How to back up an F5 BIG-IP, without falling victim to some of the potential pitfalls


This article describes how to back up and restore your F5 BIG-IP* 11.x through 17.x configuration data using a UCS configuration archive. In the meantime, check out this blog: How to manage all your load balancers from one platform, if you're wondering why Loadbalancer.org is talking about F5!

Things to know before you start backing up an F5 BIG-IP

The UCS archive, by default, contains all of the files you need to restore your current configuration to a new system, including configuration files, the product license, local user accounts, and SSL certificate/key pairs...  

So it’s very important to take a backup of this configuration. We can take a backup of the configuration files of F5 BIG-IP and restore them using two possible methods:

  • Configuration Utility (GUI)
  • Command Line Interface (CLI)

Both methods (GUI and CLI) work well. However, in my experience, the Configuration Utility (GUI) method is the easiest procedure to use to create a manual backup because it allows you to follow the progress of the backup being created. I'd recommend the Command Line Interface (CLI) method when there is a need to create and schedule automatic backups.

How to create an F5 BIG-IP backup

1. How to back up configuration data using the GUI method

💡 PRO TIP

Follow this procedure to avoid any negative impact on your system!

  1. Log in to the Configuration Utility.
  2. Go to System > Archives.
  3. To initiate the process of creating a new UCS archive, select Create.
  4. In the File Name box, enter a name for the file.

💡 PRO TIP

You MUST use a unique file name.

Be aware that if a file with the same name already exists, the system will not create the UCS archive file and will display a warning message such as: "The file already exists on your system".

  • Optional step: If you want to encrypt the UCS archive file, for Encryption, select Enabled and enter a passphrase. You must supply the passphrase to restore the encrypted UCS archive file.
  • Optional step: If you want to exclude SSL private keys from the UCS archive, for Private Keys, select Exclude. For example, exclude the private keys if you are sending the UCS to F5 Support.
  5. To create the UCS archive file, select Finished.
  6. When the system completes the backup process, examine the status page for any reported errors before proceeding to the next step.
  7. To return to the Archive List page, select OK.
  8. Copy the .ucs file to another system by selecting the Download button.

And there you have it!

2. How to back up configuration data using Traffic Management Shell and the CLI method

💡 PRO TIP

Follow the below procedure to avoid any negative impact on your system!

  1. Log in to tmsh by entering the following command:
tmsh
  2. Create the UCS archive file by using the following command syntax, replacing <path/to/UCS> with the full path to the UCS archive file:
save /sys ucs <path/to/UCS>

For example:

save /sys ucs /var/tmp/MyBackup.ucs
  • Optional step: You can encrypt the UCS archive with a passphrase by using the following command syntax, replacing <path/to/UCS> with the full path to the UCS archive file and replacing <password> with the passphrase you want to use to encrypt the UCS archive: save /sys ucs <path/to/UCS> passphrase <password>. For example:
save /sys ucs /var/tmp/MyUCS.ucs passphrase password
  • Optional step: You can exclude SSL private keys from the UCS archive. For example, exclude the private keys if you are sending the UCS to F5 Support. To do so, use the following command syntax, replacing <path/to/UCS> with the full path to the UCS archive file: save /sys ucs <path/to/UCS> no-private-key. For example:
save /sys ucs /var/tmp/MyUCS.ucs no-private-key
  3. Copy the .ucs file to another system using any SCP client (WinSCP, for example).
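
The CLI steps above, wrapped for a scheduled job, as an added example that is not from the original article or from F5. The function names and the PASSFILE location are hypothetical; the script refuses to reuse a file name, tightens the archive's permissions, and records a SHA-256 digest so a copied archive can be checked before it is restored.

```shell
#!/bin/bash
# Added example, not F5's or the article's code. Assumes it runs as root on the
# BIG-IP. PASSFILE is a hypothetical root-only file holding the passphrase.
TMSH="${TMSH:-tmsh}"                        # overridable for a dry run
BACKUP_DIR="${BACKUP_DIR:-/var/local/ucs}"  # default UCS directory per the article
PASSFILE="${PASSFILE:-/root/.ucs_passphrase}"

# Build a unique archive path; a duplicate file name makes the save fail.
ucs_path() {    # $1 = hostname, $2 = timestamp
    printf '%s/%s-%s.ucs\n' "$BACKUP_DIR" "${1%%.*}" "$2"
}

# $1 = archive path, $2 = encrypted | no-private-key
backup_ucs() {
    local path="$1" mode="$2" pass
    if [ -e "$path" ]; then echo "refusing to overwrite $path" >&2; return 2; fi
    case "$mode" in
        encrypted)
            [ -r "$PASSFILE" ] || { echo "cannot read $PASSFILE" >&2; return 3; }
            pass=$(head -n 1 "$PASSFILE")
            # Caveat: the passphrase is in tmsh's argument list while it runs.
            "$TMSH" save /sys ucs "$path" passphrase "$pass" || return 1 ;;
        no-private-key)
            "$TMSH" save /sys ucs "$path" no-private-key || return 1 ;;
        *)  echo "unknown mode: $mode" >&2; return 4 ;;
    esac
    [ -s "$path" ] || { echo "no archive written to $path" >&2; return 1; }
    chmod 600 "$path"   # the archive holds local accounts and certificate/key pairs
    # Record a digest next to the archive so copies can be checked later.
    ( cd "$(dirname "$path")" &&
      sha256sum "$(basename "$path")" > "$(basename "$path").sha256" )
}

# Check an archive (or its off-box copy) against the recorded digest.
verify_ucs() {  # $1 = archive path; non-zero exit on mismatch
    ( cd "$(dirname "$1")" &&
      sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Cron entry point: only acts when called with --run.
if [ "${1:-}" = "--run" ]; then
    backup_ucs "$(ucs_path "$(hostname)" "$(date -u +%Y%m%dT%H%M%SZ)")" encrypted
fi
```

Copy the .sha256 file along with the .ucs file, and run verify_ucs against the copy before loading it.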

And you're done. But, of course, that's not the end of it. You'll also need to know how to recover your backups!

How to restore an F5 BIG-IP backup

1. How to restore configuration data using the Configuration utility

💡 PRO TIP

Make sure to perform this procedure during a maintenance window.

The BIG-IP system replaces any existing configuration with the UCS archive file configuration. Specific system services restart, and the device may temporarily lose network failover connectivity if it is a member of a device group. F5 recommends that you perform this procedure during a maintenance window and, when the system is a member of a device group, while it is in the standby state.

If you are restoring a UCS archive on a BIG-IP 6400, 6800, 8400, or 8800 hardware platform, and it is not the system from which you created the backup, such as when you are replacing an RMA system, you must perform the procedure in the Restoring configuration data from the command line by using the tmsh section of this article to restore the configuration.

To restore a configuration in a UCS archive using the Configuration utility, review the considerations described in the Considerations for restoring configuration data section of this article before performing the following procedure:

  1. Log in to the Configuration utility.
  2. Go to System > Archives.
  3. Upload the UCS Archive.
  4. Choose the UCS file and select Upload.
  5. Select the UCS archive you want to restore.
  6. If the UCS archive is encrypted, enter the passphrase for the encrypted UCS archive file for Restore Passphrase. If the UCS archive is not encrypted, you can skip this step.
  7. To initiate the UCS archive restore process, select Restore.
  8. When the system completes the restore process, examine the status page for any reported errors before proceeding to the next step.
  9. To return to the Archive List page, select OK.
  10. If you restored the UCS archive on a different device and received the errors noted in the Considerations for restoring configuration data section of this article, you must reactivate the BIG-IP system license.
  11. After relicensing the system, restart the system to ensure that the configuration is fully loaded. To restart the system, go to System > Configuration.
  12. Then select Reboot.

2. How to restore configuration data from the command line using tmsh

💡 PRO TIP

Make sure to perform this procedure during a maintenance window.

The BIG-IP system replaces any existing configuration with the UCS archive file configuration. Specific system services restart, and the device may temporarily lose network failover connectivity if it is a member of a device group. F5 recommends that you perform this procedure during a maintenance window and, when the system is a member of a device group, while it is in the standby state.

  1. Log in to tmsh by entering the following command:
tmsh

  2. Restore the UCS archive file by using the following command syntax, replacing <path/to/UCS> with the full path of the UCS archive file you want to restore: load /sys ucs <path/to/UCS>. For example:

load /sys ucs /var/tmp/MyBackup.ucs

If you don't specify the path, the BIG-IP system behaves as if the UCS archive file is located in the default /var/local/ucs directory.

  • Optional step: If you encrypted the UCS archive file with a passphrase during the backup, the system prompts you to enter the passphrase for the archive file.

3. Restore configuration data on a replacement RMA unit

💡 PRO TIP

Use this method when restoring the archive on a different device.

F5 recommends that you use the following procedure when you restore the archive on a different device than the system on which the backup was created, such as an RMA system. If you do not use this procedure when restoring the archive on a different device, the configuration load may fail and the mcpd process generates an error message in the /var/log/ltm file that appears similar to the following example:

mcpd[2395]: 01070608:0: License is not operational(expired or digital signature does not match contents)

F5 expects this message, and you can correct the issue by re-licensing the system and following the steps below.

💡 PRO TIP

How to fix the device error message.

The BIG-IP system replaces any existing configuration with the UCS archive file configuration, without the license in the UCS archive.

  1. Log in to tmsh by entering the following command:
tmsh
  2. Manually copy the UCS archive file to the target system.
  3. Restore the UCS archive file by using the following command syntax, replacing <path/to/UCS> with the full path of the UCS archive file you want to restore: load /sys ucs <path/to/UCS> no-license. For example:
load /sys ucs /var/tmp/MyBackup.ucs no-license

And there you have it! You're done!!

I hope this was helpful. Got issues or outstanding questions? Feel free to comment below.

*F5 and BIG-IP are trademarks of F5, Inc. Loadbalancer.org Ltd has no affiliation with F5, Inc. so use of these names, trademarks and brands does not imply endorsement by either party.
