Release Notes : BIG-IP APM 11.2.1

Applies To:

Show Versions Show Versions


  • 11.2.1
Release Notes
Original Publication Date: 10/21/2014 Updated Date: 04/18/2019


This release note documents the version 11.2.1 release of BIG-IP Access Policy Manager.


Supported hardware

You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x and 9.x
  • Mozilla Firefox 15.0.x
  • Google Chrome 21.x

APM client browser support

For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.2.1 Documentation page.

Evaluation support

If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.

New in 11.2.1

There are no new features in this release.

New in 11.2.0

Secure access features

  • Java applet patching

    With Java Applet Patching enabled, BIG-IP APM can patch server-side Java applets in real-time. The clients that run the patched Java applet connect back through the BIG-IP system using SSL in an authenticated APM session. Patched Java applet code is stored in RAM cache, eliminating the need to rewrite every time.

    Note: If the applet contains encrypted JAR files, the BIG-IP system cannot rewrite the applet.
  • Java RDP support for Linux, Mac, and Windows

    A Java RDP client now supports Mac, Linux and Windows clients, providing a cross-platform method to access remote desktops using the RDP protocol over a non-L3 tunnel.

  • Google Chrome browser support

    BIG-IP APM supports the Google Chrome browser. For the latest supported browser versions, refer to the BIG-IP APM Client Compatibility Matrix.

  • Custom parameter fields for terminals

    You can now set custom parameters for remote desktops. These parameters affect the rendering of certain features for both the Citrix and RDP terminal resource types.

  • Pool assignment agent

    In the Visual Policy Editor, you can configure a new agent, Pool Assign, which assigns an LTM pool to a session dynamically.

  • High availability for Active Directory

    Support for high availability for Active Directory authentication had been added; this includes the ability to define an Active Directory pool.

  • Session ID Rotation

    To improve security, part of the session ID is rotated on each response while an access policy is executing.

Manageability and optimization features

  • Improved OPSWAT package management

    To scan for antivirus products on the end client, F5 uses a library from OPSWAT. The library provides the administrator with a consistent API to use against various antivirus products. When an antivirus vendor updates their code base and, in response, OPSWAT updates the library, F5 verifies the library and posts a hotfix. This improvement enables you to apply the hotfix to multiple BIG-IP systems more quickly, by uploading the file to a single BIG-IP system manually and then syncing the file to all devices in a device group.

  • Form-based SSO improvements

    With BIG-IP APM 11.2, in addition to collecting, caching, and proxying user credentials to multiple backend systems using Kerberos, NTLM, and form-based SSO, there is a second method of achieving form-based SSO. This new form-based client-initiated SSO method works by detecting logon request pages from the client application and then parsing the server response for a logon form. Then APM inserts JavaScript that sets the form’s logon name and password placeholder (or token) to match the user’s and perform auto submit. When the client submits this form, APM replaces the password token with the user’s actual credentials and then submits this to the backend application. If the server returns any errors, the form-based client-initiated SSO mechanism disables SSO for that application to preserve connectivity to that application for other users.

  • Mesh Data Deduplication

    A new version of Symmetric Data Deduplication, SDD v3, is optimized for performance in hub and spoke or mesh deployments involving multiple sites.

Usability enhancements

  • Captive Portal Detection in Edge Client

    BIG-IP Edge Client now automatically detects whether the user is behind a captive portal, such as those at hotels and airports, and waits until the user completes sign in to the portal.

  • Citrix Xenapp server non-default ports

    APM now supports Citrix XenApp server configured with ICA/CGP services on ports other than the default ports (1494 for ICA and 2598 for CGP).

New in 11.1.0

Access Policy Manager Clustering

This release adds support for running Access Policy Manager on a chassis platform and in a virtualized Clustered Multi-Processing (vCMP) environment. Access Policy Manager features work in the same fashion when clustered as not with the following caveat. Upon tunnel reconnect due to a blade going down on a chassis platform, flows inside the tunnel are not preserved; users need to reconnect their applications after an underlying tunnel goes down.

XenApp/XenDesktop Support Enhancements

Acess Policy Manager provides a web services interface that allows Citrix Receiver to connect and get application lists from XenApp, thereby:
  • Eliminating the need for XenApp Services Sites
  • Simplifying configuration and number of boxes required

Other enhancements:

  • Provides enhanced support on challenge events in 2-factor authentication when using a Citrix Receiver. Specifically, Access Policy Manager can gracefully handle requests for RSA new PIN codes and AD password expiration.
  • Enables the Webtop to display folders of published apps, mapping what has been shown on the XenApp server.
  • Provides session reliability support for ICA connections: In case of a network problem between the Citrix client and the XenApp server, the application on XenApp Server continues to run and XenApp server buffers the ICA traffic until the client reconnects. The user’s session does not go into a disconnected state as long as the XenApp Server is buffering data for the user. After the connection is restored, XenApp Server flushes the buffered ICA data to the client and the session continues. Access Policy Manager sits between the Citrix client and the XenApp server and interprets and proxies these ICA communications. This feature improves user experience.
  • Supports multi-Stream ICA: BIG-IP Access Policy Manager is first on the market with support for multi-stream ICA. This feature allows for true network-based Quality of Service (QoS) to the ICA/HDX protocol in XenDesktop 5.5 and XenApp 6.5. It is a mechanism to prioritize network traffic, helping to ensure that the most important data gets through the network as quickly as possible.

Windows Credential Manager Integration

This feature integrates with the Windows Credential Manager such that when a user hits ctrl-alt-del, the actual Windows boot process is halted so that the Edge Client can establish a network access tunnel before resuming it. This allows admins to configure new Windows machines to force a password expiration the very first time a laptop/workstation is used regardless of whether it is on a local net or remote.

Linux standalone client

This client can be downloaded from Access Policy Manager and installed on Linux endpoints. This is a command-line client (unlike the Windows or Mac edge clients) but supports endpoint inspection and auto-updates. It provides a simple CLI interface with commands such as Connect, Disconnect, Auto-connect.

New Packaging

Edge Gateway VEs

  • F5-BIG-EGW-VE-200M targets the small enterprise; includes support for 100 concurrent users in the base package; supports 500 maximum concurrent users; limits aggregate throughput to 200Mbps
  • F5-BIG-EGW-VE-1G targets the medium enterprise; includes support for 300 concurrent users in the base package; supports 2500 maximum concurrent users; limits throughput to 1Gbps

APM 1600 standalone: Unlike other Access Policy Manager modules, this platform can be used without Local Traffic Manager. It includes support for 500 concurrent users in the base package.

APM on VIPRIONs: Support for APM on VIPRION is provided as an add-on SKU to the VIPRION chassis. There is one add-APM SKU for each chassis model. The format will be similar to appliance add-APM SKUs, with support for 500 concurrent users (for the entire chassis) in the base package and a maximum limit that assumes a fully populated chassis.


With this release Access Policy Manager supports IPv6, enabling connectivity between IPv4 and IPv6 networks. Administrators can configure network access lists per supported IP version, IPV4 or IPV4&IPV6 and then configure lease pools and LAN address spaces for IPv4 only or for both IPv4 and IPv6.

