Jun 14, 2021 F5 has announced End of Sale of Application Security Manager, effective April 01, 2021. Existing ASM, or BEST bundle customers, under a valid support contract running BIG-IP version 14.1 or greater can reactivate the licenses to upgrade to Advanced WAF (Adv WAF). Service Check Date is the date when you last reactivated your license and it gets updated every time you reactivate your license (assuming that there is an active service contract with F5 for this BIG-IP system). For example, if you have reactivate your license on June 30, 2018 then it will show as 20180630.
Introduction
In this article we will see how we can reactivate a F5 BIG-IP VE (Virtual Edition) Appliance that has an expired license. When the license is expired the BIG-IP Configuration utility gets stuck in “Configuration Utility restarting…” and you cannot login. We will focus on one of the latest VE versions 11.6.x where most of the usual methods to reactivate will not work.
Lab Environment
The full lab logical design can be seen HERE.
Problem
Recently I had an issue where my BIG-IP Local Traffic Manager (LTM) and Global Traffic Manager (GTM) devices had an expired license. I was using a 45 days license which I failed to reactivate it got expired. I first noticed that there was an issue with the appliance when I tried to open the BIG-IP Configuration utility. As shown in the following screenshot it got stuck in “Configuration Utility restarting…” and I wasn’t able to login.
Luckily I had a user with SSH access to the F5 BIG-IP VE appliance. If you don’t have SSH access to the appliance you are in big trouble. In such cases I wasn’t able to find a solution and had to reinstall the BIG-IP device and redo all the configurations. As said I was lucky enough to have SSH access to I logged to the appliance and check the license by running [show sys license] . As you can see from the following screenshot the license was expired.
Using username 'admin'.
Using keyboard-interactive authentication.
Password:
Last login: Thu Jun 25 23:10:38 2015 from 192.168.1.1
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# show sys license
Warning: license has expired
Sys::License
Licensed Version 11.6.0
Registration key ABCDE- ABCDE – ABCDE – ABCDE – ABCDEF
Licensed On 2015/06/10
License Start Date 2015/06/09
License End Date 2015/07/26
Service Check Date 2015/06/08
Platform ID Z100
Active Modules
APM, Base, VE (XCPDPCE-PJTQEGD)
Anti-Virus Checks
Base Endpoint Security Checks
Firewall Checks
Network Access
Secure Virtual Keyboard
APM, Web Application
Machine Certificate Checks
Protected Workspace
Remote Desktop
You will also notice other signs that there is something wrong like the work INOPERATIVE.
The expired license also causes a lot of other issue that can manifest in different ways. For example when running [load sys config] it will fails:
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# load sys config
Loading system configuration…
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/defaults/daemon.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration…
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
01070356:3: Load balancing feature not licensed.
Unexpected Error: Loading configuration process failed.
Generally you can find a lot of F5 articles and forum posts describing how to install a license again and activate the device.
Some articles describe the use of commands like the following to achieve activation:
- cat /config/RegKey.license
- tmsh show /sys hardware | grep ‘Registration Key’
- grep -i 'Registration Key' /config/bigip.license
- cp /config/bigip.license /config/bigip.license.sol2595
- get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG
- reloadlic
Ref: sol2595: Activating and installing a license file from the command line
Unfortunately the BIG-IP VE appliance has not bash shell access, therefore you cannot execute any of these commands. In the BIG-IP Virtual Edition Appliance you only have access to the Traffic Management Shell (tmsh) utility. the BASH shell is disabled. Even if you try to grant bash access to your user, the command will run successfully, but you will not be granted access.
Others describe that such problems might be resolved by restoring a F5 configuration with commands such as:
- tmsh load sys ucs [ucs file name] no-license
Ref: sol13132: Backing up and restoring BIG-IP configuration files (11.x – 12.x)
This again doesn’t work because the license has already expired so the load cannot complete and fails.
F5 Reactivate License Requirements
Solution
You might find further articles that describe the use of the [install sys license registration-key] command to activate the BIG-IP.
Solution involves the following steps:
- Use the [get-dossier –b <product_key>] to generate a dossier.
- Go to the https://activate.f5.com/license/dossier.jsp website and generate a license file.
- Run the [install sys license registration-key] command to activate the device. Alternatively if you do not have direct access to internet from the appliance you can use the [csp] command from second linux appliance to copy the license file to the F5 BIG-IP device.
