F5 license activation or reactivation is very simple. There are basically two reason why you reactivate your license. You are adding a new module to your device with an add-on key. Jun 14, 2021 F5 has announced End of Sale of Application Security Manager, effective April 01, 2021. Existing ASM, or BEST bundle customers, under a valid support contract running BIG-IP version 14.1 or greater can reactivate the licenses to upgrade to Advanced WAF (Adv WAF).
Introduction
In this article we will see how we can reactivate a F5 BIG-IP VE (Virtual Edition) Appliance that has an expired license. When the license is expired the BIG-IP Configuration utility gets stuck in “Configuration Utility restarting…” and you cannot login. We will focus on one of the latest VE versions 11.6.x where most of the usual methods to reactivate will not work.
Lab Environment
- May 18, 2021 The F5 license server returns a license. On the BIG-IP use a text editor, such as such as pico or vi, to edit the previously truncated /config/bigip.license file, or, in the case of activating a new license, to create a new /config/bigip.license file. If using vi, enter the following command.
- F5 Networks - Product Licensing / Activate F5 Product. Activate F5 Product. Use this license activation page for current F5 products.
The full lab logical design can be seen HERE.
Problem
Recently I had an issue where my BIG-IP Local Traffic Manager (LTM) and Global Traffic Manager (GTM) devices had an expired license. I was using a 45 days license which I failed to reactivate it got expired. I first noticed that there was an issue with the appliance when I tried to open the BIG-IP Configuration utility. As shown in the following screenshot it got stuck in “Configuration Utility restarting…” and I wasn’t able to login.
Luckily I had a user with SSH access to the F5 BIG-IP VE appliance. If you don’t have SSH access to the appliance you are in big trouble. In such cases I wasn’t able to find a solution and had to reinstall the BIG-IP device and redo all the configurations. As said I was lucky enough to have SSH access to I logged to the appliance and check the license by running [show sys license] . As you can see from the following screenshot the license was expired.
Using username 'admin'.
Using keyboard-interactive authentication.
Password:
Last login: Thu Jun 25 23:10:38 2015 from 192.168.1.1
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# show sys license
Warning: license has expired
Sys::License
Licensed Version 11.6.0
Registration key ABCDE- ABCDE – ABCDE – ABCDE – ABCDEF
Licensed On 2015/06/10
License Start Date 2015/06/09
License End Date 2015/07/26
Service Check Date 2015/06/08
Platform ID Z100
Active Modules
APM, Base, VE (XCPDPCE-PJTQEGD)
Anti-Virus Checks
Base Endpoint Security Checks
Firewall Checks
Network Access
Secure Virtual Keyboard
APM, Web Application
Machine Certificate Checks
Protected Workspace
Remote Desktop
You will also notice other signs that there is something wrong like the work INOPERATIVE.
The expired license also causes a lot of other issue that can manifest in different ways. For example when running [load sys config] it will fails:
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# load sys config
Loading system configuration…
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/defaults/daemon.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration…
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
01070356:3: Load balancing feature not licensed.
Unexpected Error: Loading configuration process failed.
Generally you can find a lot of F5 articles and forum posts describing how to install a license again and activate the device.
Some articles describe the use of commands like the following to achieve activation:
- cat /config/RegKey.license
- tmsh show /sys hardware | grep ‘Registration Key’
- grep -i 'Registration Key' /config/bigip.license
- cp /config/bigip.license /config/bigip.license.sol2595
- get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG
- reloadlic
Ref: sol2595: Activating and installing a license file from the command line
Unfortunately the BIG-IP VE appliance has not bash shell access, therefore you cannot execute any of these commands. In the BIG-IP Virtual Edition Appliance you only have access to the Traffic Management Shell (tmsh) utility. the BASH shell is disabled. Even if you try to grant bash access to your user, the command will run successfully, but you will not be granted access.
Others describe that such problems might be resolved by restoring a F5 configuration with commands such as:
- tmsh load sys ucs [ucs file name] no-license
Ref: sol13132: Backing up and restoring BIG-IP configuration files (11.x – 12.x)
This again doesn’t work because the license has already expired so the load cannot complete and fails.
Solution
You might find further articles that describe the use of the [install sys license registration-key] command to activate the BIG-IP.
Solution involves the following steps:
- Use the [get-dossier –b <product_key>] to generate a dossier.
- Go to the https://activate.f5.com/license/dossier.jsp website and generate a license file.
- Run the [install sys license registration-key] command to activate the device. Alternatively if you do not have direct access to internet from the appliance you can use the [csp] command from second linux appliance to copy the license file to the F5 BIG-IP device.
Using the [get-dossier –b <product_key>] you can generate a dossier. Note that the command is [get-dossier] and not [get_dossier] as described on multiple F5 articles. Once you run it copy the generated dossier:
Go to the Go to the https://activate.f5.com/license/dossier.jsp website and paste the dossier. Accept the license agreement and generete the license file. LIke we mentioned if your F5 device has internet connection you do no need to download the license.
Run the [install sys license registration-key <product_key> verbose] command to activate the device
Using username 'admin'.
Using keyboard-interactive authentication.
Password:
Last login: Mon Jan 4 22:30:41 2016 from 192.168.1.1
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# install sys license registration-key ABCDE-ABCDE-ABCDE-ABCDE-ABCDEF verbose
+++++ Debug +++++
Target : https://104.219.104.132:443/license/services/urn:com.f5.license.v5b.ActivationService
—————–
EULA is required. Sending EULA to license server…
License is successfully returned.