This table provides a summary of IPv6 support for various authentication methods:
Authentication Type IPv6 Support Configuration Notes
AD Auth Supported
  • KDC can be configured with IPv6 address.
  • KDC being FQDN or KDC is empty is supported. (Resolved FQDN or discovered KDC address can be IPv6.)
Note: Starting in 11.3, also supported with the pool option.
AD Query Supported using layered virtuals
Note: Starting in 11.3, also supported with the pool option.
  • KDC being FQDN or KDC is empty is supported (Resolved FQDN or discovered KDC address can be IPv6).
  • KDC cannot be configured with an IPv6 address; AD Query with IPv6 address has been tested with the following layered virtual server approach.
    1. In the AD server configuration, use the host name of the DC in the Domain Controller setting.
    2. Update the system's global setting to include a remote host entry for the DC host name that was used in step 1 and map it to an IPv4 address.
    3. Create a pool with the DC IPv6 address as a member.
    4. Create a layered wildcard TCP virtual server as follows.

      Destination IP: The IPv4 address that was used in step 2, that is,

      Service Port: 0 (All ports)

      SNAT Pool: Auto Map

      Default Pool (in Resources): Pool created in step 3, that is, /Common/AD-IPv6-Pool

    5. Create another layered virtual as in step 4, but for UDP traffic. (Set the protocol setting in the Virtual server configuration to UDP).

    With the above configuration setting, AD query should work with a IPv6 back end DC.

    Note: For an example in which the above configuration is performed, see the Configuring Resources chapter in the BIG-IP® Access Policy Manager®Configuration Guide.
LDAP Auth and Query Supported via the pool option Admin needs to use the pool option for using IPv6 with LDAP.
RADIUS Auth and Acct Supported via the pool option Admin needs to use the pool option for using IPv6 with RADIUS.
OCSP Not supported
CRLDP Supported via the pool option Admin needs to use the pool option for using IPv6 with CRLDP.
TACACS+ Supported TACACS+ server can be configured with IPv6 address.
SecurID Not tested/supported IPv6 support for SecurID is supported in Authentication Manager 7.1 for Windows 2008. However, this is not tested.
Kerberos Supported
HTTP Supported Start URI can be configured with IPv6 address.
The following caveats apply to IPv6 support.
Access Type Supported Feature or Client Caveat
Network IPv6 VPN To use an IPv6 tunnel, both an IPv6 tunnel and an IPv4 tunnel must run to the client system simultaneously. On the server side, configure the network access resource with both IPv4 and IPv6 lease pools and set the supported IP version to IPv4&IPv6.
Note: IPv6 VPN is not supported for Android and Windows Mobile.
Android No IPv6 VPN support.
Linux Linux and Linux client CLI are supported.
  • MAC OS X
  • EDGE client for MAC OS X
  • Supported versions are 10.6 and 10.7.
  • Not suppported with Asian languages.
Windows 7
  • Edge and Web clients only are supported.
  • Windows Logon integration is not supported.
Windows mobile No IPv6 VPN support.
Application Application tunnel Accessing IPv6 resources with a static application tunnel is not supported.
Portal IPv6 web applications To support portal access to IPv6 web applications, configure the portal access using either an IPv6 address or a host name. (Host name resolves to both IPv4 and IPv6 addresses.)
Note: The DNS configuration on the APM machine includes an option to specify the IP address family preference; this setting controls which address type to use when the hostname configured in the portal access resource resolves to both IPv4 and IPv6 address types. By default, the setting is empty and the default IP address family preference is IPv4. When the hostname resolves to both IPv4 and IPv6 addresses, APM picks the IPv4 address.

To enable IPv6 preference in 11.1 (so that when the hostname resolves to both IPv4 and IPv6 addresses, APM picks the IPv6 address), you must use a tmsh command, as shown here.

root@(bigipsys)(cfg-sync Standalone)(Active)(/Common)(tmos.sys.dns)# modify include "options inet6"
                  root@(bigipsys)(cfg-sync Standalone)(Active)(/Common)(tmos.sys.dns)# list
                  sys dns {
                  include "options inet6"
                  name-servers { }
                  search { }

Warning: Do not use the include option without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include option. If you use this option incorrectly, you put the functionality of the system at risk.

Logging and Reporting

With this release: For logging, both scalability and performance are enhanced. As a result, report performance is also enhanced. For reporting, when configuring a custom report, available report fields are now organized for selection by: user, resources, sessions, and access policy.

New in 11.0.0

Application Tunnels

This release provides application tunnels to a single application on a remote user's desktop without the security risk of opening a full network access tunnel.

Optimized Network Access Tunnels

With this feature, you can layer full network access tunnels with optimized tunnels for Windows clients.

Remote Desktops

This release provides a hosted remote desktop connection, from a specific remote desktop application to the remote user's desktop, without the security risk of opening a full network access tunnel. Remote desktop is supported for Citrix XenApp server and Microsoft RDP clients.

Kerberos Protocol Translation

With this feature, APM is able to authenticate the user with Active Directory, and then receive a Kerberos ticket on the user's behalf, allowing secure access to the Application server and offloading SSL negotiation from the app server. This feature also makes SSL offload for Smart Card authentication possible.

Kerberos Single Sign-On

With this feature, a user can automatically sign onto backend applications and services that are part of a Kerberos realm, for seamless authentication after the user completes an access policy using a supported authentication scheme.

Oracle Access Manager (OAM) integration

With this release, you can design access policies and manage policy-based access services for Oracle applications on an Oracle Access Manager server from one location.

Flash Patching

In Portal Access, HTML-formatted fields in Flash content are patched by the APM rewrite engine. When rendering an application through the Access Policy Manager, the rewrite engine rewrites the Flash content to render links properly.

Dynamic webtops

The dynamic webtop displays a list of network resources, which include applications, network access and remote desktops, available to a user after authentication. The content of the webtop is dynamic in the sense that only resources for which the user is authorized are displayed to the user. The webtop is customizable based on a user’s identity, context, and group membership.

Reporting system

With the new reporting system, you can generate customized, granular reporting for analysis and troubleshooting purposes. You can generate reports based on many parameters, for example, access failures, users, resources accessed, group usage, or geolocation.

Machine info inspection

The machine info client check allows administrators to examine the security posture of a device, including attributes such as MAC address, CPU ID and HDD ID. The access policy can compare information collected by the machine info check to an allowed list of hardware devices or configurations, then add the result to the access policy. This enables the access policy administrator to identify IT-controlled assets.

Client Type inspector

The client type inspector replaces the UI mode inspector, and includes new branches for the BIG-IP Edge Client, iOS, and Android devices.

Dynamic ACLs

BIG-IP Access Policy Manager can load ACLs from an external authentication database (Active Directory, RADIUS, or LDAP) and apply them dynamically. This allows for a single policy per user, no matter which Access Policy Manager the user is connecting to.

Edge Client for MacOS

The optional BIG-IP Edge Client can be delivered by browser or as a standalone application. Its functionality is identical to the Windows version (though Windows provides more client side checks), in a native MacOS interface. The Edge Client for MacOS is supported on Mac 10.5.x and later, and supports 64-bit OSes.

Adaptive Compression

Compression in resources now compresses downstream data to the client using the best available compression codec, based on network conditions and compressibility of the data.

Supported high availability configuration for Access Policy Manager

Access Policy Manager is supported in an Active/Standby configuration with 2 BIG-IP systems only.
Note: Active Policy Manager is not supported in an Active-Active or an N+M configuration.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in Upgrading Active-Standby Systems and Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running WAN Optimization Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in Upgrading Active-Standby Systems and Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading from earlier versions of APM

When you upgrade from an earlier version of Access Policy Manager (APM), you might need to take care of issues related to these configurations.

Advanced customization

If you performed any advanced customization of files, you must upgrade these files manually.