Using the [get-dossier –b <product_key>] you can generate a dossier. Note that the command is [get-dossier] and not [get_dossier] as described on multiple F5 articles. Once you run it copy the generated dossier:
Go to the Go to the https://activate.f5.com/license/dossier.jsp website and paste the dossier. Accept the license agreement and generete the license file. LIke we mentioned if your F5 device has internet connection you do no need to download the license.
Run the [install sys license registration-key <product_key> verbose] command to activate the device
Using username 'admin'.
Using keyboard-interactive authentication.
Password:
Last login: Mon Jan 4 22:30:41 2016 from 192.168.1.1
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# install sys license registration-key ABCDE-ABCDE-ABCDE-ABCDE-ABCDEF verbose
+++++ Debug +++++
Target : https://104.219.104.132:443/license/services/urn:com.f5.license.v5b.ActivationService
—————–
EULA is required. Sending EULA to license server…
License is successfully returned.
Saving existing license to '/config/bigip.license.bak'…
Writing new license to '/config/bigip.license'…
New license has successfully loaded.
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)#
F5 Reactivate License Number
Before installing the license you must first generate a dossier and accept the EULA online on the F5 site. Otherwize when you try to run the command above you migth receive error simmilar to the following:
# install sys license registration-key DKADI-OFIOI-CQKCV-NRVVC-OBXSHGC verbose
+++++ Debug +++++
Target : https://104.219.107.132:443/license/services/urn:com.f5.license.v5b.ActivationService
—————–
EULA is required. Sending EULA to license server…
Unknown exception
admin@(f5-gtm-b-01)(cfg-sync Disconnected (Trust Domain Only))(INOPERATIVE)(/Common)(tmos)#
After running the command I had to reboot the appliance.
After reboot I run again [show sys license] and now I see the new license applied:
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# show sys license
Sys::License
Licensed Version 11.6.0
Registration key ABCDE-ABCDE-ABCDE-ABCDE-ABCDEF
Licensed On 2016/01/04
License Start Date 2016/01/03
License End Date 2016/02/19
Service Check Date 2016/01/04
Platform ID Z100
Active Modules
Global Traffic Manager, VE (BRPOACS-TBGZJHS)
IPV6 Gateway
Ram Cache
STP
DNSSEC
App Mode (TMSH Only, No Root/Bash)
DNS Express
DNS Services
External Interface and Network HSM, VE
SDN Services, VE
Routing Bundle, VE
SSL, Forward Proxy, VE
SSL, VE
Max Compression, VE
BIG-IP VE, Multicast Routing
GTM Licensed Objects, Unlimited
DNS Rate Fallback, Unlimited
DNS Licensed Objects, Unlimited
GTM Rate Fallback, (UNLIMITED)
DNS Rate Limit, Unlimited QPS
GTM Rate, Unlimited
Time Limited Modules
IPI Subscription, 3Yr, VE|KSHUQNC-RAKBKRE|20160104|20160405|SUBSCRIPTION
Alternatively if your device does not have access to internet you can download the license after you have accepted the EULA agreement.
Name the license file bigip.license
Copy it to a linux appliance of your choice.
From that linux appliance use command similar to the following to copy the license into the /config/ folder on the F5 BIG-IP device.
vco-a-01:~ # scp /tmp/bigip.license admin@f5-ltm-a-01.vmware.com:/config/bigip.license
Reboot the appliance.
Final Step
If all went well, go grab a beer.
How To Activate F5 License
DISCLAIMER; This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.
All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.
Photos
Unless stated, all photos are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. If used with watermark, no need to credit to the blog owner. For any edit to photos, including cropping, please contact me first.
Recipes
Unless stated, all recipes are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. Please credit all recipes to the blog owner and link back to the original blog post.
Downloadable Files
Any downloadable file, including but not limited to pdfs, docs, jpegs, pngs, is provided at the user’s own risk. The owner will not be liable for any losses, injuries, or damages resulting from a corrupted or damaged file.
Comments
Comments are welcome. However, the blog owner reserves the right to edit or delete any comments submitted to this blog without notice due to
– Comments deemed to be spam or questionable spam
– Comments including profanity
– Comments containing language or concepts that could be deemed offensive
– Comments containing hate speech, credible threats, or direct attacks on an individual or group
The blog owner is not responsible for the content in comments.
This policy is subject to change at anytime.