Saving existing license to '/config/bigip.license.bak'…
Writing new license to '/config/bigip.license'…
New license has successfully loaded.
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)#
Before installing the license you must first generate a dossier and accept the EULA online on the F5 site. Otherwize when you try to run the command above you migth receive error simmilar to the following:
# install sys license registration-key DKADI-OFIOI-CQKCV-NRVVC-OBXSHGC verbose
+++++ Debug +++++
Target : https://104.219.107.132:443/license/services/urn:com.f5.license.v5b.ActivationService
—————–
EULA is required. Sending EULA to license server…
Unknown exception
admin@(f5-gtm-b-01)(cfg-sync Disconnected (Trust Domain Only))(INOPERATIVE)(/Common)(tmos)#
After running the command I had to reboot the appliance.
After reboot I run again [show sys license] and now I see the new license applied:
admin@(f5-ltm-b-01)(cfg-sync Standalone)(INOPERATIVE)(/Common)(tmos)# show sys license
Sys::License
Licensed Version 11.6.0
Registration key ABCDE-ABCDE-ABCDE-ABCDE-ABCDEF
Licensed On 2016/01/04
License Start Date 2016/01/03
License End Date 2016/02/19
Service Check Date 2016/01/04
Platform ID Z100
Active Modules
Global Traffic Manager, VE (BRPOACS-TBGZJHS)
IPV6 Gateway
Ram Cache
STP
DNSSEC
App Mode (TMSH Only, No Root/Bash)
DNS Express
DNS Services
External Interface and Network HSM, VE
SDN Services, VE
Routing Bundle, VE
SSL, Forward Proxy, VE
SSL, VE
Max Compression, VE
BIG-IP VE, Multicast Routing
GTM Licensed Objects, Unlimited
DNS Rate Fallback, Unlimited
DNS Licensed Objects, Unlimited
GTM Rate Fallback, (UNLIMITED)
DNS Rate Limit, Unlimited QPS
GTM Rate, Unlimited
Time Limited Modules
IPI Subscription, 3Yr, VE|KSHUQNC-RAKBKRE|20160104|20160405|SUBSCRIPTION
Alternatively if your device does not have access to internet you can download the license after you have accepted the EULA agreement.
Name the license file bigip.license
Copy it to a linux appliance of your choice.
From that linux appliance use command similar to the following to copy the license into the /config/ folder on the F5 BIG-IP device.
vco-a-01:~ # scp /tmp/bigip.license admin@f5-ltm-a-01.vmware.com:/config/bigip.license
Reboot the appliance.
Final Step
If all went well, go grab a beer.
F5 Reactivate License Cli
DISCLAIMER; This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.
All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.
Photos
Unless stated, all photos are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. If used with watermark, no need to credit to the blog owner. For any edit to photos, including cropping, please contact me first.
Recipes
Unless stated, all recipes are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. Please credit all recipes to the blog owner and link back to the original blog post.
Downloadable Files
Any downloadable file, including but not limited to pdfs, docs, jpegs, pngs, is provided at the user’s own risk. The owner will not be liable for any losses, injuries, or damages resulting from a corrupted or damaged file.
Comments
Comments are welcome. However, the blog owner reserves the right to edit or delete any comments submitted to this blog without notice due to
– Comments deemed to be spam or questionable spam
– Comments including profanity
– Comments containing language or concepts that could be deemed offensive
– Comments containing hate speech, credible threats, or direct attacks on an individual or group
The blog owner is not responsible for the content in comments.
This policy is subject to change at anytime.
F5 license activation or reactivation is very simple. There are basically two reason why you reactivate your license.
1. You are adding a new module to your device with an add-on key.
F5 Reactivate License Online
2. You want to do an upgrade. The Software image needs to know that you have an active support contract to successfully install. You will see that there is a service check date in the install. If your support contract runs out/ your license expires you won’t be able to do any upgrades beyond that date.
To reactivate the license on your device follow these easy steps:
Click on License under the System menu. You will see the type of license. The license and expiration date, the licensed modules and the optional modules that can be activated with an add-on key. At the bottom of the screen click activate.
If your F5 has internet access and DNS setup, you can select automatic activation. In all likelihood you will need to chose the manual method. The timeout takes a while for automatic if its going to fail, so I usually just go with manual from the start.
The easiest way is the Copy/Paste Text option. I like to just copy and paste the license. Under Step 1: Dossier select and copy the contents of the text box. Next click on the link under Step 2.
You will be taken to the F5 license activation server. Paste the Dossier you copied from your F5 into the text box and click next.
F5 will now generate your license. Copy the entire content of the textbox and return to your F5 GUI.
Paste the license text into the text box under Step 3 and click next at the bottom of the screen.
Your F5 will reload the license.
And you’re all done! Easy, right?
Want to try on the CLI? Use the get_dossier command to create the dossier as above:
F5 Reactivate License Renewal
And follow the steps above to F5 License Activation server
F5 Reactivate License Cli
Copy the license that the F5 license activation server generates and overwrite your /config/bigip.license file using your favorite text editor and use the reloadlic command to read the new license(In vi its “dGi” to delete the whole contents and enter insert mode, and then CTRL-V or Command-V to paste the whole file in and type the Escape key, :wq to save):