS_TapService_2",
                "state": "BOUND"
            },
            {
                "id": "6e161941-826d-424e-865e-3defbfdfd116",
                "inputProperties": [
                    {
                        "value": {
                            "customService": {
                                "serviceSpecific": {
                                    "macAddress": "fa:16:3e:cb:d1:8d",
                                    "vlan": "/Common/vLan1"
                                }
                            }
                        }
                    }
                ],
                "name": "ssloS_TapService",
                "state": "BOUND"
            }
        ],
        ....
    }
  4. To retrieve the VLAN names, enter the following command and populate the table with the correct information.
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/tm/net/fdb/vlan?$select=name,records/name' -u <<userID>>:<<password>> | python -m json.tool
    Update the table with the VLAN name details.
    | MAC Address | VLAN Name | TMUI Command to delete FDB entry |
    |---|---|---|
    | fa:16:3e:cb:d1:8d | vLan1 | |
    | fa:16:3e:cb:d1:8d | ssloN_ssloVlan_1 | |
    | fa:16:3e:5d:fe:58 | ssloN_vLan3Sslo | |
    If the same MAC address is associated with multiple VLANs, note the multiple VLAN names against each of the MAC addresses.
    For example, the information would come from this source:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/tm/net/fdb/vlan?$select=name,records/name' -u admin:bigip123 | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   372  100   372    0     0   1252      0 --:--:-- --:--:-- --:--:--  1261
    {
        "items": [
            {
                "name": "ssloN_ssloVlan_1",
                "records": [
                    { "name": "fa:16:3e:cb:d1:8d" }
                ]
            },
            {
                "name": "ssloN_vLan3Sslo",
                "records": [
                    { "name": "fa:16:3e:5d:fe:58" }
                ]
            },
            {
                "name": "vLan1",
                "records": [
                    { "name": "fa:16:3e:cb:d1:8d" }
                ]
            },
            { "name": "vLan2" },
            { "name": "vLan3" },
            { "name": "vLan4" }
        ],
        ....
    }
  5. Use the following command to build the delete commands for cleaning up the FDB entries and update the table.
    modify net fdb vlan <<vlan name>> records delete { <<macaddress>> }
    | MAC Address | VLAN Name | TMUI Command to delete FDB entry |
    |---|---|---|
    | fa:16:3e:cb:d1:8d | vLan1 | modify net fdb vlan vLan1 records delete { fa:16:3e:cb:d1:8d } |
    | fa:16:3e:cb:d1:8d | ssloN_ssloVlan_1 | modify net fdb vlan ssloN_ssloVlan_1.app/ssloN_ssloVlan_1 records delete {fa:16:3e:cb:d1:8d } |
    | fa:16:3e:5d:fe:58 | ssloN_vLan3Sslo | modify net fdb vlan ssloN_vLan3Sslo.app/ssloN_vLan3Sslo records delete {fa:16:3e:5d:fe:58 } |
    If you receive a strictness warning (Protected/Unprotected Configurations) while deleting FDB entries, enter the following command and then enter the delete command again.
    modify sys application service <<vLan Name>>.app/<<vLan Name>> strict-updates disabled
    For example, the information would come from this source:
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify net fdb vlan ssloN_vLan3Sslo.app/ssloN_vLan3Sslo records delete {fa:16:3e:5d:fe:58 }
    010715bc:3: The application service (/Common/ssloN_vLan3Sslo.app/ssloN_vLan3Sslo) has strict updates enabled, the object (VLAN /Common/ssloN_vLan3Sslo.app/ssloN_vLan3Sslo) must be updated using an application management interface.
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys application service ssloN_vLan3Sslo.app/ssloN_vLan3Sslo strict-updates disabled
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify net fdb vlan ssloN_vLan3Sslo.app/ssloN_vLan3Sslo records delete {fa:16:3e:5d:fe:58 }
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
  6. Enter all of the delete commands for deleting FDB entries. For example:
    tmsh modify net fdb vlan vLan1 records delete { fa:16:3e:cb:d1:8d }
    tmsh modify net fdb vlan ssloN_ssloVlan_1.app/ssloN_ssloVlan_1 records delete {fa:16:3e:cb:d1:8d }
    tmsh modify net fdb vlan ssloN_vLan3Sslo.app/ssloN_vLan3Sslo records delete {fa:16:3e:5d:fe:58 }
  7. Enter the following command on the BIG-IP:
    tmsh
    For example:
    [root@localhost:Active:Standalone] config # tmsh
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#
  8. Enter the following command and press Tab to view the list of deployed application services. The resulting information from this step will be used in step 9.
    delete sys application service
    For example:
    [root@localhost:Active:Standalone] config # tmsh
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service
    Options:
      recursive
    Configuration Items:
      ssloN_ssloVlan_1.app/  ssloN_vLan3Sslo.app/  ssloS_HttpService.app/  ssloS_L2Service_1.app/  ssloS_L3Service_2.app/  ssloS_TapService_2.app/  ssloS_iCapService_2.app/  ssloT_sslSettings_1.app/
      ssloN_vLan2Sslo.app/  ssloP_PRP1.app/  ssloS_HttpService_1.app/  ssloS_L3Service_1.app/  ssloS_TapService.app/  ssloS_iCapService_1.app/  ssloT_SSL3.app/  sslo_TestSsloApp.app/
  9. Populate a table based on the output from the command used in step 8. For example:
    • Deployment App: Name which matches the format <<SSLO deployed App>>.app, where <<SSLO deployed App>> is the name which is noted down in step 1.
    • Policy App: Name which starts with ssloP_.
    • Services App: Name which starts with ssloS_.
    • Network App: Name which starts with ssloN_.
    • SSL App: Name which starts with ssloT_.
    | Deployment App | Policy App | Services App | Network App | SSL App |
    |---|---|---|---|---|
    | sslo_TestSsloApp.app/ | ssloP_PRP1.app/ | ssloS_HttpService.app/ | ssloN_ssloVlan_1.app/ | ssloT_SSL3.app/ |
    | | | ssloS_L2Service_1.app/ | ssloN_vLan3Sslo.app/ | ssloT_sslSettings_1.app/ |
    | | | ssloS_L3Service_2.app/ | ssloN_vLan2Sslo.app/ | |
    | | | ssloS_TapService_2.app/ | | |
    | | | ssloS_iCapService_2.app/ | | |
    | | | ssloS_HttpService_1.app/ | | |
    | | | ssloS_L3Service_1.app/ | | |
    | | | ssloS_TapService.app/ | | |
    | | | ssloS_iCapService_1.app/ | | |
  10. Enter the following command for all of the apps listed in step 9.
    Make sure to enter the TMSH command before starting this step on the BIG-IP device.
    The order in which the commands are entered is important. F5 recommends that you start with Deployment App, followed by Policy App, and so on based on the suggested table headings.
    If a command fails due to a dependency, determine what the dependency is from the message and delete it before proceeding.
    delete sys application service <<appName>>/ <<press TAB to complete the command>>
    For example:
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service sslo_TestSsloApp.app/sslo_TestSsloApp
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloP_PRP1.app/ssloP_PRP1
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_HttpService.app/ssloS_HttpService
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_HttpService_1.app/ssloS_HttpService_1
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_L2Service_1.app/ssloS_L2Service_1
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_L3Service_2.app/ssloS_L3Service_2
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_TapService_2
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_TapService_2.app/ssloS_TapService_2
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_iCapService_2.app/ssloS_iCapService_2
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_L3Service_1.app/ssloS_L3Service_1
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_TapService.app/ssloS_TapService
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloS_iCapService_1.app/ssloS_iCapService_1
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloN_ssloVlan_1.app/ssloN_ssloVlan_1
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloN_vLan3Sslo.app/ssloN_vLan3Sslo
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloN_vLan2Sslo.app/ssloN_vLan2Sslo
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloT_SSL3.app/ssloT_SSL3
    root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys application service ssloT_sslSettings_1.app/ssloT_sslSettings_1
  11. Enter the following command:
    curl --insecure -XGET 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks?$select=id,state,name&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u <<userID>>:<<password>> | python -m json.tool
    For example:
    [root@localhost:Active:Standalone] config # curl --insecure -XGET 'https://10.192.225.215/mgmt/shared/iapp/blocks?$select=id,state,name&$filter=state%20eq%20%27*%27%20and%20state%20ne%20%27TEMPLATE%27' -u admin:admin | python -m json.tool
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  3550  100  3550    0     0  20938      0 --:--:-- --:--:-- --:--:-- 21005
    {
      "generation": 46597,
      "items": [
        { "id": "c670eb32-89a5-4555-a2bf-e7a82c743ff6", "name": "sslo_TestSsloApp", "state": "BOUND" },
        { "id": "35947fc5-3152-4ee9-94be-d98cc3c32059", "name": "ssloT_sslSettings_1", "state": "BOUND" },
        { "id": "c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2", "name": "ssloS_L3Service_1", "state": "BOUND" },
        { "id": "9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb", "name": "ssloS_TapService_2", "state": "BOUND" },
        { "id": "22841137-9d38-4176-ad75-362748f7067b", "name": "ssloS_HttpService", "state": "BOUND" },
        { "id": "0cf207ce-0460-49b3-b0f3-a140bb265fa9", "name": "ssloN_vLan3Sslo", "state": "BOUND" },
        { "id": "aef17b81-929c-4c12-90e6-a70931952ff9", "name": "ssloT_SSL3", "state": "BOUND" },
        { "id": "5c8f3039-d6cc-45db-88a1-6d030dac686b", "name": "7684d4ac-00d0-4f43-a0ba-921f459113bc-1538161044915", "state": "ERROR" },
        { "id": "2f952eba-4331-4a3e-995d-644f5a01b045", "name": "ssloS_L3Service_2", "state": "BOUND" },
        { "id": "46e05e4e-c350-4e33-8ffc-fa2671acac80", "name": "ssloS_iCapService_1", "state": "BOUND" },
        { "id": "75800f9c-f8c8-46e4-9e71-1c7b11fff5fd", "name": "ssloN_vLan2Sslo", "state": "BOUND" },
        { "id": "7684d4ac-00d0-4f43-a0ba-921f459113bc", "name": "ssloP_PRP1", "state": "BOUND" },
        { "id": "41697b7c-c059-47f2-b13a-b574d2b858f8", "name": "ssloS_L2Service_1", "state": "BOUND" },
        { "id": "e44a78c0-4efd-45cc-a3f1-a7d79302004e", "name": "ssloN_ssloVlan_1", "state": "BOUND" },
        { "id": "e47a45fb-7422-4ab3-a59a-deafe257660c", "name": "ssloS_iCapService_2", "state": "BOUND" },
        { "id": "69ba205f-e618-479e-b355-ae8010219b5f", "name": "ssloS_HttpService_1", "state": "BOUND" },
        { "id": "6e161941-826d-424e-865e-3defbfdfd116", "name": "ssloS_TapService", "state": "BOUND" },
        { "id": "df843553-dcbb-4239-a3f7-fbf4cf5ccf22", "name": "c670eb32-89a5-4555-a2bf-e7a82c743ff6-1538161044915", "state": "ERROR" },
        { "id": "ab0584b4-e8dd-461d-a3c9-f7585c42fdc7", "name": "22841137-9d38-4176-ad75-362748f7067b-1538161044915", "state": "ERROR" },
        { "id": "2037b09f-dfaf-4c60-bef9-52b7e1f74ba7", "name": "69ba205f-e618-479e-b355-ae8010219b5f-1538161044915", "state": "ERROR" },
        { "id": "ead269a0-43a8-4fd4-88cf-471cd287a6d5", "name": "2f952eba-4331-4a3e-995d-644f5a01b045-1538161044915", "state": "ERROR" },
        { "id": "38c5b1af-3f6b-4498-93fc-6380affd1483", "name": "41697b7c-c059-47f2-b13a-b574d2b858f8-1538161044915", "state": "ERROR" },
        { "id": "1e97e0ff-955b-43f2-b43f-fa9f806273bc", "name": "9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb-1538161044915", "state": "ERROR" },
        { "id": "f705eb0a-3e8e-4434-8bcc-8bd9135e5383", "name": "6e161941-826d-424e-865e-3defbfdfd116-1538161044915", "state": "ERROR" },
        { "id": "3f31c864-d2ca-4b15-baf2-47f4d490f84c", "name": "c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2-1538161044915", "state": "ERROR" },
        { "id": "1356eb55-53c4-4eee-86a2-c647228d5cae", "name": "e47a45fb-7422-4ab3-a59a-deafe257660c-1538161044915", "state": "ERROR" },
        { "id": "e778bcb2-697f-4238-a76d-169894304d44", "name": "46e05e4e-c350-4e33-8ffc-fa2671acac80-1538161044915", "state": "ERROR" },
        { "id": "e75c0952-8838-4484-817d-2cded5d7e63c", "name": "35947fc5-3152-4ee9-94be-d98cc3c32059-1538161044915", "state": "ERROR" },
        { "id": "f9c38383-a5a7-46fc-8fca-4196f021a64e", "name": "aef17b81-929c-4c12-90e6-a70931952ff9-1538161044915", "state": "ERROR" },
        { "id": "d65877b5-20d2-4c81-9723-0151aa5a51a1", "name": "75800f9c-f8c8-46e4-9e71-1c7b11fff5fd-1538161044915", "state": "ERROR" },
        { "id": "05131174-faf2-42a7-8b98-85718e4676d5", "name": "e44a78c0-4efd-45cc-a3f1-a7d79302004e-1538161044915", "state": "ERROR" },
        { "id": "67a567c1-f711-45bc-94ac-232121030aa2", "name": "0cf207ce-0460-49b3-b0f3-a140bb265fa9-1538161044915", "state": "ERROR" }
      ],
      .....
    }
  12. F5 recommends creating a table to track the required information based on the output from the command entered in step 11.
    | ID | State | Patch Command | Delete Command |
    | --- | --- | --- | --- |
    | <<block Id>> | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks/<<block Id>>' -u <<userID>>:<<password>> | curl --insecure -X DELETE 'https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks/<<block Id>>' -u <<userID>>:<<password>> |
    | <<block Id>> | ERROR | NO NEED FOR ERROR | |
    For example:
    | ID | State | Patch Command | Delete Command |
    | --- | --- | --- | --- |
    | c670eb32-89a5-4555-a2bf-e7a82c743ff6 | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/c670eb32-89a5-4555-a2bf-e7a82c743ff6' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/c670eb32-89a5-4555-a2bf-e7a82c743ff6' -u admin:admin |
    | 35947fc5-3152-4ee9-94be-d98cc3c32059 | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/35947fc5-3152-4ee9-94be-d98cc3c32059' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/35947fc5-3152-4ee9-94be-d98cc3c32059' -u admin:admin |
    | c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2 | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/c8ff1bcd-451a-4614-a9e0-8a3a02df7dc2' -u admin:admin |
    | 9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/9bf2efe3-db82-4c1a-8dd4-52bc23b9d5eb' -u admin:admin |
    | 22841137-9d38-4176-ad75-362748f7067b | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/22841137-9d38-4176-ad75-362748f7067b' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/22841137-9d38-4176-ad75-362748f7067b' -u admin:admin |
    | 0cf207ce-0460-49b3-b0f3-a140bb265fa9 | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/0cf207ce-0460-49b3-b0f3-a140bb265fa9' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/0cf207ce-0460-49b3-b0f3-a140bb265fa9' -u admin:admin |
    | aef17b81-929c-4c12-90e6-a70931952ff9 | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/aef17b81-929c-4c12-90e6-a70931952ff9' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/aef17b81-929c-4c12-90e6-a70931952ff9' -u admin:admin |
    | 5c8f3039-d6cc-45db-88a1-6d030dac686b | ERROR | | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/5c8f3039-d6cc-45db-88a1-6d030dac686b' -u admin:admin |
    | 2f952eba-4331-4a3e-995d-644f5a01b045 | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/2f952eba-4331-4a3e-995d-644f5a01b045' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/2f952eba-4331-4a3e-995d-644f5a01b045' -u admin:admin |
    | 46e05e4e-c350-4e33-8ffc-fa2671acac80 | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/46e05e4e-c350-4e33-8ffc-fa2671acac80' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/46e05e4e-c350-4e33-8ffc-fa2671acac80' -u admin:admin |
    | 75800f9c-f8c8-46e4-9e71-1c7b11fff5fd | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/75800f9c-f8c8-46e4-9e71-1c7b11fff5fd' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/75800f9c-f8c8-46e4-9e71-1c7b11fff5fd' -u admin:admin |
    | 7684d4ac-00d0-4f43-a0ba-921f459113bc | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/7684d4ac-00d0-4f43-a0ba-921f459113bc' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/7684d4ac-00d0-4f43-a0ba-921f459113bc' -u admin:admin |
    | 41697b7c-c059-47f2-b13a-b574d2b858f8 | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/41697b7c-c059-47f2-b13a-b574d2b858f8' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/41697b7c-c059-47f2-b13a-b574d2b858f8' -u admin:admin |
    | e44a78c0-4efd-45cc-a3f1-a7d79302004e | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/e44a78c0-4efd-45cc-a3f1-a7d79302004e' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/e44a78c0-4efd-45cc-a3f1-a7d79302004e' -u admin:admin |
    | e47a45fb-7422-4ab3-a59a-deafe257660c | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/e47a45fb-7422-4ab3-a59a-deafe257660c' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/e47a45fb-7422-4ab3-a59a-deafe257660c' -u admin:admin |
    | 69ba205f-e618-479e-b355-ae8010219b5f | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/69ba205f-e618-479e-b355-ae8010219b5f' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/69ba205f-e618-479e-b355-ae8010219b5f' -u admin:admin |
    | 6e161941-826d-424e-865e-3defbfdfd116 | BOUND | curl --insecure --data '{state:"UNBINDING"}' -X PATCH 'https://10.192.225.215/mgmt/shared/iapp/blocks/6e161941-826d-424e-865e-3defbfdfd116' -u admin:admin | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/6e161941-826d-424e-865e-3defbfdfd116' -u admin:admin |
    | df843553-dcbb-4239-a3f7-fbf4cf5ccf22 | ERROR | | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/df843553-dcbb-4239-a3f7-fbf4cf5ccf22' -u admin:admin |
    | ab0584b4-e8dd-461d-a3c9-f7585c42fdc7 | ERROR | | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/ab0584b4-e8dd-461d-a3c9-f7585c42fdc7' -u admin:admin |
    | 2037b09f-dfaf-4c60-bef9-52b7e1f74ba7 | ERROR | | curl --insecure -X DELETE 'https://10.192.225.215/mgmt/shared/iapp/blocks/2037b09f-dfaf-4c60-bef9-52b7e1f74ba7' -u admin:admin |
You have now cleaned the device of SSL Orchestrator deployments. Log in to the BIG-IP and start using SSL Orchestrator by clicking SSL Orchestrator > Configuration.
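The tracking table from step 12 can be generated from the step 11 response rather than typed by hand. The following Python is an added example, not part of the F5 procedure: the function name `build_tracking_table` and the sample response are constructed for illustration, and the commands keep the template's `<<...>>` placeholders so that no management address or password is written into the table.

```python
import json
import re

# Constructed sample in the shape of the step 11 response; the last two items
# are invented to exercise the checks and do not come from the page.
SAMPLE = """{"generation": 46597, "items": [
 {"id": "c670eb32-89a5-4555-a2bf-e7a82c743ff6", "name": "sslo_TestSsloApp", "state": "BOUND"},
 {"id": "5c8f3039-d6cc-45db-88a1-6d030dac686b", "name": "7684d4ac-00d0-4f43-a0ba-921f459113bc-1538161044915", "state": "ERROR"},
 {"id": "00000000-0000-4000-8000-000000000001", "name": "constructed_block", "state": "UNBINDING"},
 {"id": "not a uuid' -o", "name": "constructed_bad_id", "state": "BOUND"}]}"""

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\Z")
# Placeholders copied from the step 12 template; the operator substitutes the
# host and credentials when running a command, not in the tracking table.
URL = "https://<<BigIP Management IP>>/mgmt/shared/iapp/blocks/"
AUTH = "-u <<userID>>:<<password>>"


def build_tracking_table(response_text):
    """Return (rows, needs_review) for the blocks in a step 11 response."""
    rows, needs_review = [], []
    for item in json.loads(response_text).get("items", []):
        block_id = str(item.get("id", ""))
        state = item.get("state")
        # The id is pasted inside single quotes in a shell command, so accept
        # only a strict UUID and set anything else aside.
        if not UUID_RE.match(block_id):
            needs_review.append((block_id, state, "id is not a UUID"))
            continue
        # The step 12 table only defines actions for BOUND and ERROR blocks.
        if state not in ("BOUND", "ERROR"):
            needs_review.append((block_id, state, "state not in the table"))
            continue
        patch = ""
        if state == "BOUND":  # ERROR blocks need no PATCH, only DELETE
            patch = ("curl --insecure --data '{state:\"UNBINDING\"}' -X PATCH "
                     "'%s%s' %s" % (URL, block_id, AUTH))
        delete = "curl --insecure -X DELETE '%s%s' %s" % (URL, block_id, AUTH)
        rows.append({"id": block_id, "state": state,
                     "patch": patch, "delete": delete})
    return rows, needs_review


if __name__ == "__main__":
    table, review = build_tracking_table(SAMPLE)
    for row in table:
        print("%(id)s | %(state)s | %(patch)s | %(delete)s" % row)
    for block_id, state, reason in review:
        print("REVIEW %r (%s): %s" % (block_id, state, reason))
```

Blocks returned in `needs_review` are left out of the table so that an unexpected state or a malformed id is looked at by a person before any command is built from it.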