Release Notes : BIG-IP 11.4.1 LTM and TMOS Release Notes

Applies To:


  • 11.4.1
Release Notes
Original Publication Date: 03/18/2018 Updated Date: 04/18/2019


This release note documents the version 11.4.1 release of BIG-IP Local Traffic Manager and TMOS. You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x.


Supported platforms

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 800 (LTM only) C114
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, BIG-IP 5200v
BIG-IP 5x50 (requires 11.4.1 HF3)
BIG-IP 7000s, BIG-IP 7200v
BIG-IP 7x50 (requires 11.4.1 HF3)
BIG-IP 10x50 (requires 11.4.1 HF3) D112
BIG-IP 10000s, BIG-IP 10200v D113
VIPRION B2100 Blade A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade (requires 11.4.1 HF1) A112
VIPRION C2400 Chassis F100
VIPRION B4100, B4100N Blade A100, A105
VIPRION B4200, B4200N Blade A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory on the platform or provisioned guest. For vCMP support and for Policy Enforcement Module (PEM), Carrier-Grade NAT (CGNAT), and the BIG-IP 800 platform, the following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
  • PEM and CGNAT supported platforms
    • VIPRION B2150, B2250, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition)
    • PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.
  • BIG-IP 800 platform support
    • The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • Note that Global Traffic Manager (GTM) and Link Controller (LC) do not count toward the module-combination limit.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category).

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Note that GTM and LC do not count toward the module-combination limit.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:

  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x and 9.x
  • Mozilla Firefox 15.0.x
  • Google Chrome 21.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 11.4.1 Documentation page.

New in 11.4.1

Guest density for vCMP on SSD based platforms

The new hardware support for solid-state drives (SSD) delivers improved virtualized BIG-IP guest density for vCMP-enabled systems on BIG-IP SSD platforms. While previous releases required a minimum of two CPU cores and associated memory allocated to each guest, you can now allocate a single CPU core per LTM guest. This provides more flexibility and increases the number of LTM-only guests that you can create and deploy on a vCMP system, effectively lowering the overall cost per guest.

VIPRION B2150 blade

This release features support for the new VIPRION B2150 blade with double the memory of the B2100 blade, and solid-state drives (SSD), which provides a higher number of virtualized BIG-IP guests to enable organizations to efficiently consolidate and virtualize their application delivery services. For more information, see Platform Guide: VIPRION 2400 Series.

Configuration migration script for B2100-to-B2150 blade upgrades

This release provides a script for upgrading configurations from B2100 blades to the new VIPRION B2150 and B2250 blades. For more information, see VIPRION Systems: Configuration.

VIPRION 4800 DC platform NEBS support

This release provides NEBS support for the VIPRION 4800 DC platform. For more information, see Platform Guide: VIPRION 4800.

VIPRION B2250 blade (requires v11.4.1 HF1)

The 11.4.1 HF1 release features support for the new VIPRION B2250 blade with leading application layer (L7) performance, the highest density multi-tenant ADC solution in the industry, 40GbE ports, and solid-state drives (SSD) to enable organizations to efficiently consolidate and virtualize software defined application services. For more information, see Platform Guide: VIPRION 2400 Series.

Maximized Enterprise Application Delivery Value

To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.
  • Good: Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
  • Better: Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
  • Best: Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
You can learn more about these new software bundles from your F5 Networks Sales Representative.

5050/7050/10050 Series SSD-based Platforms (requires v11.4.1 HF3)

This release features support for the 5050, 7050, and 10050 Series Platforms, which include solid-state drives (SSDs). For vCMP-enabled SSD platforms, the hypervisor should be running 11.4.1 HF3. vCMP guests should follow existing vCMP backward compatibility for the hardware platform. For more information, see Platform Guide: 5000 Series, Platform Guide: 7000 Series, and Platform Guide: 10000 Series.

New in 11.4.0

Local Traffic Policies

In this release, you can use BIG-IP local traffic policies that comprise a prioritized list of rules matching defined conditions and running specific actions, which you can assign to a virtual server that directs traffic accordingly. For example, you might create a policy that determines whether a client's browser is a Chrome browser and adds an Alternative-Protocols attribute to the header, so that subsequent requests from the Chrome browser are directed to a SPDY virtual server. Or you might create a policy that determines whether a client is using a mobile device, and then redirects its requests to the applicable mobile web site's URL.

Thales nShield Connect integration with BIG-IP system

Thales nShield Connect is an external HSM that is now available for use with BIG-IP systems. Because it is network-based, rather than hardware-based, you can use the Thales nShield Connect solution with all BIG-IP platforms, including VIPRION Series chassis. You can also use the Thales nShield Connect solution with BIG-IP Virtual Edition (VE).

Flexible resource allocation for vCMP systems

This release now provides flexible resource allocation for Virtualized Clustered Multiprocessing (vCMP) systems. Flexible resource allocation optimizes system performance by giving you the ability to configure the vCMP host to allocate resources based on the needs of the specific BIG-IP modules provisioned within each guest. For each guest, you can specify the number of virtual cores that you want the host to allocate to the guest. The more cores allocated, the higher the amount of dedicated CPU and memory that the guest receives. Additionally, for VIPRION platforms, you can configure the specific slots that you want the host to assign to the guest. With flexible allocation, you can customize vCMP resource allocation in granular ways that meet the specific CPU and memory needs of each individual guest.

Rewrite profile

The BIG-IP system now offers a URI translation feature called the Rewrite profile. Using this profile, you can create URI rules that define any URI scheme, host, port, and path modifications that you want the BIG-IP system to apply to HTTP requests and responses passing through the system. You can also create rules to translate information defined in the Set-Cookie header of a request or response.

HTML profile

The BIG-IP system now offers an HTML content modification feature called the HTML profile. Using this profile, you can specify the HTML tags, attributes, and attribute values that you want the BIG-IP system to match on within HTML content, and then specify rules that perform various types of actions such as prepending or removing HTML content as the content passes through the system.

Low-latency electronic trading

You can configure the BIG-IP system to manage traffic for low-latency electronic trading. The BIG-IP system optimizes Financial Information eXchange (FIX) protocol connections to achieve predictable latency and jitter, a critical aspect of successful low-latency electronic trading. When you acquire a special license, you can use the FastL4 profile to optimize the necessary connections, and use the Packet Velocity ASIC (PVA) card to minimize any latency and deliver high performance L4 throughput without software acceleration.

Session resumption without server-side state

A new configuration option has been added to Client SSL and Server SSL profiles that enables the BIG-IP system to issue session tickets during an SSL handshake and resume the session on receipt of a valid ticket. This feature supports RFC 5077.

Incremental synchronization for device groups

For both Sync-Failover and Sync-Only device groups, the BIG-IP system can now synchronize the configuration data incrementally whenever possible, rather than synchronizing all of the configuration data on a device whenever a config sync operation is required. Incremental synchronization improves system performance, because in most cases only the data that has changed on a device is synchronized to the other devices. Although incremental synchronization is the default behavior, you can disable this feature and configure the system to perform full synchronization instead.

Automatic synchronization for Sync-Failover device groups

With this release, the BIG-IP system can perform automatic synchronization for Sync-Failover device groups. Prior to this release, automatic synchronization was available for Sync-Only device groups only. When you enable automatic synchronization, the BIG-IP system immediately synchronizes configuration changes to all members of the device group, with no user intervention required.

Load-aware failover for Sync-Failover device groups

Prior to failover, the device that the BIG-IP system chooses as the target failover (next-active) device is now based on a combination of device capacity and application traffic load. The BIG-IP system performs continual calculations to determine the device that has the most available resources, based on capacity and traffic load, and then, for each device, identifies its next-active device accordingly. This feature is most useful when the device group contains heterogeneous hardware platforms.

Ordered failover lists for Sync-Failover device groups

An alternative to the new load-aware failover feature is an ordered list. For each traffic group in the device group, you can specify a list of devices that you want to be the next-active device for the traffic group if failover occurs. If the first device in the list is unavailable, the BIG-IP system chooses the next device in the list to be the next-active device, and so on. This feature is more useful for homogeneous, rather than heterogeneous, platforms in device groups.

Connection mirroring for device groups

Prior to this release, you could only implement connection mirroring between a static pair of BIG-IP devices. Now, connection mirroring is based on traffic groups, so that an active traffic group can mirror its connections to its standby peer on the next-active device, regardless of which device in the device group is the next-active device.


For carrier-grade NAT (CGNAT) configurations, hairpinning is an optional feature that routes traffic from one subscriber's client to an external address of another subscriber's server, where both client and server are located in the same subnet. To each subscriber, it appears that the other subscriber's address is on an external host and on a different subnet. The BIG-IP system can recognize this situation and send, or hairpin, the message back to the origin subnet so that the message can reach its destination. At present, hairpinning works with all BIG-IP CGNAT scenarios except NAT64.

Rate-Limited Licenses Statistics

With this release, DNS Services rate-limited licenses are available. If a BIG-IP system has a rate-limited license, the system displays statistics about the rate limits on the Local Traffic DNS profile statistics page.

Generic Application Services

You can use the Generic Application Services feature to create empty application services (without using an iApps application template), which enables you to group new and existing configuration objects. After creating a generic application service, you can apply a template to create an application service.

iApps Template Macro Section

The macro section of an iApps template allows template developers to create a macro that can create objects, such as virtual servers, and associate them with iRules by means of the graphical user interface (GUI).

SPDY profile

This release provides a production-level version of the Local Traffic Manager SPDY profile. You can use a SPDY profile to minimize latency of HTTP requests by multiplexing streams and compressing headers. When you assign a SPDY profile to an HTTP virtual server, the HTTP virtual server informs clients that a SPDY virtual server is available to respond to SPDY requests.

Enable and Disable Objects

Even with strict updates enabled, it is possible to enable and disable some objects using interfaces (such as tmsh or the Configuration Utility) other than the reentrant template.

Signing an iApps Template

You can sign a template that you created, which enables the BIG-IP system to validate the signature before using the application service.

5000s/5200s/10000v Platforms

This release features support for the 5000s, 5200s and the 10000v platforms, appliance platforms which are key to F5's Intelligent Services Platform delivering industry leading application level performance and flexible scale to enable organizations of all sizes to deploy and consolidate advanced application delivery services. For more information, see Platform Guide: 5000 and Platform Guide: 10000.

IPComp Support in IPsec

IP Payload Compression Protocol (IPComp) provides a compression mechanism for all kinds of IP traffic, to improve performance and avoid fragmentation.

VXLAN Support

With the BIG-IP SDN license, you can configure the BIG-IP device as a Virtual eXtended LAN (VXLAN) gateway to bridge data center virtual networks and the physical external network. In addition to scalability and flexibility, VXLAN with BIG-IP SDN Services provides interoperability with VMware vCloud Director and vShield Manager 5.1.

IPsec usability enhancements

These enhancements improve the usability of IPsec on the BIG-IP system.

  • Simplified interface for IPsec diagnostics
  • Ability to delete a single IPsec tunnel, without affecting the remaining tunnels
  • Require user to verify (type twice) the preshared key, which reduces the chance for typos
  • Performance improvements

sFlow counters and data

The sFlow counters and informational data that the BIG-IP system sends to sFlow receivers have been expanded. For details, see External Monitoring of BIG-IP Systems: Implementation.

Disabling TSIG verification for NOTIFY messages (ID 388869)

You can disable TSIG verification for NOTIFY messages that the BIG-IP system receives from the Master DNS server for a DNS Express zone. With verification disabled, when the BIG-IP system receives a NOTIFY message without a TSIG HMAC included, the system processes the request. To disable TSIG verification for NOTIFY messages, run the tmsh command:

modify ltm dns dns-express zone <zone name> verify-notify-tsig no
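
An audit for this setting, as an added example that is not part of the F5 release note: the script scans saved configuration text for DNS Express zones whose verify-notify-tsig value is no, that is, zones that accept NOTIFY messages without a TSIG HMAC. The stanza layout and the zone names are constructed assumptions; only the verify-notify-tsig property and the ltm dns dns-express zone path come from the command above.

```python
import re

# Constructed sample in a brace-delimited stanza style. The layout and the
# zone names are assumptions made for this example; only "verify-notify-tsig"
# and the "ltm dns dns-express zone" path come from the release note.
SAMPLE_CONFIG = """\
ltm dns dns-express zone internal.example.com {
    verify-notify-tsig yes
}
ltm dns dns-express zone partner.example.net {
    verify-notify-tsig no
}
ltm dns dns-express zone legacy.example.org { }
"""

ZONE_HEADER = re.compile(r"^ltm dns dns-express zone (\S+) (\{.*)$")
TSIG_PROPERTY = re.compile(r"^\s*verify-notify-tsig\s+(\S+)\s*$")


def notify_tsig_settings(config_text):
    """Map each DNS Express zone to its verify-notify-tsig value.

    A zone with no explicit value maps to None (the system default applies).
    """
    settings = {}
    zone, depth = None, 0
    for line in config_text.splitlines():
        if zone is None:
            header = ZONE_HEADER.match(line)
            if not header:
                continue
            zone, rest = header.group(1), header.group(2)
            settings[zone] = None
            # "{ }" on the header line opens and closes the stanza at once.
            depth = rest.count("{") - rest.count("}")
        else:
            # Only a property at the top level of the zone stanza counts;
            # the same keyword inside a nested block is ignored.
            prop = TSIG_PROPERTY.match(line)
            if depth == 1 and prop:
                settings[zone] = prop.group(1)
            depth += line.count("{") - line.count("}")
        if depth <= 0:
            zone = None
    return settings


def zones_accepting_unsigned_notify(config_text):
    """Return the zones that explicitly disable TSIG verification for NOTIFY."""
    settings = notify_tsig_settings(config_text)
    return sorted(zone for zone, value in settings.items() if value == "no")


if __name__ == "__main__":
    for zone in zones_accepting_unsigned_notify(SAMPLE_CONFIG):
        print(f"{zone}: NOTIFY accepted without TSIG verification")
```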

WebSocket protocol support in the HTTP filter

WebSocket protocol support has been added to the HTTP filter, so for BIG-IP systems running version 11.4.0 or later, you can use a single virtual server with an HTTP profile to enable bidirectional communication between a client and server using a single TCP connection.

Large external datagroup scaling

External datagroups now scale to greater than 10,000,000 entries, depending on platform hardware and available memory (8 GB or more memory recommended). Note that datagroups with larger data items might be supported at a lower number of entries. You can use the command [class exists xyz] to check whether a datagroup has finished loading. Updates to external datagroups are now completely atomic: the system updates a datagroup referenced in an iRule only once the load is completely successful.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Upgrading to 4th element versions from versions earlier than 11.5.0

You cannot directly update from pre-11.5.0 versions (e.g., v11.4.x, v11.2.x, etc.) to any 4th element version (e.g., v12.1.3.1, v13.1.0.1, etc.). Direct upgrade to 4th element versions is supported only from v11.5.0 and later. For pre-11.5.0 versions, you must first upgrade to v11.5.0 or later. The recommended upgrade path is from v11.4.1 to v12.1.3, and then to v12.1.3.1. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
ID 223704 When you import a single configuration file (SCF file) that contains VLANs of the same name that exist in different administrative partitions, the operation fails with an unknown operation error. To work around this issue, before installing an SCF file, run the tmsh load sys config default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
ID 366172 A pre-v11.x configuration that was created with the bigpipe cli ip addr option set to name may cause configuration load failure on upgrade because resolved names, rather than IP addresses, were saved to the bigip.conf file. The workaround is to change the cli setting to 'cli ip addr number', save the config on the pre-v11.x unit, and then run the upgrade.
ID 370964 When upgrading a 10.x standard active/standby pair, the recommendation is to start with the device with the numerically highest management IP address. There is a change in behavior in 11.1.0 that automatically selects the system with the highest management IP address as the active member of the device group. Depending on your configuration, an upgrade could result in lost traffic.
ID 378430 When upgrading to version 11.x, with a WAM policy containing no nodes, the upgrade fails with the following error message: Tmsh load failed: 01071419:3: Published policy (/Common/empty_policy) must have at least one node. Unexpected Error: Loading configuration process failed. There are two options for working around this problem: 1. Before upgrading, add a new node to the empty policy with the default settings. Publish the policy. Then upgrade. 2. Before upgrading, remove the empty policy from any applications and delete the policy. You may create a copy of the policy before deleting, as long as you do not publish the copied policy. Then upgrade.
ID 384569 If an object is in a partition with the default route domain set, and that object refers to an object with an IP address in /Common, a config rolled forward from a previous release might not load. When using the default route domain for a partition, all objects with addresses should be in that partition. To work around this issue, move objects into /Common or edit the config file and for all conflicting objects in common, append %0 to the name/address. For example, if a pool in partition_1 references a member in route-domain 0: ... shell write partition Common node { addr } ... shell write partition partition_1 pool rd0-pool1 { members {} } ... change it to: ... shell write partition Common node { addr } ... shell write partition partition_1 pool rd0-pool1 { members {} } ...
ID 394873 The upgrade process does not update Tcl scripts (such as iRules) in the configuration. This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.
ID 398067 As of version 11.0 a check is performed to ensure a failover unicast address actually exists. In configurations using the management port for failover, the management IP and unicast failover IP must be identical for failover to function properly. They must also be identical before upgrading. Releases preceding and including 11.3.0 do not automatically modify the unicast failover IP when the management IP is changed or vice-versa. This can cause failures when loading the config after an upgrade. This is an example error: 0107146f:3: Self-device unicast source address cannot reference the non-existent Self IP (a failover IP); Create it in the /Common folder first. Before upgrading, ensure that the management IP and unicast failover IP are identical.
ID 399013 On 10.x-to-11.x upgrade, the UCS restore lowers the cache size by 25% for all web-acceleration profiles.
ID 399510 On BIG-IP Virtual Edition systems running software prior to 11.3.0 with statically configured management port IP addresses only, disable the DHCP service with the command "tmsh modify sys global-setting mgmt-dhcp disabled" prior to upgrading to this release of BIG-IP software. Disabling the DHCP service prior to upgrading will preserve the static IP address configuration as part of the installation. Statically configured management port IP addresses on BIG-IP hardware platforms are not required to have this configuration change prior to upgrading.
ID 401367 Version 11.x added validation around the use of CACHE:: commands on virtual servers with RAM cache enabled. The result is that upgrading from version 10.x to 11.x fails under certain configuration conditions, for example, if the configuration contains a CACHE_RESPONSE event in an iRule, and there is not an associated Web Acceleration profile applied to that virtual server. To work around the upgrade failure, locate and remove the applicable iRules and virtual servers in the configuration, and try loading the configuration again.
ID 401828 Problem: The following configurations are invalid for a SIP virtual server: a) a TCP virtual with a UDP profile and a SIP profile; b) a UDP virtual with a TCP profile and a SIP profile. Result: If such a configuration exists in previous versions, it will load in 11.3 but may cause a core. Solution: Customer must fix their configuration manually: a) A SIP TCP virtual must have TCP as one of its profile types. b) A SIP UDP virtual must have UDP as one of its profile types.
ID 402528 There is now more stringent validation on protocol profile combinations. You cannot configure UDP, TCP, and SCTP protocol profiles for handling the same client-side or server-side traffic. In addition, the following profiles are mutually exclusive: SIP, RTSP, HTTP, Diameter, RADIUS, FTP, and DNS. If one of these profiles is assigned to a virtual server, you cannot assign another one. In the past, the BIG-IP system did not prevent such invalid combinations; now it does. If you have previous configurations containing this invalid combination of profiles, you must correct the configuration before the upgrade can succeed. When you upgrade from pre-11.3.x versions, if you see such an error message during configuration load, fix those invalid combinations and try the upgrade again.
ID 403592 Platforms with less than 6.5 GB memory cannot be upgraded to version 11.3.0 if three or more modules are provisioned. Note that upgrades from version 10.0.x display only an "upgrade failed" message as a software status. All other versions show a clear error message, guiding the users to SOL13988. Before upgrading, make sure you have only one or two modules provisioned if the BIG-IP system has less than 6.5 GB of memory.
ID 403667 In this release, improved validation does not allow users to upgrade or configure VLANs with names greater than 64 characters. This mitigates system instability found when this validation was not present. During upgrade from 10.x to 11.x, this new validation code prevents VLANs with names longer than 64 characters from passing validation. The problem is complicated by the fact that the BIG-IP system prefixes partition_path to vlan_name. That means that a VLAN named vlan_site6 in the Common partition is actually named /Common/vlan_site6. If you have VLANs with names longer than 64 characters, upgrade fails. To work around this, change the VLAN names before upgrading. This involves changing the VLAN name as well as any configuration objects that refer to that VLAN.
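
The validation rules in IDs 401828, 402528 and 403667 above can be checked against an inventory before upgrading. The following is an added example, not F5 code: the `Virtual` record, the `(partition, name)` VLAN tuples and the context labels are a hypothetical inventory format, the sample data is constructed, and the 64-character limit is applied to the partition-prefixed VLAN name as ID 403667 describes.

```python
from dataclasses import dataclass, field

# Limits and profile groups as stated in the release notes above.
MAX_VLAN_PATH = 64                                   # ID 403667
TRANSPORT = {"tcp", "udp", "sctp"}                   # ID 402528
EXCLUSIVE = {"sip", "rtsp", "http", "diameter",
             "radius", "ftp", "dns"}                 # ID 402528


@dataclass
class Virtual:
    """Hypothetical inventory record; this is not a BIG-IP file format."""
    name: str
    ip_protocol: str                                 # "tcp" or "udp"
    # (profile type, context); context is "clientside", "serverside" or "all"
    profiles: list = field(default_factory=list)


def vlan_full_path(partition, name):
    """The system prefixes the partition path: vlan_site6 -> /Common/vlan_site6."""
    return f"/{partition}/{name}"


def check_vlans(vlans):
    """Return (object, rule ID, message) for each VLAN whose full name is too long."""
    findings = []
    for partition, name in vlans:
        path = vlan_full_path(partition, name)
        if len(path) > MAX_VLAN_PATH:
            findings.append((path, "403667",
                             f"name is {len(path)} characters, limit is {MAX_VLAN_PATH}"))
    return findings


def check_virtual(v):
    """Return (object, rule ID, message) for each invalid profile combination."""
    findings = []
    profs = [(t.lower(), ctx) for t, ctx in v.profiles]
    types = {t for t, _ in profs}

    # ID 402528: TCP, UDP and SCTP profiles must not be mixed on the same side.
    for side in ("clientside", "serverside"):
        mixed = sorted({t for t, ctx in profs
                        if t in TRANSPORT and ctx in (side, "all")})
        if len(mixed) > 1:
            findings.append((v.name, "402528",
                             f"{side} mixes protocol profiles: {', '.join(mixed)}"))

    # ID 402528: only one of the mutually exclusive profiles may be assigned.
    clash = sorted(types & EXCLUSIVE)
    if len(clash) > 1:
        findings.append((v.name, "402528",
                         f"mutually exclusive profiles: {', '.join(clash)}"))

    # ID 401828: a SIP TCP virtual needs a TCP profile, a SIP UDP virtual a UDP one.
    proto = v.ip_protocol.lower()
    if "sip" in types and proto in ("tcp", "udp") and proto not in types:
        findings.append((v.name, "401828",
                         f"SIP {proto} virtual has no {proto} profile"))
    return findings


def lint(vlans, virtuals):
    """Run every check and return the combined findings."""
    findings = check_vlans(vlans)
    for v in virtuals:
        findings.extend(check_virtual(v))
    return findings


# Constructed sample inventory: "/Common/" is 8 characters, so a 56-character
# VLAN name is exactly at the limit and a 57-character name exceeds it.
SAMPLE_VLANS = [("Common", "vlan_site6"), ("Common", "v" * 56), ("Common", "v" * 57)]
SAMPLE_VIRTUALS = [
    Virtual("vs_sip_bad", "tcp", [("udp", "all"), ("sip", "all")]),
    Virtual("vs_mixed", "tcp", [("tcp", "clientside"), ("sctp", "clientside"),
                                ("http", "all"), ("ftp", "all")]),
    Virtual("vs_ok", "tcp", [("tcp", "clientside"), ("tcp", "serverside"),
                             ("http", "all")]),
]

if __name__ == "__main__":
    for obj, rule, msg in lint(SAMPLE_VLANS, SAMPLE_VIRTUALS):
        print(f"ID {rule}: {obj}: {msg}")
```

Any finding reported here corresponds to a configuration that the notes above say must be corrected before the upgrade.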

Fixes in 11.4.1

ID Number Description
  The contents of TMOS v11.4.0 HF3 are merged into 11.4.1.
ID 355193 This change enables the user to set the PVA acceleration variable on both the global db variable (pva.acceleration) and the profile setting (pva_acceleration). If either is set to none, this overrides any other setting. Otherwise, if either is set to guaranteed, that overrides the assist or full setting. If both are assist or full, then the per-virtual setting is applied. Settings table:

DB variable | Per-virtual setting | Result
---------------------------------------------------------
None | any | no acceleration
Guaranteed | none | no acceleration
Guaranteed | any but not-none | Guaranteed
Not-none | GUARANTEED | Guaranteed

ID 387009 Fixed an issue in TMM so it does not crash when memory is exhausted.
ID 389325 This release adds four BigDB variables to control the behavior of the HTTP filter when it encounters invalid HTTP traffic. These new options are disabled by default. Important: The last three of these should be used only in a transparent proxy configuration. No checking is done once the HTTP filter switches to pass-through mode, and arbitrary traffic could proceed down the now open tunnel.
  • Tmm.HTTP.passthru.truncated_redirect - For invalid HTTP redirects with missing trailing carriage returns, forwards the redirects to the client instead of dropping them.
  • Tmm.HTTP.passthru.invalid_header - For traffic with invalid HTTP headers, passes through the traffic instead of dropping it.
  • Tmm.HTTP.passthru.unknown_method - Treats unknown HTTP extension methods as 'invalid.' You can combine this method with the previous flag to cause unknown HTTP extension methods to be passed through.
  • Tmm.HTTP.passthru.pipeline - Upon receipt of pipelined data, the HTTP filter switches to pass-through mode. This is useful when HTTP non-compliant traffic breaks the request-response idiom, for example, by sending binary data after a GET, and expecting that the data is sent to the server before that server responds to the earlier GET request.
ID 404819 If a primary blade is successful at disk provisioning, a secondary blade that fails will mark the cluster member offline. This will allow users to delete any unused application volumes from the primary and re-enable the cluster member.
ID 407084 BIG-IP does not evaluate hardware sensor alert packets which have been marked with an error status, to avoid misinterpretation of such packets.
ID 409219 IPv6 packet reassembly now succeeds.
ID 416693 Beginning with software version 11.4.1, the ACPI _SDD operation fails silently, which is the correct behavior. The original diagnostic that produced the message was incorrect, and has been corrected with new, correct diagnostics.
ID 420330 Fixed an issue on TMM SSL traffic handling to avoid crashing when TMM memory is exhausted.
ID 421117 Handling SSL traffic with a SAML Access profile on a BIG-IP 2000-series or 4000-series platform no longer causes TMM to core.
ID 421571 HTTP::respond with a zero-length body now works correctly with SPDY.
ID 421768 Fixed a TMM SIGSEGV crash that can occur on BIG-IP 4000-series or 2000-series platforms that are low on memory and processing heavy amounts of compression and/or encrypted traffic.
ID 422328 The use of sideband connections no longer incorrectly causes TMM to leak memory.
ID 422359 The TMM no longer crashes when stalled SPDY streams are aborted.
ID 422800 F5 OPT-0011-00 1Gb LX fiber SFPs are now enabled successfully when inserted into an SFP port in a BIG-IP 2000-/4000-series appliance.
ID 423327 The connection stats now show correct and consistent numbers.
ID 423332 A race condition involving tmm during startup with regard to db variables and license handling is now resolved.
ID 423745 vCMP guests will no longer process broadcast traffic from another guest and the log messages relating to address conflicts will no longer appear.
ID 424021 Installation now occurs without error.
ID 424060 SPDY no longer causes a core in certain low-memory situations.
ID 424186 Guest backplane broadcast traffic is no longer processed by the vCMP hypervisor tmm while a vCMP guest is stopping.
ID 424554 HTTP status codes generated by HTTP::respond that are larger than 511 are no longer corrupted.
ID 424561 Virtual server configured with preserve_port_strict now functions correctly with CMP.
ID 424880 Policies with only a default rule will no longer have some actions executed more than once. Policies with a default rule that has both request and response actions now have all those actions executed at the right time.
ID 425313 iRule expressions like [POLICY::target nonsense] or [POLICY::controls abracadabra] no longer cause a crash when they are executed, but rather cause a Tcl error to be logged in the LTM log.
ID 425580 By setting the config.allow.rfc3927 database variable to "enable," addresses in the range can be configured on a BIG-IP.
ID 427448 The code mistake was corrected, and the memory leak no longer occurs.

Fixes in 11.4.0

ID Number Description
ID 227189 Now, the system counts only provisioned and feature-enabled time limited modules towards the evaluation and evaluation-expired indicators.
ID 247008 A new set of command-line options has been implemented for the bladectl utility to control the F5 Ball state, and options to flash the blade LEDs have been removed.
ID 247802 The system will properly reject the reserved names "mgmt_bp" and "tmm_bp" on vlans.
ID 247909 The new CentOS6 version of NTP used in 11.4.0 handles arrival of interfaces after NTP has started, and does not require ntpd to be restarted to use the correct source address when communicating with an NTP server on a TMM VLAN.
ID 333367 In this version, SNMP traps are available for node down and virtual_server status changes.
ID 337768 HTTP::respond and HTTP::redirect in iRules now have an "auto" option for the "-version" flag. "-version auto" forces the outgoing HTTP version to that used by the client.
ID 337824 As of 11.0, the system no longer allows you to create a server with leading or trailing white space. The upgrade from 10.x to 11.0 will strip trailing white space.
ID 342873 Provided an updated certificate bundle from Mozilla's certificate store, which eliminates known invalid certificates that Mozilla's CA bundle contained. Also updated the process whereby the certificate bundle is generated, to match Mozilla's process.
ID 345930 "IPv6 NoError Response" and "IPv6 NoError TTL" fields were added to Link Controller Inbound Wide IPs.
ID 346354 The user will no longer see invalid options to specify for the cli admin-partition.
ID 354188 Connection mirroring is now supported when there are more than two devices in a failover device group.
ID 360270 RESOLV::lookup -ptr and NAME::lookup -ptr are now caching returned records, which resolves the performance issue.
ID 360290 If a blade's PDE interfaces are in an error state, this is now caught at the time the guest is provisioned instead of when it is deployed. In this case, the error message "Insufficient PDE interfaces to allocate for vCMP (<guest_name>). The system is in an unexpected error state. Please contact support." will be returned when attempting to move the guest into a state that causes it to be provisioned. If possible, it is still recommended to reboot the blade to recover the interfaces from the error state, and then to re-try provisioning the guest.
ID 360477 If a guest that's assigned to slot B is migrating a virtual-disk from slot A, and slot A is added back to the guest, the migration is canceled to allow the guest to boot into the original virtual-disk on slot A without corrupting the copy that's being transferred to slot B. The guest then proceeds to install a new virtual-disk on slot B. Conversely, if a guest that's assigned to both slot A and B is performing a virtual-disk install on slot B, and is then unassigned from slot A, the guest will cancel the installation and begin a virtual-disk migration from slot A to slot B.
ID 360741 HTTP::disable will ensure that the connection cannot be reused, as it is now transparent to HTTP traffic. Reusing it again will require explicitly indicating so.
ID 361758 tmsh will complete these configuration item names correctly now.
ID 362619 A memory leak in real-time statistics (rtstats) has been fixed.
ID 363405 When cancelling a vCMP guest migration or vdisk installation, the guest disk resources will now be properly re-allocated and deleted where applicable. All interfaces used to report the status of vCMP operations will now show consistent status.
ID 364973 BIG-IP now correctly sends SetMemberState messages to SASP global workload managers upon SASP-monitored pool member state changes.
ID 364981 Changing "Idle time before automatic logout" to any non-default value no longer causes the CPU usage to increase.
ID 365341 The GUI now controls selection so that the control for adding a Request Logging Profile to a virtual server is now only available when the virtual server type is set to Standard. Also this control is only available for Standard virtual servers using either the TCP or UDP protocol (not SCTP).
ID 365342 Upon upgrading from 11.3, having a request logging profile attached to a Forwarding (IP) Virtual will break rolling forward the previous configuration. Remove any request logging profile attached to a Forwarding (IP) Virtual to allow the configuration to roll forward.
ID 365545 NGFIPS cards can now handle large number of key deletion operations.
ID 365766 We have significantly mitigated the possibility of a TMM core and failover event that manifests with the following panic log message in /var/log/tmm: Assertion "rt_entry ref valid" failed.
ID 367216 The online help for logging profiles now lists attributes to use to craft Template and Error Template.
ID 368757 Notification is now available in SNMP and syslog for virtual server status changes.
ID 368813 A fix for out of order messages during renegotiation with ProxySSL and tls session tickets has been included.
ID 369460 After the fix, the SNMP default configuration is in /config/bigip_base.conf. The user can modify and delete it. Loading will be consistent with the user's changes.
ID 372858 tmsh now includes a log-level setting for the ike-daemon component. To adjust the log level to one of the pre-defined values, run the command 'tmsh modify net ipsec ike-daemon log-level <level>'.
ID 374792 Added the global DB variable ARP.ReapTimeout, analogous to IPv6.Nbr.ReapTimeout, to control expiration of ARP table entries. Note the default value remains the current 20 seconds, which is substantially smaller than the IPv6 default of 3600 seconds.
ID 374969 A defect has been fixed which could cause master key decryption failures upon syncing configuration between devices. The following message in /var/log/ltm indicates such a failure condition: "Master Key decrypt failure - decrypt failure - final"
ID 375040 Creating and modifying GTM wideip/pool/prober-pool in the same transaction no longer causes MCPd to crash with this fix.
ID 379111 Files with spaces in their filenames which are included in the UCS are now rolled forward correctly.
ID 381333 Packets handled by mirrored Standard (L7) virtual servers during a failover event are now processed in a more timely fashion by the newly-Active system.
ID 382052 Setting 'Retain Certificate' under 'Client/Server' SSL profile to Disabled will reduce memory usage when not using APM. This setting is enabled by default; that is, certificates will be retained, adding to memory usage.
ID 382682 Mid-stream SSL renegotiation now functions correctly for Virtual Servers with clientssl and serverssl profiles that have Proxy SSL enabled.
ID 383104 iControl can now handle a password parameter for private keys when creating an SSL profile.
ID 383649 After reprovisioning a chassis from vCMP-dedicated to non-vCMP, a manual system reboot is no longer required.
ID 384356 MCPD now disallows white-space, ascii control characters, and non-ascii characters in file-object names. Note that it is still best practice to create object names of fewer than 63 characters (including the partition name), and that contain no special characters other than underscore ( _ ), or hyphen ( - ).
ID 384463 Use NTP or some other form of time synchronization across all devices in a device group.
ID 384924 Now, the admin user is logged out of the GUI on load sys config default and no longer has the continuous messages.
ID 385328 Support for Relayed DHCP requests sent from the VLAN and/or interface with which it was received has been added to this release of BIG-IP software.
ID 385457 IPSec traffic now works correctly over IPv6.
ID 386032 Modifying the BIG-IP management interface media type to any value other than auto or 1000baseT full no longer disables Auto-MDIX.
ID 386566 The problem in which processing a remote user causes the secondaries to restart has been fixed.
ID 386635 Subject Alternative Name can now accept and display larger size values.
ID 386742 This fixes a corner case where newly added trunk members, not associated with a vlan, were incorrectly added to this vlan.
ID 386873 In previous releases, halcmd failed if a device had a short name. The problem is fixed.
ID 387361 The system now correctly syncs status after device reboot.
ID 387692 IKE daemon racoon no longer posts vague messages in its log file under /var/log/racoon.log.
ID 387917 On secondary blades, mcpd no longer exits when persist records are deleted outside /Common on cluster-enabled systems.
ID 388869 There is a new option for a DNS Express zone which allows one to disable TSIG verification for NOTIFY messages it receives from the Master DNS server. To accomplish this, issue the following command: tmsh modify /sys db dnsexpress.verifynotifytsig value false
ID 388883 AOM now logs faulted or out of range fan, temperature, and voltage sensors.
ID 389078 An issue that causes an iRule hang in the following circumstances has been corrected:
  • The virtual server has no default pool and is cmp-enabled.
  • You have an iRule that issues a [persist lookup uie {$value any pool}] before a pool is selected.
  • A request comes in that is handled by a TMM other than tmm0.
ID 389593 Previously, when using the iRule "drop" command on a UDP virtual server, in an LB_SELECTED or LB_FAILED event, the TMM would core with the message 'Assertion "tclrule ctx not in progress" failed.' This condition has been corrected.
ID 390540 Packet filters no longer cause issues with internal traffic, and using them should no longer cause blades in chassis-based systems to erroneously go offline or otherwise fail to communicate with other blades.
ID 393183 The ARL hash table has been rewritten to be an open hash table with chained lists, and a hash collision no longer results in ARL entry loss.
ID 393211 After configuring a gateway-failsafe-device on a pool in a chassis environment and restarting the system, the secondary blade(s) no longer fail to load their configuration.
ID 393787 This behavior (dropping the TCP connection on early HTTP responses that are not part of connection-based authentication, e.g. NTLM or Negotiate) is intended to deal with poor HTTP servers that behave badly after sending 4xx errors. Future BIG-IP releases may make this behavior conditional, but starting with 11.4.0, the HTTP Connection: close header will be sent toward the client as a courtesy.
ID 394117 The system now correctly matches a virtual address name to its actual address when working with objects in another partition while that partition has a default route domain set.
ID 394740 Prior to this (11.3) if a 'none' monitor was set on a GTM Pool, iControl would return an mcp error message saying that 'none' monitors were not allowed. Now iControl silently removes the 'none' monitor and adjusts the rule accordingly.
ID 395171 Gateway Failsafe pool members are no longer incorrectly updated for devices that they do not belong to.
ID 395353 Virtual servers with SIP profiles now correctly forward well-formed SDP messages that do not end with a newline.
ID 395558 Auto-complete for source-address-translation pool correctly shows available pools based on source-address-translation type.
ID 396064 Fixed a defect that could cause previously in-sync device groups to become out of sync when one device is rebooted.
ID 396116 Users with a "manager" role can now create and update https monitors from the command-line or the GUI, whether or not the monitors contain keys and certificates.
ID 397939 When a 4200v box is powered up, the system no longer posts a false negative, power-on event message. Also, messages reporting a system power-supply event now correctly identify the appropriate power supply as the source of the report.
ID 398010 Fixed non-numeric characters being accepted as numeric in the AOM Command Menu.
ID 398059 Fixed a TMM core which could be triggered by, among other things, FastL4 and persistence profiles on a virtual server.
ID 398092 BIG-IP 2000 no longer outputs "Invalid core affinity settings" errors on bootup. These were cosmetic and did not indicate any failure.
ID 398414 Certificate Revocation List verification now functions correctly when the client certificate being verified and the CRL are signed by different Certificate Authorities.
ID 398448 Six new stats were added to indicate rate limiting. The following three stats for both DNS and GTM:
  • Effective Rate Limit
  • Object Count
  • Rate Rejects
ID 398931 When adding or removing a trunk member, the percentage-up members of the trunk is now updated accordingly.
ID 399464 Copper 1Gbps SFP interfaces configured for requested speeds of 10Mbps or 100Mbps no longer cause configuration load errors.
ID 400008 BFD sessions are now timed out in the TMM if ZebOS is not periodically querying for session statistics. This fixes the issue.
ID 400264 AOM now supports tracking and reporting of latched events/errors or out-of-range sensors. The AOM Command Menu now includes an option (E) to display these errors.
ID 400799 The DIAMETER::state command is now implemented for the diameter-endpoint profile and any profiles derived from it (such as the gx-endpoint profile).
ID 401010 To optimize the size of the log message, if the subscriber id type is one of user-name(E164) or imsi, then that corresponding field is left blank in the 3gpp parameters list.
ID 401196 A fix was added to the code that increases the CAN ID de-bounce period from 2 seconds to 4 seconds. This matches the de-bouncing period for the other controllers. The calculated CAN ID must remain the same value for up to 4 seconds in the de-bouncing loop or the loop will be reset for another 4 seconds.
ID 401220 "Translation Mapping Request Count" should correctly include unsuccessful translation requests.
ID 401392 ZXFRD can now reload zone database when a single active slot VCMP or Chassis updates a DNS Express zone.
ID 402249 A fix was added to the micro-controller firmware that checks for the diagnostic "benchtop" ID condition when the blade is fully seated. If the diagnostic ID was selected due to a slow blade insertion, the micro-controllers will reset themselves and then obtain the correct, non-diagnostic CAN ID.
ID 402290 Adding support for the BIG-IP 2000 platform.
ID 402669 In this release, firewall rules on route domains now sync. Previously, they did not. Note that firewall rules that reference a route-domain will not synchronize correctly unless the route-domain exists on all BIG-IP devices in the device-group. Historically, route-domains have not been synchronized, to allow for each BIG-IP device within a device-group, which may reside in different geographical locations, to configure a route-domain with a different set of VLANs or tunnels, possibly for site-specific reasons. Therefore, please keep in mind that there continues to be a requirement that each route-domain must be created separately on each BIG-IP within a device-group.
ID 402843 Bandwidth control for VIP targeting VIP via an iRule was not working. This has been fixed for a single VIP targeting VIP.
ID 403008 Multiple Bandwidth control instances were being created instead of reusing an existing one. This problem has been corrected.
ID 403022 As of TMOS 11.4.0 it is possible to enable automatic sync on a sync-failover device group.
ID 403182 Some missing default diameter attribute-value pairs (AVPs) for Called Station ID have been added.
ID 403579 Validation will now disallow setting of preview-size = 0 and service-down-action = ignore on 'ltm profile request-adapt' and 'ltm profile response-adapt'.
ID 403627 tmctl gpa_classification_stats could be off by as much as 15%. This problem has been corrected.
ID 403970 The RIP routes are not all deleted if one ECMP nexthop is removed.
1036 The following rate-shaper debug log message was incorrectly logging at the critical level, which could lead to system instability including TMM restarts: "Error: Trying to dequeue from empty queue for class 'rateclass'" This problem has been corrected.
ID 404037 Rate shaper accounting was being done by bytes. This accounting has been modified to be done by packets to avoid error situations.
ID 404107 Now without restarting tmm when the Gx server IP is changed, the changes take effect and BIG-IP connects to the new PCRF.
ID 404116 A newly enabled pool member is now immediately used in this condition.
ID 404123 There was a possible memory leak related to the rate-shaper discovered by code review. This defect has been corrected.
ID 404157 Configured NATs now correctly forward packets.
ID 404220 Fixed a defect in which the SNI extension information was not checked when sni-require is configured for the virtual but the client does not send the SNI extension at all.
ID 404255 Fixed an issue in which the packet-filter-trusted settings were incorrectly cleared when setting Sync Leader.
ID 404407 This fixes a kernel panic under some conditions during shutdown.
ID 404535, 406561 Status LED now turns Green as expected after AOM reset on a VIPRION chassis.
ID 404548 The LSN::Port iRule and the source-port=preserve-strict setting in virtual server configuration now work if inbound connections are enabled on the LSN pool.
ID 404577 The dpid process could, in rare cases, core when tmm was restarted or the system was rebooted. This should fix the problem.
ID 404706 Fixed a timing issue where, in some rare circumstances, not all blades in a chassis system will become active when the chassis comes from standby to active.
ID 404871 Connections established by clients through a DSLite tunnel and LSN will work (if mirroring is enabled) even after a blade failover.
ID 404986 When PCRF (over Gx) tried to update thresholds or trigger usage reports for a particular subscriber for more than one monitoring key, only one of them used to work. This is now fixed.
ID 405201 AOM now restores the SSH server timeout to the default value (0) when a non-numeric value is entered.
ID 405284 Inserting and removing SSD sleds from a running BIG-IP 11000 appliance no longer results in the system detecting and reporting the disks incorrectly on the Disk Management page of the Traffic Management User Interface. After inserting or removing SSD sleds from the BIG-IP 11000 appliance, it is no longer necessary to reboot the device for them to be detected correctly.
ID 405366 IPsec no longer stops handling incoming ESP packets after rekey.
ID 405391 A tmm crash related to Gx configuration has been corrected.
ID 405400 mcpd no longer loops waiting on input from background processes, avoiding a situation where it could drop a core file after receiving a heartbeat timeout.
ID 405418 Fixed a TMM core which could happen while running ASM or other plugin modules.
ID 405638 GTM/big3d now correctly identifies LTM virtuals in traffic group 'none' and 'traffic-group-local-only' as HA active.
ID 405652 Default routes are now correctly propagated via IS-IS to peer devices when "metric-style wide" is configured.
ID 405839 Improvements in hard drive error detection and correction have been made.
ID 405939 HA actions will be triggered upon HW accelerated SSL failures.
ID 406206 BIND has been updated to address CVE-2012-5688.
ID 406587 This fixes a large known set of ntlmconnpool and possibly tmm crash conditions related to ntlmconnpool referencing deallocated memory in some error cases.
ID 406831 Updating GTM Globals no longer throws an error.
ID 407028 A Linux kernel bug causing unpredictable errors up to and including crashes after 208.5 days of uptime has been fixed.
ID 407145 BIG-IP no longer drops tunnel packets when the traffic group has an HA MAC masquerade configuration.
ID 407187 The following are enforced on a VIP with the DNS profile:
  1. IP-proto is set properly.
  2. Either UDP or TCP is an included profile.
  3. Other compatible profiles are: DNS DOS, IP Intelligence, Statistics, AVR and Persist.
ID 407505 Enterprise Manager no longer marks as impaired BIG-IP devices running version 11.3.0 that contain a Request Adapt, Response Adapt, or Diameter Endpoint profile.
ID 407674 Sync will succeed.
ID 407706 BIG-IP is no longer susceptible to the attacks described in CVE-2013-0169.
ID 407744 Connections are no longer reset when accessing a virtual server with an adapt profile and an ASM HTTPClass.
ID 407901 Time to failover in the event of a TMM core in an active unit has been reduced.
ID 407904 In this release LTM TCP monitor does not pause sending SYNs if a backend server drops a few of them.
ID 407930 Under low memory conditions, TMM no longer cores when trying to log certain iRule-related error messages.
ID 408080 Changes to LSN pools unrelated to route advertisement no longer stop the advertisement of an LSN pool's LSN prefixes.
ID 408110 For some BIG-IP configurations, big3d can send an improperly formatted error message when responding to iQuery messages from Enterprise Manager or the F5 Management Pack. The error message has been reformatted to be proper XML.
ID 408169 The following voltage errors are no longer erroneously logged:
  slot1/hostname emerg system_check[<pid>]: 010d0009:0: Mezzanine 1.0V IDT voltage: voltage (1103) is too high.
  slot1/hostname emerg system_check[<pid>]: 010d0009:0: Blade 0.75V voltage: voltage (839) is too high.
ID 408198 1. When should the units get their master keys into sync? Whenever an HA pair gets established, the MasterKey and all the subscribed objects get synced during the first sync and everything is good to go. Only the MasterKey gets synced (not the subscribed objects) when the MasterKey is explicitly modified on any of the peers in HA. 2. When should the customer have to perform configsync manually on an HA pair? The additional manual sync is required only if someone changes the MasterKey explicitly on any of the peers in an established HA environment, in which case the subscribed objects need to be explicitly propagated.
ID 408249 BIG-IP no longer gets into performance degradation situations when tcpdump instances are started and stopped repeatedly.
ID 408276 We have added a new profile option for http: server-agent-name. You can set this to change the name used in the "Server:" header in output generated by the BIG-IP system. For example:
  root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.profile.http)# modify http server-agent-name TestServer
will use "Server: TestServer". By default, the server name is "BigIP". If you don't want any server header used at all, use an empty string:
  root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.profile.http)# modify http server-agent-name ""
If this is done, then the server header will be elided from BIG-IP-generated content.
ID 408493 Running the qkview command no longer results in the following error message and core file under rare circumstances:
  tmstat_subscribe_cols: Assertion `tmtable->col_count < tmtable->td->cols' failed. Aborted (core dumped)
ID 408605 No longer floods the log when lacpd drops slow protocols.
ID 408678 Fixed a TMM core seen while handling traffic in a Carrier-Grade NAT configuration.
ID 408753 TMM no longer cores when enabling the dns-cache feature.
ID 409004 HTTP::respond now works correctly from a HTTP_REQUEST iRule in SPDY. Invalid TCL within a SPDY iRule will now return an error instead of causing a crash.
ID 409170 Neighbor cache entry transition has been fixed when the ECHO packets are queued on the non-primary TMM. The entry state is now correctly transitioned to DELAY and then PROBE once the queued ECHO packets are sent.
ID 409218 TCP traffic from the TMOS host (e.g., health monitors) is no longer blocked for the following destination ports: 1028, 6123, 6124, 6125, 6126, 6127, 6128, 6698, 6699, 9090, 9781, and 10001.
ID 409321 Fixed a defect which could cause compression-enabled configurations to leak TMM memory and eventually cause a crash and failover.
ID 409645 Tunnel profile objects are now synchronized across device groups.
ID 409706 All modified http response data from the ICAP server is returned to the http client and the connection is terminated normally.
ID 410041 Route-domains can be added to a transaction at any time.
ID 410368 This fix allows all 1.x ports on the 2x00 and 4x00 platforms to be enabled and disabled separately without impacting other ports.
ID 410445 When cloning an LTM Policy, the policy will be created in the currently selected folder, and, not necessarily the same folder that the original policy was created in. For example if the original policy was created by an iApp and the user is working in the 'Common' folder, the new policy will be created in 'Common', not the folder used by the iApp.
ID 410542 Enabling DNS logging no longer results in messages being lost or delayed under some circumstances.
ID 410738 Modifying the vlan settings on a virtual server no longer causes packets to fail to correctly match the virtual server and get dropped.
ID 410891 While generating ICMPv6 messages, BIG-IP now uses a self-ip with global scope if the destination address scope is global.
ID 411405 TMM no longer fails to re-use source ports for virtual servers with immediate timeouts when another processing unit is handling a connection with the same port.
ID 411408 Fixed a potential TMM crash when the OneConnect profile is enabled.
ID 411788 No solution. Reboot the system to reset the limit.
ID 411873 Fixed an lldpd issue that made lldpd fail to link to mcpd after mcpd restart.
ID 412107 TMM no longer cores when running "tmsh show net fdb all".
ID 412233 Extended label domain names are now interpreted and processed correctly.
ID 412251 Static bandwidth controller policies now function correctly on virtual servers with FastL4 profiles and packet filters.
ID 412331 The following errors are no longer erroneously logged on VIPRION B2100 blades: slot1/xyz123 err clusterd[4401]: 013a0009:3: Blade 1: blade 2 powered DOWN. slot1/xyz123 notice clusterd[4401]: 013a0010:5: Blade 1: blade 2 powered up. slot2/xyz123 err lopd[3803]: 013d0004:3: Not connected to LOP (retrying) : LopDev: Assuming LOP is in bootloader mode slot2/xyz123 notice lopd[3803]: 013d0006:5: Connected to LOP
ID 412879 ICMP_ECHO_TOO_BIG processing has been fixed in the case that the packet is forwarded to another TMM.
ID 413213 CPU usage is no longer adversely affected when HTTP cookie encryption is used.
ID 413217 The ability to boot BIG-IP Virtual Edition or vCMP guests with less memory than they had previously been allocated has been made more robust.
ID 413477 BIG-IP no longer fails to load-balance to a pool member when a pool is chosen from an iRule, fallback persistence is configured, and the virtual server has no default pool. Multiple (beyond the first) iRule [persist] commands also now work as expected when the persist record exists on a remote TMM.
ID 414211 TMM will no longer send ARP or neighbor advertisements for proxied hosts to the same child VLAN that a request was received on.
ID 414399 Fixed a defect where ICMP unreachable error packets might be sent out erroneously to clients from a UDP or DTLS virtual server.
ID 414469 This is a known issue. No fix is expected in a future release.
ID 414676 The error message was enhanced. Example: { "error":{ "code":404, "message":"The configuration was updated successfully but could not be retrieved. The error is \"01020036:3: The requested application (/Common/mytestservice) was not found.\"" } }
ID 414847 Cookie encryption now correctly updates the header cache used by module plugins and the iRules [HTTP::header] command when multiple cookies are being encrypted.
ID 415334 Fixed a TMM core.
ID 415338 Improved the handling of traffic for DNS profiles with the query-logging feature enabled.
ID 415814 BIG-IP now decrements the TTL when forwarding an ICMP error packet instead of setting the TTL to 255.
ID 416636 BIND has been updated to address CVE-2013-2266.
ID 416702 A check was added to prevent accepting invalid input, i.e., the route domain must match in both GUI fields. The error will be similar to the following: "Node name foo encodes IP address which differs from supplied address field"
ID 416856 TMM crash no longer occurs.
ID 416898 RHI information is now correctly added or withdrawn according to the availability of the virtual address.
ID 417057 When DNS cache is enabled, TMM will not crash when processing a malformed DNS query with name compression, since the malformed DNS query is not sent to the DNS cache. It will be processed according to the "Unhandled Query Actions" configured in the profile.
ID 417157 iControl now reports a non-zero prefix length on addresses with value zero that have a non-zero prefix length (e.g., 0:0:0:0:0:0:0:0/104). For example, for a zero IPv4 address with prefix length 24, iControl previously returned "", and now returns "". Such addresses might appear in firewall address lists.
ID 417210 TMM no longer cores when FTP or RTSP virtual servers are configured with rate classes.
ID 417241 The deduplication config object is now syncable, and this triggers "changes pending" whenever there is a change in the deduplication setting on either of the machines in an HA pair. If the codec is changed from SDDv2 to SDDv3 or vice versa, then 'tmsh save sys config' and 'bigstart restart' should be applied on the HA pair for the change to take effect.
ID 418121 Fixed a crash that can occur after modifying web application resource item configuration.
ID 418205 When a client sends a message containing a Destination-Host or Destination-Realm AVP to the BIG-IP, the rewrite values for these AVPs when the BIG-IP sends the message to the server now include the appropriate server's identity.
ID 419698 This fix populates the SNMP Management Information Base (MIB) with the correct OID for BIG-IP 2000-series platforms. # snmpwalk -v2c -c public localhost sysObjectID.0 SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::bigip2000 # snmpget -c public localhost . SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::bigip2000
ID 420428 In version 11.3.0HF3 and later, the system now honors the existing setting.
ID 420575 Fixed an issue in TMM so it does not crash when memory is exhausted.
ID 427679 The user can now modify HA group pool weight in the UI.

Behavior changes in 11.4.1

There are no behavior changes specific to Local Traffic Manager.

Behavior changes in 11.4.0

ID Number Description
ID 224168 The login ldap attribute is now added/displayed in the GUI under the Advanced option.
ID 227271 The log message for pool member and node address statuses has changed. It now contains information on the states of each monitor instance. Before: Pool /Common/p1 member /Common/ monitor status down. [ was up for 0hr:2mins:37sec ] After: Pool /Common/p1 member /Common/ monitor status down. [ /Common/http: down, /Common/tcp: up ] [ was up for 0hr:2mins:37sec ]
ID 359078 A new DB variable configsync.copyonswitch has been added to non-clustered platforms in 11.4. This is a boolean with a default value of 'disabled'. When enabled, and the system is shutting down, and the next boot will be to a different location, the current configuration is copied to the new boot location. If the configuration copy fails, the reboot proceeds but the default boot location is set back to the (formerly) active location, so the system just boots back to the same location.
ID 364625 There is a new option for Virtual Addresses, which allows the user to define whether they are persistent or ephemeral. The default behavior has not changed, and Virtual Addresses are deleted when the last associated Virtual Server is deleted.
ID 370927 In this release, there is a new option, lifetime, for the create key command (sys crypto key). Lifetime specifies the number of days the certificate will be valid for, and is useful in conjunction with the gen-certificate option when generating a key as well as a certificate.
ID 371961 There is a new way of handling files with external data group definitions. Before assigning it to an external class, the file must be imported using options on the System :: File Management :: Data Group File List screen. The online help incorrectly indicates that files must exist in a specific subdirectory.
ID 372531 This is an APL grammar addition that allows specifying all text in the presentation in the localized text sections.
ID 377568 TMSH aliases for all utilities are now included in the default configuration. For example, previously, the TMSH command to run ping was: # run /util ping <destination> Now you can simply enter: # ping <destination> Note that the user must have the proper permissions to run the utility, otherwise the shell won't recognize the command.
ID 378180 This change adds a new keyword to the APL grammar so that multiple elements can be grouped together into a single user-defined type to facilitate better reuse within the app template presentation. Comment #1 contains a link to a wiki page that should have all the necessary information for this change.
ID 382974 The qkview file extension has changed from .tar.gz to .qkview in this release of BIG-IP software.
ID 383868 Old behavior: tmsh allowed merging any configuration that could be loaded, so a user could merge an entire SCF saved from the system without any modification. New behavior: configuration saved in config files can still be loaded, but only configuration that can be changed through "tmsh modify" is eligible for merge. A user can no longer merge an entire SCF saved from the system without any modification.
ID 386381 The default value of Log.AlertBwThreshold has changed from 0 to 75. A value of 0 means the logging is disabled. By default, the system now alerts users if the throughput goes above 75% of the licensed limit.
ID 386483 The documentation for Authenticate to First Server has changed. From: "Specifies that the system sends authentication attempts to only the first server in the list." To: "Specifies that the system sends authentication attempts and will use the first server that responds as authoritative." Prior to this change, if server A and server B were in the list in that order and server A was down, the system stopped the authentication request when it failed to contact server A. Now the system sees that server A is not communicating and, because that is a communication/network issue, continues on to contact server B.
ID 388083 Wam logs captured in qkview may be truncated. This is consistent with other log files captured from /var/log/.
ID 391351 With new access profiles and access policies that include logon page and authentication actions, there is a random delay in error response to a user when authentication fails. By default, the delay is between 2 and 5 seconds. You can change these values in access profile settings. To disable this behavior, set the minimum and maximum authentication failure delay value settings to 0 in the access profile.
ID 397330 Supported hotfixes may be directly installed into vCMP guests. Hotfixes released prior to this date are not supported and will incur guest installation timeouts if attempted.
ID 403618 In order to use the new DNS security features in this release, including DNS Protocol Security profiles (query-type filtering and header opcode exclusion) and the DNS portion of DoS Protection profiles (alerting), you must have a valid DNS services license (by purchasing GTM, DR, LC, or a DNS Services add-on) and a valid PSM license (by purchasing AFM). In addition, to enable configuration of these features, you must provision either ASM or PSM.
ID 404758 Fixed the GUI to adjust properly to the platform time zone for the firewall schedule date start and date end fields.
ID 405295 In the AFM module, the IP Intelligence Event Log pages now show one additional field: Virtual Server.
ID 405513 In the AFM module, the DoS Network and DoS Protocol (DNS) Event Log pages now show two additional fields: Packets In / sec and Dropped Packets.
ID 405584 The new DHCP LCD menu option allows the operator to enable/disable DHCP via LCD on appliance boxes.
ID 405918 Prior to this CL, the maximum number of user-defined arguments permitted on monitors was 50. Now it is set to 1024, and bigd doesn't core.
ID 408235 The new flexible allocation feature changes the tmsh command syntax used to configure guests. Previously you could use the words 'single' or 'all' when defining a guest's blade allocations. With this feature release, you must use an integer to describe the guest's blade allocations instead of words. The integer is the number of blades you want the guest to occupy.
ID 411104 This change allows the TCP retransmission timeout value to be specified on a per TCP profile basis allowing finer grain control over flow behavior in a lossy network.
ID 411879 For serverssl profiles, the system uses TLS in the following way: TLS1.2, then TLS1.1 and TLS1.0. Previously, it was TLS1, TLS1.2 and TLS1.1. This might result in unexpected status settings for existing virtual servers configured in previous releases.
ID 412679 Upgrades will fail if WAM, WOM, or WOML is provisioned with one other module.
ID 413094 Before: the tmsh command "net fdb" applied to VLANs. After: the old "net fdb" command has been replaced by "net fdb vlan".
ID 417696 For those using iControl in combination with folders (or partitions) and delete_all_x methods, the system now treats delete_all_x in a more standard way than before with respect to folders. When folders were introduced, the delete_all_x behavior was not fully specified (the API did not define which objects in which folders are deleted by these methods). The iControl delete_all_x methods (for example, delete_all_pools) no longer delete all objects in the entire partition (the whole folder tree, from the top-level folder on down, even above the active folder). The system now deletes only objects in the active folder. To delete all objects in the active folder and below, call System::Session::set_recursive_query_state before deletion. To delete all objects in a partition, set the active folder to the partition (top-level folder), and call set_recursive_query_state, then proceed with deletion.
ID 419886 In this release, installs and UCS restores will fail if there is an HTTP Class profile event or command in the iRule or the profile cannot be upgraded. For iRules see solution SOL14381. For HTTP Class profiles see solution SOL14409. If you see the "Skipping Loading" message, the error is not related to BIG-IP configuration. The user should manually load the config.
ID 420912 The BIG-IP now acts like there is a separate copy of the persistence DB and session DB for each traffic group. Data in one traffic-group cannot be accessed by any others.

Known issues

ID Number Description
ID 221917 When the bd process restarts, the system stops all internal connections. If the next event that arrives on a halted connection is an HTTP request, the attempt to disable the plugin in HTTP_REQUEST fails, which logs a Tcl error to the /var/log/ltm file. This is a benign error message that you can safely ignore. Workaround: None.
ID 221946 When you specify the cluster management IP address, the netmask defaults to /32, or In order to use cluster member addresses, the netmask must be no more than /30, or Always specify the netmask when specifying the cluster management IP address if you plan ever to use cluster member addresses. That way, the address always gets set correctly, and you can configure the cluster member addresses on the same network. Workaround: None.
ID 221956 Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands. Workaround: None.
ID 221963 When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again. Workaround: None.
ID 222005 On boot, the following message might be seen. It is innocuous and can be ignored: err ti_usb_3410_5052.c: ti_interrupt_callback - DATA ERROR, port 0, data 0x6C Workaround: None.
ID 222034 If HTTP::respond is called in LB_FAILED with large headers and/or body, the response may be truncated. TCP congestion-control state determines the threshold. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Workaround: None.
ID 222184 When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. The workaround is to select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state. Workaround: None.
ID 222221 TCP::close doesn't work properly with SSL-related iRules. To work around this, remove tcp::close from the iRule. Although the SSL connection works, it will not be closed until a timeout. Workaround: None.
ID 222273 Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections. Workaround: None.
ID 222287 On multi-core platforms running in CMP mode, rates configured in a rate class are internally divided between the active TMM instances. As a result, each flow is restricted to bandwidth equal to the configured rate divided by the number of active TMM instances. In order to achieve the actual rate set on the rate class, the system must be processing at least one flow on each active TMM instance. For more information, see SOL10858: Rate classes on CMP systems are divided among active TMM instances. Workaround: None.
ID 222344 Dynamic routes might override static management routes. If a route learned via any dynamic routing protocol exactly matches a management static route, traffic from the Linux host will follow the dynamic route. NOTE: Regarding affected modules, the problem affects any module provisioned in TMOS as the root cause is in the core functionality shared by all modules. Workaround: None.
ID 222438 PVA2 might return corrupted data in response to a virtual server stats query. When this happens, you might see messages in /var/log/ltm such as: pvad[2099]: mra_lbdb_vxo_basic_::deserialize(): wrong type 1 pvad[2099]: 01130004:4: ../Pva2AsicFactory.cpp:724 - Dropping stats msg. VSO deserialize failed. This can usually be fixed by running the command "bigstart restart pvad". Note that doing so will disrupt traffic for a short interval. Workaround: None.
ID 222806 If an httpclass selects a pool other than the default pool associated with the virtual, and the subsequent request on the same connection matches no httpclass, then the default pool is not applied; the previously selected pool continues to be used. Enabling OneConnect is a workaround for the base scenario. However, a similar issue resurfaces if RamCache is used in conjunction with OC. Either of the following should work, regardless of whether OC or RC are in use. 1. At the end of the httpclass list, include a catch-all httpclass (all selectors set to "none") which selects the desired default pool. 2. Configure the default in the virtual, as usual, but add the following iRule: when CLIENT_ACCEPTED priority 900 { set default_pool [LB::server pool] } when HTTP_CLASS_FAILED priority 100 { pool $default_pool } Workaround:
ID 223031 If you run the tcpdump utility from a Puma I blade on a VIPRION chassis containing a mix of Puma I and Puma II blades, the process does not show packets from the Puma II blades. To work around this issue, run the tcpdump operation from the Puma II blade. Workaround: None.
ID 223191 (CR128182) If you remove all remote endpoints from a configuration, any active dashboard continues to show the last remote endpoint as connected. To refresh the screen, close the dashboard and then reopen it. Workaround: None.
ID 223412 When configuring a ConfigSync peer IP address, the IP address must reside in the default route domain. The default route domain has an implicit value of zero (0). ConfigSync operations will fail if you configure a peer address that contains an explicit route domain ID. For example: When a ConfigSync operation fails due to this issue, the BIG-IP system returns error messages that appear similar to the following example (in older versions of the software): Checking configuration on local system and peer system... Peer's IP address: Caught SOAP exception: Error calling getaddrinfo for (Temporary failure in name resolution) Error: There is a problem accessing the peer system. BIGpipe parsing error: 01110034:3: The configuration for running config-sync is incorrect. Or, for versions 11.0 and beyond: Apr 19 14:15:04 beaker-vm2 err mcpd[5766]: 01071430:3: Cannot create CMI listener socket on address, port 6699, Cannot assign requested address Workaround: None.
ID 223426 Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. Enabling MD5 signatures allows the MD5 signature to be validated when it is present. Note that the problem does not affect TCP connections established from the host (for example, BGP connections). Workaround: None.
ID 223542 You cannot simply change the speed of an existing interface in a trunk; you must either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it. Workaround: None.
ID 223634 If you are in the tmsh utility, you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run util bigpipe arp <args...> at the tmsh command line. Workaround:
ID 223651 An SSH File Transfer Protocol (SFTP) client may emit an error message containing "Received message too long" when the user is unprivileged and may not use SFTP. Workaround: None.
ID 223720 If you restart the mcpd process and try to create a FIPS key, the operation occasionally fails with the message "Key generation failed: error 11 - Would overwrite file" Workaround: To work around this, restart mcpd and try the operation again.
ID 223796 When an SFP is not inserted in a VIPRION interface socket, the interface status should show "MS" (missing); instead, the interface status might show "DN" (down). Workaround: None.
ID 223830 It is possible that with increased throughput, SNMP stats might report lower TMM CPU usage values than top. Workaround: None.
ID 223885 The hash persist profile was extended in 10.0 with new options, but is no longer supported in combination with FastL4 virtuals. The workaround is to use universal persist instead. You can also use the TCP or UDP profile instead of FastL4. Workaround: None.
ID 223890 In v10.0, LB-related ratio values of up to 65535 were allowed in configs and via iControl. Currently, validation prevents any value greater than 100. Workaround:
ID 223954 The system does not include the .tmshrc file in a ConfigSync operation. That means that each unit in a high availability configuration might have a different set of remote users. You can manually sync the files by using a utility to copy the file from one system to the others. Workaround: None.
ID 223959 A BIG-IP system has limits to the number of objects that may be configured when the configuration contains virtual servers for which Packet Velocity ASIC (PVA) acceleration is required. If more than the specified maximum number of objects is configured, virtual servers that otherwise qualify for PVA acceleration are demoted to wire mode (no PVA acceleration). For more information about the maximum number of objects allowed for the PVA, refer to SOL11038: Configuration sizing and PVA acceleration. Workaround: None.
ID 223961 You can create an external monitor that references an executable in the /usr/share/monitors directory. On a VIPRION system, when the system attempts to validate the monitor on a secondary blade (for example, when the primary blade loads a secondary blade), the system posts an error message similar to the following: emerg mcpd[2822]: 0107094e:0: File cache: fatal error (can't create backup file for (/usr/bin/monitors/builtins/SYSLOG_monitor), Read-only file system) (FileCache.cpp:1523) For the monitor to function properly and to prevent this error on VIPRION systems, copy any executable used by an external monitor to the /config/monitors directory. Workaround: None.
ID 224069 Hardware accelerated flows are timed out by software if there is no activity observed during a configurable period, which was recommended to be 60 seconds in a previous solution. In the worst case scenario, BIG-IP software probably can't receive flow status reports for both hardware flows in less than 88 seconds. Therefore, it is recommended to use 90 seconds as the configuration value. Workaround: None.
ID 224073 Floating route domain self IP addresses do not respond to ping utility commands from the Linux host. If you need to access floating IP addresses using the ping utility, use an external source. Workaround: None.
ID 224142 There is a pause negotiation mismatch in a trunk containing a mix of fiber and copper. To work around this issue, do not mix fiber and copper in the same trunk. Workaround: None.
ID 224195 The system does not prevent you from deleting a self IP address that an EtherIP tunnel uses, or from creating an EtherIP tunnel using nonexistent IP addresses. Doing so, however, results in an inoperable tunnel. To ensure that an EtherIP tunnel operates as expected, do not delete any of the self IP addresses that are associated with VLAN "wan" and specified in the EtherIP tunnel object. Workaround: None.
ID 224294 SASP monitor validates timeout and interval although these values are not used by the monitor. Workaround: None.
ID 224372 When you are connected using the serial console to a multi-drive platform, you might see messages similar to the following: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged in /var/log/kern.log file. These messages appear during the time a drive is rebuilding, and you can safely ignore them. Note that the messages appear only when you are directly connected by serial console. They do not appear when you are logged in using SSH. Workaround: None.
ID 224402 When you specify a custom ConfigSync user (that is, an account other than admin), if you have specified a maximum number of password failures, the ConfigSync account is subject to the password lockout after the specified number of failures. To work around this issue, use the admin account as the ConfigSync user, or reset the non-standard account that is locked out. Workaround: None.
ID 224406 The dashboard cannot handle numbers that exceed 32 bits. If a statistic goes above that number, dashboard values will be incorrect. Workaround: None.
ID 224520 The bcm56xxd service's small form-factor pluggable (SFP) plug_check mechanism (for example, bs_i2c_sfp_plug_check()) looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) because the check does not look at pluggable media type changes. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module. Workaround: None.
ID 224665 VLAN groups are partitionable objects, so that a VLAN group created in one partition cannot be modified in another partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so results in issues for VLAN groups, so you should not attempt such a configuration. Workaround: None.
ID 224680 When you use the Wireshark program to view a packet from an EtherIP tunnel, the Wireshark program displays the EtherIP version as 0 rather than 3, as it should. This occurs because Wireshark evaluates the version based on the bottom four bits rather than the top. The Linux EtherIP implementation follows the same format used by coding developer David Kushi, which is correct according to RFC 3378 - EtherIP: Tunneling Ethernet Frames in IP Datagrams. Workaround: None.
ID 224698 Plugin-initiated connections do not use a SNAT pool, if configured (formerly CR 137381). Workaround: None.
ID 224881 On AOM-equipped platforms, changing the management IP via the front-panel LCD multiple times might result in fields on the LCD being displayed with a value of The correct values will be displayed after a system restart. Workaround:
ID 225242 The nodes are not marked up until after the timeout has elapsed for default UDP monitors. Workaround: None.
ID 225358 Both units probe both gateway fail-safe pools regardless of their unit IDs. Workaround: None.
ID 225417 The installer allows you to install version 9.x software onto 8950 (D107) or 11050 (E102) platforms; however, version 9.x software does not support the 8950 or 11050 platform. Installing 9.x software onto 8950 or 11050 platforms might result in a nonfunctional system, so do not install version 9.x software onto 8950 or 11050 platforms. Workaround: None.
ID 225431 Disabling the LCD display is not persistent across system restarts. This is for diagnostic purposes. Workaround: None.
ID 225521 On a partitioned system, if a 9.x installation operation fails or halts for any reason, including being canceled by the customer, subsequent installation operations fail and post the following messages to the liveinstall.log file: info: /dev/sda5 is mounted; will not make a filesystem here! error: VolumeSet_rebuild_fs(sda, 1) failed Terminal error: Failed to install. See log file. Workaround: To work around this issue, always reboot the system after a failed installation operation, and then try the operation again. Note that this occurs only with halted version 9.x installation operations. Halted version 10.x installation operations do not exhibit the issue.
ID 225588 Error conditions such as unreachable IP addresses, and unavailable TACACS+/RADIUS services, are not logged to /var/log/ltm for the TACACS+ RADIUS audit forwarding accounting feature. Workaround: None.
ID 225851 tmsh does not have a facility for removing "missing" array members. When an array member is physically removed from a system, the serial number will remain on the system, listed as a "missing" disk. If you need to remove this serial number from the list, you will have to use the GUI or the "array" command on the CLI. On the CLI, use array, as follows: array --erase <serial number> The GUI also has the option to remove missing disk serial numbers in System > Disk Management. The missing array member is listed just as it was before, but only the serial number is shown. Remove that from the array just as you would with an installed array disk and it will forget that missing serial number. Workaround: None.
ID 226564 The LTM Statistics and GTM Statistics dashboard components might perform very slowly and/or cause out of memory errors when used in environments with large configurations (e.g., thousands of LTM and/or GTM objects). Workaround: None.
ID 226791 Due to screen limitations, the BIG-IP system LCD cannot display serial numbers larger than 16 characters. To see larger serial numbers, use the GUI or a tmsh command. Workaround: None.
ID 226892 With the packet filter enabled and its default action set to discard or reject, IP fragments matching an established connection may be dropped. Workaround: None.
ID 226964 A node marked down by a monitor that is waiting for a manual resume mistakenly displays the "Enabled" state in its GUI properties while it stays down. In v11.0.0, the workaround is to click the Update button, which truly enables the node. Workaround:
ID 227272 If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status. To work around this, remove and reseat the fiber SFP module. Workaround: None.
ID 227281 When a full-proxy HTTP virtual with ramcache, fallback, and deferred accept configured executes reject command in CLIENT_ACCEPTED event, TMM restarts. Workaround:
ID 227319 Ramcache configurations which approach the limit of total memory allowed for use by ramcache might cause caching to be disabled for one or more virtual servers. Workaround: None.
ID 227358 Using the source port preserve strict option requires special considerations to ensure proper traffic flow and distribution. Workaround: None.
ID 227362 When you are using Fast L4 profiles, make sure to set the PVA Acceleration setting to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server. Otherwise, the system cannot perform the mimic functionality. Workaround:
ID 227369 Generating a SIGINT or SIGQUIT on the serial console during login causes all services to halt and restart. Further, SIGQUIT may cause chmand to get caught in a loop of failed restarts, requiring a host reboot. This occurs when a signal is generated at any point while the password prompt is displayed, for example: -- For SIGINT, press Ctrl-C. -- For SIGQUIT, press Ctrl-4, Ctrl-\, or (in some cases) SysReq. Workaround: None. But the problem no longer occurs after the first successful login from the console.
ID 246825 When you click the Clear Performance Data button in any view, the operation clears data for all historical statistics, not just the data for the specific view you are in. Workaround: None.
ID 246871 When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. There is no workaround for this issue. Workaround: None.
ID 246943 In a redundant configuration that has Global Traffic Manager provisioned on only one unit, you must provision Global Traffic Manager on all units. Failure to do so risks Global Traffic Manager becoming unprovisioned or unconfigured after a ConfigSync operation. Workaround: None.
ID 246962 The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a routing domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). There is no workaround for this issue. Workaround: None.
ID 246978 When you reboot a system from the serial console, the system reports the following message modprobe: modprobe: Can't locate module tun6to4... during the shutdown sequence. This message is benign, and you can safely ignore it. Workaround:
ID 246983 A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. The user can manipulate the controls, and select different settings. However, the system does not accept the change. Workaround: None.
ID 247011 Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable. Workaround: None.
ID 247012 If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server. Workaround: None.
ID 247076 The BIG-IP 8800 platform supports a maximum of 30,000 monitors in a single configuration. If you create more than 30,000 monitors, the BIG-IP 8800 might halt in a switchboard-failsafe state when you load the configuration. Workaround: None.
ID 247094 If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system posts messages such as the following until all systems are running the same version of the software: tmm tmm[1917]: 01340001:3: HA Connection with peer established. There is no workaround for this condition. All units in a redundant system must be running the same version of the software. Workaround: None.
ID 247099 After an import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. To activate the imported configuration, reboot the primary blade. Workaround: None.
ID 247135 Linux represents long VLAN names using the first 13 characters and an appended ~1. If you use the Linux system command ifconfig to retrieve the interface configuration of a VLAN with a name longer than 9 characters, the operation truncates the name to 8 or 9 characters. Workaround: To work around this issue, use the ip addr show command to retrieve the VLAN using the IP address.
ID 247200 When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. When that user logs back on, the system writes to the catalina.out file error messages such as Error while reading message at. These messages are benign, and you can safely ignore them. Workaround: None.
ID 247216 The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. As a workaround, you can click the Launch button to view the full text. Workaround: None.
ID 247241 Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file: Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms) The workaround is to create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production to prevent the potential failure from affecting live traffic. Workaround: None.
ID 247247 In the browser-based Configuration utility, if you try to set the provisioning level to Dedicated on a module when another module already has the Dedicated provisioning level, the system allows the change and sets the provisioning level to None on all other modules. When you use the command line for the same operation, the system presents an error: When a Dedicated provision level is set, all other module's provision levels must be set to None. To accomplish the change, you can use the Configuration utility, or you can use the command line to set the provisioning level to None for all other modules, and then set the Dedicated provisioning level on the module you want to configure. To do so, use the tmsh utility to issue the following commands (substituting your module names for <module-A> and <module-B>): (tmos)# create transaction [batch mode](tmos)# modify sys provision <module-A> level dedicated [batch mode](tmos)# modify sys provision <module-B> level none [batch mode](tmos)# submit transaction Workaround: None.
ID 247300 You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher, as it can result in a handshake failure. Workaround:
ID 247310 There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record. Workaround: None.
ID 247709 When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example: err httpd[6246]: [error] [client] Invalid method in request OPTIONS * HTTP/1.0 err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket) warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!? warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq/mcpq" started (pid 6377) err httpd[6379]: [error] [client] Invalid method in request OPTIONS * HTTP/1.0 warning httpd[3064]: [warn] long lost child came home! (pid 6239) These messages occur primarily as a result of the process restart, and you can safely ignore them. Workaround: None.
ID 247727 When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, all properties become custom; that is, profile properties no longer inherit parent settings. The workaround is to use the tmsh utility create and modify commands. When you do so, the system preserves the profile's properties inheritance. Workaround: None.
ID 247894 The iRule substr function is not able to use a string with a number in it as a terminating string. Instead, it converts that string to an integer and mistakenly uses it as a substring length. Workaround: None.
ID 247918 TMM might crash if you run the commands b import default or tmsh load sys config default on a BIG-IP system with dynamic routing configured and active. Removal of a self-IP address on a VLAN with dynamic routing peers also might trigger the same problem. The system indicates the problem by presenting TMM panic messages containing the following text: Assertion "link route present" failed. In order to avoid the problem, do not run the commands b import default or tmsh load sys config default if dynamic routing is configured and active on the BIG-IP system, and do not remove self-IP addresses on VLANs with dynamic routing peers. Workaround: None.
ID 248216 The SOAP monitor now allows configuring the SOAPAction HTTP header. This allows specifying the intent of a SOAP request in the form of a URI, as documented at [1]. The default value is the empty string (the header is still sent, but with no content). 1: Workaround: None.
ID 248489 If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. To work around the situation, log on to the system as the root user or as the admin local user. Workaround: None.
ID 248750 Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections. Workaround: None.
ID 248932 Occasionally, a system restart might result in the system posting to the console messages of the following type: sshd(pam_audit)[4559]: user=root(pqizzjl1l) tty=/def/pts/1 host= attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(pqizzjl1l) tty=/def/pts/1 host= attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". These messages occur when the system shuts down logging to the syslog-ng file before all users who are logged on have logged off. Should this error occur, when the system comes back up, you can use the boot marker in the audit files to confirm that the system logged out the remaining users. Workaround: None.
ID 248958 Running the tmsh or bigpipe command persist show on a cluster might return incomplete results in certain avoidable situations. To ensure complete results, leave the tmsh bigpipe shell read partition at all, and log on as a user who is authorized to view all partitions. Workaround: None.
ID 249083 Address wildcard virtual server has to be deleted and re-created when changed from IPv6 to IPv4. Without the intervening deletion, neither IPv6 nor IPv4 traffic matches the virtual. It works as expected when changing from IPv4 to IPv6 (formerly CR 98831). Workaround: None.
ID 249311 (CR118392, CR118496) If you initialize the Federal Information Processing Standards (FIPS) card and convert non-FIPS keys to FIPS keys, you must restart the tmm process before the system starts using the keys. Assuming you have an SSL profile that uses the newly converted FIPS key, here is the command sequence to run: fipsutil -f init convert non fips key to fips b load If you try to run the system without restarting the tmm process, the system issues the following errors: 01260009:7: Connection error: ssl_hs_vfy_pms:2128: invalid pre-master secret (80) Connection error: ssl_basic_rx:232: mac miscompare (20) Workaround: None.
ID 283445 (CR98760) When you convert an encrypted key to a Federal Information Processing Standards (FIPS) key, the system presents the error "Unsupported key size", and does not perform the conversion. To perform a successful conversion in this case, you must use the command-line utility to decrypt the key, and then convert the key to a FIPS-type key. Workaround: None.
ID 284910 Once you configure the BIG-IP system to use the base FastHTTP profile, the profile continues to prime server-side connections, even if there are no virtual servers currently configured to use the FastHTTP profile. Workaround: None.
ID 285008 If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles. Workaround: None.
ID 291260 If you are viewing a statistics screen, the user session logged in to the system does not time out as it does when viewing other screens. If you need to maintain the regular timeout interval for logged in users, then navigate away from a statistics screen. Workaround: None.
ID 291272 If you attempt to mirror virtual servers that have RAM Cache enabled, depending on the cache state, the system leaks the connection on the standby unit when the connection is closed on the active unit. Workaround: None.
ID 291327 Configuring a virtual server for multicast communications inside a route domain does not work. Do not configure a virtual server for multicast communications inside a route domain. Workaround: None.
ID 291541 If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation. Workaround:
ID 291689 When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. In this release, you must use the following process to accomplish this. 1. Create a pool that uses the Weighted Least Connections (Node) load balancing method. 2. Explicitly create the node entries for the pool members on the Local Traffic Nodes Node List (create) screen. 3. For each node, specify a value other than 0 (zero) in the Connection Limit box. 4. Return to the pool configuration screen by clicking its link in the Local Traffic Pools Pool List. 5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step. If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error. Workaround: None.
ID 291704 If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. The workaround is to issue a bigstart restart bcm56xxd command. From the command line, 'bigstart restart bcm56xxd'. Workaround: None.
ID 291719 When the Configuration Utility restarts, the system writes the following messages to catalina.out: log4j:ERROR A "org.apache.log4j.ConsoleAppender" object is not assignable to a "org.apache.log4j.Appender" variable. log4j:ERROR The class "org.apache.log4j.Appender" was loaded by log4j:ERROR [org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type log4j:ERROR "org.apache.log4j.ConsoleAppender" was loaded by [WebappClassLoader These messages are benign, and you can safely ignore them. Workaround: None.
ID 291723 At system startup, you might see messages similar to the following: mdadm: Unrecognised md component device - /dev/mapper/ mdadm: Unrecognised md component device - /dev/mapper/ This occurs because datastor volumes are not intended to be combined into a redundant array. The disk management subsystem unintentionally tries to join them into an array, but fails. No adverse result occurs, and you can safely ignore these messages. Workaround: None.
ID 291742 In the ltm.log file, you might see mcpd warning messages similar to the following: warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually. When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them. Workaround: None.
ID 291756 On a multi-drive system, if the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. This is a cosmetic issue only, and has no effect on functionality. Workaround: None.
ID 291761 When you complete a new installation, the Firefox browser may not recognize the SSL certificate. When this occurs, the browser-based Configuration utility posts the message Please wait while this BIG-IP device reboots, shutting down device. This spins forever and never returns. This behavior is Firefox-browser specific, so when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. The issue happens only when doing a fresh install. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft Internet Explorer browser posts an accept-certificate dialog box when you restart the system. Workaround: None.
ID 291768 If you create VLANs in an administrative partition other than Common, but do not create a route domain in that partition, then the VLANs you create in that partition are automatically assigned to route domain 0. If you later change the default route domain of that partition, the VLAN stays in its existing route domain, unless the VLAN has a self IP address or virtual IP address assigned to it. In that case, the VLAN moves to the new default route domain. Workaround: None.
ID 291776 You might see an intermittent blank top banner in the browser-based configuration utility after an upgrade or installation operation. This might be especially likely when you use Microsoft Internet Explorer version 7 on a VIPRION system, and you leave the browser window open between the end of installation and the completion of the reboot operation. In this case, when you log on, the top banner is blank. You can use the browser refresh operation (F5 or Ctrl + F5) to redisplay the banner correctly. Workaround: None.
ID 291777 The software does not support running small form-factor pluggable (SFP)+ on SFP ports on VIPRION systems that contain PB100 blades, even if the ports are running at 1 GB. Although the system does not prevent you from doing so, and you might find such a configuration functional, we do not support nor recommend running in this configuration. Workaround: None.
ID 291782 Running the tmsh load sys config operation (on version 11.0.0 and 11.1.0), or b load (on version 10.x), fails when pool members are configured with port numbers 63, 66, 172, 211, 564, and 629. In version 11.2.0, although the tmsh load operation completes for such configurations, the command "tmsh list ltm pool members" fails. The workaround is to use numbers other than these for pool member port configuration. If you want to use those ports, you can disable the utility from converting service names by running the command "tmsh modify sys db bigpipe.displayservicenames value false" (on version 11.x), or "bigpipe db bigpipe.displayservicenames false" (on version 10.x). Workaround: None.
ID 291784 If you set the import save value to 1 and import a single configuration file (SCF), the import operation halts and does not resume. To work around this issue, set the import save value to 2 or more. Workaround: None.
ID 291786 When you use the domaintool utility to delete a domain when you are configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it as the designated default. To work around this issue, change the default to a different domain before the delete operation. Workaround: None.
ID 291788 Certain packet-size related events can result in messages similar to the following: crit tmm4[5689]: 01010025:2: Device error: hsb internal error PIM_RX_PORT_0_ERRS address 0x0000103c status 0x004e0100 These messages are benign, and you can safely ignore them. Workaround: None.
ID 305069 Using the COMPRESS::disable call in an HTTP_REQUEST event in an iRule does not work. As a workaround, use the COMPRESS::disable call in an HTTP_RESPONSE event instead. Workaround: None.
ID 305091 You can create duplicate virtual servers with the same address space that are enabled on different VLANs in the same partition. But you cannot create duplicate virtual servers with the same address space enabled on different VLANs if the VLANs are in different partitions. Workaround: None.
ID 305096 When using the vi editor to edit files on the BIG-IP 6900, you might have to enter as many as three escapes to return to command mode from insert mode. Workaround:
ID 305319 SNMP queries for ltmUserStatProfileStat values do not return accurate values for user stat profile fields. Instead, the system returns a 0 (zero) or a negative number as the value. There is no workaround for this issue. Workaround: None.
ID 305320 Thumb drive installation fails when the drive contains two product installation images. To work around this issue, use thumb drives that contain only one image for installation. Workaround: None.
ID 305380 If you initialize the Federal Information Processing Standards (FIPS) card and convert non-FIPS keys to FIPS keys, you must reload the configuration (using the tmsh load command) or restart the tmm process (using the bigstart restart command) before the system starts using the keys. Assuming you have an SSL profile that uses the newly converted FIPS key and you plan to reload the configuration, here is the command sequence to run: fipsutil -f init convert non fips key to fips load /sys If you try to run the system without reloading the configuration or restarting the tmm process, the system issues the following errors: 01260009:7: Connection error: ssl_hs_vfy_pms:2128: invalid pre-master secret (80) Connection error: ssl_basic_rx:232: mac miscompare (20) Workaround: None.
ID 307982 Which platform you are using determines how the system calculates the hash to distribute packets to the trunk. On the VIPRION platform, the BIG-IP 6900, and the BIG-IP 8900, the system includes the port in the hash. On the other systems, the system calculates the hash using only the IP address. So when you specify source/destination IP address for the trunk distribution command, if the platform is one of the ones listed previously, the system creates the hash from the source/destination IP address and the TCP/UDP port. Otherwise, the system creates the hash from the source/destination IP address only. Workaround: None.
ID 315650 In order to change the baud rate when you are using a serial terminal console server on the VIPRION platform, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system. 1- On each blade in the system, run the following command: bigpipe baud rate <your_baud_rate_value> Make sure to complete this change on all blades in the system before proceeding to step 2. 2- Next, change the Serial Port Redirector (SPR) baud rate by pressing ESC( to access the SPR Command Menu. When the menu opens, select B -- Set baud rate, and select from the six settings displayed. 3- Finally, change the baud rate of your serial terminal server. The syntax for completing this step varies depending on the terminal server you are using, so you should consult your serial terminal server documentation for more specific information. Workaround: None.
ID 315763 When the pvad service queries a very large number of objects (for example, 2000 nodes), the pvad service might use as much as 27% of CPU. This condition is intermittent, and might have other requisites. There is no workaround. Workaround:
ID 317544 After installing, you might see a message similar to the following in the ltm log file: Apr 23 11:38:16 slot3/p4-019 err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7 This message is benign, and you can safely ignore it. Workaround: None.
ID 323632 When you delete an interface that is configured for interface mirroring, the system halts mirroring on all other configured interfaces. To work around this issue, when you delete an interface-mirroring configuration, recreate the configuration using all interfaces. As an alternative, after deleting an interface, save the configuration and issue the command bigstart restart. Workaround: None.
ID 326906 When you swap a blade to the same slot in a different VIPRION chassis, the system uses VLAN MAC addresses based on the old chassis. The workaround is to avoid moving a blade to the same slot in another chassis. If necessary, shift blades around in the target chassis so that the incoming blade always goes into a slot that is different from the one it came out of. Workaround: None.
ID 333357 On first boot after initial installation on VIPRION systems, occasionally the system needs to reboot. In these cases, during the shutdown preceding reboot, you may see warnings from bigstart about getdb failing. In this context, these messages are harmless and may be ignored. Workaround: None.
ID 335619 Occasionally during system startup, you might see an error message similar to the following: err : Could not make connection with MCP, err 16908360 The error is benign, and you can safely ignore it. Workaround: None.
ID 336885 There is a memory leak that affects Firefox 3.6 but not Internet Explorer 8. The leak occurs because of an interaction between the dashboard and the web browser. The workaround is to use Internet Explorer to view the dashboard. Workaround: If running the dashboard for a long time, use Internet Explorer instead of Firefox.
ID 336986 If a hard drive is in the process of replicating and an install to a non-existent volume set is started, the array status for the replicating drive will transition to "failed" while the volume sets are created. They are created at the very beginning of the installation, so this failed status should last no more than 1 minute. After the volume set is created, the status will go back to "replicating", as expected. Workaround: None.
ID 337774 When you tab-complete the command "tmsh show sys raid bay", the results show eight bays. This only affects platforms in the Apollo family, which have 4 bays. Workaround: None.
ID 338426 Clusterd can core on shutdown under certain circumstances, seen only so far with vCMP. It only happens when clusterd is shutting down, after it has taken care of all notifications to other system components, so the core can be safely ignored. Workaround: None.
ID 338450 On VIPRION blades, the BIG-IP system might log error messages about kernel-owned interfaces similar to the following messages (these are innocuous and can be ignored): slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc error: MiiNic: failed to send cmd to driver: readPseMii ioctl on: eth2Phy & Reg:1e:1a returns:Invalid argument slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc error: MiiNic: failed to send cmd to driver: getStatusReg: timeout wait for result Workaround: None.
ID 338799 If a pool has all members down/disabled but is enabled itself, it shows up as green with the error message "The children pool members(s) might be disabled." There is no workaround for this issue. Workaround: None.
ID 342319 The parameters "recursion yes" and "forward only" are not being updated in named.conf when creating entries in the BIND Forwarder Server List from the GUI. For more information, see SOL12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file, Workaround:
ID 342325 If username and password have not been configured for a RADIUS accounting monitor, it will try to connect with a <NULL> username-password. Workaround:
ID 342423 The statsd process computes the value for system-wide CPU usage using a formula: process "A" CPU usage divided by the number of CPUs on the chassis. Assuming a chassis is fully populated with PUMA I blades, the average is divided by 16. If a blade drops out, the number of CPUs is now 12, so while that blade is out of circulation, the data is divided by 12. However, even for the 5-second window, it is possible that the average might be calculated incorrectly. Example: From time1 to time4, there are 16 CPUs on the box, and processA is using 96% of its CPU. At time5, one of the blades drops out. The calculation to compute CPU and system usage happens at this time. Before the blade dropped out, the system-wide average was 96/16 = 6. When the blade drops out, the system-wide average is 96/12 = 8. That is a small difference. Although blades going down should not happen often, when it does happen, it is only the first 5-second system-wide average that is affected. The next average will be correct. Workaround: None.
ID 342670 Some disk management interfaces show the shelves with letters and some use numbers. For now, shelf 1 == a and shelf 2 == b between interfaces. Workaround: None.
ID 344226 Trying to create a CRLDP server using a name that already exists fails with the message "An error has occurred while trying to process your request." A more accurate message is "The requested CRLDP server (<crldp_server_name>) already exists in <partition_name>.". Workaround: None.
ID 345092 When a RAID system is booting, the system posts the message: Press <CTRL-I> to enter Configuration Utility... However, pressing Ctrl+I has no effect. It is not possible to enter the Configuration utility this way. This is a hardware constraint. Instead, you can configure RAID parameters through TMOS. Workaround: None.
ID 345529 The BIG-IP Configuration utility may incorrectly allow you to assign certain health monitors to pools while their pool members are configured with a wildcard service port. To work around this issue, make sure to specify an Alias Port on a monitor when it needs to probe a specific service port on wildcard pool members. For more information, see SOL12400. Workaround:
ID 347073 Configuration changes to objects are not immediately reflected in the LTM Statistics and GTM Statistics widgets in the dashboard. To work around this issue, relaunch the dashboard. Workaround: None.
ID 347174 When starting BIG-IP VE on a Hyper-V platform, the BIG-IP VE system posts multiple Advanced Configuration and Power Interface (ACPI) messages such as: "ACPI: LAPIC (acpi_id[0x3f] lapic_id[0x3e] disabled)" These messages are expected and you can ignore them. Workaround: None.
ID 348502 It is highly recommended to only use tmsh commands or iControl to delete vdisks. Deleting or renaming a vdisk from the file system (e.g., using bash) will not be detected by vcmpd and can lead to unexpected behavior if the system later attempts to use that vdisk. Workaround: None.
ID 348503 WMI monitor reports "not found" for LoadPercentage, CurrentConnection, GETRequestsPerSec, and POSTRequestsPerSec when probing IIS 7.5 on Windows 7. Workaround: None.
ID 349062 In this release, we removed the SSL peer certification mode "auto" from all BIG-IP interfaces. The upgrade script contains logic to change "auto" to "ignore" in configuration files. However, we have not made a similar conversion for iRules because it is our policy not to alter iRules during upgrade. If you have iRules that use SSL peer certification mode "auto", you must change them to use "ignore". Otherwise, they will not work. There is no functional change incurred by doing so. Workaround:
ID 349242 The load balancing method 'Ratio Least Connections (node)' does not perform correctly with 'Performance (Layer 4)' virtuals. Workaround: None.
ID 349340 Hotfix installation and formatting for volumes (ID 349340): You cannot simultaneously move to logical volume management (LVM) and install a hotfix. If you run the image2disk command with both the --hotfix and --format=volumes options, the system completes the hotfix installation, but does not format the drives. To work around this issue, format the system for volumes first, and then install the hotfix update. Workaround: None.
ID 349753 An empty sub-folder, even after saving, might not properly load during the tmsh command "load sys config partitions all". If you delete an empty folder and then load the sys config, please create the folder again. Workaround: None.
ID 350109 It is strongly recommended to remove the "dont-insert-empty-fragments" option from the SSL profiles when enabling Proxy SSL. This is done automatically when creating a profile through the GUI, but might require a manual step when the profile is created from the command-line interface. Workaround: None.
ID 351519 The configuration files used by pam and tamd are changing names between 10.2.x and this release. The files are currently being saved and then restored on upgrade, and in addition, the new files are being created when the associated mcp objects are created, which results in both the old and new versions of the files being present after upgrade. Workaround: None.
ID 351650 On 11000 platforms with SSD drives, the LCD incorrectly shows the SSD drives in bay 3 and 4 as part of its RAID status. As the SSDs are not part of RAID, they display a status of "Unknown" or "Undefined" for the SSD sled bays 3 and 4. A more accurate status is "Not part of RAID." Workaround: None.
ID 351874 When importing an ISO image into the Software Management screens in the Configuration utility, some browsers (for example, Microsoft Internet Explorer and Google Chrome) show /fakepath/ instead of the actual file path. This is expected behavior for HTML5-compatible browsers. You can work around this by adding the site to Trusted Sites. In addition, in Internet Explorer you can set the option "Include local directory path when uploading files to a server" under Tools :: Internet Option :: Security :: Custom properties. Workaround: None.
ID 351934 Booting with SSD installed, you will be able to see the SSD sled activity light blinking while the other spinning media sleds do not. This is normal. Workaround:
ID 352560 SplitSSL is incompatible with persistence profiles. Workaround: None.
ID 352840 When using partition default route domains, an attempt to load a previously saved configuration which had a different default route domain on a VIPRION may result in the secondary daemons restarting. To work around this, load the default configuration before loading a config that has a different default route domain on any partition. Workaround: None.
ID 352925 Updating a suspended iRule assigned via profile causes the TMM process to restart when trying to return to the suspended iRule.
ID 352957 Established flows via virtual servers with iRules using the "node <addr>" command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail (due to mis-routing of packets) after a route table change, even if the change does not affect any of the addresses used in the flow. New flows established after the route table change will work as expected. There is no workaround for the problem. Workaround: None.
ID 353154 Creating an instance of an ltcfg object from iControl might fail with a field validation error. The workaround is to create the new class instance using a transaction. Workaround: None.
ID 353249 LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected on PVA platforms, when using FastL4 profile with PVA in 'Assisted' mode. Workaround: None.
ID 353621 You can get an error from tmsh when adding a device to the trust-domain that says the device cannot be found: "The requested device ( was not found." This error actually indicates the "name" parameter was not specified in the command. Workaround: None.
ID 353623 In SNMP, the average MaxConns in sysGlobalStat always reports 0: F5-BIGIP-SYSTEM-MIB::sysStat{Client,Server}MaxConns{5s,1m,5m}.0 Workaround: None.
ID 353686 You cannot delete devices from the trust-domain using their IP addresses, even though that is how they are added. You need to use the device object name to delete devices from the trust-domain. Workaround: None.
ID 353812 There is no way to show/modify the global VLAN Group Proxy Exclusion List via tmsh. If you have config objects named "all", you must rename them before upgrade. Workaround: None.
ID 354149 The tmsh tab complete feature incorrectly adds a space to the command line when finishing a folder name for property items inside a single command. Workaround:
ID 354467 When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart tmm. Workaround: None.
ID 354518 Some BIG-IP blades and appliances use an RJ-45 type connector for the Serial Console port, which can be confused with an Ethernet port. If you accidentally connect an active Ethernet cable to the Serial Console port on certain BIG-IP platforms, you will likely see garbled content on the serial terminal. The following BIG-IP platforms use an RJ45-type connector for the Console port, and implement automatic baud-rate detection to attempt to synchronize the serial console port with the serial terminal that is connected to it: VIPRION B2100 blade, BIG-IP 2000-series appliances, BIG-IP 5000-series appliances, BIG-IP 7000-series appliances, BIG-IP 10000-series appliances. Part of the updated functionality of the Always-On Management (AOM) serial port includes auto-baud, meaning that when you connect a cable to the Console port and issue a break from the keyboard, the system enables scrolling through baud rates using the return key. If you accidentally plug an active Ethernet cable (that is, a cable carrying network traffic rather than serial terminal data) into the Console port, when you power up the blade, the auto-baud functionality might engage, even though the cable is not connected to a valid serial terminal. This occurs because, depending on the traffic on the cable, network communications can simulate the effect of issuing a break, which initiates auto-baud. If you are already in this condition, after you remove the Ethernet cable and connect a valid serial cable, you will likely see garbled content on the serial terminal until you reset the AOM serial port's baud rate to match the terminal's baud rate. Workaround: To synchronize AOM and terminal baud rates: 1. Issue a break (using the <BREAK> key on the keyboard). 2. Press return to have AOM cycle through the supported baud rates (115200, 57600, 38400, 19200, and 9600). 3. When the baud rates are synchronized, the following prompt appears: Press <ESC>( for AOM Command Menu. You can then press Esc ( to access the AOM Command Menu.
ID 354972 In some cases, tmsh will not properly recognize hostnames as an item reference for commands. Use IP addresses instead of hostnames when creating addresses with tmsh in this release. Workaround: None.
ID 354993 When loading a UCS, the following message may appear in the ltm log: debug bigd[3980]: External program not found in monitor /Common/external @528, file conv_to_service.cpp This message is benign and it can be ignored. Workaround:
ID 355299 PVA acceleration can be configured on a platform without a physical Packet Velocity ASIC present. The setting has no actual effect and is harmless. Workaround:
ID 355564 The Error message "The requested unknown (/Common/traffic-group-1 /Common/bigip1) was not found." might appear in the log during startup. This message does not indicate a problem, and can be ignored in this situation. Workaround:
ID 355616 ltm virtual-address objects are only shown in tmsh list output when specifically requested, as in "list ltm virtual-address", not in commands such as "list ltm". Workaround: None.
ID 355622 tmsh "list" output most commonly shows only user-specified settings, unless the "all-properties" argument is given, in which case both default and user-configured settings are shown. In this release, some default settings are shown in the "list" output, even when "all-properties" was not requested. Workaround: None.
ID 356073 Every part of the iApp template's presentation section is run every time, even the hidden parts. This means that anything that might crash (if something isn't provisioned) needs to be enclosed in a TCL block that is protected with a catch. Workaround: None.
ID 356319 You cannot reset the management port statistics (those that appear under Network: Interfaces: Statistics). The system does not report an error, but also does not reset statistics. Workaround: None.
ID 356611 You can invoke imish (the shell for configuring dynamic routing) from tmsh. When you subsequently press Ctrl + Z, sshd and imishd start consuming CPU until the imish shell times out. This occurs when tmsh is not the login shell. If the system is already in this state, run the fg command, and then exit imish. Workaround: None.
ID 356705 After completing the setup wizard in the Configuration utility, the user is redirected to the Welcome screen. The menu at left should also change from the restricted setup menu to the full menu, but occasionally it does not. In this case, the workaround is to log out/in or refresh the browser. Workaround: None.
ID 356938 Special characters (such as the Yen sign) in data group names generate garbage characters. Do not use special characters of this type for data groups. Workaround:
ID 357262 As a workaround, reqlog now closes the connection whenever it serves an http response on logging error. Ideally, it would keep the connection open when the protocol is HTTP 1.1 or higher. Workaround: None.
ID 357283 If creating a new device group out of devices that have pre-existing config objects, the GUI will inaccurately report that the device group is "in sync". To work around this, either make a configuration change to the device group, or force a config-sync by issuing the following command in the tmsh shell from device 'foo': modify cm device-group [device group name] devices modify { foo { set-sync-leader } } Workaround: None.
ID 357391 The first connection started prior to racoon being initialized fails. You must wait for racoon to initialize before first traffic is fired/processed. You can determine whether racoon is initialized by looking at /var/log/racoon.log. After configuring IPsec objects, /var/log/racoon.log reports that it has loaded the configuration and there is no error after it in a message similar to the following: 2011-04-27 11:03:35: INFO: Reloading configuration from "/etc/racoon/racoon.conf" Workaround: None.
ID 357656 When you use bigstart restart to restart all daemons on a guest, the system logs the message: Apr 25 15:43:27 slot1/vcmp1 notice chmand[7975]: 012a0005:5: Chmand cleanup: Slot:Led:Color (1:3:0) not succeed: virtual void Hal::NullAnnunSvc::ledSet(Hal::LedFunction&, Hal::LedColor&, uint32_t&, uint32_t&, uint32_t&) This is a benign message and you can safely ignore it. Workaround: None.
ID 357705 Loading the default configuration may cause the system to go offline before resuming the active status. Workaround: None.
ID 357822 User can use "delete cm trust-domain all" to create or fix trust-domain when loading a blank or inconsistent SCF. Workaround: None.
ID 357852 If a device is part of an established trust-domain but is added into a second, separate trust-domain, the devices in the original trust-domain will still have references to the device. It is recommended that you delete the device from the trust-domain from a certificate authority before adding it to a different trust-domain. Workaround: None.
ID 357874 Creating an overlapping route can cause an unclear configuration exception message, such as: 1. [root@ltm-56:Active] config # tmsh create net route test_route_ipv6 network 2002::1/128 gw 2002::3 2. [root@ltm-56:Active] config # tmsh create net route default-inet6 { gw 2002::1 } 01070712:3: Caught configuration exception (0), Netlink reply from kernel has error: -113 (for static route create: ::/0 gw 2002::1 in vlan '') - net/validation/routing.cpp, line 332. Workaround:
ID 358019 NATs require a translation-address, but the error message does not indicate this. Instead, when you create the NAT, the message posted is: 01020059:3: IP Address :: is invalid, must not be all zeros. To work around this, make sure to include a translation-address. Workaround: None.
ID 358063 If you do a "restart sys service all" from tmsh shell, the next command you issue will result in the error message: "The connection to mcpd has been lost, try again." Workaround: None.
ID 358099 If two devices have different provisioned modules, then the application with those modules configured in one device might not be able to sync to the other device. The two devices will be out of sync and cannot recover in this situation. For sync to occur correctly, both devices must have the same provisioning. Workaround: None.
ID 358191 If the user resets the trust and changes the host name of the device, the other devices in the trust domain still show the unchanged, former host name and show the device as still attached. Workaround: None.
ID 358575 The traditional ConfigSync mechanism has been replaced with a more robust MCP-to-MCP communication mechanism. As a result, UCS files now load the full configuration in all cases, and no longer have the concept or ability to only load the "shared" portion. Loading of UCS files created on a different device is no longer supported. Workaround: None.
ID 358615 When modifying failover unicast addresses via tmsh, user should be aware that all addresses must be specified even if the intention is to remove or add a single address to/from the list. For example, given a device with two existing unicast addresses, this command will replace both addresses with a single address: modify cm device unicast-address { { ip } } Workaround: None.
ID 358655 The No such file or directory error always shows up around kernel installation, but it does not negatively impact the installation itself. Workaround: None.
ID 358685 You might see messages similar to the following when booting the VIPRION 2400. These can be ignored: "PCI: Cannot allocate resource region 2 of device 0000:0a:00.0 PCI: Cannot allocate resource region 2 of device 0000:0a:00.1 PCI: Cannot allocate resource region 2 of device 0000:0c:00.0 PCI: Cannot allocate resource region 2 of device 0000:0c:00.1" Workaround: None.
ID 358855 Only the array command makes a drive with a failed SMART self-test visible to an end-user. We have a new feature in this release which automatically checks every new drive for SMART-type errors. If it finds any, the self-test fails and the drive can't be put into service. The results of this test are only seen when viewing the output of the "array". Workaround: None.
ID 359393 In order to be compliant with the FIPS-140 standard, keys cannot be exported from a FIPS card in plain text; they can only be exported by encrypting them with the master key on the FIPS card. If the master key on the FIPS card has changed since the keys have been exported, it will not be possible to import the keys back into the card. Workaround: None.
ID 359395 Invalid or empty SSL certificates, keys, or CRLs will not be rolled forward on upgrade to v11.0.0. Workaround: None.
ID 359491 When a system's hostname is set by the user via the tmsh setting "modify sys global-settings hostname" only the local copy of the self device is set. Remote copies of the hostname are not updated accordingly. Thus, running the command "list cm device name-of-device hostname" would have the hostname "" on the local machine and "" on other machines in the trust domain. Workaround: None.
ID 359703 Zone transfers are made via a self-IP due to the global nature of the DNS Express database. Workaround: None.
ID 359774 In v11.0.0, pools used in an HA group must be in /Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.0.0 will fail. Workaround: None.
ID 359873 LTM-initiated SSL renegotiation will not be attempted when secure renegotiation is configured as required and the peer is unpatched (does not support SSL secure renegotiation). This applies both to configuration-based (e.g., renegotiate-period), as well as iRules-based attempts to renegotiate. Workaround: None.
ID 359894 When creating a CLI transaction for the BIG-IP system ("batch commands"), an attempt to create a sys folder and modify that new folder in the same batch will fail. Any iControl app that creates a partition with the Management::Partition interface will need to be rewritten to use the Management::Folder interface. Workaround:
ID 359978 LTM Throughput statistics might not match when comparing the Dashboard against other interfaces. The Dashboard throughput statistic includes traffic observed on all physical interfaces, layers 2-7. Throughput statistics in other interfaces are based on traffic passing through tmm. Workaround: None.
ID 360097 vCMP guest names (and most TMOS configuration object names) must start with a letter, "/" or "_" and thereafter, consist of letters and numbers. They also cannot conflict with keywords and parameters for the command. Workaround: None.
ID 360122 The iControl method System.Statistics.reset_all_statistics() does not reset iStats. To work around this, do the following: 1. bigstart stop 2. Remove all files (not directories) in /var/tmstat2 3. bigstart start Workaround: None.
ID 360137 After bringing up a BIG-IP newly licensed for Appliance Mode, the in-memory configuration is updated to change any user shell specifications set to bash to tmsh. However, if the configuration is not saved, those changes are lost and subsequent boot of the BIG-IP will fail to load the configuration file bigip_sys.conf. The workaround is to save the configuration after the first boot in Appliance Mode. Workaround: Save the configuration via either the tmsh /sys save config command or by changing something in the GUI.
ID 360263 In this release, the VIPRION 2400 reports a CPU Count of 8 instead of the expected 4 on the Device Configuration screen in the browser-based Configuration utility. This occurs because the implementation of hyper-threading causes the system to report double the actual number of cores. There is no workaround for this issue. Workaround: None.
ID 360485 Node statistics, especially after a statistics reset, may be too high for a node whose address is in a lasthop pool. Lasthop pool configured. Inaccurate node stats. Workaround: None.
ID 360675 Creating a configuration object with a FIPS 140 key will always create a key in the FIPS 140 device even when the configuration objects are not saved. Configuration objects that are not saved will require the user to delete FIPS 140 keys manually from the device. Keys can be deleted manually with "tmsh delete sys crypto fips by-handle". Key handles can be listed with "tmsh show sys crypto fips". Workaround: None.
ID 361028 In rare instances the bigpipe interface might show the management port (MGMT) as UP when there is no Ethernet physically connected to the port. The issue can usually be remedied with a blade reboot. Workaround: None.
ID 361035 Trust-domain members overwritten when discovering existing pair. There is no workaround for this issue. Workaround: None.
ID 361036 When the AOM powers down the Host for cause (for example, over temp) it abruptly stops the Host, bypassing a normal graceful power-down sequence. Because of this, some log messages sent from the AOM to the Host might be lost. Workaround: None.
ID 361094 im command gives error if im package is in root directory (formerly CR 100844). Workaround: None.
ID 361124 The App Editor role will be able to run any iApps template, but most of the iApps templates will not work for them because of permissions issues. Workaround:
ID 361181 A "fipsutil reset" resets the FIPS card and deletes all keys in the card but it does not delete the configuration objects representing those keys. It also does not modify SSL profiles using those keys. This results in the system failing to load the configuration on reboot. An error like this will be generated: Jun 6 06:02:30 RackC6-6900-1 notice mcpd[5816]: 01390002:5: The size of the configuration DB has been extended by 2097152 bytes, now using a total of 10485760 bytes Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(e1:fb:55...ef:89:b3), FIPS:ERR_HSM_NOT_INITIALIZED. Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: fips_insert_masked_object error on import, ERR_HSM_NOT_INITIALIZED. Jun 6 06:02:31 RackC6-6900-1 err mcpd[5816]: 01070712:3: Caught configuration exception (0), unable to import FIPS 140 key (/Common/zzFIPSTest) from key file.) - sys/validation/FileObject.cpp, line 4714. Jun 6 06:02:32 RackC6-6900-1 err tmsh[6948]: 01420006:3: Loading configuration process failed. To avoid this situation, delete the FIPS keys and remove the usage from profiles before resetting the FIPS device. If the system gets into the failure condition as shown previously, do the following: 1. Edit the bigip.conf file where the FIPS key is referenced. Delete all occurrences of the key. 2. Delete the key from /config/ssl/ssl.cavfips 3. Find and delete the key from filestore/files_d/<partition-name>/certificate_key_d/ 4. Run "tmsh load sys config partitions all" to make sure the config loads. After this point, the config should load without issue after a reboot. Workaround: None.
ID 361315 If you go to the System > Preferences screen and simply click the Update button without editing any values, the system incorrectly posts a Changes pending notice (that is, recommendation for synchronization). Many values on this screen are not even synchronized across BIG-IP devices. Workaround: None.
ID 361318 If you want to turn on connection mirroring in iApps, turn off the strict update. Enable connection mirroring on all virtual servers that belong to the iApp. Then turn the strict update back on. Workaround: None.
ID 361470 If a virtual server's destination address is entered into tmsh with invalid IPv4 or IPv6 numbering or a hostname, the error message "The requested virtual address (</PATH/ADDRESS>) was not found." will be displayed. Workaround: None.
ID 361784 To add virtual servers to GTM pools, at minimum the user will need to provide this level of information: modify poolxyz members add {<hostname>:<partition>/<vsname>} (specifying the partition for the hostname is not necessary). NOTE: There is NO autocomplete help for any of this. You will need to do this completely and accurately or risk receiving a message such as: 01070226:3: Pool Member VS9eleven6 references a nonexistent Virtual Server Workaround: None.
ID 362225 Disabling connection queuing via "tmsh edit" while connections are queued will cause the queued connections to become stuck. The workaround is to use tmsh modify command instead of edit. Workaround: None.
ID 362299 You cannot enable/disable virtual servers owned by an application service, with strict updates enabled from the virtual server properties page. A "strict updates" error results. The workaround is to enable/disable the virtual server from virtual server list page. Workaround: None.
ID 362405 If a vdisk migration occurs, the original copy is left unchanged on the source slot. The copy will not ever be synchronized with the new vdisk copy on the destination slot. After the migration is successful, the original vdisk can be safely deleted but can also be kept as a valuable backup. However, note that if the guest is once again allocated to the slot containing the old vdisk, then that old vdisk will be used without it first synchronizing with any other vdisk. If that slot is the only one the guest is allocated to, it will boot up with the old software, configuration, and license that existed on the guest at the time the guest was migrated to another slot. If, however, the guest is already deployed on other slots, the guest will use the old vdisk on that slot but will synchronize the software, configuration, and license from the guest's primary slot, per normal clustering behavior. Workaround: None.
ID 362406 "Tmsh show sys failover cable" does not show the peer cable status anymore due to changes in the configsync process. Workaround: None.
ID 362874 After upgrading, the following message was posted on the Configuration utility browser window for several hours. "Upgrading Device Trust Device trust is still being upgraded. Please do not make modifications to Device Management or Traffic Groups pages while this message is displayed." This occurs when a device that is configured to be in a redundant pair is upgraded to version 11.0, but its peer device cannot be contacted. The banner indicates that the device is waiting for its peer to be contacted. If the peer device is no longer in use, the following workaround should be used to remove the banner message: * Set the trust.configupdatedone db variable to "true". * Set the failover.isredundant db variable to "false". * Restart devmgmtd. * Reset trust. Workaround: None.
ID 362984 The console displays a message indicating the DHCP can be adjusted on a VIPRION system. Performing this command will have no effect on the configuration. Workaround:
ID 362985 Displaying the configured syslog server with tmsh might require prepending the /Common/ path. Workaround: None.
ID 363137 When running an Active Directory (AD) auth access policy, the session might fail with the AD module, reporting a message such as: "AD module: authentication with '...' failed: Cannot contact any KDC for realm ...". Workaround: Our domain controller closes Kerberos connections when source ports 22528 or 53249 are used. Change the ephemeral port range so these ports are not used: echo "22529 53248" > /proc/sys/net/ipv4/ip_local_port_range
ID 363216 A virtual server might say 'vlans-disabled', but does not include a list of which ones are disabled if that list is empty. For example, this means that the virtual server is disabled for no VLAN entries, which is the default setting: ltm virtual sample_vs { destination any:any profiles { fastL4 { } } vlans-disabled } This is harmless. Use the command "list ltm virtual all-properties" to see the (empty) list of VLAN entries. Workaround: None.
ID 363284 The cipher list 'DEFAULT:!NATIVE' is different on v10.2.2 (valid) and v11.0.0 (invalid, empty). This can cause configurations to fail loading on v11.0.0 during the upgrade. This occurs because ciphers "ALL" in the Client SSL profile only includes "NATIVE" ciphers. That means that "COMPAT" must be specified to include "COMPAT" ciphers (e.g., EXP, EDH). As all SSLv2 ciphers are COMPAT ciphers, this also means that "ALL:SSLv2" no longer includes SSLv2 ciphers. Note that this change impacts upgrade. So if your configuration uses COMPAT ciphers, it requires a configuration change (to specifically include COMPAT ciphers) for upgrade to complete successfully. Workaround: None.
ID 363309 The max length for a pathed/folderized name is 255 characters. Workaround:
ID 363332 After removing a device from the trust domain, the other devices believe the removed peer is unreachable, instead of removed from the trust domain. Removing a device from a trust domain is a two-step process. You must update the trust domain on the device that is being removed and one other device that is still in the trust domain. Workaround: None.
ID 363361 The matchclass command is deprecated in favor of class match command. Do not specify a datagroup name as if it were a global variable. Workaround: None.
ID 363500 The system logs of a BIG-IP vCMP guest might show DriveReady Errors or an AbortedCommand in relation to /dev/hdc. These kernel warnings are innocuous and may be ignored. Workaround: None.
ID 363541 If a user creates an "and" rule for the default node monitor that includes the monitor "/Common/none" the state of the node will not be reported correctly. Workaround: None.
ID 363756 Simultaneous blade-to-blade migrations of guests might occur. In rare instances, it's possible that multiple migration tasks will take longer than the allocated interval and as such migrating guests might encounter a timeout. If this happens three times, the guest will be placed in the "failed" state. Workaround: To recover a guest from this condition, wait until all guest migration tasks complete successfully or fail after three timed-out attempts. Then on any blade with a guest in the "failed" state, execute the "vretry" command. This will cause any guests in the failed state on that blade to retry the failed action. Executing "vretry" one blade at a time and waiting until all migration tasks on that blade are complete will avoid these failsafe timeouts. If a guest's retry attempts also fail, re-provisioning the guest might resolve the issue. To do this, change the guest's state to "configured" and then subsequently back to "provisioned" or "deployed", as preferred. Note that this might cause the guest to be allocated to a different blade.
ID 363912 In rare occasions, when there are no monitors assigned as the default node monitor, an entry "none" may appear in the Active select box on the "Default Monitor" page in the Configuration Utility. This still represents the fact that no monitors are selected as the default node monitor and the BIG-IP will operate as such. Workaround:
ID 364407 Even after vCMP is deprovisioned, VLAN deletion/modification is incurring a verification check that prevents VLAN from being deleted/modified. To work around this, reprovision vCMP, delete/modify the guest, delete/modify the VLANs, and then deprovision vCMP (reboot required). Workaround: None.
ID 364467 You cannot save sysconfig after the license expires, so make sure to save before the license expires. Workaround: None.
ID 364522 A user with the app_editor role can create an app service; however, because app_editor users cannot create objects (they can only update and enable/disable them), app_editor users actually cannot create an app service. There are two workarounds: 1. Use the new add_member_v2 method, which does not have this constraint (the add_member command is deprecated). 2. Have a user with the appropriate role create/manage the node address prior to using add_member. Workaround: None.
ID 364588 If you run the show command from /Common partition to display the details of a pool in another partition, the monitor instance line is missing. Workaround: To work around this, navigate to the partition first. Then the show command presents the expected results.
ID 364717 When using the node-port option with delete command for persistence persist-records, entries with the specified node-port should be deleted. Instead, the system deletes all the persist table entries irrespective of the port specified. Also, the show command with nonexistent port displays all the entries irrespective of the port specified. Workaround: None.
ID 364831 When snmpd is restarted, you might get this warning message in the log file: "/config/snmp/subagents.conf: line 9: Warning: Unknown token: agentxPingInterval." This message is benign and can safely be ignored. Workaround: None.
ID 364939 When a BIG-IP system has been configured as part of a trust domain for the purpose of config sync, and the configuration has been saved to the configuration files (tmsh save sys config partitions all), the following sequence of commands will incorrectly remove the BIG-IP system from the trust domain and config sync will not work: tmsh load sys config default (set the config back to factory defaults) tmsh load sys config partitions all (load the configuration from config files in /config/...) Workaround: None.
ID 364978 If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2. For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair. To work around this, modify the default device to point to the unit 1 box, using a command similar to the following: tmsh modify /cm traffic-group traffic-group-2 default-device <unit 1 device name> Workaround: None.
ID 365006 Installing a 10.x UCS on a "clean" 11.0 will cause daemons on secondary blades to restart. Workaround: None.
ID 365219 Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but there will be one of the two following error messages in /var/log/ltm log: -- Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at}. -- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust. Upgrading high availability version 10.x configurations that use the factory default admin password. Trust upgrade for version 10.x high availability configuration fails. Workaround: Change the default admin password in the 10.x configuration before upgrading to 11.0.0. This is intended functionality. The default admin password should be changed before deployment.
ID 365375 DNS response packet is dropped when "DNS::edns0" command is used with nsid option and there is no edns0 resource record in the packet. To work around this issue, always use "DNS::edns0 exist" and "DNS::edns0 exist nsid" to make sure the packet contains the edns0 RR. Workaround: None.
ID 365472 Traffic IPv6 destinations, including IPv4 traffic in non-default route domains prior to version 11.1.0, might use the wrong self IP as the source address and be directed to the wrong nexthop. Traffic traversing TMM is not affected, only traffic from the Linux host is affected. Default IPv6 route and a more specific IPv6 route to the destination in question using a different nexthop. The neighbor entry for the more specific route's nexthop must be in a 'FAILED' state according to the output of 'ip -6 neighbor show'. Remote IPv6 hosts might not be reachable and monitors might mark them down. Workaround: Ping the nexthop of the more specific route to update the neighbor entry. Adding a gateway monitor to this nexthop address prevents the issue from manifesting at all.
ID 365555 The DES ciphers have been deprecated for TLS v1.2 but TMM is including them. These ciphers are supported on earlier versions of SSL/TLS, such as SSLv3 and TLS v1.0, which are widely used. TLS v1.2 is trying to deprecate them and move to higher standards. F5 recommends that you do not use these ciphers. Workaround: None.
ID 365756 On error, partition folder has changed at the command line. Change it back to /Common and attempt to reload SCF after the fix. Workaround: None.
ID 365757 Mixed mode is presented as an option for extra disks. When applied, this configuration option will present an error message similar to "01071372:3: Cannot change the mode for logical disk (HD2) from (NONE) to (MIXED). Disks cannot be changed to MIXED or CONTROL modes.". For this release of BIG-IP software, only None and Datastor are functional modes for extra disks. Workaround: None.
ID 365767 The verify option during a load .scf file operation from tmsh on the VIPRION system will cause mcpd to restart. To work around this issue, do not use the verify option on VIPRION. Workaround: None.
ID 365836 When using tmsh to switch to a vCMP provisioned system, a transaction should be used. The commands to do this are: # tmsh > create cli transaction > modify sys provision ltm level none # All modules must be set to none. Add any other commands here to do so following the previous ltm example. > modify sys provision vcmp level dedicated > submit cli transaction Secondary blades will likely reboot automatically due to this operation. There are conditions where the primary will reboot automatically as well. If the primary does not reboot and the status is REBOOT_REQUIRED, you should wait two full minutes before rebooting the primary blade. This is to ensure that provisioning completes, the secondaries have rebooted, vcmpd starts and the system enters a quiescent state. This only needs to be done when changing provisioning. Workaround: None.
ID 365979 After creating a new folder from tmsh the "tmsh save sys config partitions all" command should be run. Workaround: None.
ID 366060 FTP mirroring occasionally fails when connections come from tmm0. When it does fail, the idle timer on the standby is not updated and the connection is reaped in the 30-50 second range. Workaround: None.
ID 367072 Running the command 'tmsh show sys hardware' on an appliance-based system shows a Registration Key field with a -- value, even on licensed systems. This field is designed only for chassis-based systems, so you can ignore the value. Workaround:
ID 367198 Running 'tmsh show sys hardware' on appliances shows a blank Registration Key field. This is by design; this field is intended for VIPRION chassis only. Workaround:
ID 367714 If you encounter an issue in which the BIG-IP system and your terminal are initially set to mismatching baud rates, but later set to matching baud rates, and you subsequently see no output or garbled characters, refer to SOL13331: The BIG-IP serial console port may lock up when the terminal emulator is configured with a mismatched baud rate, for detailed information about this issue. Workaround: None.
ID 368512 Some actions [in the GUI] may result in a "Changes Pending" sync status, even though no configuration was modified. Manually syncing the devicegroup will fix the status. Workaround: None.
ID 368853 The web interfaces for F5 products rely on HTML style sheets and JavaScript to display graphics and other objects. If you are using a web browser that does not support style sheets or JavaScript, or have these features disabled in the web browser you are using, some items may not display correctly or function properly on the browser screen. For example, you cannot create a Device Group in Microsoft Internet Explorer Compatibility View. To create a Device Group, turn off Compatibility View by clicking the Compatibility View button in the Internet Explorer 8 address bar. Workaround: None.
ID 368888 The system allows you to create a virtual server (which creates the virtual address) in traffic-group 2 and a SNAT translation IP in traffic-group 1, and then to assign the SNAT IP to the virtual IP address, even though doing so could cause asymmetric routes if these traffic-groups were not active on the same unit. Workaround: To work around this, only perform this type of configuration when two traffic groups are active on the same unit.
ID 369460 Before: SNMP default configuration used to be in /defaults/config_base.conf. User can modify it but can't delete it. After: SNMP default configuration is in /config/bigip_base.conf. User can modify and delete it.
ID 370189 If you upgrade from BIG-IP v10.x and have a virtual server with more than one httpclass attached the compression profiles will not be updated. Workaround: Remove all but one httpclass from your virtual servers.
ID 370225 After a pool member is disabled from a DHCP Relay virtual server, connection flow data for the disabled pool member will persist until it times out. Workaround:
ID 370991 The Logs Local Traffic option under the system menu is not visible on systems provisioned WAM dedicated as of version 11. Version 10 displayed this menu option inadvertently. Workaround: None.
ID 372209 When the certificate used to verify a signed iRule expires, the iRule verification status will still remain "Verified" as long as the certificate exists on the device. To avoid the misleading status, the signature for rules signed with an expired certificate should be modified to have the 'ignore verification' property set to true, or edited to remove the signature (edit the rule and remove the 'definition-signature' line). Workaround: None.
ID 372979 When using the config utility to configure a static IP address, it works correctly. But when using the config utility to select an automatic or DHCP address, the operation does not complete, and returns to the prompt without error. The workaround is to configure a static IP address. Workaround: None.
ID 373467 MD5 certificates will not work with TLS 1.2. The client will not be able to authenticate with certificates that are signed with rsa-md5. Workaround: None.
ID 374109 The radvd config is not migrated to tmsh syntax during a UCS restore. The workaround is to create the config manually with tmsh. Workaround: None.
ID 374259 BIG-IP allows clientssl profiles to be associated with certificates that aren't imported in BIG-IP. This does not affect v11.x. Workaround: None.
ID 374333 When the rate of new connections (CPS) is extremely low, observed/predictive load balancing can perform uneven connection distribution across pool members. Configure a pool using predictive or observed load balancing methods. Uneven connection distribution across pool. Workaround: None.
ID 375068 In certain versions of vCloud Director, VMXNET3 NICs may appear as Flexible. The BIG-IP VE NIC type may be verified by checking /var/log/tmm for VMXNET3 attachment messages. Workaround: None.
ID 375207 On rare occasions, tmsh will write an innocuous error message to /var/log/ltm based on a query to mcpd. The error appears as: 01070734:3: Configuration error: Invalid wildcard query, invalid or missing class ID Workaround: None.
ID 375605 Management IP addresses which are not saved in the configuration can remain on the interface after a reboot. Rebooting again or removing the unwanted address manually will solve the issue. Workaround: None.
ID 375887 Using the cluster member 'disable' command with a trunk that spans blades can cause a brief period where received broadcast and multicast packets will egress out the enabled trunk members of the cluster. To an external device running spanning tree protocol or variant, this can look like a loop. Workaround: None.
ID 376166 QSFP+ module ports do not allow a media capability setting of 1 GbE. There is no workaround for this issue. Workaround: None.
ID 376303 Deploying a BIG-IP VE via template into vCloud director may remove the CPU reservation configuration. CPU reservations are important for BIG-IP VE operation and should be configured as per the guidelines in the "Platform Sizing" section of the BIG-IP VE Manual. Please use "Reservation Pool" allocation model. Workaround:
ID 376421 While blades boot up, the system posts the following benign message: "i8042.c: No controller found." This is a cosmetic issue and can be ignored. Workaround:
ID 376447 When using tmsh or iControl and the VLAN group feature, if a VLAN group member is used in the configuration of another object, an error may result similar to the following: 01070712:3: Caught configuration exception (0), Cannot create vlan 'vlanx' in rd0 - ioctl failed: File exists - net/validation/routing.cpp, line 395. To avoid the problem, when using tmsh and the vlan group feature, only use the VLAN groups, never their members, when configuring other objects. Furthermore, it is not necessary to work with the VLAN group member (that is, in this case, the group is already in the route domain, so adding the VLAN itself is not even necessary). Workaround: None.
ID 376554 The sod daemon could crash and leave a core file if it received a malicious packet. In this case it was a packet that looked extremely large. Workaround: None.
ID 377231 VIPRION B4300 blades only support 9600 and 19200 baud, even though other baud rates are accepted. Workaround: None.
ID 378055 The serial console on the B2100 blade in a VIPRION C2400 chassis cannot be set to 38400 using the tmsh command "tmsh mod sys console baud-rate 38400," but can be set using the AOM Command Menu. After setting to 38400 via the AOM Command Menu you can use the tmsh command to see that the baud rate has been set to 38400. Workaround:
ID 378305 Because the first phase of the BIOS operates at a fixed baud rate of 19200, if you change the baud rate to any other speed, you do not see the BIOS splash screen, nor are you able to access BIOS setup while rebooting the B4200 blade. To see the splash screen or access BIOS setup, change the baud rate to 19200. Workaround:
ID 379213 If a guest provision or deployment stalls on 'waiting for other disk activity to finish', wait for all disk activity to finish. Once complete, bring the guest back to a configured state before attempting to provision or deploy again. Workaround:
ID 379656 The VIPRION B4400 chassis is cooled via side to side air flow. If multiple chassis are aligned in adjacent racks, the heated output air from one chassis becomes the input air to the next chassis and this can cause blade overheating. The workaround is to stagger the chassis vertically in adjacent racks so their cooling paths are not aligned. Workaround: None.
ID 379738 If a BIG-IP system has both an 11.x install and a 10.x install, in some cases falling back to 10.x will result in these error messages in /var/log/ltm: Error 'unknown DS name 'rchits'' during rrd_update for rrd file '/var/rrd/ramcache If so, do the following: bigstart stop statsd and either rm -f /var/rrd/ramcache* or cp /var/rrd/ramcache* to some permanent location (see note). bigstart start statsd. statsd will then regenerate the rrd file. Note: this will result in the loss of RAMCACHE historical statistics. If that is unacceptable, create a directory on /shared to hold the files. Example: While still running the 11.x partition: bigstart stop statsd; mkdir -p /shared/rrd11/ramcache; mv /var/rrd/ramcache* /shared/rrd11/ramcache. Then reboot to 10.x. If you wish to restore these when switching back to 11.x (once rebooted to 11.x): bigstart stop statsd; cp /shared/rrd11/ramcache/* /var/rrd/; bigstart start statsd. Workaround: None.
ID 380047 Listing certain objects in subfolders of the current folder (e.g. 'list ltm profile ntlm my_subfolder/my_ntlm_profile') may not show any output. Workaround: As a workaround, you can change into the subfolder ('cd my_subfolder') and then list the object: 'list ltm profile ntlm my_ntlm_profile'.
ID 380415 TMM CPU utilization statistics reported by sFlow or by running "tmsh show sys tmm-info" are less than actual TMM CPU utilization. TMM CPU utilization stats can be found by running "tmsh show sys proc-info tmm". Workaround: None.
ID 381123 Enabling more than 10 sFlow receivers may impact the performance of the BIG-IP system and, therefore, is not recommended. Workaround: None.
ID 381512 If the system is going down while an active tcpdump session is ongoing, it will cause tmm to core. Workaround: Turn off tcpdump sessions before running any bigstart restart command.
ID 381710 The test-monitor and test-pool-monitor commands require the monitor or pool argument to include its partition; e.g. /Common/pool1. Tab completion from inside a partition will cause the partition name to be omitted. To work around this, run these commands from the root partition, or manually type the full pool or monitor argument including partition. Workaround: None.
ID 381977 On a chassis, if the IP option is set to DHCP, the GUI cannot get past the setup page. To avoid this issue, set the IP option to manual and not DHCP. Workaround: None.
ID 382040 Config sync fails after changing IP address of a pool member with a node name. IP addr change achieved by deleting the pool member and node then recreating the pool member/node. Delete an existing pool member which has a node name set. Recreate the pool member with a different IP address using the same node name before syncing the config. Workaround: Current work around is to delete the pool member and node on the peer then sync the configuration. The issue does not affect pool members/nodes with no name associated with the node.
ID 382109 When a power supply is removed, there is no warning or alert message on the console. PSU changes can still be detected from "tmsh show sys hardware", and when there is insufficient power from the PSUs plugged in, there will be NOTICE log messages in /var/log/ltm. Workaround: None.
ID 382335 When particular combinations of modules are provisioned, it's possible for the Memory graph on the System > Resource Provisioning page to show a small white rectangle at the end of the Management Memory Allocation. This is due to a rounding error and does not reflect a problem with the system. Workaround: None.
ID 382577 The imish "terminal monitor" command has no effect in TMOS. Workaround: The workaround is to configure the log file (under /var/log) and use the tail command to monitor it in real-time. This workaround only works for users with access to bash.
ID 382613 On VIPRION 4400 chassis containing B4100 blades, the Speed LED stays with solid yellow when at 10Mb. This is not an indication of a problem with the system, even though the Platform Guide: VIPRION 4400 Series indicates that the Speed LED should blink yellow. Workaround: None.
ID 382804 There is a difference in time zone adjustment between VPE and tmsh. When a date and time is entered in tmsh, it is interpreted as local time. The input time is adjusted and stored as GMT time. However, when a date and time is entered in the VPE, there is no time zone adjustment. For this reason, the timestamp entered through tmsh will be different than the one entered through the VPE for the same date and time. As a result, pre-logon inspection will fail when using tmsh to configure the agent for endpoint Linux check file. The recommended workaround is to use the VPE to configure the agent for endpoint Linux check file. If tmsh must be used, then subtract or add the difference from your time zone with respect to GMT. PST time zone is -8:00hr from GMT. The date and time for the agent must be -8:00hr from PST. Workaround: None.
ID 383128 While upgrading or booting between versions on the VIPRION B2400, B4200, and B4300 Blade Series, it should be expected that firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. Workaround: None.
ID 383442 If a packet is split into multiple fragments and the matching part of the tcpdump filter would be in a later fragment, it will not match. Workaround: None.
ID 383590 When upgrading multiple machines that are members of the same trust domain, it is possible during mid-upgrade that there will be inconsistent sync status messages across the trust domain. Once the upgrades are complete, and all machines are in running state on the same version, the sync status should return to a consistent status across the domain. Workaround: None.
ID 383692 SSL monitoring exhibited problems with servers running old versions of OpenSSL. Workaround: None.
ID 383737 Ha-group and other ha methods are incompatible. The ha-group must either be enabled on all devices in the failover device group or it must be disabled on all devices in the failover device group. It is important to disable ha-groups before adding additional devices to the device trust. Workaround: None.
ID 384103 Intra-chassis connection mirroring may drop connections on trunks with LACP disabled. Enabling LACP is a best practice on all trunks and improves the reliability and speed of connection mirroring. Note that you will need to enable LACP on all devices that are members of the trunk. Workaround: None.
ID 384111 The BIG-IP system may not apply the nexthop iRule command when used in an iRule with other Layer 3 iRule commands. If an iRule performs the 'nexthop' command, but a destination IP address is chosen by pool or node selection, the destination VLAN and MAC address will be a route to the selected destination IP instead of the requested nexthop. This issue occurs when all of the following conditions are met: -- One or more iRules associated with a virtual server uses both the nexthop iRule command and one of the following Layer 3 iRule commands: - pool, - node, - forward. Both the nexthop command and Layer 3 load balancing iRule command are triggered in the same connection. This issue may also occur when the nexthop and Layer 3 forwarding commands are in separate rules associated with the same virtual server. The connection may be forwarded to the incorrect node or pool. As a result of this issue, it might appear that the nexthop command is ignored, with the other Layer 3 load balancing command taking precedence. Workaround: None. For more information, see SOL14196: The BIG-IP system may not apply the nexthop iRule command when used in an iRule with other Layer 3 iRule commands, available here:
ID 384717 While viewing "watch-trafficgroup-device", if the devices in the device group change, the "watch-trafficgroup-device" can sometimes become non-responsive. Killing the tool and restarting after the device group membership stops changing will keep the "watch-trafficgroup-device" running stable. Workaround: None.
ID 384766 When CPC client (ZebOS nsm daemon) disconnects and at the same time either a static route is added or removed or RHI causes a new or withdrawn advertisement, tmrouted may segfault due to iteration through a freed entry in a list. ZebOS nsm daemon disconnects and at the same time a route change occurs. Workaround: None.
ID 385345 Automatically configuring the management port IP address via DHCP is not supported on VIPRION platforms in BIG-IP software versions 10, 11.0, 11.1 and 11.2. Workaround: None.
ID 385508 Loading a pre-11.0 ucs onto a system running 11.0 or later will reset the device trust group, and should be avoided after the original migration. Save a new 11.0 ucs immediately after migration to 11.0 is complete and use this one going forward. Workaround: None.
ID 385656 Upon provisioning, deployment or disabling of a guest, administrative users logged into the vCMP host gui may be logged out prematurely. Logs detailing an invalid password change will be present and should be considered innocuous. err mcpd[8153]: 01070366:3: Bad password (admin): BAD PASSWORD: it is too short err mcpd[8153] 01070366:3: Bad password (root): BAD PASSWORD: it is based on a dictionary word Workaround: None.
ID 385796 The load status of the MCP daemon as shown by "tmsh show sys mcp-state" can become "config-load-in-progress" very infrequently. The other accompanying symptom is the lack of any error messages in the log files. This can be remedied by running "tmsh load sys config partitions all". Workaround: None.
ID 385825 The CMI watch_* scripts (like watch_devicegroup_device) should not be allowed to run indefinitely as they may adversely affect performance of the box after a few hours. Workaround: None.
ID 385915 After updating interface configuration from the web interface, the value of lldp-tlvmap changes from default of 130943 to 114552. None. None. Workaround: Manually modify the value as needed.
ID 386419 11.2.x has an updated version date. This means all users installing 11.2.x on vCMP guests first need to renew their license on the hypervisor. This helps ensure uninterrupted service on the guest as it starts up for the first time. Workaround:
ID 386778 IPsec in HA deployment cannot use anonymous ike-peer. Workaround: - Create a new ike-peer with the required remote IP field holding the remote peer's IP address. - If using PSK you are OK. If using RSA (the default), uncheck the verify certificate field. - Change the presented ID and verified ID fields to "address".
ID 387070 Using remote authentication, a remotely authenticated user can use ssh to login, but console login is denied. There is no workaround for this issue. Workaround:
ID 387106 Ramcache statistics will be associated with only one virtual server per profile. The statistics for all of the virtual servers that use this profile will be reflected in the ramcache statistics for that virtual server. The workaround is to create a copy of the Web Acceleration profile for each virtual server if the individual statistics are desired. However, this adds complexity to the configuration and should only be done when necessary. Workaround: None.
ID 387448 When monitoring a device group status from a device that does not belong to that group, the config sync status reported could be inconsistent with the device-level status. For example, the sync status for device A is 'Changes Pending,' but the device-group to which device A belongs shows a status of 'In sync.' The workaround is to view the sync status from a device in the device group. Workaround:
ID 388098 dmesg may display a message similar to the following: localhost warning kernel: hda: host side 80-wire cable detection failed, limiting max speed to UDMA33 This is expected and does not indicate any problem with the hardware or software. Workaround:
ID 388273 On a VIPRION, the failover daemon will not be able to communicate correctly with the peer chassis unless the customer configures the management port on each blade. Workaround: None.
ID 389642 The "route" command will not display multiple nexthops for a route. If you have routes with multiple nexthops, use the "ip route show" or "ip -6 route show" command to view them, instead. Workaround: None.
ID 389912 When a single blade chassis is in the standby mode, there is no blade LED indication that the chassis is in standby mode. Workaround: None.
ID 389924 If multiple nexthops to a destination prefix are learned via dynamic routing (ECMP), traffic originated from the Linux host will only use one nexthop for all traffic to that prefix. Traffic passing through tmm will use all available nexthops. Workaround: None.
ID 389976 There is a memory leak in the kerberos delegation feature. There is no current workaround. Workaround: None.
ID 390248 Devices outside of a device group but in the trust domain may have an out-of-date Commit ID (CID) or Last-Successful-Sync (LSS) ID, causing configsync status to be displayed incorrectly on some devices and not others. Workaround:
ID 390423 Performing a 'sync from group' currently causes a mismatch in LSS "Last Successful Sync" IDs such that viewing configsync status will be incorrect on some devices and not others. Workaround: None.
ID 390764 BFD session may not show the correct session "Up Time" value when user displays BFD session information using the IMI shell command 'show bfd session detail'. This is due to a known issue in the current implementation where any innocuous session parameter update resets the session Up Time value. The actual BFD session itself functions correctly. Workaround: None.
ID 391947 Pasting a large quantity of characters into an SSH client can result in dropped characters. To work around this, divide the characters being pasted into the client into several smaller paste operations. Workaround: None.
ID 392085 On a standalone BIG-IP system, on the properties screen for Device Management, the Force to Standby button may become available. Since this is a standalone unit and there is no active-standby pair, this button is not valid and it should not be clicked. Workaround: None.
ID 392702 Modifying the traffic-group of a configuration object with "floating" set to "disabled" will silently fail. To work around this, set "floating" to "enabled" before modifying the traffic-group. Workaround: None.
ID 393150 When loading a configuration with 42,000 items or more on a system with 8 GB of memory, you may experience up to 45 seconds of extra load time. To avoid this extra time, you can issue the following command before loading: "tmsh modify sys db provision.extramb 512". Workaround: None.
ID 393647 The availability status for objects configured with a connection rate-limit can remain yellow even if the object is available to handle traffic. Once the connection rate falls below the configured value, the object's status will continue to show unavailable until the object receives additional traffic. This is a cosmetic issue and is limited to testing scenarios where the test tool stops sending traffic upon receiving a reset packet. ApacheBench is one such tool. In real world scenarios, continued traffic processing will automatically restore the correct status. Workaround: None.
ID 395208 On the BIG-IP 2000 and 4000 family of platforms, messages such as "subscriber(%pfmand): Snapshot for req_id(XX) getting removed due to timeout." will appear in the ltm log. These messages are innocuous and should be ignored. Workaround:
ID 395269 Reapplying a template to reconfigure an Application Service Object will delete any firewall rules that have been created through the Security screen. To retain a set of firewall rules, include creation of the desired firewall rules in the template itself. Workaround: None.
ID 395720 On the BIG-IP 4000 platform, sometimes on boot, Ethernet devices do not get renamed. For example, eth6 should be renamed to pf1-7. Workaround: To work around this issue, reboot the device.
ID 395882 Using liveinstall with the save and transfer config options enabled to install another image of unlicensed 11.2.1 can cause the second volume's install to take extremely long to reach active status. Workaround: None.
ID 396122 In a non-homogeneous cluster, validation on a secondary blade may fail if the module is not allowed or resources are not available. Workaround: Make sure the primary member of a cluster is the blade with the least available resources (Puma1).
ID 396273 When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is likely a firmware bug on this device. Contact the card vendor for a firmware update. This can occur when 'lspci -vvv' has been executed. This is a benign message, and you can safely ignore it. Workaround: There is no workaround, but this is not a functional issue.
ID 396278 If you set MGMT IP address using the LCD module, the ltm log contains a message stating the management route was not found. This is the message: Aug 31 12:01:20 localhost err tmsh[9771]: 01420006:3: 01020036:3: The requested management route (/Common/default) was not found. This is a benign logging message, which is reporting a non-existent error condition. Workaround: None.
ID 396293 SNAT bounceback does not work when the non-default CMP hash is used on a vlan carrying that kind of traffic. Workaround: None.
ID 396294 At startup, the BIG-IP 4000 logs a message "SwEdge Error: No core edge found" in /var/log/ltm. This message is benign and reports a non-existent error condition. Workaround: None.
ID 396729 If you have configured two mirroring connections (both a primary and secondary pair), when the inactive mirror connection is dropped and then re-established, fastL4 connections expire on the standby after the timeout. To work around this issue, configure only one mirroring connection. Workaround: None.
ID 396831 Provisioning Virtual Clustered Multiprocessing (vCMP) on the 4000 platform can cause a kernel panic. vCMP is not supported on the 4000 platform and the UI should not permit it to be provisioned. Workaround: Check the AskF5 website for a list of platforms supporting vCMP.
ID 397146 DNS Services/DNSSEC/ GTM licensing is required in order to use the DNS firewall. Workaround: None.
ID 397638 While performing a liveinstall, use the command "tmsh modify sys global-settings mgmt-dhcp disabled" to preserve the static management-ip. Workaround: None.
ID 398947 It is possible that the text "serial8250: too much work for irq4" may be seen on the host serial console. These messages are extremely rare. The cause of the message is a temporary overload of the serial port. However, once the serial port has recovered from the overload, it continues to operate normally. No character loss on the console has been observed when this condition is encountered. Workaround: None.
ID 399073 Encountering the error "err ntpd[5766]: Frequency format error in /var/lib/ntp/drift" in /var/log/daemon.log once after boot is an innocuous condition. Workaround: None.
ID 399213 On 11.2.1 IPv6 traffic passing over trunks on a 4000 platform does not get hashed by IP address, but rather by MAC address. This often ends up mainly using one link of the trunk. Workaround: None.
ID 399470 Switch based platforms do not support Fiber Channel SFP modules. Workaround:
ID 399622 Mcpd validation will fail and cause daemons to restart if the volume sizes on a cluster are not the same on all blades and the web-acceleration profile cache size or the sum of the cache sizes is set higher than the datastor volume size on a secondary blade. Workaround: Make sure all volume sizes on a cluster are the same on all the blades. Or make sure web-acceleration profile cache size or the sum of the cache sizes is smaller than the smallest datastor volume.
ID 400078 When removing a pluggable module from some specific Centaur or Treadstone ports, it is possible for the adjoining ports to lose link briefly. For example, removing a pluggable module from Centaur ports 1.1 or 1.5 may cause established link on ports 1.2 or 1.6, respectively, to drop briefly. Workaround: None.
ID 400346 A server_name field populated with a properly formatted URL in a DHCP response may cause the dhclient process to generate an error in daemon.log. The error message "err dhclient: suspect value in server_name option - discarded" is innocuous and can safely be ignored. Workaround: None.
ID 400584 The TMSH command "ltm lsn-pool" allows you to create a pool with an empty member list. However the lsn-pool will not be functional until a memberlist is configured. Workaround: None.
ID 400778 On a VIPRION system, during a failover in which a blade is transitioning from secondary to primary, log messages make it appear that chmand is looking to delete logical disks on CF1 and HD1. This occurs on a VIPRION system. The VIPRION posts messages: 'Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete', 'Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete'. Workaround: None. These messages are benign and you can safely ignore them.
ID 401412 The default dhclient request elements can be displayed with the command "tmsh list sys management-dhcp sys-mgmt-dhcp-config". These elements can be managed by using add/delete statements under the management-dhcp object. This example disables updates to the system hostname from DHCP: tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { host-name } Workaround: None.
ID 401429 Power health checks that were previously only performed on Predator P4 chassis are needed on P8 and Victoria chassis as well. In addition, the following unused variables need to be removed. sys db platform.powersupplymonitor.1 sys db platform.powersupplymonitor.2 sys db platform.powersupplymonitor.3 sys db platform.powersupplymonitor.4 sys db Workaround:
ID 401739 Creation of a large number (>10000) of custom categories or applications could lead to memory exhaustion and possibly crash the BIG-IP. Workaround: None.
ID 401917 When disk space is available on the primary blade of a chassis, but not available on one or more of the secondary blades mcpd validation will fail on the secondary blade(s) and cause mcpd to restart. Workaround: Use the GUI or tmsh to remove any unused application volumes from secondary blades.
ID 402004 When the persistence mode or address range of a LSN pool is changed and there are active persistence mappings, the "Total Active Persistence Mappings" statistic will not immediately reflect the change. Any currently active persistence mappings that are invalidated by the change will continue to be counted until they expire. Workaround: None.
ID 402115 Using the command 'tmsh show sys memory' displays zero usage for some entries. Any running product. The division of memory usage may not be clear. Workaround: None.
ID 402455 Before attempting synchronization using the GUI setup wizard, clocks of the BIG-IP devices must be synchronized. It is recommended to use an NTP server for this. Workaround: None.
ID 402551 On BIG-IP 4000 Series platforms, any trunk which does not consist of 1,2,4, or 8 members will have imbalanced traffic. Workaround: On BIG-IP 4000 Series platforms, use trunks with 1,2,4, or 8 ports in order to balance traffic evenly across links. Non-power-of-two configurations will work, but traffic will not be balanced.
ID 402743 In a rare case after upgrade, BIG-IP will fail to create a new ClientSSL profile. Workaround: Restarting mcpd fixes this issue.
ID 402811 On hypervisor systems that host a BIG-IP Virtual Edition system, memory reservation should be configured as 100% of the Virtual Edition memory allocation. Workaround: None.
ID 402855 If a config is created with route domains and a config is created that is identical except without any route domains, then while one config is loaded, a load of a UCS of the other config may fail. Workaround: Clear the current config by loading defaults before loading the UCS, i.e.: tmsh load sys config default ; tmsh load sys ucs <ucs_name>
ID 402864 If /var/tmp is full, MySQL queries can fail. For example, during an event logs report generation (under Security -> Event Logs) the error shows up in the GUI and /var/log/avr/monpd.log contains the line below: Because : Error writing file '/var/tmp/......' (Errcode: 28) Workaround: Free some space under /shared disk partition.
ID 403002 It is not possible to set up configuration synchronization using a configsync-ip on a nonzero route domain, but the system does not prevent you from configuring a device in this manner. Workaround: None.
ID 403042 The DNS Security profile and DNS settings of the DoS profile are available when either PSM or ASM are provisioned but require base DNS support to function. This is provided by the GTM, LC, and DR modules or one of the following add-on modules: DNS Services AWS Add-on: DNS DNS Services, Virtual Edition VIPRION ADD-ON: DNS License Workaround: None.
ID 403440 The system may encounter memory problems when attempting to display the entire connection table during peak traffic. To prevent system problems, please use filters to display only specific parts of the table per query. Workaround: None.
ID 403613 The drop counters for the 1.x interfaces on the 2000s / 2200s and 4200v platforms currently do not work in LTM mode due to a hardware issue. Workaround:
ID 403688 Hardware syncookies currently require both client side and server side profile context to have hardware syncookies enabled in order to function. Workaround: None.
ID 403764 If a log message is not matched by any filter, then the log will be processed by the syslog-ng daemon. Workaround: To disable log processing by the syslog-ng daemon, create a filter with source equal to "all" and level equal to "debug" then route as desired.
ID 403829 When editing the configuration of a SNAT, changing the Translation type from IP Address to SNAT Pool will result in an error. Workaround: Use tmsh to modify the SNAT pool with the following command: tmsh modify ltm snat my_snat { snatpool /Common/my_snat_pool }
ID 404398 Using tmsh merge to update route-domains will not work. Workaround: A workaround is to manually merge the changes to /config/bigip_base.conf (or /config/partitions/<partition_name>/bigip_base.conf) and load.
ID 404443 The VIPRION 4800 chassis only supports blades running 11.3.0 software. If you attempt to add a blade running older versions, it will be unable to join the cluster and some daemons on that blade might begin restarting repeatedly. Workaround: None.
ID 404545 It is not necessary to run the eud_log command on the 10200v platform because the eud.log file is already in the \shared\log directory. Workaround: None.
ID 404588 LSN iRules persistence-entry get/set and inbound-entry get/set may not work properly for RTSP if "after" command is used Workaround: None.
ID 404659 State mirroring within the eight-blade VIPRION 4800 chassis is not supported for this release. To workaround this, mirror between two separate chassis. Workaround:
ID 404668 Device sync can be lost between a device with GTM and LTM licensed and provisioned, and a device with LTM licensed and GTM provisioned but not licensed. This can arise when loading scf files even if they reflect the current configuration. To work around this, after you load back the scf files and then save them, run a tmsh load cmd. This 'activates' the trust and requests a sync for the device group. Workaround: None.
ID 404711 To prevent config sync issues, you should ensure that non-floating self-IP items are not dependent on system unique resources that do not also config sync. For example, a tunnel used by a self-IP should be placed in a folder that does not sync (the devicegroup setting is set to 'none'). Workaround: None.
ID 404858 If you have wccp configured, you can ignore all synchronization failures related to wccp, but pay attention to any other errors that might occur. Workaround: None.
ID 405255 Issuing a 'reset-stats net interface' command in tmsh does not clear the stats for an interface with status 'disabled'. Enabling the interface with 'modify net interface x.y enabled' before resetting stats causes the stats to correctly clear. The interface can be disabled again afterwards if desired. Workaround: None.
ID 405289 Prior versions of BIG-IP with HTTP profiles having cookie encryption enabled would sometimes pass through cookies that would fail to decrypt. Some connections with undecryptable encrypted cookies would be reset. Only affects LTM virtual servers with an HTTP profile configured to encrypt cookies and only for those encrypted cookies. Undecryptable encrypted cookie values may be passed back through the BIG-IP to your server. Some connections with undecryptable encrypted cookies would be reset. Workaround: Make server cookie values for cookies to be encrypted be a multiple of four in length or validate the returned cookie value through other means, such as a changing nonce.
ID 405356 Hot swapping hard drives at a rate of approximately once per second may result in the drive failing to show back up after insertion. Occurs when the swapping occurs at a rate of approximately once per second. Loss of access to an affected drive. Workaround: It is possible to recover missing devices by manually forcing the kernel to rescan the SATA/SCSI host bus.
To find out how many SATA/SCSI busses you have:
    shell> ls -l /sys/class/scsi_host/
    drwxr-xr-x 3 root root 0 Feb 12 19:01 host0
    drwxr-xr-x 3 root root 0 Feb 12 19:01 host1
    drwxr-xr-x 3 root root 0 Feb 12 19:01 host2
    drwxr-xr-x 3 root root 0 Feb 12 19:01 host3
    drwxr-xr-x 3 root root 0 Feb 12 19:01 host4
    drwxr-xr-x 3 root root 0 Feb 12 19:01 host5
To find out which device(s) may have an error, perform the following:
    dmesg | grep -i sata
Example output (indicating host bus 1 (ata1) is down):
    ata1: SATA link down (SStatus 0 SControl 300)
If you know the host interface which you need to rescan, perform the following (wildcarding the Channel, Id, and LUN with '- - -'):
    shell> echo '- - -' > /sys/class/scsi_host/host<n>/scan
(Replace the <n> with the number of the SATA/SCSI host bus to be rescanned.)
NOTE: Do not perform this procedure on a mounted device!
To verify the device was recognized and attached by the SATA/SCSI subsystem, use the proc interface:
    shell> cat /proc/scsi/scsi
An example of the output:
    Attached devices:
    Host: scsi0 Channel: 00 Id: 00 Lun: 00
    Vendor: ATA Model: WDC WD1000CHTZ-0 Rev: 04.0
    Type: Direct-Access ANSI SCSI revision: 05
    Host: scsi1 Channel: 00 Id: 00 Lun: 00
    Vendor: ATA Model: WDC WD1000CHTZ-0 Rev: 04.0
    Type: Direct-Access ANSI SCSI revision: 05
Notice that after the "Attached devices:" line above, there are 3 lines for each recognized device. Each host will show its host bus number. In the example above there are two devices: host bus 0 (scsi0) and host bus 1 (scsi1).
ID 405435 When integrating with Thales network HSM and the configuration is not correct, netHSM driver could crash TMM. Workaround: None.
ID 405539 The GUI shows an incorrect status for an interface. After you disable and re-enable the interface, it still shows as DISABLED. The correct status returns after a reboot (until the interface is next disabled). Workaround: None.
ID 405844 The racoon daemon will be killed by the Linux kernel when the system is running out of memory. This issue happens when the IKE daemon uses a preshared key to authenticate a peer thousands of times or to authenticate thousands of peers. This limits IPsec scalability to thousands of IKE peers using a preshared key. Workaround: Use an X.509 certificate to authenticate the IKE peer instead.
ID 406141 For all hardware platforms that are in an unlicensed state, LED behavior is undefined. Workaround: None.
ID 406238 FTP active mode data connection does not work from the BIG-IP system command line, if the connection is exiting through an interface with SP DAG. Workaround: Use FTP passive mode for data transfer.
ID 406590 This occurs only when you have two power supplies installed and pull one. Workaround: None.
ID 406878 If you have a version of TMOS on multiple devices configured for sync, when you upgrade them all to a later TMOS version, there might be inconsistency in what versions one device reports as being present on other devices. You can run the command list cm device to see the version/build reported. This occurs after upgrading members of a trust domain from TMOS v11.0.0 or later. Sync occurs correctly; this is only a cosmetic problem. Workaround: Make a change to the device's description field, or some other non-operational change. This forces the device to advertise an updated trust configuration, including the updated version field.
ID 406967 An issue occurs when a power supply is plugged into the chassis, whereby the status of the supply goes to "present", but the power supply has not yet transitioned to "Power Good". This is normal behavior for the power supply. There is a short amount of time (500 mSecs) required for the power supply to ramp up to the good status. Although that window is short, a cached read of that status is reported to BIG-IP. Hence, the power supply is present, but "not good". This causes a blinking red emergency alarm when, in fact, no real issue exists. A fix is going to be put into place that provides more hysteresis around power supply insertion to avoid the emergency alarm issue. Workaround: None.
ID 408810 BIG-IP with Vyatta neighbor on a single link may appear to be stuck in ExStart/Exchange state because Vyatta incorrectly drops a database description packet containing a 24 byte router-LSA (zero link LSA). Workaround: None.
ID 409059 Hairpin connections are not supported for NAT64. Workaround: Hairpin via upstream router
ID 409697 A user cannot create certificates and keys in subfolders using the web interface. Creation of keys and certificates in subfolders using UI. Workaround: Use tmsh/iControl.
ID 410051 Umem (variable) memory stats seem to grow to abnormally high values on the customer's system. During normal operation, umem (variable) grows over time and never decrements. Apparent eventual memory starvation on the system. Workaround: N/A, aside from restarting TMM.
ID 410114 When OSPF protocol running on BIG-IP system sends a 24-byte router LSA, Vyatta discards such an LSA and this may cause OSPF protocol to get stuck in ExStart/Exchange and never reach FULL state. This occurs intermittently. OSPF v2 protocol configured between BIG-IP system and a Vyatta neighbor. OSPFv2 protocol does not synchronize without manual intervention. Workaround: In imi shell, 'clear ip ospf process'. May need to do this a few times.
ID 410223 For a virtual with a SIP profile configured as an ALG using the TCP transport, TCP FIN and RST packets are being unnecessarily sent by the BIG-IP to multiple peer clients/servers when one of the client/servers issues a FIN or RST packet. SIP ALG TCP virtual configuration and one of the clients/servers send a FIN or RST packet to the virtual. Unless the SIP clients/servers are configured to automatically reconnect when they receive an unexpected FIN or RST, the in-progress sessions/calls that are using the connection being closed will fail. Workaround: Add the following mblb profile to the SIP virtual: ltm profile mblb /Common/test { defaults-from /Common/mblb isolate-abort enabled isolate-client enabled isolate-expire enabled isolate-server enabled }
ID 410791 In 11.2.0 VE, the default value for "sys global-settings mgmt-dhcp" is enabled. If the user has not specified this config (using default) on 11.2.0 VE, when rolled forward from it to 11.4.0, this config will be set to "disabled" since 11.4.0's default value is disabled. After upgrade, the user has the DHCP-supplied address used as static. Workaround: Reconfigure management interface manually after upgrade.
ID 411569 If an Emerson/DC supply is removed while the appliance is operational, the power status in tmsh show system hardware does not reflect the correct status (i.e., down); it still displays the power as up. Emerson power supply affects BIG-IP 5000/7000 platforms only. DC power supply affects BIG-IP 5000/7000 and 10000 platforms. Unplug one power supply during operation. tmsh show system hardware does not display the correct status of the power supply when it is missing. Workaround: Rebooting the AOM is the only way to guarantee that the PSU status is correctly displayed after a power supply is removed or inserted. This can be done from the AOM menu with the "A" command.
ID 411636 If the user commits the changes, this is what users will see: "Disable DCHP from LCD before setting IP". LCD System is enhanced with a new menu for DHCP. This menu reflects the current DHCP value set either via LCD DHCP or via other means like tmsh or config script. If the DHCP value is enabled, the LCD System Management menu still allows the network operator to type values for the management data. However, the network operator cannot commit successfully; an error is shown on the LCD stating "Disable DCHP from LCD before setting IP". Appliance boxes only. Workaround: If users want to enter an IP address, disable DHCP first in the LCD.
ID 412433 When using a suspending iRule, the flow will stay around as long as the iRule is suspended. This will apply to any suspending iRules command. Once the iRule has completed, the flow may be cleaned up or timed out. An iRule that suspends (such as "after") and an attempt to delete a connection, or the connection times out. The connection will not be deleted even though it is idle as it still in use by a suspended iRule. This is the desired behavior, but the behavior is different from versions prior to 11.3.0. Workaround: None.
ID 413169 BGP does not work on v11 when the bgp capabilities negotiation is turned on. Workaround: This problem is fixed in 11.3 and later versions.
ID 413236 TMSH uses 256 bytes to store the client-ssl profile name, but SSL uses 31 bytes (the 32nd byte is '\0') to store the client-ssl profile name and partition name. For example, the full name is "/Common/", but SSL cuts it to "/Common/". SSL uses the profile's full name as the hash index to store the profile, but it uses the profile's shortened name to find the profile. This causes a full handshake instead of resumption. SSL profile with name length >= 32 bytes. SSL resumption does not work. Workaround: Change the SSL profile name to a length < 32.
ID 413659 Using a user defined certificate authority during trust reset results in bad issuer errors when verifying the device certificate. Workaround: Use a self-signed certificate.
ID 414018 Hairpin connections between different subscriber hosts fail. The subscriber network(s) and the internet are in different route domains. Applications on different subscriber hosts cannot establish connections. Workaround: Use the same route domain for the subscriber networks and the internet.
ID 414160 Configuring the VLAN used for inter-device mirroring for an IP cmp-hash mode may cause errors establishing the mirroring connection between devices. Workaround: Configure the VLANs used for the mirroring connection with the default cmp-hash mode, not an IP cmp-hash mode.
ID 414245 Using TMSH "edit /ltm virtual <vs-name>" where vs-name already exists will open the editor with a default "create" template instead of a fully populated "modify" template. Create a virtual server and attempt to modify via TMSH "edit /ltm virtual" command. A command line full-screen editor cannot be used to modify an existing virtual server. Workaround: Use the TMSH "modify /ltm virtual" syntax to make the desired changes instead.
ID 414454 When you update an iRule and replace an event that contains script content with a blank script, TMM cores with a stack trace. In response, TMM cores because it is trying to compile an empty script. Note that when creating a new iRule, there is a check for adding an event script with no content, so the error does not occur on create. This occurs when replacing iRule events containing valid Tcl code with whitespace or with no Tcl code. When the issue occurs, TMM cores with stack trace. Workaround: The workaround is to delete or comment out the empty event, or insert a comment.
ID 415055 Password protected key is not supported in 11.4.0. Workaround: None.
ID 415483 License not operational after a downgrade from a software version 11.2.1 or later to a software version 11.2 or earlier. Software downgrade. License not operational. Workaround: New License Key or request "allow move".
ID 415716 The iControl REST service offers an API designed for managing a BIG-IP device. The iControl REST service is accessible through HTTPS on any BIG-IP interface. Typically, you access iControl REST through its management-IP address, the one you use to access tmsh or the BIG-IP GUI. The BIG-IP device runs rate-limiting software on its management interface, which can artificially slow down script or program calls to iControl REST. Workaround: Use an alternate BIG-IP address for iControl REST, such as a self-IP address.
ID 415961 Unused HTTP Class profiles are not rolled forward. If you have defined HTTP Class profiles but have not assigned them to virtual servers, the system does not bring forward those profiles into the new configuration when you upgrade. BIG-IP v10.x or v11.y (y < 4) with a httpclass profile not attached to a virtual server. May lose unused httpclass profile config. Workaround: To work around this, assign unused HTTP Class profiles to a virtual server before upgrading.
ID 415991 Active FTP fails when there is no route back to the client. It used to work in 11.1.0 with auto lasthop. Active FTP client at least 1 hop away from the BIG-IP; BIG-IP with no route to the client. Active FTP fails. Workaround: Add a route to the client.
ID 416496 Cancelling tmsh during a show command might restart TMMs. The TMM processes, and possibly mcpd, may restart because the process runs out of memory if the command 'show sys connection' from tmsh is interrupted while processing. This intermittent issue occurs when the system has a large number of active connections in the TMM processes (number varies by platform), and tmsh is formatting the connection table for output. System restarts cause all connections to be lost, and the appliance is unusable for a short time while the processes begin again. Workaround: None, but you can prevent the issue from occurring by waiting for tmsh to complete the collection and formatting of connection table information. Specifically, do not interrupt the operation from the command 'show sys connection'.
ID 416839 When the vxland process starts or restarts, the system logs a message similar to the following in /var/log/ltm: ltm4 err vxland[12801]: 01140019:3: String offset 0x0 invalid. The error occurs whether or not there are vxlan tunnels defined in the configuration. This is a benign, cosmetic error and has no functional impact. Workaround: There is no workaround.
ID 417526 When a power cable is reconnected to a power supply, a message will typically show up in the log /var/log/ltm like this:
    Mar 29 11:09:37 SJPtengs-Treadstone notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good
But sometimes, the status may switch from Good to Bad, then back to Good within seconds:
    Mar 29 11:09:37 SJPtengs-Treadstone notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good
    Mar 29 11:09:37 SJPtengs-Treadstone crit chmand[9322]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV04G): Bad
    Mar 29 11:09:40 SJPtengs-Treadstone notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good
This may happen when a power cable is disconnected, then re-connected to an AC power supply. This does not affect the normal operation of the BIG-IP. It simply means it may take a few seconds for the fan in the power supply to go up to speed. Workaround: None.
ID 417548 If thousands of FIPS keys are configured, it is possible to cause an out of memory error in the web UI. This will present itself as a blank page in the GUI. When thousands of FIPS keys are configured this sometimes will happen. Workaround: A simple workaround is to use TMSH to list FIPS keys. Or run tmsh modify sys db provision.tomcat.extramb value 64. This will increase memory provisioned to GUI database query
ID 418601 "upgrades from versions 10.2.x - 11.3.x TO 11.4 may produce incorrect policy from HTTPClass profiles using REGEX matching. User observes HTTP traffic receiving resets and logs in /var/log/ltm complaining about policy configuration." policy will not function as expected Workaround: build policy in the GUI tool post upgrade
ID 418621 "An iRule has the chatterer ""\"" as a line continuation char within an ""if"" (and likely for or while) body can cause TMM to core when the rule is updated after being executed. Example: ltm rule /Common/myrule { proc myproc { a b } { if { $a != $b } { log local0. ""This is a line \ of text"" } } Save the rule, run it once, then change the text in the first time. TMM will core when the proc is updated" Using a proc with a "\" to indicate the continuation of a string on to multiple lines and updating it. Cores tmm Workaround: Keep the strings on one line.
ID 418685 Unable to execute tmsh when using a custom MIB, because SELinux does not allow snmpd to run tmsh by default. Workaround: Add an SELinux policy that allows snmpd to run tmsh.
1. Reset my policies
# semodule -r <nameofmodules>
2. Restart snmpd
# bigstart restart snmpd
3. Create a new module based on a complete list of AVC messages
# vi audit_snmpd.log
type=AVC msg=audit(1375337597.590:526): avc: denied { execute } for pid=12206 comm="snmpd" name="tmsh" dev=dm-12 ino=154992 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
type=AVC msg=audit(1375338586.172:580): avc: denied { read } for pid=12315 comm="snmpd" name="tmsh" dev=dm-12 ino=154992 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
type=AVC msg=audit(1375338622.864:596): avc: denied { setattr } for pid=12358 comm="tmsh" name="tmsh" dev=dm-0 ino=3063865 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1375338622.865:598): avc: denied { unix_read unix_write } for pid=12358 comm="tmsh" key=-168956060 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:tmm_t:s0 tclass=shm
type=AVC msg=audit(1375338642.258:601): avc: denied { create } for pid=12388 comm="tmsh" name="c6s3XK" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1375338642.285:605): avc: denied { associate } for pid=12388 comm="tmsh" key=-168956060 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:tmm_t:s0 tclass=shm
type=AVC msg=audit(1375338660.669:620): avc: denied { rmdir } for pid=12428 comm="tmsh" name="MznKPU" dev=dm-0 ino=3064056 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1375338660.670:622): avc: denied { read write } for pid=12428 comm="tmsh" key=-168956060 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:tmm_t:s0 tclass=shm
type=AVC msg=audit(1375338660.711:624): avc: denied { write } for pid=12433 comm="mv" name="root" dev=dm-11 ino=47105 scontext=system_u:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375338723.612:643): avc: denied { remove_name } for pid=12495 comm="mv" name=".tmsh-history-root" dev=dm-11 ino=47177 scontext=system_u:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375338741.562:646): avc: denied { add_name } for pid=12532 comm="mv" name=".tmsh-history-root" scontext=system_u:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375338741.777:647): avc: denied { add_name } for pid=12533 comm="tmsh" name=".tmsh-history-root" scontext=system_u:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375338756.189:650): avc: denied { create } for pid=12563 comm="tmsh" name=".tmsh-history-root" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338772.068:655): avc: denied { read append } for pid=12598 comm="tmsh" name=".tmsh-history-root" dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338772.069:656): avc: denied { read write } for pid=12598 comm="tmsh" name=".tmsh-history-root" dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338792.149:660): avc: denied { lock } for pid=12633 comm="tmsh" path="/root/.tmsh-history-root" dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338806.671:665): avc: denied { getattr } for pid=12673 comm="mv" path="/root/.tmsh-history-root" dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338819.790:669): avc: denied { unlink } for pid=12716 comm="mv" name=".tmsh-history-root" dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375338832.287:672): avc: denied { relabelfrom } for pid=12753 comm="mv" name=".tmsh-history-root" dev=dm-11 ino=47116 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1375338845.499:681): avc: denied { relabelto } for pid=12792 comm="mv" name=".tmsh-history-root" dev=dm-11 ino=47116 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1375343821.370:1020): avc: denied { execute_no_trans } for pid=15279 comm="snmpd" path="/usr/bin/tmsh" dev=dm-12 ino=154992 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
# audit2allow -M snmpdallow < audit_snmpd.log
# semodule -i snmpdallow.pp
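The workaround for ID 418685 installs whatever audit2allow derives from the listed denials, so it helps to see the resulting grants before running semodule -i. The following is an added example, not part of the F5 release note: it groups AVC denials into allow rules and lists the ones that let the snmpd domain modify objects. The function names are illustrative, and the rule text approximates audit2allow output rather than reproducing it.

```python
import re
from collections import defaultdict

# Sample input: five denials copied from the audit_snmpd.log listing in the
# ID 418685 workaround. Two records share one line on purpose, as happens
# when log text is pasted or extracted.
SAMPLE_LOG = '''\
type=AVC msg=audit(1375337597.590:526): avc: denied { execute } for pid=12206 comm="snmpd" name="tmsh" dev=dm-12 ino=154992 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
type=AVC msg=audit(1375338622.865:598): avc: denied { unix_read unix_write } for pid=12358 comm="tmsh" key=-168956060 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:tmm_t:s0 tclass=shm type=AVC msg=audit(1375338741.562:646): avc: denied { add_name } for pid=12532 comm="mv" name=".tmsh-history-root" scontext=system_u:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1375338772.068:655): avc: denied { read append } for pid=12598 comm="tmsh" name=".tmsh-history-root" dev=dm-11 ino=47176 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1375343821.370:1020): avc: denied { execute_no_trans } for pid=15279 comm="snmpd" path="/usr/bin/tmsh" dev=dm-12 ino=154992 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmsh_exec_t:s0 tclass=file
'''

# One AVC denial: the permission set, then the three fields a rule is built
# from. The (?!avc:) guard stops a record that lacks scontext from borrowing
# the fields of the record that follows it.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'(?:(?!avc:).)*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)',
    re.S,
)

# Permissions that let the source domain create, change or remove the target.
MODIFYING = frozenset({
    "write", "append", "create", "unlink", "rmdir", "setattr",
    "add_name", "remove_name", "relabelfrom", "relabelto", "unix_write",
})


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("not a security context: %r" % context)
    return fields[2]


def collect_rules(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for match in AVC_RE.finditer(log_text):
        perms = match.group("perms").split()
        if not perms:
            continue
        key = (
            context_type(match.group("scontext")),
            context_type(match.group("tcontext")),
            match.group("tclass"),
        )
        rules[key].update(perms)
    return dict(rules)


def render_allow(rules):
    """Render the grouped denials as allow statements, one per line."""
    lines = []
    for (source, target, tclass), perms in sorted(rules.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        lines.append("allow %s %s:%s %s;" % (source, target, tclass, body))
    return lines


def modifying_rules(rules):
    """Return the rule keys that grant at least one modifying permission."""
    return sorted(key for key, perms in rules.items() if perms & MODIFYING)


if __name__ == "__main__":
    grouped = collect_rules(SAMPLE_LOG)
    for line in render_allow(grouped):
        print(line)
    print("Rules that allow modification:")
    for source, target, tclass in modifying_rules(grouped):
        print("  %s -> %s:%s" % (source, target, tclass))
```

Run against the full audit_snmpd.log, the second list shows every object type the snmpd domain would be able to change once the generated module is installed.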
ID 418709 The LCD module reports "Low fan speed", but does not specify which fan component on the unit is low. Not knowing which component is failing helps neither the customer nor the NSE (for RMA). Workaround: Use the console to determine which fan is low, either by viewing console messages/warnings as they show up, by running 'tmsh show sys hardware', or by viewing the /var/log/ltm file.
ID 418924 Secondary blades in a cluster will go into swap when there are too many iso images in /shared/images. Too many iso images in /shared/images. Secondary blades will be slow. Workaround: Use tmsh or the GUI to delete as many iso images from /shared/images as feasible.
ID 418967 If two iRules in HTTP_RESPOND events are present with different priorities, and the iRule to run first executes "HTTP::retry", the second iRule will cause an error to be generated. Workaround: Perform iRules with HTTP::retry with higher priority.
ID 419345 Change the master key on a standby chassis in a HA pair. The secondary blades of that chassis might see continuous restarts of mcpd and other daemons, accompanied by "decrypt failure" messages in the ltm log. Chassis in HA; Modification of master key on standby chassis. User might not be able to access cluster. Workaround: bigstart restart on secondaries will fix it. Advice: In general do not do master key changes on the standby machine.
ID 419623 If a command that needs to suspend processing (for example, table, session, after, sideband, and persist) is evaluated within the content of an expr block, tmm cores. This occurs when using the table, session, after, sideband and persist commands inside an expr block within an iRule. Workaround: Assign result of command to a variable outside the block and operate on that value.
ID 419730 TMM panics with a message like: "panic: ../modules/hudproxy/bigproto/bigproto.c:4039: Assertion "syncookie" failed" FTP traffic is being processed by the BIG-IP system. The impact is that the BIG-IP system fails over or stops working. Workaround: None
ID 419733 BIG-IP systems configured with additional non-default management routes via static, OSPF or other protocols may encounter a route_mgmt_entry count error during the operation of the "/usr/bin/config" script. Workaround: Alternative methods exist for configuring the mgmt address and default route via the web-based Configuration utility, iControl, tmsh and configuration file load in this release of BIG-IP software. Please refer to the BIG-IP documentation for more information on these methods.
ID 419741 TMM will crash and dump core. Core analysis would be necessary to determine if this bug is the cause. Triggering this bug is difficult and seems to require vip-targeting-vip (e.g. use of the 'virtual' command in an iRule) and more than one blade. In rare situations, the TMM will crash. The system will recover automatically. Workaround: This workaround has not been verified, but in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.
ID 419969 If an FTP virtual server is configured to use a snat pool, passive FTP may use different IP addresses in the snat pool for the data channel and the control channel, which results in failure to set up the data channel. The FTP command will fail. Additionally, selection of a specific snatpool member in an iRule may be ignored, resulting in round-robin selection of a member from the snatpool. Workaround: Don't configure snat for the FTP virtual server, or configure only one pool member in the snat pool if snat is really necessary.
ID 420153 When bwc is attached to an FTP virtual server, passive FTP does not get restricted by the bwc policy. Create a bwc policy and attach it to an FTP virtual server. Bandwidth does not get restricted by the bwc policy. Workaround: Use an iRule or PEM policy to restrict the bandwidth.
ID 420157 TMM may core when validating or running an iRule with a sideband connection made using a variable as a dest whose value is 'NULL'. This occurs when using sidebands whose dest field is a variable, or which could otherwise have a 'NULL' value that the validator does not catch. This occurs when using sidebands with 'NULL' dest value in iRules. When this happens, TMM cores with a Segmentation fault. Workaround: To work around this, ensure that the dest field in a sideband connection has a value, and ensure rules.validation is set to strict.
ID 420184 A transaction fails when you create a new folder and then create an object in that new folder in a batched set of command-line commands. This occurs when a folder does not yet exist, and you try to create the folder and the object in a batched set of command-line commands. The transaction fails with an error similar to the following: 01070734:3: Configuration error: Invalid mcpd context, folder not found (/AAA). Workaround: To work around this, create a folder before using batch commands to create objects in a folder.
ID 420213 You may encounter this error message when attempting to establish trust: 'Could not read response from server: ParseError at [row,col]:[1,236] Message: The processing instruction target matching "[xX][mM][lL]" is not allowed.' This indicates that the device that you are attempting to add is not accessible from the current device (there is no route). Workaround: None.
ID 420344 When BFD is configured between the HA pair neighbor and the HA pair units, BFD fails to establish a session because the IS-IS routing module uses floating self IP address for establishing adjacency rather than non-floating self IP address. BFD is used with IS-IS in HA pair configuration. BFD cannot be used with IS-IS in HA pair configuration. Workaround: None.
ID 420438 In an NSSA configuration with a DR, BDR and HA pair BIG-IP systems, we see three default routes each from DR, BDR and standby BIG-IP system. The standby BIG-IP system shouldn't send out any default routes. NSSA configuration with a DR, BDR and HA pair BIG-IP systems. Traffic is directed to the standby when it should not. Workaround: None.
ID 420485 In v10.2.3, tmm rejects a non-SYN packet if the TCP 3WHS has not yet been established. However, in v11.0.0 and v11.3.0, tmm silently drops the non-SYN packet without a TCP RST. v11.2.1 sends a reset. In 10.2.4, I changed db key "tm.rejectunmatched" to "false" and tested; then, BIG-IP did not send RST to the client. The rstcause was logged as "3WHS rejected" on 10.2.4. tmm rejects a non-SYN packet if the TCP 3WHS has not yet been established. No RST for non-SYN packet. Workaround: None
ID 420573 Using tmsh, import a FIPS-exported key (.exp) into the FIPS card when the keyname contains colon(s). The key is actually imported into the FIPS card but the corresponding file object is not created. The key to be imported is a FIPS-exported key (.exp) with colons in its name. Such a key is actually imported into the FIPS card but the corresponding file object is not created. Workaround: Rename the key to remove the colons while keeping the .exp extension.
ID 420689 A single configuration file (SCF) as generated by "save sys config file <name>" does not contain information describing what configuration objects have synchronized between the device and other devices. Loading the SCF will make the system lose track of this information. Workaround: From one device, run "modify cm device-group <device group name> devices modify { <device name> { set-sync-leader } }".
ID 420776 Discovering the device in EM causes it to be in an impaired state. iRules contain comments that have line continuations. EM fails to completely discover the device, causing some of the configuration objects to be not visible in the configuration viewer and not available for deployment. Workaround: Remove the line continuations from the comments in the iRule.
ID 420789 Occasionally, the standby system crashes in a configuration containing a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled. When the crash occurs, the system posts the following assert: tmm failed assertion, non-zero ha_unit required for mirrored flow. This occurs in 11.4.0 on an active-standby setup in which there is an l4 forwarding virtual server configuration with a wildcard IP address and port, with connection mirroring enabled. The standby crashes. Workaround: None.
ID 420848 When 11.x is installed, the root user description is set to root in bigip_base.conf, and it is set to none upon tmsh save sys config. Upgrade to 11.X from 10.X, then run "tmsh save sys config". Minimal; description changed. Workaround: None.
ID 420933 The GUI Disk Management page will show the error message "No Access" when attempting to add a disk to the RAID array. When observing the array after this error, the user will notice the drive has not been added. The error is encountered if the drive being added back was formerly an array member. The GUI cannot be used to add disks to the RAID array. Workaround: All other disk management interfaces work properly. iControl or TMSH can be used to work around this GUI issue. For example, addition of disk HD2 in TMSH would use the command 'tmsh modify sys raid array MD1 add HD2'
ID 420974 When restoring a UCS archive containing HTTP classes onto v11.4 that cannot be successfully rolled forward, the UCS archive installation will fail, but should leave a partially-converted configuration in the on-disk files (/config/bigip.conf). Instead, the configuration files reflect the current running configuration.
- pre-v11.4 UCS archive restored onto v11.4
- UCS archive contains HTTP classes with regex / glob expressions that cannot be successfully rolled forward
- ASM (and possibly WAM) configuration must be present in the UCS archive.
- BIG-IP should
Makes the manual workaround process for ID419886 more complex. Workaround: The configuration should be present in the configuration directory as the ".bak" files (e.g. /config/bigip.conf.bak). These files can be manually restored (to /config/bigip.conf), at which point the configuration should load with the converted policies (note that the converted policies will still drop traffic until they are manually converted [by an administrator] into proper Local Traffic Policies). Alternative workaround (if your setup matches all conditions):
1) Back up the currently running configuration into a UCS and save it.
2) Reset the BIG-IP configuration (i.e., run command 'tmsh load sys config default').
3) Restore the pre-v11.4.0 UCS archive.
ID 421092 The maximum number of named variables in an iRule is 4,194,304. This may be increased in the future. All. No more than 4,194,304 named variables can exist in an iRule. Workaround: None.
ID 421270 The MBLB profile association adds an extra five seconds of TCP closure time, although the TCP profile specifies immediate Fin Wait, Close Wait and Time Wait. n/a Five second delay even when the timeout specified in TCP profile is immediate. Workaround: None.
ID 421289 mcpd crash when configuring a parent-child rate class. The sum of the base rates of all child rate classes attached to a parent rate class, plus the base rate of the parent rate class, exceeds the ceiling of the parent rate class. mcpd crash. Workaround: As suggested in the manual: always set the base rate of a parent rate class to 0 (the default value).
ID 421401 In a parent-child relationship of the rate shaper on VE with one core, the rate-shaping parent class does not seem to enforce the configured ceiling.
tmsh list net rate-shaping
net rate-shaping class extra {
    ceiling 2mbps
    ceiling-percentage 100
    drop-policy policyname
    max-burst 25k
    parent t3-parent
    queue pfifo
    rate 1240kbps
    rate-percentage 62
}
net rate-shaping class ms {
    ceiling 2mbps
    ceiling-percentage 100
    drop-policy policyname
    max-burst 25k
    parent t3-parent
    queue pfifo
    rate 740kbps
    rate-percentage 37
}
net rate-shaping class t3-parent {
    ceiling 2mbps
    drop-policy policyname
    queue pfifo
}
[root@bigip1:Active:Disconnected] config # tmsh list ltm virtual
ltm virtual ms {
    destination
    ip-protocol tcp
    mask any
    profiles {
        tcp { }
    }
    rate-class ms
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual vs_extra {
    destination
    ip-protocol tcp
    mask any
    profiles {
        tcp { }
    }
    rate-class extra
    translate-address disabled
    vlans-disabled
}
Parent rate class does not restrict the bandwidth to the configured limit on a VE system. Workaround: None
ID 421528 HSB lock messages appear and the BIG-IP system eventually reboots. All traffic flows are lost. Large ping messages get re-assembled, but when vlangroup.flow.allocate is disabled, tmm can write the whole big message to HSB, and that messes up internal state. TMM goes down. Workaround: Set vlangroup.flow.allocate to enabled. With 11.4.0, you can limit bigger ICMP with dos.maxicmpframesize.
ID 421567 The UI.logaccess DB variables used to control role-based access to the System Logs in the GUI do not persist after reboot. On a reboot these keys will revert to their default value of "disabled". System is rebooted. After reboot, non-admin users will not be able to see the System Logs in the GUI until the fields are reconfigured. Workaround: None.
ID 421611 SIP messages are sent directly to the peer and not to the SIP-Proxy when both peers are inside the NAT. CGNAT and SIP-ALG are configured. Peer1 and Peer2 are in the NAT'd network (subscribers). SIP-Proxy is located outside the NAT network (internet). Some SIP messages may not be seen by the SIP-Proxy and cause missed messages and accounting gaps. Workaround: None.
ID 421612 Subscriber traffic through the Carrier Grade NAT and SIP-ALG will not have all the addresses and ports used by the subscriber logged. CGNAT and SIP-ALG configured and subscriber sending SIP traffic. Some subscriber traffic will not have translation addresses logged as expected. Workaround: None.
ID 421640 Entries that mention yourtheme.css show up in the httpd error logs. Using the UI for iApps will trigger this condition. Entries show up in httpd_errors referencing yourtheme.css. There is no impact, visual or otherwise, to the UI or the rest of the BIG-IP system. Workaround: None.
ID 421702 BIG-IP publishes the mgmt MAC addresses using offsets of the chassis base MAC address, instead of the MAC addresses from the kernel as ifconfig and dmesg reported. Workaround: None.
ID 421851 When iRules are saved into bigip.conf, the first line is automatically indented with 4 whitespaces. Usually these whitespaces are removed when the config is loaded, but when the rule starts with a commented line this doesn't happen, and every save/load cycle adds another 4 whitespaces. When a user adds a checksum to the iRule, this problem causes the load to fail with a checksum verification error. When the following are both true: 1. Line started with "#" and white spaces 2. Checksum the iRule. Load failure. Workaround: Remove the white spaces.
ID 421868 Not able to manage firewall policies in BIG-IQ AFM Not able to manage firewall policies in BIG-IQ Workaround: No workaround
ID 421964 When there is one way packet loss on a LACP-enabled link, the packet-loss side BIG-IP system still aggregates the LACP link. LACP trunk does not fully work. Workaround: None.
ID 421971 Renewing an existing certificate fails in UI if a user provides Subject Alternative Name (SAN) as input. Provide SAN while renewing certificate. Cannot renew certificate. Workaround: Do not provide SAN information while renewing certificates.
ID 422082 tmrouted might generate a core file during HA failover. HA failover happens with OSPFv3 configured. tmrouted exits and restarts routing daemons, advertised routes might be withdrawn after HA failover until the daemons restart and reestablish adjacency. Workaround: None.
ID 422085 The sysL2Forward stats do not return data even after they have been activated from tmsh:
1) modify sys snmp l2forward-vlan <vlan-name or all>
2) snmpwalk -v 2c -c public localhost
You have enabled l2forward-vlan for one or all VLANs using tmsh, for example "modify sys snmp l2forward-vlan all". You attempt to access the SNMP stat sysL2ForwardStat, for example via "snmpwalk -v 2c -c public localhost", and it does not show any of the VLAN information you specified using tmsh. Workaround: None.
ID 422314 tcpdump will show an inbound echo of some outbound L2 multicast IP traffic on the 2.x interfaces. This will only occur when transmitting IPv4 or IPv6 packets to Ethernet multicast or broadcast addresses, and only on the 2.x bank of interfaces of a BIG-IP 2000, 2200, 4000, or 4200 platform. This may cause an incorrect or confusing fdb entry to appear for the source MAC address if the multicast IP packet is being bridged through from one interface on the VLAN to another (IPv6 router advertisements for example). For sites using neither IPv6 nor MAC level multicast IPv4 this is unlikely to occur. Workaround: The fix is simple, and can be implemented by editing an init script. In /etc/init.d/stratospfinit there is a line that reads:
modprobe ixgbe max_vfs=$vfs,$vfs force_rss_sriov=1,1 lacp_target_queue=1,1 >/dev/null 2>&1
Replacing it with a line that reads:
modprobe ixgbe max_vfs=$vfs,$vfs force_rss_sriov=1,1 lacp_target_queue=1,1 L2LBen=0,0 >/dev/null 2>&1
will fix the problem (a reboot is required after the edit).
ID 422460 Tmm restarts without any core file on startup or when mcpd is loading the configuration if the size of the configuration is considered big (for example over 1000 passive monitors). ( TMM startup || when mcpd loads a configuration ) && size of configuration is big. After a few restarts TMM is likely to settle down. This causes serious traffic disruption. Workaround: Set "zero_window_timeout 300000" in the "profile tcp _mcptcp" entry in "/usr/lib/tmm/tmm_base.tcl". This will lengthen the timeout and hence avoid the restart.
ID 422471 Unit does not generate SNMP trap when link state changes (e.g. from UP to DOWN). Device is configured to generate SNMP traps. Management agents will not detect link state transitions. Workaround: None
ID 422709 Intermittently, if a secondary blade is being disabled, it may miss the command and stay enabled. Unknown. Secondary blade will still pass traffic as if it is active. It will not be considered inactive for counting of min-up-members. Workaround: As this only happens rarely, you can re-enable the blade and re-disable the blade.
ID 422808 In 10.2.4, a disabled port specific vip ( will answer and then reject the connection. In 11.3.0, the connection to a down port specific vip ( will be answered by the next less specific port, in this test it was a :0 any port vip. In 11.3.0, the connection to a down port specific vip ( will be answered by the next less specific port, in this test it was a :0 any port vip. In 10.2.4, a disabled port specific vip ( will answer and then reject the connection. In 11.3.0, the connection to a down port specific vip ( will be answered by the next less specific port, in this test it was a :0 any port vip. Workaround: None
ID 422897 FTP may not work when a port requires translation but the IP address does not. In this scenario, the data channel for the FTP transfer may fail. In an FTP transfer, the port requires translation but the address does not. For active FTP, auto-lasthop or a lasthop pool is configured. For passive FTP, a gateway pool is configured. An example of this scenario in active FTP is if the SNAT is not set and the port is configured to be any port. FTP fails. Workaround: For active FTP, you can use SNAT to work around the issue. For passive FTP, the port translate configuration needs to be the same as the address translate configuration to avoid the issue.
ID 423061 Creating or modifying SNMP v3 users using the GUI or tmsh adds passwords in plain text to the /config/net-snmp/snmpd.conf file. You have created or modified an SNMP v3 user using the GUI or with the command 'tmsh modify sys snmp users ...' SNMP v3 user passwords are visible to those with root read access on the BIG-IP system until you run bigstart restart to restart the snmp process. Workaround: Run the command 'bigstart restart snmp' to restart snmp after creating or modifying SNMP v3 users. This results in encrypted passwords in the file.
ID 423287 If the SendWeights messages are received by the SASP monitor prior to completion of registration of all pool members, then the pool member status might not be as reported by the SendWeights message. It is updated correctly on receiving subsequent SendWeight messages. Temporary flapping of pool member status can be seen. Workaround: None.
ID 423304 Objects may display extra parameters that don't belong to the object. When deleting a monitor or profile object and recreating it as a different type with the same name, after syncing, parameters from the former object get appended to the new object. e.g.:
delete ltm monitor https monitor1
create ltm monitor http monitor1 <...>
'monitor1', now changed to http type, will have parameters from the original https monitor. Bad configuration on the box that is synced to, and no obvious warning signs. Workaround: Do the changes and sync incrementally. e.g.:
delete ltm monitor https monitor1
<sync>
create ltm monitor http monitor1 <...>
<sync>
ID 423392 In previous versions of iRules, the variable tcl_platform was readable as set myvar static::tcl_platform. However with recent changes, the variable is in the global, not static namespace and should be accessed as ::tcl_platform. iRule that uses 'static::tcl_platform'. iRules that worked properly under earlier versions may result in runtime TCL exceptions (disrupting traffic) after an upgrade to v11.4.0, if those iRules reference static::tcl_platform. Workaround: Use this in an iRule, to map tcl_platform into the static namespace:
when RULE_INIT {
    upvar #0 tcl_platform static::tcl_platform
}
or use ::tcl_platform instead of static::tcl_platform (but note that this may demote a virtual server from CMP).
ID 423482 Removing the gateway failsafe pool in GUI does not set the pool::gateway failsafe device property to none. When the gateway failsafe pool is removed from web user interface, the pool maintains the prior gateway failsafe device. This is seen on listing the pool in tmsh. Creates confusion about the current pool::gateway failsafe device configuration. Workaround: The pool::gateway failsafe device property can be set to none using tmsh.
ID 423629 bigd restarts once, and afterwards, subsequent pings from the monitor fail. For bigd, a single restart is actually harmless. The invalid config will cause monitor failures; since the route domain no longer exists, the pool member will be marked down. Workaround: None.
ID 424143 Upon installation of TMOS v11.2.1 HF 5, SNMP configuration in the GUI is not saved. SNMP configuration was saved only in /var/run/snmpd.conf, not in bigip_base.conf. TMOS v11.2.1 HF 5 is installed. The SNMP configuration is actually not lost. Instead, it was saved only to /var/run/snmpd.conf, but not in bigip_base.conf, which causes it not to be shown in the GUI. Workaround: Use tmsh to set up and save SNMP configuration.
ID 424228 If a virtual server is created without an assigned pool (i.e. the pool is assigned in the iRule) and the iRule parks, the iRule may not return from suspension and the packet will be dropped. A virtual server is created and an iRule is assigned that parks, and the virtual server has no assigned default pool. Packets are dropped. Workaround: Either use the CLIENT_ACCEPTED event for UDP data or assign a default pool.
ID 424248 Packets arriving on the BIG-IP system that should match a specific virtual server are dropped, or are matching a less-specific virtual server. In this case, the virtual servers may fail to bind on some tmms and therefore not forward traffic. Two or more virtual servers that are listening on the same ip, port, and protocol but have different vlan assignments, typically with a vlan enable list on one, and a vlan disable list on the other, although this may not be strictly required. Dropped or misdirected traffic. Misdirected in the sense that the traffic does not match the more-specific virtual server and is matched to a less-specific one. Workaround: At this time, we recommend using vlan enable lists for all virtual servers that are listening on the same ip, port, and protocol
ID 424649 Blades will continually fail over with a large enough translation address space in an lsn-pool in DNAT mode. An example of a translation prefix large enough to cause this problem would be /8, or several translation prefixes summing to a large number of translation addresses. An lsn-pool in deterministic mode, assigned to a virtual, with a /8 prefix (or similar number of addresses). System is rendered unusable until DNAT mode is disabled. Workaround: Change to NAPT mode, or use a smaller translation prefix range. There is no other workaround.
ID 424698 When attempting to configure an LTM Policy with a target of "forward", event of "request", action of "select" and parameters of "node", the following is logged in /var/log/ltm: err tmm[11363]: 016e0000:3: Could not bind action 'forward select policy=/Common/policy-name rule=rule-name action-id=0 node=/Common/', reason ERR_NOT_SUPPORTED. Although the configuration appears to successfully save, traffic which matches at or below this rule in the policy malfunctions. The feature was not intended to be available yet in the 11.4.0 release. An LTM Policy with a target of "forward", event of "request", action of "select" and parameters of "node". Traffic matched by the policy at the affected rule or a later rule will malfunction. Workaround: To work around this, configure a pool with the desired node IP as a member, and use the pool in the policy in place of the node IP address.
ID 424797 Some parts of the UI become non-functional. Tomcat logs (/var/log/tomcat/catalina.out) will show java.lang.OutOfMemoryError: PermGen space error(s). Other parts of the UI will continue to function, particularly ones that the user has used most recently. Issue has been seen over extended use with LTM, AAM, and AVR all provisioned. Issue is possible with other combinations. Some parts of the UI become non-functional. Other parts of the UI will continue to function, particularly ones that the user has used most recently. Other BIG-IP functionality is not affected. Workaround: On the command line, as root, run the following command: bigstart restart tomcat
ID 424842 When adding a Peer to the Device Trust, the operation will fail if the Peer's certificate contains the ampersand ( & ) character in any of its fields (for example Division: "Dog & Cats"). Certificate contains the ampersand character in one of its fields. Certificates containing the ampersand character in one of their fields cannot be loaded. Workaround: You can work around this by editing the certificate fields and removing any ampersand characters.
ID 424931 Upon the creation of a large file, such as a UCS archive, csyncd can raise the CPU utilization of a system for an extended period of time. Create a large file in a directory monitored by csyncd (see /etc/csyncd.conf). Increased CPU utilization can lead to system instability. Workaround: None.
ID 425018 Linux host applications may not be able to connect when they are expected to. Create a config with a self IP on a VLAN and a default gateway route on that VLAN, save a SCF file, then modify the self IP in that SCF file and then load the SCF. Linux kernel default gateway route is dropped and host applications looking for the route may not be able to connect. Workaround: Reset the config to default before loading the modified SCF:
1. tmsh load sys default
2. tmsh load sys scf <SCF_filename>
ID 425028 When performing an upgrade of an HA configuration from a 10.x release, the root folder '/' has its traffic-group setting changed to none on at least one device. This occurs on HA configured traffic groups that are upgraded from 10.x to 11.2.1 through 11.4.1. The impact is that some failover objects are incorrectly advertised by units in the HA configuration. Workaround: None.
ID 425058 TMM produces a core file with a segmentation fault when a FastL4 virtual server uses a suspend command in an iRule on the client side, and then tears down the server-side without completing the server connection. The FastL4 virtual must have an iRule that runs on the client side, before the SERVER_CONNECTED iRule can run, and the client-side flow needs to be torn down during suspension. Workaround: None.
ID 425182 System is under memory pressure, umem slabs are constantly being created and destroyed. High memory usage of network buffers. Box slows down and becomes unstable. Workaround: None.
ID 425250 The TMM will segfault. It is difficult to identify this issue without a core analysis.
* Datagram load-balancing is enabled.
* An iRule command which parks is used. Examples include 'delay' and 'table'.
* More than one response is received.
An example of this situation might be the use of udp dns with the udp_gtm_dns profile (which enabled datagram lb). The DNS_RESPONSE event triggers for each DNS response. If a parking iRule command is used in this event and more than one response is returned from the DNS server, the TMM may crash. The TMM will crash and write out a core file. The system should recover on its own. Note, however, that this crash is caused by a specific sequence of events and if those events replay or are mirrored to another device, failover systems may also crash. Workaround: If using datagram load balancing, avoid iRule commands which park in events which may trigger multiple times (e.g. DNS_RESPONSE).
ID 425347 vCMP guests report "unknown" as platform type. Customer is unable to remotely determine exactly which platform is being monitored. Workaround: None.
ID 425670 If you attempt to delete a wide IP using the Link Controller web interface, you receive this error: "0107070b:7: Wideip pool (/Common/xxx) is referenced by one or more wideips". Link Controller devices are unable to delete wide IPs created. User cannot delete wide IP configuration from the Graphical User Interface. Workaround: On affected versions use tmsh to delete this object instead of the web interface.
(/Common)(tmos)# delete gtm wideip
(/Common)(tmos)# delete gtm pool
ID 425736 The BIG-IP system might erroneously forward ICMP error packets. ICMP error messages include type 3 (destination unreachable), type 11 (Time Exceeded), type 12 (Parameter Problem). This might occur when there is a virtual server matching ICMP, and the triggering packet carried in the ICMP payload does not match any existing flow (possibly because the flow has timed out or been deleted), or when the flow is nonexistent. When ICMP errors arrive for nonexistent flows, the error packets might be forwarded and create a new flow. This results in unnecessary flows, extraneous memory usage, failure to update MTU with needed ICMP fragmentation, and potential use of NAT ports. The unnecessary flows created by the ICMP unreachable error might cause subsequent ICMP Unreachable/Fragmentation needed messages to be ignored by BIG-IP system and MTU for the route not being updated. Workaround: None.
ID 425817 boot_marker entries found in system logs do not accurately reflect the version of the active slot. Slot names must share a common prefix, such as "HD1.test" and "HD1.testing". None. Workaround: None.
ID 425878 Multiple vcmp instances may use the same mac addresses when running fastL4 traffic. This issue can be triggered by loading a configuration, ucs, or scf containing vcmp objects in the provisioned or deployed state while the running system is not provisioned for vcmp. It may also be triggered during a relicensing event if the system has vcmp guests provisioned or deployed and is restarted prior to applying an updated license. This issue can cause traffic disruption, traffic being directed to the wrong vcmp instance, and incorrect learning on upstream devices. Workaround: Set all vcmp guests to the configured state. After all guests are down, they may be redeployed as desired.
ID 425992 If the BIG-IP mgmt interface is connected to a switch port with fixed settings (e.g., 100Mbps Full duplex) but with auto-negotiation Disabled, the BIG-IP mgmt interface will be set to 100Mbps HALF duplex instead. 1. The remote switch port is configured with fixed media settings (speed, duplex) and auto-negotiation disabled. 2. The Management interface on the BIG-IP system is configured with fixed media settings (speed, duplex). Inability to access BIG-IP via mgmt interface. Workaround: 1. Enable auto-negotiation on remote switch (with only the desired option advertised). 2. Toggle the mgmt interface media setting between 'auto' and '100TX-FD' after the BIG-IP boots.
ID 426128 If the passphrase for the pkcs12 file being installed is greater than 49 characters in length, installation could fail with the error - "Key management library returned bad status: -28, Bad password". Workaround: Use passphrases fewer than 50 characters in length for pkcs12 files.
ID 426129 CGNAT translation logs sent to ArcSight HSL destinations will not be in a compatible format for ArcSight to parse. LSN pools are configured for a virtual server. A log profile is configured to use an ArcSight destination and attached to the LSN pool. CGNAT log messages will not be processed correctly by ArcSight. Workaround: Modify ArcSight for custom parsing. Use a different log server.
ID 426202 [HTTP::cookie] can fail to return a cookie that is actually in the request or response. This issue occurs only when the last character of the HttpOnly attribute comes at the end of an internal boundary. This usually aligns with packet boundaries, but is not guaranteed to. Workaround: None.
ID 426328 When updating an iRule that is in process or parked and has existing connections and uses a proc, a core can occur due to incorrect internal reference counting. High traffic iRule that both parks and uses a proc. Workaround: Disable listener before updating iRule.
ID 426569 BIG-IP uses a message-based framework internally. Timed events and session responses did not properly respect the boundaries of the framework and could cause connection data to become corrupted or freed too early, leading to difficult-to-diagnose crashes. Workaround: None.
ID 426570 Granular memory statistics as seen in "tmctl memory_usage_stat" show increasing use of "source address (variable)" memory. Behavior manifests itself under numerous configurations. Memory leak can starve tmm of memory, triggering a crash. Workaround: None.
ID 426600 TMM may loop and eventually be killed by the SOD service. Rate limit and priority group enabled. TMM will crash. Workaround: None.
ID 426625 Error is returned when a user tries to update a Data Group of type "string" or "integer" which have records containing a String but not a Value. User creates a data group of type String or Integer containing records with a String but no Value. Error is returned, preventing update of data group, until all records have Values. Workaround: Update data group in tmsh.
ID 426704 With a full deployment of guests, if you delete a guest and deploy a new guest on the same blade (before the deleted guest has fully stopped), then the new guest can remain in waiting-install. This condition happens when resources from one shutting down guest are in use for the next guest that wants to start up. New guest does not deploy. Workaround: The workaround involves taking the guest down to configured and deploying it again, after the deleted guest has fully stopped.
ID 426803 B2100 or B2150 blades include locking levers for securing the blade into a blade chassis (i.e. C2400). These levers should be open during blade chassis insertion. As the blade is pushed the final distance in the chassis, the blade locking levers will close, securing the blade in the chassis. It has been discovered that if the locking levers are closed before blade chassis insertion, the blade will power on even though the blade is not fully mounted in the chassis. Even though the blade is powered on, the blade will not properly function in the chassis. This problem only exists if the user inserts a B2100 or B2150 blade into a chassis with the blade locking levers closed. Blades inserted with the locking levers closed do not mount properly with chassis connectors, inhibiting proper operation. The blades will however power on. Workaround: Make sure the locking levers are open prior to blade insertion as described in the product guide.
ID 427002 A specific configuration of allow-services to self-ips leads to an attempt to add a listener for same port twice, resulting in an error. For example, adding (which has a configuration that specifies 'tcp:https' and also 'default') when 'default' tries to add a listener for 443, it fails in response to an E-INUSE error, which occurs because the value 'tcp:https' already exists in the 'default' list. This occurs when the configuration contains a definition for a listener on a port that has already been added by 'default.' You can see this list in the /defaults/bigip_base.conf file. When this occurs, the tmm rejects the part of the configuration containing the duplication. Workaround: To work around this, remove lines in self-ip configurations that try to add a port that is already being added by 'default.' In this case, edit the configuration to remove 'tcp:https.'
ID 427012 BIG-IP did not truncate DNS responses (for non-EDNS0 queries) to 512 bytes. Workaround: You can use an iRule to keep track of the query ID and conditionally truncate the response.
ID 427201 The http-set-cookie action in an ltm policy can have several parameters. The parameters 'domain' and 'path' are reversed. The value of the domain parameter is used as the path in the Set-Cookie header and the value of the path parameter is used as the domain in the Set-Cookie header. It is also possible to use an http-set-cookie action without supplying a value. This results in an invalid Set-Cookie header. The issue happens whenever the http-set-cookie action is executed with a domain and/or path parameter, or without a value parameter. An invalid Set-Cookie header might be sent to the browser. Workaround: Reverse the values for the domain and path parameters and make sure a value parameter is supplied.
ID 427248 A subscriber connecting through the CGNAT may not get the same translation address and port with the same subscriber and port as expected for Endpoint Independent Mapping behavior. LSN Pool mode = NAPT or Deterministic. Persistence = address-port. Inbound = OFF. Many connections are going to the same host. This may break some applications. Workaround: Turn Inbound ON.
ID 427260 Running 'tmsh show sys pptp' shows the identical flow with different stats incremented. CGNAT and PPTP-ALG with default DAG. Cosmetic, but may be confusing. Workaround: Grep and aggregate the stats for a unified view.
ID 427342 If you filter by the Status column under Local Traffic > DNS Express Zones > DNS Express Zone List, the page will cause an error. From that point the page will always error until the user closes the browser and reopens it. Filter the list page by status. Page error. Workaround: Close the browser and reopen it.
ID 427447 Route domain firewall policies do not sync. Workaround: Manually apply policies to each node's route domain firewall.
ID 427607 With certain traffic patterns, the hardware compression can exhibit slower processing of compression requests. This can be observed by monitoring the compression stats within BIG-IP system using the command 'tmctl compress' and monitoring the qa-dc provider. The number of requests enqueued, shown in the cur_enqueued stat, is large and drains slowly. The customer may also see watchdog errors reported in the LTM log: Aug 12 10:21:49 B4200-R19-S35 crit tmm7[19112]: 01010025:2: Device error: (null) Watchdog on unit 1! This behavior would occur when a large amount of data needs to be compressed at the same time, overwhelming the hardware compression driver. A significant delay can occur before the data is compressed, potentially causing connections to time out. Workaround: No workaround is available. The fixes for ID425921, ID427607 and ID428150 need to be installed on the customer's platform to resolve hardware compression issues. Note that ID428150 is only required on TMOS v11.2.1 and v11.3.0.
ID 427700 After licensing a platform, it may lose its recently DHCP-acquired management route and hostname if the configuration is not saved before licensing. Unlicensed systems acquiring licenses may lose their default route on the license transition if it was not previously saved. Utilize the console port or access the BIG-IP management address from another system on the local subnet to recover from this condition. Workaround: Restore the default route after the licensing event by returning to a static configuration and then reenabling DHCP.
ID 427736 With sFlow sampling for HTTP enabled, TMM might crash with assert messages. Messages posted appear similar to the following: '../modules/hudfilter/http/http_sflow.c:307: %; len is valid%s' When sFlow sampling for HTTP is enabled. TMM crash and restart. Workaround: Disable HTTP sampling.
ID 427791 In some cases, the IKE agent (v1) negotiates multiple Security Associations (SAs) for the same tunnel. Some third-party IPsec vendors delete redundant SAs and keep only one pair of working (MATURE) SAs. If the remote IKE agent doesn't send a DELETE payload to the BIG-IP system, the BIG-IP system ends up with a pair of invalid SAs. Furthermore, during (lifetime) rekey, when one of the valid SAs goes away due to a BIG-IP system implementation bug, if the new SAs have not been negotiated, the BIG-IP system might try to use the invalid SA, which causes the traffic to stop. IPsec rekey while interoperating with some third-party IPsec vendors. Traffic becomes stale (from seconds to minutes) until all the invalid SAs are expired. Workaround: When this happens, users can manually delete an SA using the "tmsh delete net ipsec ipsec-sa " command to remove the invalid SAs.
ID 427832 On platforms with software-only syncookies, when a tcp virtual server is under SYN and ACK attacks, and is also under regular traffic loads, some regular connections were dropped. This occurs only on platforms with software-only syncookies, on a tcp virtual server that is under SYN and ACK attacks. Small amount of valid traffic may be dropped when under SYN/ACK attacks. Workaround: Use fastl4 profile, or tcp profile with RFC1323 turned off.
ID 427840 dnatutil is not able to use --start_time/--end_time correctly when the timestamp is provided in a different time zone than the local-time time zone. When user-provided values for --start_time or --end_time contain a time zone that is different than the time zone of the machine that dnatutil is being run on. Time matching for reverse lookup. Workaround: 1) Convert the desired time-frame to the local-time time zone for time matching. 2) Use the TZ environment variable to modify the time zone of the host; see man tzset for more information.
ID 427924 When inserting a new blade in a VIPRION C2400 chassis, with UDP or TCP hash set to 'ipport', the new blade uses the 'port' hash instead. Rebooting the blade or restarting bcm56xxd & tmm causes the correct DAG (Disaggregator) hash to be used. UDP or TCP hash algorithm changed from default (e.g. changed from 'port' to 'ipport'). UDP or TCP virtual servers configured. New blade inserted into chassis. New blade includes external interface to which traffic will arrive. Prevents adequate distribution of traffic within a chassis, which may disrupt traffic flows or reduce the traffic throughput of the BIG-IP system. Workaround: Reboot the new blade after it has been configured. Issue the 'bigstart restart' command (to restart the bcm56xxd & tmm modules and program the DAG with the correct hash type).
ID 428036 This issue might occur when an anomaly occurs during quick mode exchange (phase 2) with some third-party vendors, which results in the BIG-IP system updating the same SA twice. This anomaly will cause internal memory corruption and tmm will crash. In some very rare conditions during IPsec rekey while interoperating with some third-party vendors (FortiGate). TMM will crash. Workaround: None.
ID 428072 If an iRule refers to a pool by the full /folder/pool name, the virtual server status does not reflect the pool's status. While traffic can still be served to the pool_member despite the virtual server status, for changes at the virtual server level (for example, route health injection), the system needs a reliable virtual server health status. Workaround: None.
ID 428150 TMOS v11.2.1 and v11.3.0 shipped with an older version of the SDK for hardware compression. A newer version is needed for improved stability. When large amounts of data are compressed by hardware, the system can become unstable, resulting in a crash. Without this fix, the customer may experience instability on their platform when hardware compression is enabled. Workaround: None.
ID 428255 The GUI allows you to add multiple headers for SIP profiles, but when updating or creating the profile, only one of the monitors will persist. Unable to configure multiple SIP monitor headers via the GUI. Workaround: Use tmsh to configure multiple headers.
ID 428467 If the max-concurrent-udp/max-concurrent-tcp dns cache parameters are set too high for the platform they're running on, the memory needed to fulfill the request may cause tmm to panic. This occurs because tmm creates max-concurrent-tcp communication points, each of which has a 64 KB buffer. So 8 tmms, 64 KB each, is approximately 500 KB. That is for a single communication point. Multiply that by 2 billion, and there will be problems with memory allocation. When this occurs, tmm can core. Workaround: None.
ID 428735 Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure): httpd[###]: PAM [error: /lib/security/ cannot open shared object file: Too many open files]. This can eventually lead to lack of access to the BIG-IP system from all but the root account. Remote system authentication configured to use TACACS+. Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST. Repeated automated access using iControl is the fastest route. If the leak is allowed to accumulate to the point that no file descriptors are available, administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected. Workaround: Several workaround options: 1. Use a system auth method other than TACACS+. 2. Use only SSH for administrative access. 3. Restart httpd as needed.
ID 428736 iRule creation fails using iControl REST API. This occurs because the tmsh command that creates iRules cannot specify different portions of the iRule. Essentially, because it is difficult to modify iRules using tmsh, it is difficult to modify iRules using iControl REST API. The functional implication of this is that you cannot use iControl REST API to create iRules. Workaround: The best way to work around this is to alter the tmsh command.
ID 428752 The system console will display this: 011d0002: Can not access the database because mcpd is not running. /var/log/ltm will show the same warning with a time and system stamp: Aug 23 14:31:02 BIG-IP.web1 warning diskmonitor: 011d0002: Can not access the database because mcpd is not running. The system is rebooting or shutting down. The system runs the "diskmonitor" script while mcpd is not active. The diskmonitor script will automatically run when the system is booted next. The impact should be relatively minor. Workaround: The text is innocuous and may be ignored.
ID 428976 If a self IP is configured for advertisement in OSPF and is moved to a different VLAN, the LSA may be removed from the database and not readded. OSPF enabled, self IP moved between VLANs. Missing prefix from OSPF. Workaround: Remove and readd connected route redistribution, delete and readd the self IP, or clear the OSPF process ("clear ip ospf process" in imish).
ID 429011 For switch based platforms, the bcm56xxd daemon monitors the active/standby state using the failover.bigipunitmask DB variable and if this indicates a transition from Active to Standby, it downs external links and starts a timer for re-enabling the links after a customer-specified delay as per the failover.standby.linkdowntime DB variable. This support is not yet available on the 2000s, 2200s, 4000s, and 4200v platforms. Workaround: There is no workaround for this issue.
ID 429075 Unable to use the WMI monitor to monitor a pool of IIS servers. A Windows Server running IIS on a virtual machine with the F5.IsHandler.dll installed. Unable to use the WMI monitor to monitor a pool of IIS servers. Workaround: None.
ID 429080 If a specific port is owned by a virtual server on another tmm, even if the virtual server is configured for immediate timeout, the port may sometimes become unavailable. In that case, the tmm may randomly pick another port. Workaround: There is no workaround for this issue.
ID 429114 TCP traffic from an FTP monitor intermittently picks the wrong source address for the egress interface if the pool member being monitored is located on a network served by ECMP routes. This causes the FTP monitor to report false failures. FTP monitor is configured to monitor pool members that are accessible through ECMP routes from the BIG-IP. FTP monitors may intermittently report available pool member(s) as not available in a false failure. Workaround: Allow asymmetric routing by disabling VLAN keyed connections - 'tmsh modify sys db connection.vlankeyed value Disable'
ID 429213 External monitors open a file with a name derived from the node and monitor name; however, the name isn't always unique. Two different monitors of the same type applied to the same IP:PORT. Race condition. Workaround: - Change the intervals to reduce likelihood of race. - Disable debugging on external monitor.
ID 429365 FTP data connections do not honor LSN pool translation port ranges. This affects all FTP data connections in all LSN modes (NAPT and DNAT). The BIG-IP system chooses any valid ephemeral port instead of the range specified in the LSN pool. It is not possible to trace which subscriber initiated a data connection using LSN logs. Workaround: None.
ID 429393 Mcpd fails to load the config. When restoring a UCS or installing from a version with HTTP Class profiles, the upgrade may convert the profiles to policies that fail to load. The policies fail to load when the profiles and pools are partitioned. The BIG-IP is mostly unusable after the load fails. Workaround: Upgrade to v11.x (x < 4) then upgrade to v11.4 or: 1) For all policies referencing pools in /config/bigpipe/bigip.conf, edit the pool name so it has the correct folder. 2) Run /usr/libexe/bigpipe daol 3) Run tmsh save sys config 4) Run tmsh load sys config
ID 429396 Mcpd fails to load the config. When restoring a UCS or installing from a version with HTTP Class profiles, the upgrade may convert the profiles to policies that fail to load. The policies fail to load when the profiles have a URL that does not start with http:// or /. The BIG-IP is mostly unusable after the load fails. Workaround: 1) For all policies with URLs, edit them so they are correct. 2) If upgrading from 10.x, run /usr/libexe/bigpipe daol 3) If upgrading from 10.x, run tmsh save sys config 4) Run tmsh load sys config
ID 429699 Bridging traffic between two interfaces on a child VLAN in vlangroups mode may be disrupted when there are packets arriving on another child VLAN of the same vlangroup that create conflicting FDB entries. For this to happen, there usually has to be an unresolved loop in your network. In active mode, the 2x00 and 4x00 boxes will preferentially bridge over the vlangroup rather than to another port on the child VLAN. In standby mode, this remains true, but the frame gets dropped unless we are set to bridge in standby. Workaround: It is inadvisable to use the 2x00 and 4x00 platforms as a switch/bridge at this point. Having no hardware support, the switching happens in software at a higher latency and CPU cost.
ID 429770 With connection queuing enabled, and with pool members having connection limit set, under certain conditions the pool members become unavailable and show that they have reached the connection limit. They stay in this state even after the connections themselves are long gone. Connection limit on pool members needs to be set. Queue connection needs to be set. Pool members become unavailable, and remain unavailable. Workaround: None.
ID 429896 When booting a blade to the EUD application and running the 'sensor' test, then booting back to BIG-IP system, the CPU fans for that blade appear to be running at double their true speed. The fans are not actually spinning that fast. This is a reporting error only. To make the error condition appear, the blade must be booted into the EUD application. In the EUD application, run the sensor validation test, option #2. After that test completes, select the option to quit and reboot the system. When the blade boots back into BIG-IP system, the CPU fans will show double the speed of the EUD sensor test. There is no physical impact to the CPU fans because the fans are not actually spinning that fast. The CPU fans normally spin at 6600 to 7200+ RPMs. In the error condition, the fans appear to be running anywhere from 13500 to 14400 RPMs. This is a reporting error only. Although the reporting of the fan speed appears doubled, the fans are still operating at their nominal speed of 6600 to 7200+ RPMs. Workaround: To work around this issue, do one of the following: -- Have a serial console open to the blade running EUD and open the AOM command menu using ESC ( keystroke combination. Select to RESET the blade from that menu. -- Pull the blade from the slot and wait 10 seconds, then re-insert the blade.
ID 430728 The tmm process may crash when a connection is reset, typically with a panic message such as 'freed invalid pcb magic'. This occurs when the following conditions are met: -- A TCP iRule event other than CLIENT_CLOSED or SERVER_CLOSED is suspended. -- The peer sends a RST packet on the connection. -- There is an error in the suspended iRule, possibly as a side-effect of the RST packet being received. -- Code for a CLIENT_CLOSED or SERVER_CLOSED iRule event does exist. The BIG-IP system reboots or fails over. Workaround: Remove CLIENT_CLOSED and SERVER_CLOSED events, or run tmm.debug.
ID 435592 Users will see the error message "Error parsing template:MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message." when creating or reconfiguring iApp Application Services. User has a very large number of items that the iApp Template may be querying for. For example, a large number of pools. User is no longer able to create or modify application services. Workaround: None.
ID 436442 When a GBB license for AFM is installed on 11.4.1 and its hotfixes, provisioning of Protocol Security (PSM) is required for the protocol-transfer command to work. For example, if you are creating or modifying a security log profile by attempting to add a DNS profile, using commands similar to the following: protocol-transfer add { dns_prof, you will encounter an error message if the PSM module is not provisioned. The error appears similar to the following: ‘[Syntax Error: "protocol-transfer" is dependent on one of the following modules being provisioned: asm em psm.’ If you provision PSM, the protocol-transfer command works as expected. You can provision PSM on the Resource Provisioning screen, available under System.
ID 430197 When the source port and destination port are the same, traffic initiated from the host, such as NTP, may have the response directed to the wrong tmm, resulting in the response being dropped. The traffic has to be initiated from the host. The source and destination ports have to be the same (though some port numbers may succeed in spite of them being the same). The platform needs to have HDAG hardware. Specifically, the 5200, 7200, and 10200 platforms, and the B2250 and B4300 blades. Host traffic like NTP, or any other traffic from hosts whose source and destination ports are the same, might not work properly. Workaround: None, unless the protocol can be configured to work with source and destination port numbers that are different.
ID 430323 VXLAN process restarts continuously with 8k tunnels - 8k VTEPs and 8k VNIs configured on 11000. Workaround: None.
ID 430729 On rare occasions, a race condition may allow the wrong connection flow to handle Clustered Multiprocessing (CMP) responses. The CMP messages for flows that are quickly created and destroyed may match a flow that was already destroyed. This issue occurs when the configuration contains a VLAN with the CMP hash setting set to Source Address. The Traffic Management Microkernel (TMM) may produce a core file and temporarily fail to process traffic. In addition, failover may occur if the system is configured for high availability. Workaround: There is no workaround.
ID 430731 On rare occasions, a race condition may allow the wrong connection flow to handle Clustered Multiprocessing (CMP) responses. The CMP messages for flows that are quickly created and destroyed may match a flow that was already destroyed. This issue occurs when the configuration contains a VLAN with the CMP hash setting set to Source Address. The Traffic Management Microkernel (TMM) may produce a core file and temporarily fail to process traffic. In addition, failover may occur if the system is configured for high availability. Workaround: There is no workaround.
ID 430797 Pages that are browsed to by an HTTP POST (namely changing the Statistics Type under any of the stats pages) are not normally cached by the browser. So if you hit the browser back button to a page that was received via a POST, Firefox will display a Document Expired page. Click the browser back button in Firefox to a page that was received by an HTTP POST. The browser displays a Document Expired error page to the user. Workaround: Click the "Try Again" button on the Document Expired page. This will force Firefox to cache the page.
ID 430912 FTP traffic may fail to pass intermittently. This issue presents in vCMP guests running BIG-IP versions prior to 11.4.1 when the guest is configured to have multiple blades with a single CPU core. FTP traffic may fail to pass intermittently. Workaround: None.
ID 431160 You detect a kernel panic as follows: divide error: 0000 [#1] SMP .... RIP: 0010:[<ffffffff8103d93d>] [<ffffffff8103d93d>] find_busiest_group+0x35b/0x99f Call Trace: <IRQ> [<ffffffff8103e9ad>] ? run_rebalance_domains+0x190/0x4b9 [<ffffffff8104d3f5>] ? run_timer_softirq+0x45/0x232 [<ffffffff810470ac>] ? __do_softirq+0xc5/0x17a [<ffffffff81003a5c>] ? call_softirq+0x1c/0x28 [<ffffffff81004feb>] ? do_softirq+0x31/0x66 [<ffffffff81019c79>] ? smp_apic_timer_interrupt+0x87/0x96 [<ffffffff81003433>] ? apic_timer_interrupt+0x13/0x20 <EOI> ... Not known - seen in upstream kernels under a variety of load conditions. No obvious reproduction scenario. Can affect 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, and 11.4.1 releases. Does not affect any release newer than 11.4.1. Workaround: Upgrade to the appropriate hotfix release.
ID 431936 The SASP monitor does not mark pool members down when the GWM server cannot be reached. The GWM server does not send a RST packet to terminate its connection to the SASP monitor in case of a network failure. The pool members are not marked down for a SASP monitor in case of a GWM/network failure. They are marked down when the TCP connection to the GWM terminates on a connection timeout which was observed around 10 minutes. Workaround: Use the icmp monitor in conjunction with the SASP monitor. The icmp monitor should use the GWM server as its destination. This monitor should be associated with each of the nodes that are present in the pool using the SASP monitor. The pool members will be marked down when the GWM server cannot be reached.
ID 431957 When a full load sync occurs, some user objects may sync unexpectedly. This only applies to full load syncs (any sync of a device group with full-load-on-sync true, any use of the 'Overwrite Configuration' option, any use of set-sync-leader from tmsh, and some syncs under incremental sync mode). Users unintentionally sync. Workaround:
ID 431985 Monitor instance is not re-enabled by an incremental sync. If you set a monitor to be disabled and then perform a sync, when you later set the monitor to enabled, a subsequent incremental sync does not update the monitor status to enabled. This occurs after disabling a monitor, syncing a configuration, enabling the monitor, and incrementally syncing the configuration. The effect is that the monitor status does not update. Workaround: You can work around this by forcing a full load sync from the active device. Either use 'Overwrite Configuration' on the Device Management Overview page, or the tmsh command 'modify cm device-group <device group name> devices modify { <current device name> { set-sync-leader } }'.
ID 432720 The BIG-IP will send gratuitous ARPs (GARPs) for a virtual address that has ARP disabled. Failover. Traffic is directed to the node on the network. Workaround: Disable both "ARP" and "ICMP Echo".
ID 432939 SASPD_monitor's memory usage keeps continuously increasing. Depending on how many monitors are configured, it may increase at the rate of 18M per day and may over time lead to memory being exhausted and reboot. SASP Monitors need to be configured and operational. Memory usage continuously increases, and may eventually lead to automatic reboot of BIG-IP when all memory is used. Workaround: None, except disabling the SASP Monitor.
ID 433120 If you used "http_security" as profile name in versions 11.4.x or earlier, the upgrade to 11.5.0 will fail, since this is a system-defined name for a new HTTP Security profile. Workaround: Rename the profile "http_security" before upgrading to 11.5.0.
ID 433223 On a VIPRION B4300 blade or BIG-IP 10000-series appliance, messages similar to the following may be logged in the LTM log every 2 seconds: info bcm56xxd[25425]: 012c0016:6: _soc_xgs3_mem_dma: ING_SERVICE_COUNTER_TABLE_Y.ipipe0 failed(NAK) info bcm56xxd[7610]: 012c0016:6: _soc_xgs3_mem_dma: EGR_VINTF_COUNTER_TABLE_Y.epipe0 failed(NAK) info bcm56xxd[11548]: 012c0016:6: _soc_xgs3_mem_dma: EGR_SERVICE_COUNTER_TABLE_X.epipe0 failed(NAK) Similar errors also appear in the bcm56xxd log file. This error is logged if an internal parity error is reported by the Broadcom switch chip when stats are read from the chip by BIG-IP. Since these errors are reported for the interface that is used to retrieve stats from the Broadcom switch chip, they are not expected to impact the packet path/traffic passing. Workaround: To stop logging of these errors and clear the internal parity error from the Broadcom switch chip, perform one of the following actions: 1. Restart the bcm56xxd daemon: bigstart restart bcm56xxd 2. Reboot the affected blade or appliance.
ID 433323 When a client request contains a no-cache directive, ramcache excludes the request from caching and passes the request through. Because caching is disabled, the resource is not invalidated and the response is not cached. The expectation is that the action should cause revalidation of the resource. Configure a virtual server with HTTP caching. Failure to invalidate resource. Increased load on origin server. Workaround: None.
ID 433897 If a datagroup contains entries that are longer than the maximum length allowed by a TCL object, the datagroup will fail to load the element without warning. Tmm may core if this non-loaded element is referenced. Incorrect datagroup, possible core. Workaround: Individual datagroup entries should be less than 65k in length.
ID 433997 After 200-ok following 100-continue, the BIG-IP system ICAP client sometimes stops sending the ICAP request body to the ICAP server, mid-stream (no ICAP termination). ICAP preview-length >= ADAPT preview-size (lesser is used). Server responds with 100-continue after preview, and later with 200-ok. Server stops receiving data so cannot complete its response. Transaction hangs and adaptation virtual server (with response-adapt profile) will eventually time out and perform its service-down action. Workaround: Increasing ADAPT preview-size to a few KB greater than ICAP preview-length might reduce the frequency of occurrence.
ID 434101 Currently, there is no GUI for configuring 'net fdb tunnel'. Such a configuration can be done through CLI. Workaround: None.
ID 434211 The primary blade in a clustered system may send management traffic sourced from the blade IP address associated with the management port instead of from the cluster IP address. In addition, traffic sourced from the management interface of a VCMP guest may fail with an ICMP "destination unreachable" message. On a physical cluster, functionality which generates traffic over the management interface of the primary blade (such as RADIUS authentication, remote logging, ping) will result in traffic sourced from the IP address of the primary blade, not the cluster floating IP address. On a VCMP guest, functionality which generates traffic over the management interface of the guest may fail with an ICMP "destination unreachable" message. Services which receive traffic from the management interface of the primary blade in a physical cluster may not recognize the cluster as the source of the traffic. Services which depend on traffic sourced from the management interface of a VCMP guest may fail. Workaround: None.
ID 434573 While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name. For example, the 'tmsh show sys hardware' command may display a Platform ID like the following: Platform Name D113 instead of the official platform marketing name, such as: Platform Name BIG-IP 10000F. This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release. Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID. Workaround: Update platform-identification scripts to include the relevant platform IDs among the recognized match values.
ID 434737 Initial, and unset, values for the zone's serial numbers (primary and external) are "18446744073709551615". This value can be safely ignored when not using zone transfer signing. If using zone transfer signing, these values will be reset the first time a SOA record from the primary passes through the BIG-IP. Workaround: None.
ID 434855 Disabling the management interface (net interface management) is not supported on: BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), BIG-IP 8400 (84), BIG-IP 8800 (D88), BIG-IP ASM 4100 (D46), BIG-IP EM 500 (C36), VIPRION 4400, VIPRION 2400. The user cannot disable the management interface on this set of platforms. Workaround: Unplug the cable, disable the remote end, or delete the management IP.
ID 435332 If there are users defined in a 10.2.1 BIG-IP to have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects will fail to load during an upgrade to 11.X TMOS. A user config from 10.2.1 looking like this: user v-abban { password crypt "$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/" description "v-abban" group 500 home "/home/v-abban" shell "/bin/false" role administrator in Common } Upgrade or load UCS will fail with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit the bigip_sys.conf to have the role line as follows: ... role administrator in [All] }
ID 435482 In versions prior to 11.4.0, the UCS does not save files containing spaces in the names. That means that any files that had spaces in the name would not be written to the UCS file and the UCS save would appear to succeed. When a UCS file which was saved in this manner is subsequently applied to 11.4.0 or greater, the configuration load will fail because the referenced file(s) (with spaces in their names) are not present in the UCS. 1. The UCS being applied was saved in a release prior to 11.4.0. 2. The configuration contained config objects with spaces in their names. 3. The UCS is being applied to 11.4.0 or greater. After upgrading into the newer release, the initial config load will fail. Alternatively, manually loading any UCS saved in this manner will result in a similar configuration load failure. Workaround: Boot back to the previous version and rename all the files in question so they don't have spaces in their names. Save the UCS again, and upgrade.
ID 435488 Cannot configure a route domain for the CMI device unicast-address. This occurs when you try to configure a non-default route-domain for the CMI device unicast-address. Not a supported configuration. Low impact. Workaround: Don't configure a route-domain for the CMI device unicast-address.
ID 435494 DTLS handshake may fail when UDP messages are round robin among TMMs. DTLS configuration. Round Robin DAG enabled for DTLS UDP packets. DTLS handshake could fail. Workaround: Disable Round Robin DAG for DTLS packets.
ID 435592 Users will see the error message "Error parsing template:MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message." when creating or reconfiguring iApp Application Services. User has a very large number of items that the iApp Template may be querying for. For example, a large number of pools. User is no longer able to create or modify application services. Workaround: None.
ID 435646 lsn-pool inbound setting does not work when not associated with a virtual. An lsn-pool with inbound or hairpinning enabled. That lsn-pool is not associated with a virtual but is assigned by an iRule. Inbound and hairpinning are not enabled for subscribers using that lsn-pool when assigned via an iRule. Workaround: Create a virtual for each lsn-pool.
ID 435670 The configuration item specified in a value_list (part of the file object feature) gives an error during a load that the item is not found. The configuration item was removed from the running config, but exists inside a saved config. The chosen configuration file does not load. Workaround: None.
ID 435814 CGNAT connections for a single client might exceed connection limits. This occurs when the persistence-timeout value is fewer than 30 seconds on lsn-pools with connection limits. Connection limits are not enforced. Workaround: Set persistence timeout to a value greater than 30 seconds.
ID 435855 The customer may experience a TMM panic if a packet is cloned from a packet with an IP fragment and TMM fails to transmit the cloned packet. The following is present in the TMM log: <13> Oct 15 11:37:16 f5-5a notice panic: ../net/packet.c:136: Assertion "packet is not locked by a driver" failed. A core file is also generated, showing the following in the stack trace: #0 0x000000000055032f in tmm_panic (format=0x12e4698 "../net/packet.c:136: %spacket is not locked by a driver%s") at ../lib/stdio.c:1164 #1 0x0000000000550375 in tmm_assert (message=0x0) at ../lib/stdio.c:1173 #2 0x00000000008b415b in _packet_free (pkt=0x556c33cd1b80) at ../net/packet.c:135 #3 0x000000000080632e in clone_pkt (cf=<optimized out>, pkt=<optimized out>) at ../modules/hudproxy/clone/clone.c:377 This happens when the customer is using a clone pool. If a packet is received that needs to be cloned, originates from an IP fragment, and fails to transmit, then this condition can occur. TMM will panic and restart. This will repeat any time this condition occurs. Workaround: None.
ID 435857 dpid seems to be restarted suddenly every two weeks. PEM is provisioned and traffic from multiple subscribers passes through the BIG-IP. The dpid daemon restarts, and the analytic (statistics) result is affected. Workaround: None.
ID 435946 TMSH allows an operator to configure two mutually exclusive failover methods, namely auto failback and HA group, concurrently without warning. In this case, the HA group method will be used. Workaround: Use the GUI instead. It prevents invalid selections.
ID 435953 The 'Search' fails to return results in the DNS WideIP list page when a WIP alias is created. Workaround: None.
ID 436212 If a copper SFP module is installed and a configuration is loaded which sets that module's speed and duplex, this configuration might fail to load. The /var/log/ltm file will show an error similar to this and the config will fail to load: 01070318:3: The requested media for interface 1.1 is invalid. The system being upgraded needs to have a copper SFP module installed in order to encounter this issue. There are two ways to arrive at this state: upgrading and at runtime. The issue can be observed using TMSH to configure the port with a speed/duplex other than 'auto'. root@(ebxlv-lb01)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify net interface 1.1 media-sfp 10000SR-FD 01070318:3: The requested media for interface 1.1 is invalid. This runtime error and its workaround are covered in SOL4556. When applying a UCS from a previous version of TMOS, this condition can also be triggered. The upgrade will fail after booting into TMOS for the first time. Workaround: /config/bigip_base.conf can be edited so lines specifying the 'media-sfp' setting are set to 'auto'. Problematic configuration: net interface 1.1 { media-sfp 10000SR-FD } Fixed configuration: net interface 1.1 { media-sfp auto } Once all interfaces using this setting are changed, the config should load.
ID 436442 When GBB license for AFM is installed on 11.4.1 and its hotfixes, provisioning of the PSM module is required for protocol-transfer to work. tmsh modify security log profile dns_prof { protocol-dns add { dns_prof { filter { log-dns-malformed enabled log-dns-drop enabled log-dns-malicious enabled log-dns-reject enabled log-dns-filtered-drop enabled } format { type none } publisher local-db-publisher } } protocol-transfer add { dns_prof { publisher none } } } The screen output was: Syntax Error: "protocol-transfer" is dependent on one of the following modules being provisioned: asm em psm. Workaround: None.
ID 436674 When you generate SNMPv3 traps from BIG-IP, the engineBoots and engineTime reported in the PDU are incorrect and not in sync with the value in /config/net-snmp/snmpd.conf. This is also evident after the restart of snmpd. The circumstance that led to the customer finding this problem is that their SNMP monitoring server (SpectroSERVER) loses the ability to poll the BIG-IP. When the BIG-IP sends out the incorrect values, their server thinks the information has been spoofed and it loses the ability to poll the BIG-IP until manual intervention. Workaround: None.
ID 436825 Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. All of these conditions must be true: (1) A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release. (2) It has a partition that has its default route domain set to a nonzero route domain. (3) That partition contains nodes with no route domain set (so the default is used). (4) That partition contains other nodes in route domain 0. Those objects may no longer be addressable or able to connect. Workaround: Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane.
ID 437430 Enabling ISO 8601 timestamps in syslog breaks alertd message parsing, inhibiting system alerts. This includes LCD panel messages, alarm LEDs, SNMP traps and alert emails. This occurs after running 'modify sys syslog iso-date enable'. No system alerts are generated. Workaround: Run 'modify sys syslog iso-date disable'.
ID 437711 TMM crashes. Memory corruption with a simple SSL configuration. Failover or temporary traffic stop. Workaround: N/A
ID 437718 Settings in /ltm dns cache global-settings do sync between HA members. Each HA member will act on its own dns cache global-settings when it is processing traffic. Workaround: Settings can be set on each HA member.
ID 437739 If a BIG-IP has more than 12 tmms and one of the tmms above the 12th one loops due to a bug, it will loop indefinitely. This requires another bug that causes a tmm to loop, and it has to be a tmm above the 12th tmm. Traffic will no longer be accepted on the tmm that is looping indefinitely. Workaround: Manually change /defaults/daemon.conf and bigip.conf to have the correct stanzas for the remaining tmms.
ID 437768 Do not use "bigip1" as device name. The BIG-IP system uses it as factory default device name. Workaround: None.
ID 437768 When setting the Ethernet ports on BIG-IP 5000 and 7000 series platforms to half duplex and then pinging, the Activity LED blinks Green instead of Amber. This occurs because half-duplex operation is not supported at any speeds. This occurs when setting half-duplex on Ethernet ports on BIG-IP 5000 and 7000 series platforms. Operating in half-duplex may hang a port. Workaround: There is no workaround. User must operate in full-duplex modes. This is as designed.
ID 442625 When attempting to create an IPsec Authentication Header (AH) traffic-selector, you might encounter errors, and TMM might crash. The crash occurs when a TCP virtual server retransmits over an IPsec AH tunnel. The system posts alerts similar to the following: err alertd[6623]: 01100014:3: Action tmsh create net ipsec traffic-selector NET18 Source-Address destination-port any destination-address ipsec-policy test_tunnel is failed. err mcpd[5973]: 01020037:3: The requested unknown (/Common/NET19) already exists. err tmsh[32652]: 01420006:3: 01020037:3: The requested unknown (/Common/NET19) already exists. Workaround: None.
ID 445911 tmm fast forwarded flows are offloaded to ePVA, which is incorrect behavior. This occurs on ePVA. tmm fast forwarded flows are offloaded to ePVA, which is incorrect behavior. Workaround: For versions 11.3.x and 11.4.0, there is no workaround. On version 11.4.1 or later, you can use the following command to turn off tmm fast forward when using the guaranteed hardware acceleration mode: 'tmsh modify sys db tmm.ffwd.enable value false'.
ID 450058 Some swap activity might occur during bootup of the BIG-IP systems with SSD drives (or BIG-IQ). There is a possible race condition that can lock up some of the CPUs, causing a disruption of service from that CPU. This occurs only on BIG-IP 5000s, 5200v, 5050, 7000s, 7200v, 7050, 10000s, and 10200v platforms, and on VIPRION B2150 and B2250 Blades. Swap activity that occurs during bootup locks up the system, requiring a power cycle or AOM host reset. Workaround: None. However, this is a rare occurrence.
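
A pre-upgrade check for ID 435332 above, as an added example (not F5 code): it scans v10-style bigip_sys.conf text for user stanzas whose administrator or resource-admin role is scoped to a single partition, and rewrites the scope to [All] as that entry's workaround describes. The stanza layout is assumed from the sample in that entry; the function names and the sample users are hypothetical.

```python
import re

# Roles the entry names as failing to load when scoped to one partition.
GLOBAL_ONLY_ROLES = {"administrator", "resource-admin"}

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
_USER = re.compile(r'^[ \t]*user\s+(\S+)\s*\{([^{}]*)\}', re.M)
_ROLE = re.compile(r'\brole\s+(\S+)\s+in\s+(\S+)')

# Constructed sample in the layout shown under ID 435332 (hashes are placeholders).
SAMPLE = r'''
user alice {
   password crypt "$1$CONSTRUCTED$hashplaceholder"
   description "role administrator in Lab }"
   group 500
   home "/home/alice"
   shell "/bin/false"
   role administrator in Common
}
user bob {
   password crypt "$1$CONSTRUCTED$hashplaceholder"
   role resource-admin in [All]
}
user carol {
   password crypt "$1$CONSTRUCTED$hashplaceholder"
   role operator in Common
}
'''


def _mask_strings(text):
    """Blank out quoted string contents so braces or 'role' text inside a
    description cannot confuse the scan; every offset stays unchanged."""
    return _QUOTED.sub(lambda m: '"' + " " * (len(m.group()) - 2) + '"', text)


def find_restricted_admins(conf_text):
    """Return (user, role, partition, start, end) per offending role line;
    start/end are the offsets of the partition token in conf_text."""
    masked = _mask_strings(conf_text)
    hits = []
    for stanza in _USER.finditer(masked):
        base = stanza.start(2)
        for role in _ROLE.finditer(stanza.group(2)):
            name, partition = role.group(1), role.group(2)
            if name in GLOBAL_ONLY_ROLES and partition != "[All]":
                hits.append((stanza.group(1), name, partition,
                             base + role.start(2), base + role.end(2)))
    return hits


def apply_workaround(conf_text):
    """Rewrite each offending partition to [All]; work backwards so earlier
    offsets stay valid while the text changes length."""
    out = conf_text
    for _u, _r, _p, start, end in reversed(find_restricted_admins(conf_text)):
        out = out[:start] + "[All]" + out[end:]
    return out


if __name__ == "__main__":
    for user, role, partition, _s, _e in find_restricted_admins(SAMPLE):
        print(f"user {user}: role {role} restricted to partition {partition}")
```

Run it against a copy of the file and review the rewritten text before replacing the original.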

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
