Updated Date: 04/09/2026
New Features in BIG-IP Version 17.5.1
See the following information about software lifecycle:
K8986: F5 software lifecycle policy
K5903: BIG-IP software support policy
BIG-IP has upgraded the pam_tacplus package from version 1.2.9 to 1.3.2 to enable support for IPv6 as a transport protocol in TACACS-based system authentication. To use IPv6, you must configure the TACACS server with an IPv6 address in the BIG-IP system-auth configuration. This update allows you to use system authentication in environments that support only IPv6.
BIG-IP version 17.5.1 introduces the following new features for APM:
Earlier, in the OAuth Authorisation Server, OAUTH_MAX_CLAIM_DATA_SIZE was set to 8 KB by default, which allowed users to utilize up to 8 KB for claims data, even when the actual claims were smaller.
This update allows the system to dynamically allocate the appropriate amount of memory based on the claims configuration, ensuring efficient memory usage and consistent behavior.
Earlier, BIG-IP, when acting as a Service Provider (SP), did not support the RetrievalMethod element used by external SAML Identity Providers (IdPs) to reference the EncryptedKey. As a result, encrypted assertions could fail to process, and errors such as Cannot decrypt SAML Assertion, failed to process encrypted assertion, and error: Cipher value from EncryptedKey element not found could appear in the logs.
BIG-IP now supports encrypted SAML assertions from external Identity Providers (IdPs), such as Okta, that include the RetrievalMethod element to reference the EncryptedKey. This enhancement allows BIG-IP, acting as a SAML Service Provider (SP), to process and decrypt assertions that use this method correctly.
This update improves interoperability with IdPs like Okta that use the RetrievalMethod tag in their encrypted SAML responses.
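Added example (not F5 code and not part of the original release notes): a Python sketch of how a Service Provider-side parser can locate the EncryptedKey whether it is embedded in KeyInfo or referenced through RetrievalMethod, which is useful for checking which layout an IdP emits. The sample XML, the ek-1 Id, the placement of the referenced key as a sibling of EncryptedData, and the function name locate_encrypted_key are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENCRYPTED_KEY_TYPE = NS["xenc"] + "EncryptedKey"

# Constructed samples; the CipherValue strings are placeholders, not real ciphertext.
_TEMPLATE = (
    '<saml:EncryptedAssertion xmlns:saml="{saml}" xmlns:xenc="{xenc}" xmlns:ds="{ds}">'
    '<xenc:EncryptedData><ds:KeyInfo>{keyinfo}</ds:KeyInfo>'
    '<xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData>{sibling}</saml:EncryptedAssertion>')
_KEY = ('<xenc:EncryptedKey Id="ek-1"><xenc:CipherData><xenc:CipherValue>'
        'd3JhcHBlZC1rZXk=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>')
_REF = '<ds:RetrievalMethod URI="#ek-1" Type="%s"/>' % ENCRYPTED_KEY_TYPE
SAMPLE_INLINE = _TEMPLATE.format(keyinfo=_KEY, sibling="", **NS)
SAMPLE_RETRIEVAL = _TEMPLATE.format(keyinfo=_REF, sibling=_KEY, **NS)
SAMPLE_DANGLING = _TEMPLATE.format(keyinfo=_REF, sibling="", **NS)

def locate_encrypted_key(xml_text):
    """Return (layout, wrapped_key_b64) for an EncryptedAssertion document."""
    root = ET.fromstring(xml_text)
    data = root.find("xenc:EncryptedData", NS)
    if data is None:
        raise ValueError("EncryptedData element not found")
    key_info = data.find("ds:KeyInfo", NS)
    # Layout 1: EncryptedKey embedded directly inside ds:KeyInfo.
    key = key_info.find("xenc:EncryptedKey", NS) if key_info is not None else None
    layout = "inline"
    if key is None and key_info is not None:
        # Layout 2: ds:RetrievalMethod points at an EncryptedKey elsewhere by Id.
        ref = key_info.find("ds:RetrievalMethod", NS)
        if ref is not None and ref.get("Type") == ENCRYPTED_KEY_TYPE:
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                raise ValueError("only same-document references are resolved")
            layout = "retrieval-method"
            tag = f"{{{NS['xenc']}}}EncryptedKey"
            key = next((e for e in root.iter(tag) if e.get("Id") == uri[1:]), None)
    if key is None:
        raise ValueError("EncryptedKey element not found")
    value = key.findtext("xenc:CipherData/xenc:CipherValue", namespaces=NS)
    if not value or not value.strip():
        raise ValueError("CipherValue missing from EncryptedKey")
    return layout, value.strip()

if __name__ == "__main__":
    for name, doc in (("inline", SAMPLE_INLINE), ("retrieval", SAMPLE_RETRIEVAL)):
        print(name, locate_encrypted_key(doc))
```

A parser that implements only the first layout finds no wrapped key in the second sample, which is the kind of failure the log messages above describe.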
BIG-IP version 17.5.1 introduces the following new features for DNS:
BIG-IP now supports forwarding Extended DNS Errors (EDE) received from upstream name servers to clients. Previously, this information was not included in the response, preventing clients from receiving detailed error diagnostics. This enhancement is controlled via the DB variable dns.forwardextendeddnserrorcode, which is disabled by default. To enable support for Extended DNS Errors (EDE), set the value of dns.forwardextendeddnserrorcode to enable. This allows BIG-IP to include EDE information in DNS responses, providing more detailed error information to clients.
BIG-IP version 17.5.1 introduces the following new features for LTM:
BIG-IP now supports the X25519MLKEM768 hybrid key exchange in TLS 1.3 on the client side and server side. This mechanism combines the widely used X25519 elliptic curve key exchange with MLKEM768; together, they provide enhanced protection by ensuring the confidentiality of communications even against future quantum threats. X25519KYBER768 is introduced in the BIG-IP 17.5.1 release. In this release, support for the MLKEM768 variant of Kyber768 is introduced to improve compatibility. This enhancement strengthens the application’s cryptographic flexibility and positions it for secure communication in classical and post-quantum environments. This change does not affect existing configurations but provides an additional option for enhanced security where supported.