Introduction
In this article we will see how we can reactivate a F5 BIG-IP VE (Virtual Edition) Appliance that has an expired license. When the license is expired the BIG-IP Configuration utility gets stuck in “Configuration Utility restarting…” and you cannot login. We will focus on one of the latest VE versions 11.6.x where most of the usual methods to reactivate will not work.
Lab Environment
The full lab logical design can be seen HERE.
Problem
Recently I had an issue where my BIG-IP Local Traffic Manager (LTM) and Global Traffic Manager (GTM) devices had an expired license. I was using a 45 days license which I failed to reactivate it got expired. I first noticed that there was an issue with the appliance when I tried to open the BIG-IP Configuration utility. As shown in the following screenshot it got stuck in “Configuration Utility restarting…” and I wasn’t able to login.
Luckily I had a user with SSH access to the F5 BIG-IP VE appliance. If you don’t have SSH access to the appliance you are in big trouble. In such cases I wasn’t able to find a solution and had to reinstall the BIG-IP device and redo all the configurations. As said I was lucky enough to have SSH access to I logged to the appliance and check the license by running [show sys license] . As you can see from the following screenshot the license was expired.
Using username "admin".
Using keyboard-interactive authentication.
Password:
Last login: Thu Jun 25 23:10:38 2015 from 192.168.1.1
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# show sys license
Warning: license has expired
Sys::License
Licensed Version 11.6.0
Registration key ABCDE- ABCDE – ABCDE – ABCDE – ABCDEF
Licensed On 2015/06/10
License Start Date 2015/06/09
License End Date 2015/07/26
Service Check Date 2015/06/08
Platform ID Z100
Active Modules
APM, Base, VE (XCPDPCE-PJTQEGD)
Anti-Virus Checks
Base Endpoint Security Checks
Firewall Checks
Network Access
Secure Virtual Keyboard
APM, Web Application
Machine Certificate Checks
Protected Workspace
Remote Desktop
You will also notice other signs that there is something wrong like the work INOPERATIVE.
The expired license also causes a lot of other issue that can manifest in different ways. For example when running [load sys config] it will fails:
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# load sys config
Loading system configuration…
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/defaults/daemon.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration…
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
01070356:3: Load balancing feature not licensed.
Unexpected Error: Loading configuration process failed.
Generally you can find a lot of F5 articles and forum posts describing how to install a license again and activate the device.
Some articles describe the use of commands like the following to achieve activation:
- cat /config/RegKey.license
- tmsh show /sys hardware | grep ‘Registration Key’
- grep -i "Registration Key" /config/bigip.license
- cp /config/bigip.license /config/bigip.license.sol2595
- get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG
- reloadlic
Ref: sol2595: Activating and installing a license file from the command line
Unfortunately the BIG-IP VE appliance has not bash shell access, therefore you cannot execute any of these commands. In the BIG-IP Virtual Edition Appliance you only have access to the Traffic Management Shell (tmsh) utility. the BASH shell is disabled. Even if you try to grant bash access to your user, the command will run successfully, but you will not be granted access.
Others describe that such problems might be resolved by restoring a F5 configuration with commands such as:
- tmsh load sys ucs [ucs file name] no-license
Ref: sol13132: Backing up and restoring BIG-IP configuration files (11.x – 12.x)
This again doesn’t work because the license has already expired so the load cannot complete and fails.
Solution
You might find further articles that describe the use of the [install sys license registration-key] command to activate the BIG-IP.
Solution involves the following steps:
- Use the [get-dossier –b <product_key>] to generate a dossier.
- Go to the https://activate.f5.com/license/dossier.jsp website and generate a license file.
- Run the [install sys license registration-key] command to activate the device. Alternatively if you do not have direct access to internet from the appliance you can use the [csp] command from second linux appliance to copy the license file to the F5 BIG-IP device.
Using the [get-dossier –b <product_key>] you can generate a dossier. Note that the command is [get-dossier] and not [get_dossier] as described on multiple F5 articles. Once you run it copy the generated dossier:
Go to the Go to the https://activate.f5.com/license/dossier.jsp website and paste the dossier. Accept the license agreement and generete the license file. LIke we mentioned if your F5 device has internet connection you do no need to download the license.
Run the [install sys license registration-key <product_key> verbose] command to activate the device
Using username "admin".
Using keyboard-interactive authentication.
Password:
Last login: Mon Jan 4 22:30:41 2016 from 192.168.1.1
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# install sys license registration-key ABCDE-ABCDE-ABCDE-ABCDE-ABCDEF verbose
+++++ Debug +++++
Target : https://104.219.104.132:443/license/services/urn:com.f5.license.v5b.ActivationService
—————–
EULA is required. Sending EULA to license server…
License is successfully returned.
Saving existing license to "/config/bigip.license.bak"…
Writing new license to "/config/bigip.license"…
New license has successfully loaded.
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)#
Before installing the license you must first generate a dossier and accept the EULA online on the F5 site. Otherwize when you try to run the command above you migth receive error simmilar to the following:
# install sys license registration-key DKADI-OFIOI-CQKCV-NRVVC-OBXSHGC verbose
+++++ Debug +++++
Target : https://104.219.107.132:443/license/services/urn:com.f5.license.v5b.ActivationService
—————–
EULA is required. Sending EULA to license server…
Unknown exception
admin@(f5-gtm-b-01)(cfg-sync Disconnected (Trust Domain Only))(INOPERATIVE)(/Common)(tmos)#
After running the command I had to reboot the appliance.
After reboot I run again [show sys license] and now I see the new license applied:
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# show sys license
Sys::License
Licensed Version 11.6.0
Registration key ABCDE-ABCDE-ABCDE-ABCDE-ABCDEF
Licensed On 2016/01/04
License Start Date 2016/01/03
License End Date 2016/02/19
Service Check Date 2016/01/04
Platform ID Z100
Active Modules
Global Traffic Manager, VE (BRPOACS-TBGZJHS)
IPV6 Gateway
Ram Cache
STP
DNSSEC
App Mode (TMSH Only, No Root/Bash)
DNS Express
DNS Services
External Interface and Network HSM, VE
SDN Services, VE
Routing Bundle, VE
SSL, Forward Proxy, VE
SSL, VE
Max Compression, VE
BIG-IP VE, Multicast Routing
GTM Licensed Objects, Unlimited
DNS Rate Fallback, Unlimited
DNS Licensed Objects, Unlimited
GTM Rate Fallback, (UNLIMITED)
DNS Rate Limit, Unlimited QPS
GTM Rate, Unlimited
Time Limited Modules
IPI Subscription, 3Yr, VE|KSHUQNC-RAKBKRE|20160104|20160405|SUBSCRIPTION
Alternatively if your device does not have access to internet you can download the license after you have accepted the EULA agreement.
Name the license file bigip.license
Copy it to a linux appliance of your choice.
From that linux appliance use command similar to the following to copy the license into the /config/ folder on the F5 BIG-IP device.
vco-a-01:~ # scp /tmp/bigip.license admin@f5-ltm-a-01.vmware.com:/config/bigip.license
Reboot the appliance.
Final Step
If all went well, go grab a beer.
include TEMPLATEPATH."/../../../itBlogDisclaimer.php"; ?>