Custom reports

Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.

OAM configuration

When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in 11.x.

Fixes in 11.2.1

ID Number Description
360678 Previously, SMB traffic went directly even when network access was configured with the Force all traffic through tunnel option. The recommended workaround, "SOL13086: SMB traffic may bypass VPN tunnel when split tunneling disabled" is no longer necessary.
365453 APM Citrix proxy fully supports Wyse Xenith terminals now.
381332 Single sign-on to Citrix CloudGateway and Citrix StoreFront is supported correctly now.
384217 Improper patching of SWF files with AS1/AS2 scripts no longer occurs when function/try/with/branch length is too close to the maximum value.
384627 BIG-IP Edge Client no longer goes into a loop trying to update when auto-update information is missing.
385039 You can now delete an access policy with customized App Tunnel and Remote Desktop resources, including images.
385099 Terminal Server favorite setting "Enable persistent cache (bitmap caching)" functions properly now; when the setting is off, caching is disabled.
385193 To be compatible with the GateKeeper feature introduced in Mac OSX Mountain Lion (10.8), BIG-IP Edge Client components and installer packages for MacOSX are now signed with Developer ID certificate.
385918 A tmm panic/assert no longer occurs when running an access policy.
386046 A confusing message about the RAS subsystem was displayed when running self-diagnostics. The message has been corrected.
386342 Macintosh Network Access client now properly deallocates memory after routing table manipulation.
386654 If the system shuts down unexpectedly, any changes that a Network Access client made to the registry are cleaned up now upon system startup.
387264 After an administrator changed the SSO configuration in an access policy multiple times, SSO stopped working. This usually happened after using an SSO configuration with a longer name and then trying to use an SSO configuration with a shorter name. With this release, SSO continues to work after changing the SSO configuration.
387365 A defect that could cause APM access connection entries to extend beyond the timeout period and consume excessive memory has been corrected.
388023 This release fixes a rare case in which BIG-IP Edge Client would crash.
388242 If a customized localization string included a single quote, it was displayed as \' on a webtop. A single quote is now displayed correctly on a webtop when used in these settings:
  • Show and Hide Settings
  • These Form and Message Settings:
    • AppTunnels conflict with Network Access message
    • Network Access conflict with AppTunnels message
    • Initialization message
388514 Previously, when accessing public folders on Outlook Web Access 2003 through Portal Access, you might see an error, Login Timeout failed with HTTP status code 440. The error occurred because backend cookies were not inserted. Now, the rewrite plugin inserts backend cookies correctly for this case and errors no longer occur when accessing public folders on OWA2003.
388784 There was a conflict between Windows 2008 and MIT Kerberos interpretation of kvno field size. As a result, users could not sign on using APM Kerberos SSO when the BIG-IP system used a Read-Only Domain Controller as a KDC. The conflict is resolved.
388860 The toolbar icon for BIG-IP Edge Client now displays properly on a MacBook with a Retina display.
389258 An HTTP POST request did not complete because the related HTTP POST payload was not being released from BIG-IP system to the backend HTTP server. This happened after the eam plugin received a TMEVT_RESPONSE event followed by TMEVT_INGRESS event. Now when the eam plugin receives TMEVT_RESPONSE and TMEVT_INGRESS events successively, the BIG-IP system sends the payload to the backend server, and the backend server reacts properly with a response.
389262 A crash occurred when looking up a property name beginning with 0 (zero). Portal access rewrite no longer crashes in this case.
389412 Under high load and in deployments where users log in and log out frequently, if APM fails over multiple times, or if services are restarted on APM, APM might lose some license keys. Subsequently, APM might report an out of license error even though the max sessions are not established as per the license limit. The problem is resolved, so the out of license error no longer occurs.
389564 DNS SRV records are now redirected according to the Network Access split tunneling mask.
389617 A file descriptor leak in APD, which can result in APD consuming 100% CPU, no longer exists.
389716 If you opened an SSO Forms Client-Initiated window and your session timed out before you entered data, a blank page was displayed and remained for some time. This no longer occurs.
391514 The system now handles the condition where the DNS Relay Proxy service fails to get the list of DNS servers on a particular machine.
391517 Some icons for Citrix published applications were not rendered correctly on a webtop; the default icon was used instead of an application-specific icon. Now the icons are rendered correctly on a webtop.
392699 The TMM crash associated with this log entry: Assertion "Access pcb policy result is unknown." failed. no longer occurs.
392745 BIG-IP Edge Client customizations (for example, banner color and logo) for Chinese languages are now applied correctly.

