Manual Chapter: New Features in BIG-IP Version 17.5.1
Applies To:
BIG-IP Distributed Cloud Services
- 17.5.1
BIG-IP APM
- 17.5.1
BIG-IP Analytics
- 17.5.1
BIG-IP Link Controller
- 17.5.1
BIG-IP LTM
- 17.5.1
BIG-IP AFM
- 17.5.1
BIG-IP PEM
- 17.5.1
BIG-IP DNS
- 17.5.1
BIG-IP ASM
- 17.5.1
General
See the following information about software lifecycle:
Support IPv6 connections to TACACS remote auth servers
BIG-IP has upgraded the pam_tacplus package from version 1.2.9 to 1.3.2 to enable support for IPv6 as a transport protocol in TACACS-based system authentication. To use IPv6, you must configure the TACACS server with an IPv6 address in the BIG-IP system-auth configuration. This update allows you to use system authentication in environments that support only IPv6.
New in APM
BIG-IP version 17.5.1 introduces the following new features for APM:
Dynamic Support for Up to 8 KB Claims Data in OAuth Authorisation Server
Earlier, in the OAuth Authorisation Server, the OAUTH_MAX_CLAIM_DATA_SIZE was set to 8 KB by default, which allowed users to use up to 8 KB for claims data, even when the actual claims were smaller.
This update allows the system to dynamically allocate the appropriate amount of memory based on the claims configuration, ensuring efficient memory usage and consistent behavior.
Support for Okta Encrypted SAML Identity Providers Using the Retrieval Method
Earlier, when BIG-IP acted as a Service Provider (SP), it did not support the RetrievalMethod element used by external SAML Identity Providers (IdPs) to reference the EncryptedKey. As a result, encrypted assertions could fail to process, and errors such as "Cannot decrypt SAML Assertion", "failed to process encrypted assertion", and "error: Cipher value from EncryptedKey element not found" may appear in the logs.
BIG-IP now supports encrypted SAML assertions from external Identity Providers (IdPs), such as Okta, that include the RetrievalMethod element to reference the EncryptedKey. This enhancement allows BIG-IP, acting as a SAML Service Provider (SP), to process and decrypt assertions that use this method correctly.
This update improves interoperability with IdPs like Okta that use the RetrievalMethod tag in their encrypted SAML responses.
New in DNS
BIG-IP version 17.5.1 introduces the following new features for DNS:
Support for EDNS0 Extended error codes in RFC 8914
BIG-IP now supports forwarding Extended DNS Errors (EDE) received from upstream name servers to clients. Previously, this information was not included in the response, preventing clients from receiving detailed error diagnostics. This enhancement is controlled via the DB variable dns.forwardextendeddnserrorcode, which is disabled by default. To enable support for Extended DNS Errors (EDE), set the relevant variable value to enable. This allows BIG-IP to include EDE information in DNS responses, providing more detailed error information to clients.
New in LTM
BIG-IP version 17.5.1 introduces the following new features for LTM:
Support for X25519MLKEM768 Hybrid Key Exchange in TLS 1.3
BIG-IP now supports the X25519MLKEM768 hybrid key exchange in TLS 1.3 on the client side and server side. This mechanism combines the widely used X25519 elliptic curve key exchange with MLKEM768; together, they protect the confidentiality of communications even against future quantum threats. X25519KYBER768 is introduced in the BIG-IP 17.5.1 release. In this release, support for the MLKEM768 variant of Kyber768 is introduced to improve compatibility. This enhancement strengthens the application’s cryptographic flexibility and positions it for secure communication in classical and post-quantum environments. This change does not affect existing configurations but provides an additional option for enhanced security where supported.
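The compatibility point above comes down to which group a peer actually advertises: the Kyber draft hybrid and X25519MLKEM768 use different TLS group code points. The following Python sketch is an added example, not F5 code. It parses a ClientHello handshake message and reports the offered groups and key-share sizes; the code points are the IANA "Supported Groups" assignments, and the ClientHello is a constructed sample with dummy key material.

```python
# IANA TLS "Supported Groups" code points for the groups named in this section.
GROUPS = {0x001D: "x25519", 0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768"}
HYBRID_SHARE_LEN = 1184 + 32  # client share: ML-KEM-768 encapsulation key + X25519 key

def _vec(buf, off, nlen):
    """Read a TLS vector with an nlen-byte length prefix: (data, next offset)."""
    end = off + nlen + int.from_bytes(buf[off:off + nlen], "big")
    if end > len(buf):
        raise ValueError("truncated vector")
    return buf[off + nlen:end], end

def offered_groups(hello):
    """Parse a ClientHello handshake message; return (group names, {group: share length})."""
    if not hello or hello[0] != 1:
        raise ValueError("not a ClientHello")
    body, _ = _vec(hello, 1, 3)
    off = 2 + 32                              # legacy_version, random
    for nlen in (1, 2, 1):                    # session_id, cipher_suites, compression
        _, off = _vec(body, off, nlen)
    exts, _ = _vec(body, off, 2)
    groups, shares, off = [], {}, 0
    while off < len(exts):
        etype = int.from_bytes(exts[off:off + 2], "big")
        data, off = _vec(exts, off + 2, 2)
        # Only supported_groups (10) and key_share (51) are inspected.
        items, pos = (_vec(data, 0, 2)[0] if etype in (10, 51) else b""), 0
        while pos < len(items):
            gid = int.from_bytes(items[pos:pos + 2], "big")
            name = GROUPS.get(gid, hex(gid))
            if etype == 10:                   # list of 2-byte group ids
                groups.append(name)
                pos += 2
            else:                             # group id + length-prefixed public key
                key, pos = _vec(items, pos + 2, 2)
                shares[name] = len(key)
    return groups, shares

def offers_mlkem_hybrid(hello):
    """Group is listed and, if a share was sent for it, the share is well-sized."""
    groups, shares = offered_groups(hello)
    return "X25519MLKEM768" in groups and shares.get("X25519MLKEM768", HYBRID_SHARE_LEN) == HYBRID_SHARE_LEN

def sample_hello(hybrid=0x11EC, share_len=HYBRID_SHARE_LEN):  # constructed, all-zero keys
    p = lambda data, n: len(data).to_bytes(n, "big") + data
    gid = lambda g: g.to_bytes(2, "big")
    ks = gid(hybrid) + p(bytes(share_len), 2) + gid(0x001D) + p(bytes(32), 2)
    exts = gid(10) + p(p(gid(hybrid) + gid(0x001D), 2), 2) + gid(51) + p(p(ks, 2), 2)
    body = b"\x03\x03" + bytes(32) + p(b"", 1) + p(b"\x13\x01", 2) + p(b"\x00", 1) + p(exts, 2)
    return b"\x01" + p(body, 3)
```

A client that lists only the Kyber draft group shows up as X25519Kyber768Draft00 and is not counted as offering X25519MLKEM768, which is the mismatch to look for when a hybrid handshake falls back to a classical group.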