Fixes in 11.2.0

ID Number Description
226524 Active Directory forest mode was not supported in earlier versions. Starting in this release, APM supports the cross-domain option for AD Query and AD Auth agents.
354486 Previously, a Mac Edge Client did not automatically try to reestablish a connection if the Tunnel Server (svpn) was still alive from the previous connection; instead, this status was displayed: Error: VPN disconnected. This issue has been resolved.
358874 Previously, APM did not inform the user about the Active Directory password policy at logon. We have implemented Active Directory password policy check in this release.
365344 The Linux command line client now supports PEM and PKCS12 client certificates.
367511 An AAA configuration using the LDAPS protocol did not negotiate SSL. Previously, you needed to use a layered virtual server with an SSL profile to work around this problem. You no longer need to use the workaround.
368210 In versions 11.0, an iRule that was present in version 10.2.x was replaced with a Remote Desktop profile. During upgrade from version 10.2.x to version 11.x, the configuration failed to load, displaying the error message Virtual server /Common/citrix_vs references rule _sys_APM_Citrix which does not exist. We have resolved this issue.
369151 In earlier versions, after an upgrade, configuration reload failed if duplicate resource names existed. We have resolved this issue as follows: It is no longer possible to create APM webtop links and connectivity resources with the same names.
369657 In earlier versions, help was missing for the confirmation window that was displayed when you deleted an access policy. Help now displays correctly.
369714 Previously, the Advanced Customization Editor did not work with multi-byte character sets. Now it does.
370336 Performance has been improved for creating and updating custom reports.
371046 Active Directory authentication now works with IPv6 as expected.
371577 Server-initiated connections to VPN tunnel clients frequently failed after the client's VPN tunnel dropped and reconnected on a system running in CMP mode. This issue has been resolved.
371691 APM no longer depends on reverse DNS records to resolve the fully qualified domain name (FQDN) of the domain controller. Instead, APM uses LDAP protocol to retrieve the ldapHostName attribute from domain rootDSE and uses reverse DNS only as a fallback.
371692 This version introduces native HA functionality in APM. (In addition, APM still supports HA using a layered virtual server.) Native HA works as follows: If only a domain name is specified for an AAA Active Directory server object, APM discovers a list of domain controllers (DCs) for that domain using DNS SRV request. After that, APM tries to use the DCs in the list for AD Auth (or AD Query). If AD Auth (or AD Query) fails due to a connectivity issue, APM marks that DC as unavailable for 10 minutes and tries the next one.
371854 Previously, when the rewrite plugin sent a list of application cookies to the backend server using the Cookie: header, it appended a semicolon to the value of the last cookie; this broke compliance with RFC2109. Now, the value of the last cookie does not include a trailing semicolon.
371959 Previously, a database error occurred when running a report that returned a large amount of data (over a million records). Now when you run reports, you can specify a time range or accept a default value (the most recent 8 hours). The timeout value has also been increased.
371989 Previously, when running custom reports, pagination was not enabled. For large reports, this caused the Configuration utility to be slow. This issue has been resolved.
372034 Previously, if a domain controller was specified using an IPv6 address, AD Query reported as successful without running in the access policy. This issue has been resolved. It is no longer necessary to work around this problem.
372060 Previously, the Timeout popup window in French and Spanish locales would display a JavaScript error. The error was due to extra spaces in a parameter that prevented the proper loading of subsequent pages. Pages now load correctly, and the error does not occur.
372092 Due to a known problem with cookie support in the Linux Citrix Receiver client 12.0, every request made to APM started a new session. This issue has been resolved.
372494 It is no longer necessary to use a layered virtual server to use IPv6 addresses with Active Directory or LDAP. Now, you can specify Active Directory and LDAP AAA servers using IPv6 addresses. AD Auth, AD Query, LDAP Auth, and LDAP Query now work with IPv6 addresses as expected.
373668 Previously, you could not copy an access policy if the name (including the partition) exceeded 62 characters. Now when you copy such an access policy, the name of the copy is truncated: characters in the middle of the name are removed.
373825 When you include a dot (".") in an access profile name, authentication works correctly now.
373830 The current active sessions statistic in the access profile no longer underflows, showing unreasonably large values.
373831 The current pending sessions statistic in the access profile no longer underflows, showing unreasonably large values.
374531 Previously, dynamic ACL generated an incorrect IPv4 netmask during the parsing of an ACL entry. In certain cases, the order of bits in an octet were reversed, and dynamic ACL presented an error message for a correct ACL entry. For example {allow tcp any} and {allow tcp any } are both correct ACL entries, but dynamic ACL would give an error message for the latter entry. This issue has been resolved.
374953 Previously, you could not start Citrix applications configured with custom encryption from an APM dynamic webtop. Now, APM supports custom encryption settings on a per application basis.
375263 In previous versions, if you enabled the Server-Side SSL setting for a Remote Desktop resource of the Citrix terminal type, the setting was not saved. This issue has been resolved.
375495 Previously, iSession socket connections through the BIG-IP APM system were not reused. We have added connection reuse capability, which should improve data latency.
376115 Previously, on Windows 7 clients with more than one network interface running Internet Explorer 8 in protected mode, the APM client caused memory allocation failures, resulting in an Internet Explorer crash. This issue has been resolved.
376556 Exchange support system iRule did not comply with RFC 2617 with respect to non case-sensitivity for handling the HTTP Authorization Basic header. Although it is extremely rare, a particular Exchange client might send the credential using a different case; for example, sending "basic", instead of "Basic". Previously when this happened, the system iRule failed to extract the credentials and rejected the request. This issue has been resolved.
377853 To ensure that SSO works for Active Directory whether cross-domain support is enabled or not, a new session variable is registered: . This variable contains the user domain to which the user successfully authenticated.
378362 Access policy branches that originate from macrocalls are followed correctly now.
378926 With the behavior change introduced in ACCESS hudfilter for 11.1.0 release on handling clientless-mode header, the existing iRule code did not work properly with this new functionality. Due to this, the OutlookAnywhere system iRule did not work. This issue has been resolved.
378991 Previously, a user name that contained special characters might be logged incorrectly. This issue has been resolved.
379413 ActiveSync clients were detected incorrectly as Windows NT Internet Explorer 7. It is no longer necessary to rely on properties other than client type to detect an ActiveSync client; the issue has been resolved.
380725 Previously with Windows Phone, reverse-proxy was unable recognize a Windows object. For example, when a Windows Mobile 7.x device connected to an APM full webtop and started a Portal Access favorite, the URL request was not rewritten and therefore did not take the user to APM for connection. This issue has been resolved.
380838 We have introduced a database variable to allow the administrator to disable LDAP DN/Filter escape in LDAP/AD Query agent in case the administrator wants to prepare the DN/Filter escape in advance.
381118 TMM no longer restarts with a SIGSEGV when running ACCESS::session exists iRule commands in ACCESS_SESSION_CLOSED events.
383008 The Msxml2.XMLHTTP.6.0 object was not supported in web applications. Now it is supported.
383201 Previously, WebSSO crashed when receiving a response without headers from a server. This no longer happens.
383708 Previously, VBscript (contained within a vbscript script tag or referenced externally, using the src attribute) was treated as JavaScript. Therefore, content was not patched correctly. This issue has been resolved.
385786 After integrating APM with Oracle Access Manager (OAM) so that APM acts as an OAM 10g webgate, an HTTP post request against OAM protected resources would fail. This issue has been resolved.

Fixes in 11.1.0

ID Number Description
248018, 354427 Now, multiple Network Access resources can be assigned to a user session at one time, and displayed on the dynamic webtop. A user can only start one Network Access session, however.
307017 Network Access tunnels running on Mac now use the client system's proxy settings.
350161 Upon exit, protected workspace now attempts to clean up the system paging file and RAM to prevent information leaks.
353010 APM session cookies now support the HttpOnly attribute for certain security settings. This attribute is supported in LTM+APM mode, and cannot be used with client-side endpoint checks.
355549 Previously the SSO credential mapping agent added unnecessary braces { } around the expression. Now these braces are not added.
360374 Mac OS X 10.7 is now supported for Network Access connections.
360442 Network Access now supports two-factor authentication with Windows Logon Integration. This feature added two options for the Network Access client: Enable Full Pre-logon Sequence and Reuse Winlogon Session.
363034 The Z parameter in the /myvpn request on iOS, Mac and Linux clients previously required a special iRule. Now the Z parameter is supported without an iRule.
363724 Previously in access policies, the logging agent had to be configured explicitly with "session.client.unique_id. Now, the logging agent "session.client.*" can be configured with the wildcard asterisk, to allow logging of all UUIDs.
364684 An issue with logout URIs building up on the system was fixed.
364853 The webtop-type last is no longer listed as a supported option in the command line interface.
364936 Previously, in some circumstances the Logon Page action could not be customized in the Visual Policy Editor. This is now fixed.
365096 ACCESS_POLICY_AGENT_EVENT now probperly starts in clientless mode.
365175 Import of access policies that include objects that were created in the non-common partition now succeeds.
365347 After the BIG-IP box restarted, in some circumstances, users could not establish new sessions and received TCP RST messages. In /var/log/apm, the following error appeared: Access policy configuration version: configuration-id in use by user session was not found. This issue is now fixed.
365349 Previously, if an app tunnel was configured with multiple addresses to the same destination but different ports, and the DNS Relay Proxy was not enabled, only the first address/port combination would be reachable. This was corrected by enabling the DNS Relay automatically.
365597 Previously, custom reports with a very large database could consume up to 40% of the CPU. This issue has been fixed.
365662 In the Customization tool preview page, macro ending page nodes, which cannot be previewed, have been removed from the preview tree nodes.
365882 The Installer control setup file that controls all installable components was previously unsigned and caused warning messages on some systems. The setup file is now signed by F5.
365948 In a protected workspace session, if a webtop was configured with the Minimize to tray option enabled, the webtop was correctly minimized to the system tray, but if the user restored it from the system tray by double clicking, the protected workspace session closed. This has been fixed.
366190 Access policy inactivity timeouts sometimes failed in a previous version, when the Cache and Session Control action was enabled. Access policy inactivity timeouts now work properly.
367070 When an access policy manager session was stopped by the system administrator or expired, the Citrix Receiver attempted to reconnect until the window was closed by the user. This has been fixed.
367512 The administrator is no longer prompted to select the SSL server profile when configuring an LDAP server in direct mode.
367726 Citrix applications can now be started from the dynamic webtop on Internet Explorer 9.
367850 Previously, the Network Access status window remained active after a session was terminated by the administrator, or expired due to timeout. This has been fixed.
368488 All roles above operator can now manage sessions.
369248 The network access web client now supports proxy autoconfig (PAC) scripts located on HTTP or HTTPS servers, in addition to locally stored PAC files.
369407 In a previous release, access policies created using the Access Policy Manager wizards did not allow the choice of the dynamic webtop, and labeled the Full Resource Assign action incorrectly. These issues have been fixed.

Fixes in 11.0.0

The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL12729: Overview of BIG-IP version 10.2.1 HF1, SOL12778: Overview of BIG-IP version 10.2.1 HF2, and SOL12816: Overview of BIG-IP version 10.2.1 HF3.

ID Number Description
225512 Previously, Access Policy Manager clients that started network access tunnels that ended up on different Traffic Management Microkernels (TMMs) could not communicate. Now, such clients can communicate.
225870 Previously, a rare condition could cause a crash in the system when APM tried to connect or reconnect a network access tunnel. We have corrected this.
226423 Previously, Access Policy Manager's active sessions graph erroneously reported a maximum value when active sessions existed and a failover event occurred. Now, this issue no longer occurs.
336284 Previously, network access tunnels on a system that failed over could not restart after the failover because the lease pool was not created. Now the lease pool is created and network access tunnels fail over correctly.
339171 Previously, when an administrator created a AAA server with the web interface, some legal characters could not be used in the AAA server name. Now the name field accepts all legal characters.
339951 Previously, Access Policy Manager HTTP 404 Not Found errors could not be configured. Now, the message for these errors is configurable as part of the logout group.
341377 The following new iRule commands have been introduced to allow the use of multiple SSO profiles and make them selectable based on user-defined criteria:
  • WEBSSO::enable
  • WEBSSO::disable
  • WEBSSO::select sso_profile_name
You can use these iRule commands in the following event contexts: ACCESS_ACL_ALLOWED, HTTP_REQUEST, HTTP_REQUEST_DATA. More information is available on F5 DevCentral.
344713 Previously, WebSSO crashed when the HTTP header dictionary was invalidated and refreshed. Now this no longer occurs.
346047 Previously, the documentation for portal access described a patching method (No patching) that is no longer supported. The patching method is no longer described.
347568 In portal access, JavaScript rewriting has been enhanced to better handle SVG elements.
348742 Previously, the Client OS action in Access Policy Manager did not support Microsoft Internet Explorer 9. The Client OS action now supports clients identifying themselves as Internet Explorer 9.
349490 Previously, when you configured an access policy using HTTP form-based authentication, the username and password were sent to the authentication server in POST variables, even if a username and password were not specified in the server configuration, resulting in authentication failures. Now the username and password are sent only when specified.
351757 In a previous release, when the admin configured client power management settings in Network Access network properties, those power management settings were ignored by Windows Vista and Windows 7 clients. Now, Windows Vista and Windows 7 clients use the Network Access power management settings.
351895 Previously, when you created multiple Active Directory AAA servers, or changed the realm on multiple Active Directory server, several default_realm entries were erroneously added to the /etc/krb5.conf configuration file, causing authentication errors. Now, only one default_realm entry is added to the configuration file.
354748 Previously, when you configured portal access for a backend server with the same host name as the Access Policy Manager virtual server, portal access failed to rewrite some links. Now, portal access rewrites links correctly when the backend web server has the same host name as the virtual server.
358873 Previously, when a Portal Access connection was made to an SAP Netweaver backend server, some JavaScript Function() calls were not correctly handled, resulting in errors on the client. Now, NetWeaver JavaScript functions are handled correctly by Portal Access.
359330 Previously, when you configured an Access Policy Manager LTM Access connection with at least one pool member, and source IP persistence or persistent cookies enabled, some connection errors occurred with certain web servers. Now, this configuration works correctly.
359530 Previously, when a user accessed a SharePoint 2007 site through portal access, the rewrite engine used the wrong parser to patch some URLs incorrectly, causing connection errors and failures. Now, the rewrite engine for SharePoint 2007 sites uses the correct parser.
365107 Previously, when the Access Policy Manager received an HTTP 100 continue response from a backend server, the system could fail or experience instability. The system no longer fails or becomes unstable in this scenario.

Behavior changes in 11.2.0

ID Number Description
371693 Previously, if a domain controller was not specified for an AAA Active Directory server object, Access Policy Manager (APM) discovered domain controllers using the DNS AAAA/A request. Now, APM discovers domain controllers using the DNS SRV request.
379363 To fully support cross-domain AD Query, as well as AD Auth, a change was needed. Previously, APM used the sAMAccountName filter to search for users. APM now uses (userPrincipalName=username) in the following two cases:
  • When the cross-domain option is enabled.
  • When the cross-domain option is disabled, but the user's logon name contains '@' or '\' characters.


Session ID rotation has been implemented, and starting from 11.2.0, it is on by default. This breaks compatibility with earlier Edge client and plugin versions. For example, when APM is configured for session ID rotation, an 11.1.0 Edge client is not allowed to log in to Access Policy Manager (APM) verson 11.2.x. The expected behavior in this case is for APM to present the login page to the Edge client after each login attempt. To disable session ID rotation per-box, you can use the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable

Known issues

This release contains the following known issues.

ID Number Description
223583 Inside Protected Workspace (PWS) on Windows Vista, a user can create folders only in some locations using the context menu; that is, only a Folder item appears on the New menu. However, a user can create standard type files using the context menu directly on the desktop and in the user's home folder.
223712 During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the logon request fails.
224145 On rare occasions, the Visual Policy Editor can return a non-specific failure when attempting to create new items. The failure is transient; the request invariably succeeds on retry.
225705 UDP applications that use fixed port numbers do not work over APM Network Access tunnels due to the port number being changed.

To work around this issue, create a layered virtual server that will catch application traffic and apply the Preserve Strict option to the Source Port.

337178 When HTTPS proxy is configured on a Windows client, neither BIG-IP Edge Client nor APM client can use DTLS with Network Access. After some delay, the client automatically switches (falls back) to Network Access over TLS connection through HTTPS proxy.
337757 A user cannot use the NAS-IP as the source IP of the RADIUS Authentication request client.

To work around this issue, create a layered forwarding-IP virtual server with the same IP/port as the AAA server, and add a SNAT pool created with the IP address that must be used as a source IP of RADIUS/SecurID packets. You can do this either with the Configuration utility, or using tmsh commands.

  1. Create a AAA RADIUS server, named qastressaaa in this example, and set Server Connection to Direct. In the Configuration utility, on the Main tab select Access Policy > AAA Servers. Create the server using these tmsh commands:

    apm aaa radius qastressaaa {
                  mode auth
                  pool qastressaaa-pool
                  secret gQ\\lkXD6_4_5/US\?K\?Gcd5598dQWbU>K*:\\cHCH5jf:COUE
                  use-pool disabled

    Use this server in your access policy.
  2. Create a SNAT pool, named nas_ip_snat_pool in this example, with the nas-ip-address that was specified in step 1. In the Configuration utility, on the Main tab select Local Traffic > SNATs > SNAT Pool List. Create the SNAT Pool using these tmsh commands: ltm snatpool nas_ip_snat_pool { members { } }
  3. Create a UDP layered virtual server of the forwarding (IP) type with the SNAT pool created in step 2. ltm virtual Radius_layered { destination ip-forward ip-protocol udp mask profiles { fastL4 { } } snatpool floating_ip_snat_pool translate-address disabled translate-port disabled } In this configuration, the RADIUS Server IP is The NAS IP, which is, is also used to create the SNAT pool.
339865 Microsoft SharePoint 2007 with Office Integration does not work in LTM + APM mode when Protected Workspace is used in an access policy. When you try to open a Microsoft Office document, an alert about a wrong URL is displayed.
340344 Currently, you cannot specify the source IP address of the packet when you set up AAA server definitions. To work around this issue, you must create a layered forwarding-IP virtual server with the same IP address and port number as the AAA server. Use these steps:
  1. Create a SNAT pool with the IP address that you want to use as the source IP address. (On the Main tab, click Local Traffic > SNATS > SNAT Pool List.)
  2. Create a UDP layered virtual of Forwarding (IP) type with the SNAT Pool that you just created.
  3. Disable ARP for the layered virtual IP.
340541 When you open a Microsoft Office document in Windows XP with Office 2010 over a portal access connection to SharePoint, and you attempt to save the document using the Save As command, the document is saved but an error message appears stating that the document could not be saved. You can safely ignore this message.
340549 The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. However, forwarding HTTP requests through the HTTP proxy does work correctly.

To work around this problem, create a layered virtual server to catch HTTPS traffic leaving APM and forward it to a HTTPS proxy server using CONNECT. Proxy authentication is not implemented, and if response status from HTTPS proxy server is not 200, then use an iRule to close the connection.

342035 SIP client cannot communicate with SIP server when connecting over Network Access tunnel. SIP protocol uses fixed UDP ports, and communication fails because Network Access tunnel translates the source port of the connection.

To work around this problem, configure a layered virtual server using the SIP UDP port and set the Source Port setting to Preserve Strict.

343280 When using portal access in Safari 5.X, sometimes web pages do not load properly. A bug in Safari 5.X leads to accidental loss of all HTMLElement.prototype changes when setting HTMLElement.prototype properties in a window and accessing window.frameElement from any of its frames. (The problem also occurs in other less-defined cases.)
347100 Every time the Hometab loads, a message displays, such as: This Page contains both secure and nonsecure items. Do you want to continue? To work around this problem, disable the Hometab.
348307 When comparing and validating authentication results, additional log messages for troubleshooting should be added to the HTTP form-based authentication agent.
348839 Oracle Access Manager Access SDK (OAM ASDK) logging level might not be updated automatically corresponding to the BIG-IP system SSO logging level (that is, log.sso.level).
Note: You need to set OAM ASDK logging level only when an administrator wants to collect the log messages that are directly reported by OAM ASDK library at run time. These log messages are different from the log messages reported by the BIG-IP system and APM processes.
To work around the problem, perform these steps:
  1. Manually update the /oblix/config/oblog_config.xml file to set the desired OAM ASDK logging level.
  2. Restart the EAM plugin service using this command: bigstart restart eam
351360 When assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client might go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains, and try to access the same IP address on the internal network using the same TCP/IP protocol.

To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles.

352542 The configuration inside of an ACL entry does not support session variables.
352865 Firefox 4 beta crashes or displays a warning, such as Unresponsive script for cache-fm.js. This happens after you navigate to a web application through reverse proxy from a Windows client and then log in.
354360 Sometimes a Mac Edge Client displays a Bad URL error after you click the Connect button. This error might repeat a few times before you successfully connect. To avoid this, click the Disconnect button and then the Connect button again.
354406 When a virtual server is configured to use a SNAT pool for doing source NAT of the traffic between the virtual and backend servers, if one of the IP addresses used in the SNAT pool is self-IP, the access policy does not work for the virtual server.
354628 When using portal access to access OWA using NTLM authentication without SSO configured, the upload of a large attachment to attach to an email message can stop and be followed by a 401 response from the server.
355490 TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. However, sometimes when the reply from the TACACS+ server is processed, APM logs the message Invalid reply error message. This error message does not indicate any failure in sending the accounting STOP message to the TACACS+ server, so you can ignore it as the accounting functionality is working.
355981 APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported.
356419 On Linux, PPP routes might be lost if network access is configured with the Allow Local Subnet option enabled. This behavior is very rare.

To work around the problem, disconnect from the server using the f5fpc -o command, and then reconnect to the server.

356562 Custom reports are lost after upgrade. To work around this issue, export custom reports before you upgrade, and then import them after you upgrade.
356766 Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot.
359639 Some long captions for resources can be longer than the bounding box in Firefox 7. This problem does not affect the workflow.
360141 Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin UI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration.
360734 When previewing pages, the Preview pane does not automatically refresh when the language is switched. To cause the page to refresh in the new language, click an item in the Preview tree pane
360742 When the logon page is customized in visual policy editor in multiple languages, the images appear broken. To work around the problem, customize the logon page using localization customization. (On the Main tab of the Configuration utility, select Access Policy > Customization.)
360889 For ACLs that are generated from a portal access resource, port 0 (zero) matches against port 80 (when the scheme is HTTP) and against port 443 (when the scheme is HTTPS). For ACLs otherwise, port 0 matches against any port.
362200 When customizing messages, you cannot use special characters, such as ", &, <, and '.
362325 Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using Save as. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010.
362351 Branch names cannot start with the word fallback in the visual policy editor.
363188 Using a space in an alias for a virtual server can cause unexpected results when you use tmsh to add or update a connectivity profile. No spaces are allowed in aliases for virtual server.
363227 In Access Policy Manager customization, common partition objects are not made read-only for managers of a partition.
364030 The Hometab disappears for Domino Web Access (DWA) 8.5 through reverse proxy.
364061 On a Linux client, the network access Show log file link does not display the log file unless gedit is installed. To work around this problem, install gedit on the Linux client.
364257 When using Microsoft Communicator through reverse proxy, an error occurs when you click Home on the Hometab in the Conversation window. The error differs depending on the browser:
  • Internet Explorer displays access denied in a popup window.
  • FireFox displays F5_HT_SP is not defined in the error console.
365014 If you upgrade from APM version 10.2.x to version 11.2.x, you might run into this error:

012e0008:3: The requested command (connectivity resource) is invalid

To prevent the error, perform these steps.
  1. Switchboot back to version 10.2.x.
  2. Use text editor vi or vim to open the /config/bigpipe/bigip.conf file.
  3. Look for the pattern connectivity resource at the beginning of a line.
  4. Within the scope of connectivity resource, look for the line with pattern patching type and remove the line.
  5. Save the file and exit the vi or vim editor.
  6. Run bigpipe load to make sure that there is no error.
  7. Redo the software upgrade.
365583 and 366420 An IPv6 only network access configuration is not supported. The supported IP versions are IPv4 and IPv4&IPv6.
365646 When a blade goes down while sessions are running in an Access Policy Manager process on that blade, a later session that accesses the session database can lead to a failure.
365786 Multiple Webgate instances on a single BIG-IP system against Oracle Access Manager (OAM) 11g server is not supported; host identifier information is required for support. OAM ASDK cannot fetch the host identifier information from the OAM 11g server; this is a known issue at Oracle support (SR 3-3909003061).
366001 If you have performed any advanced customization, you must upgrade the files manually when upgrading from version 10.2 to version 11.x.
367434 Changing Active Directory password over IPv6 is not supported.
367621 Access Policy Manager (APM) does not support IPv6 for communicating with the OCSP responder. Configuring the OCSP URL with an IPv6 address or a host name that resolves to an IPv6 address does not work. Access Policy Manager uses OpenSSL BIO APIs to connect to the OCSP responder, and these calls do not support IPv6.
369780 When you use the client to access SharePoint 2010 and upload multiple files (Library Tools > Documents > Upload Document > Upload Multiple Documents), the Upload Multiple Documents dialog box does not close automatically after upload. This happens when using a combination of:
  • Windows 7 or Windows XP SP3
  • Internet Explorer 8 or Internet Explorer 9
  • Microsoft Office 2007
To work around this problem, close the dialog box and, to see the uploaded documents, refresh the mail page.
369815 Active Directory authentication module creates incorrect log messages if Kerberos Key Distribution Center (KDC) is not accessible. The messages do not contain a user name.
369887 On a Mac when Japanese language is selected during client component installation, you might see the following problems:
  • Symbols that look like gibberish
  • Strange characters, such as amp;nbsp; (observed on Firefox)
To work around the gibberish symbols, change the default language to English during the installation, then switch back to Japanese and enforce UTF-8 on browser level. To work around the problem of strange characters, on the Main tab, you can select Access Policy > Customization and select the Localization tab. Then select Access profiles > Framework installation and change the text for the desired installation option.
371015 On chassis platforms in some scenarios, more than one value is displayed in the Local Time column of the All Sessions report.
371467 Users cannot log in if the HA Active node primary blade is rebooted. This occurs only on chassis systems or vCMP guests in HA/Failover configuration when the chassis systems or vCMP guests are configured to run on more than one blade.
Note: In such a High Availability setup, for the settings Minimum blades up enabled and Minimum blades up ensure that you set the numbers equal to the total number of blades in the chassis.
371747 When a report has a large number of rows and you click Export to CSV File, the Admin user interface might become unavailable.

To work around the problem, create and export reports that contain fewer rows. Define a custom report with the required fields and report constraints. When you run the report, specify the time constraints appropriately. After the report is displayed, click Export to CSV File.

371763 If Application Access Resource type RDP is created with a host name and a DNS server is not configured, the resource is not assigned to a user session and is not be displayed on full webtop.

To work around this problem, configure a DNS server on the BIG-IP system (System > Configuration > Device > DNS) and make sure that the DNS server is up and running.

371887 Localization changes in one language are applied to all languages when using Access Policy Customization. The problem occurs when the Apply to all Locales check box is selected on the Branding tab. This setting should not affect the Localization tab, but appears to impact it.

To work around this issue, clear the Apply to all Locales check box on the Branding tab before making localization changes.

372114 On a chassis-based system after upgrade and first reboot if APM is configured, very rarely end users might be unable to log in to the virtual server. An access denied screen displays the following message:

Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration.

To recover from this error, restart the primary blade. From the Configuration utility, select System > Configuration and select the Reboot Blade option.
374781 When upgrading from version 10.2.x to 11.x with an OAM configuration, the upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.
376615 User name and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a result, logon fails. The problem happens for these clients: iOS, Android, Windows Mobile, and Linux command line.

To work around this problem, configure the access policy so that the Logon page agent is before the On-Demand Cert Agent.

376890 The "Discover" function in Enterprise Manager 2.2 does not work through a default APM portal rewrite configuration.
378084 In some cases, the upgrade script does not fix a 10.x configuration to correctly load on the 11.x system (see step 5). Configuration rolls forward then fails. If this happens, you need to manually edit the 10.x configuration files before loading them onto an 11.x system. To work around this issue:
  1. Save the 10.x configuration into a UCS file using this command: bigpipe config save 10.x.UCS
  2. Disable the configuration roll forward: bigpipe db LiveInstall.SaveConfig disable
  3. Upgrade to 11.x without rolling the configuration forward automatically. (Be sure that you saved the configuration into a UCS file).
  4. After a clean upgrade, install the UCS file: tmsh load sys ucs 10.x.UCS
  5. Edit the /config/bigip/bigip*.conf file and fix the configuration by resolving these errors:
    1. 01071346:3: In AAA HTTP server (/Common/WebSSO-INT-HTTPS), Using Http auth agent against SSL backend is not allowed, please, create a layered virtual server with server SSL profile.

      This error indicates a form action that contains HTTPS URL is not allowed. Update the configuration to include an HTTP form action that points to a layered virtual server with server SSL enabled.

    2. 01071410:3: The Portal Access resource item in the resource '/Common/WebApp_GRC-CSP' - Invalid hostname: Hostname can only contain characters [a-zA-Z0-9-._?*] --&gt; in Hosts section, does not support http://. Host name validation has been modified to disallow these characters in the portal access resource item name.

      Update the portal access resource item name to include only the allowed characters and make sure to use the new name in other references in the bigip.conf file.

    3. 01070734:3: Configuration error: Virtual Server (/Common/VS_Mutualise1) has profile rewrite attached without connectivity profile.

      You must add a connectivity profile to the virtual server settings.

  6. After you finish fixing the errors in the bigip*.conf file, load the configuration by typing these commands:

    /usr/libexec/bigpipe daol

    tmsh save sys config partitions all

    tmsh load sys config partitions all

378524 The following problem occurs with Google Chrome support on Windows and Linux machines for the Citrix Web Interface 5.4 application in full webtop. If you open a full webtop and click an application icon on it, nothing happens.
380302 When Access Policy Manager is provisioned, EPSEC, EPSEC/Images and EPSEC/Status folders are created for use with OPSWAT library sync features. These folders are intended for internal use only and are not intended for use to hold any user-created objects. Please do not create any objects in these folders.
381488 When a proprietary application reports an HTTP user-agent string that APM does not recognize, APM treats it as a Windows-based application by default.
381490 Android Citrix Receiver does not support RSA New PIN mode if APM is configured for Session ID Rotation. Session ID Rotation can be turned off per-box with the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable
382390 OCSP authentication support for the Machine Cert agent does not work.
383332 When an administrator makes changes in Advanced Customization mode and switches to Properties Customization mode, the changes are lost.
383341 When using form-based client-initiated Single Sign-On (SSO) with web applications that return chunked content, the chunking might not be removed when the modified logon page is returned to the client browser. Usually, this is harmless and does not break SSO. In rare cases, chunking occurs in the middle of HTML tags. If this occurs and SSO breaks, you should apply one of the following workarounds.
  • Create this iRule and attach it to the virtual server:

    when HTTP_RESPONSE { if [HTTP::header exists "Transfer-encoding"] { HTTP::payload rechunk } }
  • Alternatively, create this HTTP profile and attach it to the virtual server:

    ltm profile http http-rechunk { app-service none defaults-from http response-chunking rechunk }
383351 APM licensed for Virtual Edition (VE) running on Microsoft Hyper-V includes configuration options that are not valid. The Network Access Compression settings and Application Tunnel Compression settings should not be available and should not be used.
383355 In rare cases, when used with APM form-based authentication, client-initiated Single Sign-On (SSO), web applications display JavaScript errors in the browser, such as: Can't move focus to the control because it is invisible, not enabled, or of a type that does not accept the focus. This only happens when using Internet Explorer 8 or earlier. The error is generated because logon page content is forced to not be displayed during the SSO process, and the web application tries to set focus on one of the logon fields.

To work around this problem, disable the Display a notification about every script error option in Internet Explorer 7 and 8. To find the option and verify that it is disabled, select Tools > Internet Options > Advanced > Browsing.

383464 In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian.
383605 The following information is missing from the Logging and Reporting chapter of Configuration Guide for BIG-IP Access Policy Manager.

When running performance tests or under very high traffic loads, the /var/log/apm log file can grow to a very large size. Under these conditions, it is advised to disable logging to /var/log/apm/.

To disable logging to /var/log/apm/, use this command: tmsh modify sys db log.access.syslog value disable Alternatively, you can set the log level to emergency only by using this command: tmsh modify sys db log.accesscontrol.level value emergency

383607 Network Access: After a client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4-7 minutes.
384020 Leasepool members created using the Configuration utility cannot be edited or deleted from the command line. However, leasepool members created from the command line can be edited and deleted with either the command line or the Configuration utility.
To work around this problem, use the Configuration utility to create and edit leasepool members. However, if you must edit or delete leasepool members with the command line, then edit the member list using these options:
  • Use members replace-all-with to insert a new list of members.
  • Use members none to delete the member list, then use members add to add a new list of members.
384115 Provisioning a VIPRION from vCMP to LTM + APM might bring down all blades. To prevent this problem:
  1. Remove the application volume for modules that use the disk, such as APM. (Do not provision APM yet.)
  2. When you are done with vCMP, unprovision vCMP and delete its volume. (To delete the vCMP volume, you can use the following tmsh command: tmsh delete sys disk application-volume vcmp volume)
  3. Provision APM.
384280 When you select an EPSEC package from the Antivirus Check Updates list and click Delete, a confirmation dialog box displays. If you try to close the confirmation dialog box by clicking the close icon, (X), the user interface displays a message that prevents you from doing further editing or work.

To avoid the problem, click No to close the dialog box instead of clicking X.

384405 With Access Policy Manager Portal Access, if you add a web-acceleration profile to the local traffic virtual server, it does not take effect until the you go to the command line and type: bigstart restart tmm. The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content.
384479 When you configure a virtual server for Oracle Access Manager integration (by selecting the OAM Support option), the option to select a specific AccessGate does not apply to OAM 10g environments.
384959 Documentation is missing for these new Active Directory features.
  • Active Directory password policy check is not documented in Configuration Guide for BIG-IP Access Policy Manager. The following information is missing:

    You can enable an Active Directory password policy check when you configure an AD Auth or AD Query agent in an access policy using the visual policy editor. (Select Enable for the Complexity check for password reset setting.) APM supports the following Active Directory password policies: Maximum password age, Minimum password age, Minimum password length, and Password must meet complexity requirements. APM must retrieve all related password policies from the domain to make the appropriate checks on the new password.

    Because this option might require administrative privileges, you should specify the administrator name and password on the AAA Active Directory server configuration page. Note that this option increases overall authentication traffic significantly because APM must retrieve password policies using LDAP protocol and must retrieve user information during the authentication process to properly check the new password.

  • New options for AD Auth and AD Query agents are not documented in the visual policy editor online help. Information is missing for these options:

    Max Password Reset Attempts Allowed.  This option specifies the number of times that APM allows the user to try to change password.

    Complexity check for Password Reset.  This option controls whether APM performs a password policy check.

385039 You are unable to delete an access policy with customized App Tunnel and Remote Desktop resources due to this error: 01071349:3: File object by name (/Common/for_big_logs-cgimg_0001.png) is in use. To work around this problem:
  1. Delete the access profile without selecting images for deletion.
  2. Delete the images from Image library.
385518 Some untranslated strings exist in APM. You can find them on these screens and in these error messages.
  • From the Main tab, under Access Policy:

    Logout Access not found page reject message

    Access not found page title

  • Error messages:

    AAA errors

    AD domain password reset error on minimum password age

    AD domain password reset error: new password does not meet complexity requirements

    AD domain password reset error: password has been used recently

    All OAM errors

To work around this problem, translate the strings using APM Customization.

386277 Visual policy editor can time out when you edit some complex policies, possibly those that assign many resources. The workaround is to change the max_execution_time in php.ini to a higher value. The default is 30. Changing it to 120 seems to work.
To perform the workaround, take these steps:
  1. Mount /usr as read-write by typing this at the command line: mount -o remount,rw /usr
  2. Edit the /usr/local/lib/php.ini file, looking for max_execution_time and changing the value to 120 (should be 30).
  3. Type this at the command line: bigstart restart httpd
  4. Put /usr back into the original state by typing this at the command line: mount -o remount,ro /usr
387566 When Java patching is disabled, any applets that are served through APM are placed into ramcache. Subsequently, if you enable Java patching, it might not appear to take effect until you clear ramcache. To work around this problem, make sure that Java patching is disabled before you start testing it and ask the administrator to clear ramcache on APM.
386661 Custom reports do not show any data when you search by a user name that contains \, such as domain\username.

To work around the problem, escape the '\' character with a second '\' character. For example, to search for 'domain\username', specify 'domain\\username'.

387688 Some unnecessary configuration steps are included in the BIG-IP Access Policy Manager: Citrix Integration Guide in these chapters:
  • Integrating with a Citrix Web Interface Site
  • Integrating with Citrix Servers Behind a Firewall
Note: No serious consequences result if you perform the unnecessary configuration steps.
You do not need to perform the task, Creating an SSO configuration for a Citrix Web Interface site. Additionally, when you create an access policy (as documented in Creating an access policy for Citrix Web Interface SSO), you do not need to add the SSO configuration to the access profile that is required as a prerequisite. (You must still create an access profile with default settings, however.)
392974 An APM virtual server occasionally rejects a request to a renderer with reset cause "TCP 3WHS rejected". This happens when the TCP profile has an idle timeout value larger than 300 seconds.

To work around the problem, apply this iRule:

when SERVER_CONNECTED { if { ([TCP::remote_port] == 8080) && ([IP::addr [IP::remote_addr] equals]) } { # log local0. "renderer [IP::remote_addr]:[TCP::remote_port] connected" IP::idle_timeout 250 } }
421648 The online help and Configuration Guide for BIG-IP Access Policy Manager state the session variable names for the Machine Info action incorrectly, as session.machine_info.<attribute>. The correct session variable names are session.windows_machine_info.<attribute>.
477841 On OS X 10.10 systems, Safari 8 does not use Network Access proxy settings that are applied to the system. A user can launch Network Access proxies on other browsers, excluding Safari 8.
483113 On OS X 10.10 systems, when a user displays a list of servers, white squares appear next to each server name in the list. The Remove Server icon that displays to the right of each server name also displays a white background.
480247 On OS X 10.10 systems, Edge Client sometimes creates a config.f5c file in the Edge Client application folder that causes the user to see an error.
483107 On OS X 10.10 systems, the Edge Client icon is highlighted if the user taps the icon. The highlight does not disappear until the user exits Edge Client.
477843 On OS X 10.10 systems, Edge Client displays the throughput as black text on the black menu bar. A user finds it difficult to read the text.
483379 On OS X 10.10 systems, tapping on the F5 menu icon causes high CPU consumption.
479242 On OS X 10.10 systems, Network Access does not work with modes such as Split Tunneling or Force all traffic. After a connection is established, the connection routes are not set to a MAC address route table.
480595 On OS X 10.10 systems, when a user taps Calender > New Event, the New Event page displays an empty page.
480592 On OS X 10.10 systems, the Send button on the New Message menu does not work.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to from the email address you are using to subscribe. Unsubscribe by sending a blank email to

Legal notices