Release Notes : BIG-IP APM 11.5.2

Applies To: BIG-IP APM 11.5.2
Original Publication Date: 07/20/2016 Updated Date: 04/18/2019

Summary:

This release note documents the version 11.5.2 release of BIG-IP Access Policy Manager (APM).

Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 D110
BIG-IP 12250v D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4200, B4200N Blade A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION B4450 Blade A114
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blade in the 4400 (J100)/4480 (J102) and the 4800 (S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16 - 3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Module combination support on the 3900

Note: The GTM+APM module combination is not supported on the 3900 product platform.

Although SOL10288 states that all modules are supported on all platforms as of BIG-IP version 11.4.0, this does not mean that all possible module combinations are allowed on every platform (especially legacy platforms).

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

APM client browser support

For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.5.2 Documentation page.

Documentation changes in 11.5.0

In the 11.5.0 release, some manuals were consolidated to improve searchability, and the Configuration Guide for BIG-IP Access Policy Manager was replaced by two new manuals.

Table 1. Document consolidation and replacement

11.4.x document: Configuration Guide for BIG-IP Access Policy Manager
11.5.x documents:
  • BIG-IP Access Policy Manager: Implementations
  • BIG-IP Access Policy Manager: Visual Policy Editor

11.4.x documents:
  • BIG-IP Access Policy Manager: Single Sign-On Configuration
  • BIG-IP Access Policy Manager: Authentication Configuration Guide
  • BIG-IP Access Policy Manager: SAML Configuration
11.5.x document: BIG-IP Access Policy Manager: Authentication and SSO

11.4.x documents:
  • BIG-IP Access Policy Manager: Hosted Content Implementations
  • BIG-IP Access Policy Manager: Managing OPSWAT Libraries
  • BIG-IP Access Policy Manager: Syncing Access Policies
11.5.x document: BIG-IP Access Policy Manager: Implementations

11.4.x documents:
  • BIG-IP Access Policy Manager: VMware Horizon View Integration Implementations
  • BIG-IP Access Policy Manager: Citrix Integration
  • BIG-IP Access Policy Manager: OAM Integration Guide
11.5.x document: BIG-IP Access Policy Manager: Third Party Implementations

11.4.x document: BIG-IP Access Policy Manager OPSWAT software integration support charts
11.5.x document: None. The information is now available by clicking a link on the Welcome page of the BIG-IP Configuration Utility.

Evaluation support

If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.

New in 11.5.2

In this release, there are no new APM features.

New in 11.5.1

In this release, there are no new APM features.

New in 11.5.0

In this release, APM supports the following new features and enhancements.

Secure Web Gateway

BIG-IP Access Policy Manager implements a Secure Web Gateway (SWG) by adding access control, based on URL categorization, to forward proxy. The access profile supports both transparent and explicit forward proxy modes. The access policy includes support for using a captive portal to collect credentials for transparent forward proxy mode and HTTP 407-based credential capture for explicit forward proxy mode. In addition to user identification by credentials, SWG provides the option to identify users transparently, providing access based on best effort identification. SWG also supports SSL traffic inspection. The benefits that SWG provides include:

  • URL filtering capability for outbound web traffic.
  • Identifying malicious content and providing the means to block it.
  • Applying web application controls for application types, such as social networking and Internet communication in corporate environments.
  • Monitoring and gating outbound traffic to maximize productivity and meet business needs.
  • User identification or authentication (or both) tied to monitoring, and access control compliance and accountability.
  • Visibility into SSL traffic.
Note: Secure Web Gateway is not supported on BIG-IP 1600 and 3600 platforms. SWG requires more memory than is available with those platforms.

Active Directory authentication enhancements

APM supports route domain and password reset for Active Directory.

Active Directory and LDAP group resource assignment enhancements

You can now import groups from AAA Active Directory and LDAP servers for use in group resource assignment.

Maximized Enterprise Application Delivery Value

To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.
Good: Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
Better: Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
Best: Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
You can learn more about these new software bundles from your F5 Networks Sales Representative.

Supported high availability configuration for Access Policy Manager

Access Policy Manager is supported in an Active/Standby configuration with 2 BIG-IP systems only.
Note: Access Policy Manager is not supported in an Active-Active or an N+M configuration.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method: Install to an existing volume and migrate the source configuration to the destination
Command: tmsh install sys software image [image name] volume [volume name]

Installation method: Install from the browser-based Configuration utility
Command: Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Versions later than 10.x do not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS: Implementations, in the chapters Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading from earlier versions of APM

When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.

NTLM Auth Configuration

In 11.5.2, the DC FQDN list for an NTLM Auth Configuration is mandatory. Before you upgrade to 11.5.2, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, add a dc-fqdn-list { <fqdn> } line to each NTLM Auth Configuration that lacks one, as shown in this example:

apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { site12-production.mynet.com }
    machine-account-name mdc1
    partition Common
    service-id 2
}
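As an added pre-upgrade check, not part of F5's release notes or tooling, this POSIX shell script parses the output of tmsh list apm ntlm ntlm-auth (assumed to print one brace-delimited block per configuration in the format shown above) and reports every NTLM Auth Configuration whose dc-fqdn-list is absent, set to none, or empty, which is exactly the condition that blocks the 11.5.2 upgrade. The embedded tmsh output is constructed sample data; on a BIG-IP system, pipe the live command output into ntlm_precheck instead.

```shell
#!/bin/sh
# Added example: pre-upgrade check for NTLM Auth Configurations with no DC FQDN.
# Assumption: input is the output of `tmsh list apm ntlm ntlm-auth`, one
# brace-delimited block per configuration, keys indented one per line.

# Constructed sample output (not captured from a real system): one valid config,
# one with dc-fqdn-list set to none, one with an empty list, one missing the key.
SAMPLE_TMSH_OUTPUT='apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { site12-production.mynet.com dc02.mynet.com }
    machine-account-name mdc1
    partition Common
    service-id 2
}
apm ntlm ntlm-auth ntlm_none {
    app-service none
    dc-fqdn-list none
    machine-account-name mdc2
    partition Common
    service-id 3
}
apm ntlm ntlm-auth ntlm_empty {
    app-service none
    dc-fqdn-list { }
    machine-account-name mdc3
    partition Common
    service-id 4
}
apm ntlm ntlm-auth ntlm_missing {
    app-service none
    machine-account-name mdc4
    partition Common
    service-id 5
}'

# Read tmsh output on stdin; print "<config-name> <fqdn-count>" per configuration.
ntlm_dc_counts() {
    awk '
        /^apm ntlm ntlm-auth / { name = $4; count = 0; in_block = 1; next }
        in_block && /^[[:space:]]*dc-fqdn-list/ {
            line = $0
            # Drop the key; what remains is "none" or a brace-wrapped FQDN list.
            sub(/^[[:space:]]*dc-fqdn-list[[:space:]]*/, "", line)
            sub(/[[:space:]]+$/, "", line)
            if (line != "none") {
                gsub(/[{}]/, " ", line)
                n = split(line, fqdns, "[[:space:]]+")
                # split() yields empty fields where the braces were; skip them.
                for (i = 1; i <= n; i++) if (fqdns[i] != "") count++
            }
            next
        }
        in_block && /^}/ { print name, count; in_block = 0 }
    '
}

# Names of configurations that have no domain controller FQDN at all.
ntlm_configs_without_dc() {
    ntlm_dc_counts | awk '$2 == 0 { print $1 }'
}

# Exit 0 when every configuration has at least one FQDN, 1 otherwise.
ntlm_precheck() {
    missing=$(ntlm_configs_without_dc)
    if [ -n "$missing" ]; then
        echo "NTLM Auth Configurations without a domain controller FQDN:" >&2
        echo "$missing" >&2
        return 1
    fi
    echo "All NTLM Auth Configurations have at least one DC FQDN." >&2
    return 0
}

# Stand-alone run against the constructed sample. On a BIG-IP system use:
#   tmsh list apm ntlm ntlm-auth | ntlm_precheck
if printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | ntlm_precheck; then
    echo "sample: ready to upgrade"
else
    echo "sample: add a dc-fqdn-list to the configurations listed above first"
fi
```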

Connectivity profiles

When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:

  • Option 1: Upgrade from 10.x.x to 11.4.x, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration utility.
  • Option 2: Upgrade from 10.x.x to 11.x.x, where 11.x.x is earlier than 11.4.x, then continue upgrading to 11.4.x.

Antivirus and firewall software checks in access policies

If your access policies include custom expressions that rely on session variables created by the antivirus or firewall software checks, after upgrade to 11.4.x, you must configure the antivirus or firewall software checks so that the Store information about client software in session variables property is set to Enabled. (It is disabled by default.)

If the custom expressions include multiple sub-expressions, you might need to edit the expressions.

Citrix client packages

The 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:

  1. Outside of APM, name or rename a Citrix client package without spaces in the name.
  2. Use the correctly named Citrix client package.
    • To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
    • To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.

Machine accounts for NTLM front-end authentication

APM does not restore NLAD connections when the configuration is restored from a UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.

Advanced customization

If you performed any advanced customization of files, you must upgrade these files manually.

Custom reports

Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.

OAM configuration

When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.

Access policies that use session variables

If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after upgrade. This example shows the difference in the value of a session variable between these versions.

  • Version 10.x - session.ad.MyPolicy_act_active_directory_auth_ag.authresult
  • Version 11.x - session.ad./Common/MyPolicy_act_active_directory_auth_ag.authresult

The partition, /Common, is added to the version 11.x object name.

Fixes in 11.5.2

Cumulative fixes from BIG-IP 11.5.1 HF6 are included in release 11.5.2 in addition to the fixes listed in this table.

ID number Description
405348 Modify the db variable "tmm.access.maxrequestbodysize" with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).
470214 This version provides strengthened management of session mirroring so the system can more accurately track connection mirroring.
475049 In this release, the DC FQDN list for an NTLM Auth Configuration is mandatory. Before you upgrade, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, you can add the following line (dc-fqdn-list { <fqdn> }) for each NTLM Auth Configuration, as shown in this example:
apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { dc01.example.com }
    machine-account-name mdc1
    partition Common
    service-id 2
}
485579 The NTLM feature can now be used with an APM Limited license.
491488 EAM is a CMP plugin and spins up one thread per TMM.
485538 If an authparam is not found in the local cache, an empty string will be returned to the caller.
486529 A problem due to an uninitialized field no longer occurs in CRLDP or OCSP modules.
490526 The DC FQDN list for an NTLM Auth Configuration is now mandatory.
485536 Access policy changes are handled gracefully.
485500 The SecurID node secret file monitoring algorithm was updated so that a new node secret file can be detected. Also, the aced now authenticates with the mcpd so that any node secret file object changes will be accepted by the mcpd.
493993 In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device.
496113 Computer group policy settings are updated after establishing a VPN connection with Windows Logon Integration.
493030 CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568: Update OpenSSL to latest.
485534 After a network access session closes, if a PPP tunnel does not get closed in some time, a cleanup is forced on the server side.
490527 Windows, Mac, and Linux clients were updated to prevent a crash when establishing a VPN connection in certain conditions.
485499 Modify the db variable tmm.access.maxrequestbodysize with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).
485520 A JavaScript error screen no longer displays when using BIG-IP Edge Client to connect with a logon page that contains an additional select type.
492809 An issue has been fixed that resulted in a small, periodic mcpd memory leak associated with APM statistics.

Fixes in 11.5.1

ID number Description
392250 When Access Policy OAM Support is enabled on a virtual server and the AccessGate setting specifies a particular accessgate instead of Default, users are no longer intermittently redirected to an OAM error page.
424938 APD no longer crashes when processing an access policy with Tcl expressions; previously, this occurred rarely.
432260 An AAA server pool is reachable now even after "bigstart restart [mcpd]" command runs.
432925 You can now successfully create a macro from the Support for Microsoft Exchange macro template.
433227 F5 PCoIP proxy implementation is certified by VMware.
436556 Citrix apps render correctly on an APM webtop when a Citrix resource uses Kerberos single sign-on to Citrix XML Broker.
443139 Session variables have been made available during the ACCESS_SESSION_CLOSED event. As a result, session variables are still available even after issuing the "ACCESS::session remove" command, because the actual removal is deferred until after the current iRule completes. However, it is considered an error to access that data outside of the ACCESS_SESSION_CLOSED event.
446123 Online help is provided for the Groups screen for the LDAP and Active Directory AAA servers.
446207 The "state" value in the session variables created after a software check (antivirus, anti-spyware, firewall, patch management, peer-to-peer, health agent, and disk encryption) now contains the correct state of the specified product.
446425 The BIG-IP Edge Client for MAC now applies DNS server settings correctly.
447033 Now Java RDP and Java App Tunnels work without showing a security warning.
447089 Network access connections now succeed after failover without encountering an IPv4 allocation failure error: "leasepool <name> is out of addresses".
447130 Internal communication with the Secure Web Gateway (SWG) content scanning engine has been optimized. This results in significant performance improvements.
447239 Additional Secure Web Gateway (SWG) sessions are no longer created when a session expires.
447609 The installer for the BIG-IP Edge Client for Windows now prompts the user if a reboot is required, instead of silently rebooting the machine.
447654 When using Portal Access, an input tag in forms now can receive a value that is dynamically created by JavaScript on the client.
447658 An APM page that contains dynamic scripts now works correctly when a user opens it from another domain or protocol using the Chrome browser.
447685 The current HTML page continues to display without reloading, if a user clicks a link that contains an undefined URL.
447699 Now forms with an absolute path in the action are handled correctly.
448152 If the database download introduces a new URL category, it happens without producing an error in a log file.
448366 If the Secure Web Gateway (SWG) database download fails, the system no longer continues to retry the download.
448385 Now JavaScript arithmetic assignment operators are handled correctly on the server and on the client.
448461 Online help for Bandwidth Policy access policy item has been added to the visual policy editor.
448599 Some Secure Web Gateway (SWG) URL category names that were truncated when displayed, are now fully displayed.
448628 An AAA server pool is reachable now even after "bigstart restart [mcpd]" command runs.
448870 Now an APM webtop renders Citrix apps when a Citrix resource uses a pool and Kerberos SSO.
448874 Citrix apps render correctly on an APM webtop when a Citrix resource uses Kerberos single sign-on to Citrix XML Broker.
449236 Added an option to full webtop configuration: Show warning message when webtop screen closed. When this option is disabled, a user can close a webtop browser without also being prompted to close the Network Access tunnel (that was launched from the full webtop).
449573 The iRule event agent (in an access policy) no longer logs BIG-IP Edge Client for Linux CLI users out before they can establish network access.

Fixes in 11.5.0

ID number Description
238494 The F5 Credential Management service now updates automatically on the BIG-IP Edge Client. To get SSO working after the update, the user should reboot the machine.
325296 Previously, APM supported only LDAP URLs for CRL distribution points. Now, APM also supports HTTP URLs.
381486 Information about session length, connection timeout, and idle time is added to BIG-IP Edge Client. Information about the tunnel type used, session length, idle time, and session timeout is added to web browsers.
386888 Citrix application icons used on the APM webtop are cached on BIG-IP system now; this reduces load on the back end and improves icon loading time.
390462 Visual policy editor now supports Internet Explorer 10 and 11.
392250 When Access Policy OAM Support is enabled on a virtual server and the AccessGate setting specifies a particular accessgate instead of Default, users are no longer intermittently redirected to an OAM error page.
394176 The access policy item, Windows Registry, now supports REG_MULTI_SZ fields.
394184 Remote desktop Java client now supports connections to Windows 8 and Windows Server 2012 hosts.
394449 AD and LDAP can now parse multiple entries in an LDAP response.
396735 Authentication no longer fails when both the SAML assertion and the SAML response are signed.
400433 Daemons (apd/apmd) are more robust.
401658 APM now hides network access, remote desktop, and application tunnel resources from APM webtops on Windows 8 ARM.
402297 An administrator can build visual policy editor rules to detect a "Windows 8" running on ARM processor and create appropriate branches.
402699 For BIG-IP Edge Client on Windows systems, when APM network access is configured to close idle connections, a notification about the idle connection displays ahead of time.
406916 The upgrade script now handles client-packaging with multiple folders in full path name.
407362 When a desktop requested by the user is not immediately available (as reported by XML Broker), APM waits for some time and retries the launch a predefined number of times.
408665 The APM PCoIP Proxy implementation is compliant with Teradici certification.
409438 APM now supports SSL Relay when working with a Web Interface site.
413486 On the BIG-IP Edge Client for MAC OS X, the text copy and paste action, to and from the clipboard, now works correctly.
413661 Access policies that were copied from other policies no longer lose their images when the original policy is deleted.
414370 Clients no longer receive a TCP reset if an ASM profile is configured and access was disabled with the "ACCESS::disable" iRule.
415844 The BIG-IP system now assigns special identifier (SPI) values to VMware View clients. Clients no longer use self-generated SPIs.
416949 "Login failed" no longer displays as the caption of the Citrix Logon Dialog box on the APM webtop when the user successfully logs in to a Citrix resource but has no apps assigned.
417289 A Java remote desktop resource now uses the en-us keymap (US keyboard) for the logon screen by default. Previously, en-gb (UK keyboard) was the default keymap.
417908 Now accounts in Citrix Receiver for Windows can be registered by entering only the domain name of APM virtual server.
418082 APM webtop now supports VMware View HTML5 client.
418231 Now ICA Proxy does not attempt to modify an ICA file if it detects that an STA ticket is used. The list of STA servers configured through a session variable named "session.citrix.sta_servers" is used to resolve STA tickets. The list of STAs should contain one or more URLs delimited by semicolon.
418610 Various APM-related cookies are now set with the secure option.
418976 Citrix apps icons on APM webtop are cached by the browser now, which improves webtop page load times.
419127 A new global variable, F5_noContextSwitching, turns off part of the processing on the client side in case of web application slowdown. You can use an iRule to set the variable on a page.
419237 APM now supports launching VMware View desktops from APM webtop using standalone View client.
419654 VMware View client for Linux 2.0 is supported by APM PCoIP proxy.
419780 APM now encodes URLs for the prevention of XSS attacks using a less aggressive mechanism.
419859 Visual policy editor configuration pages for peer-to-peer software, HD encryption software, health agent software checks are improved.
419955 CPU usage by Kerberos library during some error conditions is acceptable now.
419984 Sessions that share the same TCP connection are no longer terminated when a new client connects using the same connection.
420013 EMC applet works now.
420543 The OPSWAT checks workflow is restored; it is possible to save after making changes.
420706 APD process now takes significantly less time to apply an access policy.
420743 SAML IdP automation now gracefully handles a metadata file that is missing an EntityDescriptor tag.
420961 The Tcl encoding command is now available for use in visual policy editor expressions.
421055 It is now possible for an end user to change their AD password.
421068 When you use APM portal access that has an iframe or frame that runs an HTML file which includes a parent.document.write(some_html_with_script) statement, Internet browser response is now acceptable.
421259 Secure session variable now decrypts correctly and is the correct length.
421499 BIG-IP Edge Client for MAC OS X code now handles network access over a third party PPTP VPN connection.
421522 APM now handles an empty AVP-24 ("state") in a RADIUS Access-Challenge request.
421566 The root cause of a logd core has been corrected with a thread-safe call to localtime_r().
421648 Documentation now contains correct values for the Machine Info agent.
421796 SAML single logout (SLO) now succeeds when a SAML Service Provider (SP) session times out, the user logs in to the SAML SP again, and the user initiates SLO.
422135 RSA Next Token and New PIN modes are supported for Citrix Xenith and Xenith2 clients using RADIUS server.
422194 Access no longer resets a TCP connection if a client requests the landing URI on the slave twice before completing an access policy.
422396 You can now start a Citrix application with an ampersand in its name from an APM webtop.
422516 A notification displays when reboot is required after the Cred Mgr has been updated.
422550 You can use APM local user database from iRules now.
422697 A Java remote desktop resource now works on a Mac system that is affected by an Oracle issue, bug 7180557.
422948 If you change a rule expression in a macro, the "Apply Access Policy" link now appears as expected.
423260 Now all software checks are directly available in the agent selector in a branch rule expression.
423435 The access policy item, Windows Registry, now correctly compares pure numbers.
423751 A case where policy evaluation is in process and an existing client connection is disconnected is now handled correctly.
423848 Using Device Wizards (Network Access Setup Wizard for Remote Access) to create Network Access (with client-side checks enabled) for remote access now produces an antivirus action with entries.
423897 BIG-IP Edge Client for MAC OS X handles ending redirect correctly.
424067 Proper Windows 8.1 and Internet Explorer 11 detection implemented for BIG-IP APM.
424117 APM supports Windows Citrix Receiver 4.0.
424199 Initial access to cookies on a page from a dynamically loaded script no longer causes intermittent Firefox browser halt.
424371 Protected Workspace code was changed to allow Internet Explorer 11 and Windows Explorer to start on Protected Workspace Desktop (on Windows 8.1).
424572 APM SAML can now operate with other systems using either or both of these groups of algorithms: RSA-SHA256/RSA-SHA512 XML signature algorithms, and SHA256/SHA512 digest algorithms. It continues to sign its own SAML messages (AuthnRequests and Assertions) using RSA-SHA1.
424577 Support for Windows 8.1 Inbox F5 VPN detection is available in APM visual policy editor; an additional branch was implemented for the Client Type Access Policy action.
424587 A SharePoint 2013 homepage can now successfully render in Internet Explorer 11 when it runs through APM content rewrite.
424607 APM portal access with split tunneling enabled now selects the action correctly for URLs containing the %0a' character string when requests are initiated by JavaScript.
424661 You should no longer see the following Tcl error message in the /var/log/ltm log file. TCL error: _sys_APM_activesync HTTP_REQUEST - can't read "actsync_401_http_body": no such variable while executing: "HTTP::respond 401 content $actsync_401_http_body Connection close".
424969 Fixed a rewrite plugin crash that could occur when sending POST requests with specific XML data through portal access.
425166 Fixed a BIG-IP Edge Client crash caused by an incorrect memory-copying routine during the disconnect process.
425853 Launch Application on Mac OS X now works if the string contains an ampersand.
425884 When an admin tries to upload and install a new epsec package, the admin will no longer see a Configuration error.
425904 Now Flash AS2 jump instructions should be properly rewritten.
426185 Flash AS2 content is properly rewritten now.
426439 Portal resource now opens properly after a Citrix or a View resource has been used on an APM webtop.
426685 Now Citrix/VMware View support works on virtual addresses of the 'traffic-group-local-only' as well.
426850 The BIG-IP system configured as a SAML service provider (SP) now processes encrypted assertions.
427076 An error no longer occurs during logon to a web application using client initiated form-based SSO.
427725 An issue in which TMM produces core files in access deployments has been fixed.
427743 iOS Receiver now works when APM is configured with StoreFront integration or when APM is configured for two-factor authentication.
427762 Fixed issue with session re-establishing for iOS Citrix Receiver.
427804 The IE 11 on Windows 7 user agent is now detected correctly.
427819 Network access restores proxy settings when a user signs out from a Windows-based session and schedules proxy cleanup operations to start on the next Windows user sign in.
427864 The VMware View client can now connect through APM when the backend replies with a chunked response.
428306 When using the svpn plugin proxy service on a Mac system, the plugin works correctly when it probes 127.0.0.1:44444.
428390 Log messages for client initiated form based and SAML SSO are working again.
428417 Support for Windows 8.1 platform detection implemented in Windows client code.
428450 The rewrite process no longer loops when working with malformed Flash files.
428595 A user who can access visual policy editor in read-only mode can now switch to the Branch Rules tab.
428784 Fixed absence of session timeout window on the logon page in Safari browsers that forced users to enter credentials again after the Login button is pressed. This fix will not affect already customized logon pages.
428933 Cookies created from JavaScript with the wrong date format in the expires field are processed correctly.
429031 Removed negative cases from expression builder for software checks.
429163 Resolved an issue where, when InstallerService is not installed and Internet Explorer is used, per-user installation (instead of per-machine) could cause reconnect looping; the correct newer components are now employed.
429171 Flash ActionScript 3 files from different domains with conflicting class definitions now work correctly through Portal Access.
429617 Windows RT users can now access webtop links and portal access resources on APM webtop.
429680 Response headers are parsed correctly for any responses with unsupported content.
429704 The Disable/Enable logic for Unlock User button is fixed.
429741 A Windows RT branch is added to the "Client OS" action in APM Access Policy.
430669 The issue where Internet Explorer 11 did not always allow access to "window.opener" is fixed.
430819 AD/LDAP non-printable attributes are now detected as such.
430899 Records installed in session db keep track of license counts during regular operation on chassis.
430962 Previously when F5 Networks VPN Adapter was disabled by user, manually connecting to the VPN would fail. Now the adapter is automatically enabled in this case and VPN connections can successfully be established.
430965 Resolved an issue where the Windows 8.1 SetupDiGetDeviceRegistryProperty function returned hardware IDs with spaces replaced by underscores, which prevented the VPN driver from being uninstalled. This addresses issues with the VPN driver update.
431076 Driver installer fixed to re-install client stonewall driver independently from VPN driver.
431216 Internet Explorer 11 does not recognize PAC files specified with the "file://" prefix. To work around this issue Network Access automatically enables "Client Proxy Uses HTTP for Proxy Autoconfig Script" for Internet Explorer 11 clients.
431377 and 431381 Improved JavaRDP compatibility with Windows 8 / 2012 Server hosts.
431508 APM displays UTF-8 HTML pages correctly.
431976 Maximum number of entries in subject alternative name is not limited anymore in server certificate check module of Linux CLI.
432049 Sessions from BIG-IP Edge Client on iOS now can be filtered by CPU type in visual policy editor.
432096 Layered virtual with matching destination can now intercept MobileSDK and/or JavaPatcher traffic.
432721 RemoteDesktop module now uses the configured search domain when resolving short names for mobile app tunnel connections.
432851 Mac File and Linux File access policy items work correctly when the specified file size is greater than 1024 bytes.
433605 At the end of an APM network access session, the route is now restored for an interface that has a gateway and IP address on different subnets, provided that the gateway and IP address have not changed during the session.
433781 APM now correctly processes any HTTP headers.
433839 Now, if the peer is shut down, Kerberos immediately terminates the connection.
433982 Detection of Internet Explorer is improved in APM Portal Access.
434049 Fixes for supporting multiple customization_templates during tmsh load sys config merge.
434776 A Windows File, Mac File, or Linux File agent can be added to an access policy without causing APD or APMD to crash.
435329 Layered virtual servers are now assigned the correct IP addresses, and no longer conflict or interfere with each other.
435383 When deleting an Accessgate from an OAM server configuration, incorrect MCPD validation prevented deleting the second-to-last Accessgate. With this fix, MCPD throws the error only when deleting the last Accessgate, as expected.
435436 Users can use APM with VMware View when the View resource uses a pool of more than two View Connection servers.
435449 Request no longer hangs and no errors occur.
435900 XDomainRequest is supported similar to XMLHTTPRequest.
436049 Fixed a rare case of crash in rewrite plugin.
436175 Upgrade script is fixed to handle empty bodied Citrix Client Bundle (all on one line).
436616 CTU correctly enables logs for 64-bit services on Windows systems.
436788 Corrected page handlers to return to OAM AAA Server listing page upon saving.
437227 Memory leak has been fixed in the rewrite daemon.
437731 Optimized tunnel works correctly with Internet Explorer now.
437952 VPN installation now launches under Protected Workspace (PWS) on Windows 8.1.
438219 The access policy daemon (apd) process no longer leaks memory with AD and LDAP Query agents.
438251 Now when using Outlook Web Access (OWA) 2010 from a portal access webtop, new messages are shown automatically in the mailbox and the message indicator changes accordingly depending on whether the messages are read or unread.
438664 F5 Client Traffic Control Service now works on Windows 7. Previously the service started and then stopped.
438709 Users can now open the calendar widget in SharePoint 2007 while using Internet Explorer browsers with portal access.

Usability

Session ID rotation has been implemented, and starting from 11.2.0, it is on by default. This breaks compatibility with earlier BIG-IP Edge Client and plugin versions. For example, when APM is configured for session ID rotation, an 11.1.0 Edge client is not allowed to log in to Access Policy Manager (APM) version 11.2.x. The expected behavior in this case is for APM to present the login page to the Edge client after each login attempt. To disable session ID rotation per-box, you can use the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable

Known issues

This release contains the following known issues.

Upgrade issues

ID number Description
417711 After the upgrade, if the previous configuration used NTLM front end authentication, the functionality is not restored. After the upgrade, manually delete the existing machine account configurations and recreate them again.
421456 Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0, because in 11.4.0 the password is saved in encrypted form while the password in 11.3.0 is saved as clear text. Re-enter Kerberos SSO password after upgrade to 11.4.0.
432900 APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this: Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso) Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory) .... 01071558:3: EPSEC - File Copy to /shared location failed Unexpected Error: Loading configuration process failed. To work around the problem, create the directory /shared/apm and try to load the configuration again.
490526 The DC FQDN list for an NTLM Auth Configuration is now mandatory. Before you upgrade to 11.5.2, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, you can add the following line (dc-fqdn-list { <fqdn> } ) for each ntlm auth configuration as shown in this example. apm ntlm ntlm-auth ntlm_test { app-service none dc-fqdn-list { site12-production.mynet.com } machine-account-name mdc1 partition Common service-id 2 }

Portal access issues

ID number Description
223712 During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the logon request fails.
340549 The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. (However, forwarding HTTP requests through the HTTP proxy does work correctly.) Create a layered virtual to catch HTTPS traffic leaving APM and forward it to an HTTPS proxy server using CONNECT. Proxy authentication is not implemented, and if the response status from the HTTPS proxy server is not 200, use an iRule to close the connection.
343280 When using portal access in Safari 5.X, sometimes web pages do not load properly. A bug in Safari 5.X leads to accidental loss of all HTMLElement.prototype changes when setting HTMLElement.prototype properties in a window and accessing window.frameElement from any of its frames. (The problem also sometimes occurs in other less well-defined cases.)
347100 Every time the Hometab loads, a dialog box message is displayed stating: "This Page contains both secure and nonsecure items. Do you want to continue?" To work around this problem, disable the Hometab.
384405 With Access Policy Manager Portal Access, if you add a web-acceleration profile to the Local Traffic Virtual, it does not take effect until you go to the command line and type "bigstart restart tmm". The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content.
404899 Webpage errors occur when opening a chat window in IBM Lotus iNotes 8.5 with Sametime through a portal access webtop. This happens only when using Internet Explorer 9. To work around this problem, add a portal access item with the path "/sametime/stlinks/*" to the portal access resource and disable Home Tab for this item.
406040 If an application uses a non-standard location for favicons (as permitted by the LINK meta tag) and you use Internet Explorer 10 for access to the application, then the BIG-IP system creates a new session for that URI. If you use Google Chrome version 25 or above, the BIG-IP system closes the current session while fetching favicons from the non-standard location. Related change in Google Chrome: https://code.google.com/p/chromium/issues/detail?id=114082 An example of an iRule workaround is as follows: when HTTP_REQUEST { if { [string tolower [HTTP::path]] ends_with "favicon.ico" and [HTTP::cookie "MRHSession"] eq "" } { ACCESS::disable } }
426963 When the client sends an HTTP POST with an Expect: 100-continue header, APM fails to forward it to the backend server. The following iRule works around the issue: when HTTP_REQUEST { if {([HTTP::method] eq "POST") && [HTTP::header exists "Expect"] } { HTTP::header remove "Expect" SSL::respond "HTTP/1.1 100 Continue\r\n\r\n" } }
439965 BIG-IP APM currently cannot handle multiple browser tabs trying to create sessions at the same time. The most common example is saving multiple homepages in a web browser. When the web browser opens, requests from these tabs are sent within milliseconds. This can cause very unpredictable behavior where sometimes it will function correctly, and other times there will be connection resets or the user will see error pages. If the user is already authenticated and has a session, then multiple tabs can be opened. However, there is no workaround for session creation.
442528 Demangle filter crashes with a SIGBUS. To work around the problem, add this code to the iRule: when HTTP_REQUEST { log local0. "Refer length is [string length [HTTP::header Referer] ]" if { [string length [HTTP::header Referer] ] >4000 } { HTTP::header remove Referer } }
452182 Certain requests from rewritten Flash ActionScript 3 files might be missing the '/f5-w-xxx$$/' part of the path. These requests fail and this could adversely affect the functionality of the application and cause security issues. Flash applications could make HTTP request to other domains accessible through Portal Access without checks for cross-domain restrictions. As a workaround, this could be addressed with an iRule in most cases. If you can identify such a request, you can correct the mangled part of the URI within the HTTP_REQUEST event.

Client issues

ID Number Description
223583 Inside PWS on Windows Vista, a user can create folders only in some locations using the context menu; that is, only a "Folder" item appears on the "New" menu. However, a user can create standard type files using the context menu directly on the desktop and in the user's home folder. Files can be created on the Desktop and then moved to the desired location.
294032 When you access an older version of APM software using the Windows system client and a pre-logon antivirus check is configured, the OPSWAT AV control gets loaded into your browser. The control does not unload successfully and, as a result, the antivirus check fails. You cannot log on until the control is unloaded. Reboot the client system.
339865 Microsoft SharePoint 2007 with Office Integration does not work in LTM+APM mode when Protected Workspace is used in an access policy. When you try to open a Microsoft Office document, an alert about a wrong URL is displayed.
362325 Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using the Save as action. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010.
393043 During an APM remote connection, the progress bar might not render correctly on a Linux system when using the Chrome browser.
399552 CD/DVD burning through SPTI inside PWS works even though the policy disallows it.
404890 This is a rare issue that happens for Internet Explorer when pop-up screens are set to be blocked by browser. When you launch a Java app-tunnel for the first time in Internet Explorer, the message "Allow pop-ups for this site?" is displayed. In rare cases, when you click Allow once, the Java app-tunnel freezes in the Initializing state and cannot be used. To work around the problem, add a virtual server to the allowed sites for pop-ups from Tools >Internet options in Internet Explorer.
408851 Some Java applications do not work through the BIG-IP server.
420550 WYSE client cannot launch any application if the APM session expired.
421577 Messages are logged from VMware View to /var/log/apm. However, you cannot enable debug logging for VMware View in APM using the Configuration utility. To enable debugging, you must go to the command line on the BIG-IP system and type one of these sets of commands: /usr/libexec/bigpipe db log.accesscontrol.level Debug and /usr/libexec/bigpipe db log.vdi.level Debug, or tmsh modify sys db log.accesscontrol.level value Debug and tmsh modify sys db log.vdi.level value Debug. When you are done debugging, type the commands again but substitute "Notice" for "Debug" to restore logging to the correct level.
424368 A statement such as parent.document.write(some_html_with_script) hangs the parent frame in Internet Explorer browsers.
424936 An extra line (that consists of "<?") appears at the top of the apm_mobile_ppc.css file and causes an error like this one: Jul 9 08:37:10 roeislfl4gm err httpd_sam[13917]: [error] [client 127.1.1.4] PHP Parse error: syntax error, unexpected '<' in /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css on line 2 To work around the problem, remove the extra line ("<?") from /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css.
431337 The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11.
432020 By default, Internet Explorer 11 starts with Enhanced Protected Mode enabled and the browser process runs inside AppContainer. Enhanced Protected Mode (AppContainer technology) in Internet Explorer 11 prevents the interception of connection requests. As a result, APM App tunnels cannot redirect traffic to a proxy running on the loopback address. To work around the problem, choose one of two options: 1. Disable Enhanced Protected Mode in Internet Explorer 11, or 2. Add the backend server to the Trusted or Intranet Sites list.
431375 Citrix Receiver for HTML5 v. 1.1 does not work with Internet Explorer 11.
432515 The external logon page does not post the 'Action required' pop-up dialog box of BIG-IP Edge Client. To work around this issue, you must inject the following JavaScript code into the External Logon page: <body onload="OnLoad()"> ... <script language="javascript"> function OnLoad() { try { if ( "undefined" != typeof(window.external) && "unknown" != typeof(window.external) && "undefined" != typeof(window.external.WebLogonNotifyUser) && "unknown" != typeof(window.external.WebLogonNotifyUser) ) { window.external.WebLogonNotifyUser(); } } catch(e) { alert(e); } } </script>
433752 If a web application edits event handlers dynamically, the event handlers might become corrupted.
433972 When you access SharePoint 2013 through APM and use a rewrite profile, the rewritten New Event dialog box is shifted to the left and action widgets are not displayed above the Description field.
434831 When the client connects to APM (with Safari) and launches the Application Tunnel, the tunnel is created, but the application configured to launch is not. There is no error; the only indication is that the application is not started by the Application Tunnel. To work around the problem: 1. Use the Firefox browser. 2. Disable Safe mode for the required host through the following: Safari preferences >Security Tab... >Manage Website Settings... >Choose "Java" on left panel >Choose "Run in Unsafe mode" for the required host.
436933 Auto logon does not work for APM remote desktop resources.
439887 Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM portal access from the Chrome v.31.x browser.
440375 Under the Built-in Administrator account inside Protected Workspace, a VPN connection cannot be established if VPN components are not installed already. Install VPN components before Protected Workspace on an account other than Built-in Administrator.
440380 Citrix Receiver for iOS may fail to connect through APM in integration mode when ICA file generated by backend is missing the following properties: DoNotUseDefaultCSL=On, HTTPBrowserAddress=!, LocHttpBrowserAddress=!
444767 Access to Office365 Outlook Web Access services using portal access is broken for HTML5-supported browsers. The user is redirected to the APM Logout page after successfully logging in to Office365.
477090 The View Connections Server Settings for a VMware Horizon View server include Blast Secure Gateway settings. To be able to launch VMware View sessions from an APM webtop using an HTML5 client, ensure that the check box, Use Blast Secure Gateway for HTML access, is cleared.
483107 On OS X 10.10 systems, the BIG-IP Edge Client icon is highlighted if the user taps the icon. The highlight does not disappear until the user exits BIG-IP Edge Client.
477843 On OS X 10.10 systems, BIG-IP Edge Client displays the throughput as black text on the black menu bar. A user finds it difficult to read the text.
479242 On OS X 10.10 systems, Network Access does not work with modes such as Split Tunneling or Force all traffic. After a connection is established, the connection routes are not set to a MAC address route table.
480595 On OS X 10.10 systems, when a user taps Calendar > New Event, the New Event page displays an empty page.
480592 On OS X 10.10 systems, the Send button on the New Message menu does not work.
495235 To use the Reuse Windows Logon Credentials option, you must include an uncustomized Logon Page action in the access policy. Other logon page actions do not support the Reuse Windows Logon Credentials option. If you add fields to the Logon Page action or if you remove F5-provided JavaScript from it, Windows logon credentials are not reused and the BIG-IP Edge Client prompts for credentials. This is expected behavior.
505010 Patch management checker checks for "Apple software update" on Mac which requires admin privilege to check the number of missing patches. Even when the user is logged in as admin, this check does not pass because BIG-IP Edge Client does not support privilege escalation for endpoint inspections currently.

Network access

ID number Description
342035 SIP client cannot communicate with SIP server when connecting over Network Access tunnel. SIP protocol uses fixed UDP ports, and communication fails because Network Access tunnel translates the source port of the connection. Configure a layered virtual server using the SIP UDP port and set the Source Port option to Preserve Strict.
351360 Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol. To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles.
356766 Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot.
364061 On a Linux client, the network access Show log file link does not display the log file unless gedit is installed. To work around this problem, install gedit on the Linux client.
373889 You can configure a network access tunnel to update a session (that is, to extend expiration time) based on a traffic threshold and a window of time. Traffic measurements are taken every 5 seconds, but they are not divided by 5 before being used in the calculation. As a result, instead of bytes per second, bytes per 5 seconds is calculated, which is incorrect. To work around this, select the network access resource you want to update, then select Network Settings and Advanced from General Settings. Proceed as follows: 1) Set Session Update Threshold to 5 times the desired bytes/second rate 2) Set Session Update Window to 2 or higher Note: The session life management might not be exact.
383607 After a network access client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4 to 7 minutes.
398339 When you use the Fedora OS with SELinux enabled and use the Firefox web browser to connect to APM for network access, you might get SELinux blocking notifications. A. Execute the following commands in a terminal as the root user (not sudo): 1. setsebool -P mozilla_plugin_enable_homedirs on 2. setsebool -P unconfined_mozilla_plugin_transition 0 B. Restart Firefox and try connecting to the APM server again.
423717 When the client connects to APM (with Safari) and the components need to be installed (first visit) or upgraded, APM runs a Java Applet to install the packages. The applet is loaded and runs, but the Installer is not able to run. Safari will state that the installation has failed and for user to manually install the plugin(s). There are two workarounds: 1. Use Mozilla Firefox or Google Chrome to install/upgrade components and go back to using Safari. 2. Safari: Try to connect to BIG-IP Edge gateway and install F5 plug-ins. If it fails, open Safari >preferences >Security >Manage website Settings; then click Java on the left column. On the right column you will see the BIG-IP Edge Gateway URL. Select "Run in Unsafe Mode" from the drop-down list in front of the BIG-IP Edge Gateway URL. Connect to BIG-IP Edge Gateway again.
433535 DTLS renegotiation stops after one try.
435182 DNS queries when connected to the APM Network Access tunnel (VPN) will not resolve correctly. The DNS server specified for the VPN will not be used. To work around: In Google Chrome, do the following: 1. Open a new tab 2. Type: chrome://flags/ 3. Find Built-in Asynchronous DNS Mac, Windows, Linux, Chrome OS setting 4. Set to Disable.
435542 In some cases re-installation of the VPN driver on Windows 8.1 requires a system reboot. Without reboot the user can be presented with this error: "The modem (or other connecting device) is already in use or is not configured properly."
438056 The APM network access client for Windows systems can fail to establish a VPN connection if the client SSL profile is configured with the options no-tls or sslv3 and the BIG-IP system selects an AES cipher. Windows Schannel API does not consider AES as a valid cipher for an SSLv3-only connection and can reject the connection to the BIG-IP system. If you restrict client SSL to SSLv3-only you might need to exclude AES ciphers (defined in RFC3268) by adding ':!AES' to the 'ciphers' option in the client-ssl profile to work around compatibility issues with Windows clients: for example ltm profile client-ssl clientssl_ssl3_only { ... ciphers SSLv3:!AES ... }

Admin issues

ID number Description
224145 The visual policy editor can, on rare occasions, return a non-specific failure when attempting to create new items. The failure is transient; the request invariably succeeds on retry.
359639 Some long captions for resources can be longer than the bounding box in Firefox 7. This problem does not affect the workflow.
360141 Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin GUI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration.
360734 When previewing pages, the Preview pane does not automatically refresh when the language is switched. Click on an item in the Preview tree pane to cause the page to refresh in the new language.
360742 When the logon page is customized in the visual policy editor in multiple languages, the images appear broken. To work around the problem, customize the logon page using localization customization. (Refer to Access Policy > Customization.)
362200 When customizing messages, you cannot use special characters such as ', ", &, and <.
362351 Branch names cannot start with the word "fallback" in the visual policy editor. If a branch name starts with "fallback", the editor reports: The terminal name must begin with an alphabetic character (for example, a or A). The remainder of the name can contain only alphanumeric characters (numbers and letters), spaces, and these symbols ( + - _ ( ) [ ] ). The terminal name cannot begin with the text fallback. Please rename the terminal.
363188 Using a space in an alias for a virtual server can cause unexpected results when you use tmsh to add or update a connectivity profile. No spaces are allowed in aliases for virtual servers.
371015 On chassis platforms, in some scenarios, more than one value is displayed under the 'Local Time' column in the 'All Sessions' report.
383464 In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian.
384490 In advanced customization, when an access policy uses an image that includes spaces in its name, problems can occur. It can be impossible to export the access policy. Problems with upgrade can also occur. Rename the image without spaces, upload the renamed image, and change customization to support the new named image instead of the old one.
398361 Not all configuration objects validate and reject an object name that contains the space character. As a best practice, when you create a configuration object do not include a space in the object name.
403722 If you initiate an access policy sync from the Standby node, an admin must resolve any conflicts on the Active partner. Ideally, an access policy created on the Standby node would be synced to the Active node automatically without admin intervention. To work around this problem, avoid syncing an access policy from a Standby node. Otherwise, you must resolve conflicts, if any, on the Active node.
404936 Files named core.xxxx, where xxxx is a number, are created in advanced customization directories when the customization build process dumps core because of invalid characters in the default customization file. These core files are listed in the user interface.
419104 In the Advanced Customization Image Browser, it is not possible to delete an image if you are using Google Chrome. Use another browser to delete images.
419748 After a hosted content file is referenced by a portal access resource, the file cannot be deleted, even if the link-type of the resource is not "hosted-content". Use tmsh to clear the sandbox file reference in the resource. Example: tmsh modify apm resource portal-access <NAME> sandbox-file none. The sandbox file can then be deleted.
419836 When you switch from editing one file to editing another file in advanced customization without saving the first file, changes to the first file are lost. You must make the changes to the first file again.
426209 If there are a large number of APM report records, exporting them to a CSV file might fail, and the Admin GUI can then become inaccessible. Avoid exporting large amounts of report data.
430680 The Date Time item in the visual policy editor generates the wrong expression when you select the Weekend template. Edit the generated expression, changing "expr { [clock format [mcget {session.user.starttime}] -format %u] == 0 }" to "expr { [clock format [mcget {session.user.starttime}] -format %u] == 7 }".
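The reason the generated expression never matches is that Tcl's "clock format -format %u" returns the ISO weekday (1 = Monday through 7 = Sunday) and is never 0. The following added example (not part of the release notes or F5 code) mirrors the generated and corrected expressions in Python, evaluated in UTC on constructed session start times:

```python
from datetime import datetime, timezone

# Tcl's [clock format $t -format %u] yields the ISO weekday: 1 = Monday ... 7 = Sunday.
# It is never 0, so the template's "== 0" test can never match a Sunday session.


def iso_weekday(epoch: int) -> int:
    """Equivalent of [clock format $epoch -format %u], evaluated in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoweekday()


def generated_weekend_rule(epoch: int) -> bool:
    """The expression the Weekend template generates: %u == 0 (never true)."""
    return iso_weekday(epoch) == 0


def corrected_weekend_rule(epoch: int) -> bool:
    """The corrected expression from the workaround: %u == 7 (Sunday)."""
    return iso_weekday(epoch) == 7


# Constructed sample values for session.user.starttime (UTC):
# a Sunday and the following Wednesday.
SUNDAY_START = int(datetime(2016, 7, 17, 12, 0, tzinfo=timezone.utc).timestamp())
WEDNESDAY_START = int(datetime(2016, 7, 20, 12, 0, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    for label, ts in (("Sunday", SUNDAY_START), ("Wednesday", WEDNESDAY_START)):
        print(
            f"{label}: %u={iso_weekday(ts)} "
            f"generated={generated_weekend_rule(ts)} "
            f"corrected={corrected_weekend_rule(ts)}"
        )
```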
431549 If you click Access Policy > Hosted Content > Manage Profile Access from any partition other than Common, the screen grays out and a loading icon displays and spins continuously.
437743 An access profile configuration that uses an SSL certificate fails to import. This happens because of a change in the method used to import SSL certificates. You can either exclude the above-mentioned objects prior to export and then recreate them after the import, or (not recommended) edit the configuration manually and import the SSL certificate before importing the configuration.
438684 If you start to create an access profile and you set the Profile Type to SSO, you cannot complete the configuration from the New Profile screen unless an SSO configuration already exists. To work around this problem, you can create an SSO Configuration prior to creating the new Access Profile of Type SSO.
440177 If you type or cut and paste an image file name into the Advanced Customization GUI, the file name does not fit the expected naming convention. After you save the file and reopen it, errors occur if you click Restore Default. Always use the image selector widget to change image files.

Authentication and SSO-related issues

ID number Description
355490 TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. Sometimes when the reply from the TACACS+ server is processed, "Invalid reply error message" is logged on APM. However, this message does not indicate any failure in sending the accounting STOP message to the TACACS+ server. This error message can be ignored because the accounting functionality works.
355981 APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported.
367621 Access Policy Manager does not support IPv6 for communicating with the OCSP responder. Configuring the OCSP URL with an IPv6 address or a hostname that resolves to an IPv6 address will not work. Access Policy Manager uses OpenSSL BIO APIs to connect to the OCSP responder and these calls do not support IPv6.
376615 Username and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a result logon fails. The problem happens for these clients: iOS, Android, Windows Mobile, and Linux CLI. To work around this problem, configure the access policy so that the Logon page agent is before the On-Demand Cert Agent.
382390 OCSP authentication support for the Machine Cert agent does not work.
399696 Selecting an SSO configuration with WEBSSO::select does not work for form-based client-initiated and SAML SSO configurations. Use a variable to assign the configuration object name:
set sso_config /Common/SAML-config
WEBSSO::select $sso_config
unset sso_config
400726 When the BIG-IP system acts as a SAML IdP, you cannot create the assertion with multi-valued attributes. When the BIG-IP system acts as a SAML SP and there is a multi-valued attribute inside the assertion, then the BIG-IP system processes only the first value of that multi-valued attribute.
403659 When configuring a BIG-IP system as a SAML Identity Provider, the displayed range of possible values in seconds for the assertion validity timeout is incorrect. The correct range is 1 - 86400 seconds.
404765 If you export an access policy with a SAML SP connector that uses a certificate, the certificate name (including partition) is not formatted correctly. This prevents import from working. To work around the problem, create the SP connector and import the associated certificate on the target system.
405352 If you enter a bad FQDN for domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN. To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: bigstart restart nlad. Note: To avoid future problems due to misconfigurations, you can configure your DNS server to return a negative response.
419754 When using a local user database instance for authentication on APM, if a user that is flagged to change password leaves the password field empty, the user is prompted again to change password. Whether the user types a new password or leaves the password field empty again, the user is prompted again to change password. APM handles a subsequently entered non-empty password correctly.
420506 When using the Local Database agent with a "write" action, the list of properties available includes "groups"; however, this property is a read-only property and any attempt to write to it fails.
428387 AuthRequest and Assertion generation can fail if the configuration (IdpEntityID, ACS, SAML Attributes, and so on) contains special XML characters (&, <, >, ", '). Replace special XML characters in the configuration with their XML escape codes: " becomes &quot;, ' becomes &apos;, < becomes &lt;, > becomes &gt;, and & becomes &amp;. For example, replace "http://f5.com/acs_url?user=5&password=pass" with "http://f5.com/acs_url?user=5&amp;password=pass".
428894 When a user logs in with Multidomain SSO, some cookies are set. At logout, one set of these cookies does not have a domain set and is not deleted. Clearing the cookies allows the user to log in again. The problem does not seem to occur if you change "Cookie Scope" to "Domain" instead of "Host".
432102 If the RelayState parameter includes HTML and XHTML special characters, then BIG-IP as IdP or BIG-IP as SP does not process them correctly. To use reserved HTML characters (", ', &, <, >) as part of the SAML RelayState, convert them to their HTML entities (&#34; &#39; &#38; &#60; &#62;).
439452 SAML single log out (SLO) does not work if the NameID value in the SAML Assertion contains spaces. If the NameID value includes a space, then URL encode the space to %20. Type %20 in place of space into the Assertion Subject Value field. You configure this field when the BIG-IP system acts as a SAML Identity Provider (IdP) and you are configuring a Local IdP Service and setting Assertion Settings for it.
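The three workarounds above (428387, 432102, 439452) all amount to encoding a configuration value before it is embedded in XML, a RelayState, or a URL. The following added example, not part of the release notes or F5 code, applies each encoding and checks that an XML parser recovers the original value; the sample values are constructed:

```python
import html
import xml.etree.ElementTree as ET

# Named XML escapes from workaround 428387. '&' must be replaced first, otherwise the
# '&' introduced by a later replacement would itself be escaped ('<' -> '&amp;lt;').
XML_ESCAPES = (("&", "&amp;"), ('"', "&quot;"), ("'", "&apos;"), ("<", "&lt;"), (">", "&gt;"))

# Numeric HTML entities for RelayState from workaround 432102, same ordering rule.
RELAYSTATE_ENTITIES = (("&", "&#38;"), ('"', "&#34;"), ("'", "&#39;"), ("<", "&#60;"), (">", "&#62;"))


def _apply(value: str, table) -> str:
    for raw, escaped in table:
        value = value.replace(raw, escaped)
    return value


def xml_escape_config_value(value: str) -> str:
    """Escape an IdP entity ID, ACS URL or attribute value for use inside XML."""
    return _apply(value, XML_ESCAPES)


def relaystate_to_entities(value: str) -> str:
    """Convert reserved HTML characters in a RelayState to numeric entities."""
    return _apply(value, RELAYSTATE_ENTITIES)


def encode_nameid_spaces(value: str) -> str:
    """Workaround 439452: replace spaces in the Assertion Subject Value with %20."""
    return value.replace(" ", "%20")


def is_well_formed_attribute_value(raw: str) -> bool:
    """Would this value, embedded as-is, still parse as XML? (False when '&' or '<' present.)"""
    try:
        ET.fromstring(f"<AttributeValue>{raw}</AttributeValue>")
        return True
    except ET.ParseError:
        return False


def xml_roundtrip_ok(value: str) -> bool:
    """Escaped value embedded in an element parses back to the original string."""
    doc = f"<AttributeValue>{xml_escape_config_value(value)}</AttributeValue>"
    return ET.fromstring(doc).text == value


if __name__ == "__main__":
    # Constructed ACS URL from the release note's example.
    acs = "http://f5.com/acs_url?user=5&password=pass"
    print("raw well-formed:", is_well_formed_attribute_value(acs))      # False
    print("escaped:", xml_escape_config_value(acs))
    print("roundtrip ok:", xml_roundtrip_ok(acs))                        # True
    print("RelayState:", relaystate_to_entities('/app?x="a"&y=<b>'))
    print("NameID:", encode_nameid_spaces("John Smith"))
```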
439680 The BIG-IP system as SP supports only rsa-oaep (as defined here: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) for key transport. When the BIG-IP system configured as SP receives a SAML assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails. The only issue here is that the error reported does not directly point to the cause of failure which makes troubleshooting more difficult.
440395 If you have an HA pair and try to reset AD cache (group cache or PSO cache), the standby node logs this misleading message: Cannot cleanup cache if other options were changed for AAA AD Server.
440468 When the BIG-IP system is configured as a SAML Service Provider (SP), APD can crash if the IdP connector object that is used specifies a single logout URL. A crash occurs only when the SP receives a SAML assertion that does not include a SessionIndex attribute in the AuthnStatement element. To work around the problem: 1. Reconfigure the IdP to send the Assertion with a SessionIndex attribute in the AuthnStatement element, or 2. Clear the single-logout-url in the IdP connector object on the BIG-IP system.
452282 If an AAA RADIUS server is configured on a partition other than /Common with a default route domain, authentication will fail.
475977 The BIG-IP system supports exclusive canonicalization only, which is recommended in the SAML 2.0 specification. As a result, signed messages canonicalized with other algorithms are rejected by the BIG-IP system. The supported algorithm is documented at http://www.w3.org/2001/10/xml-exc-c14n#.
485387 An encrypted assertion from an external IdP can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element. BIG-IP as SP does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: - Cannot decrypt SAML Assertion - failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found.

Secure Web Gateway issues

ID number Description
431077 You cannot use tmsh to change the logging level for Secure Web Gateway content analytics. To work around the problem, you can perform the following steps: 1. Use SSH to connect and log in to the BIG-IP system. 2. Change directories to /var/antserver/wsgsdk/config/ant_server. 3. Open the ant_server.config file for editing and set the ANT_SERVER_LOG_LEVEL variable to the desired level. Note: The ANT_SERVER_LOG_LEVEL variable can range from 0 (Log Nothing) to 8 (Extra Debug). The variable is set to 3 by default.
433127 When creating schedules for Secure Web Gateway Schemes, the option to press a button labeled "Now" can be used to obtain the current time. This time is local to where the Admin GUI is located. To work around this problem, you can type the desired time into the schedule field, or you can use the slider bars to adjust the time range.
436138 If you use Kerberos authentication with the Request Based Auth option set to Enabled and you use Secure Web Gateway explicit forward proxy, access to web sites fails. To work around the problem, set the Request Based Auth option to Disabled.
436196 Searches on event logs for Secure Web Gateway time out when there is a very large number of records, close to the 1 million records that can be stored. Simple custom search works fine.
441458 An iRule is used to implement SSL bypass in Secure Web Gateway. The current iRule does not check for situations where more than one category has been returned for a given URL. This can cause bypass to fail. The likelihood of this event is generally rare.
479287 When using an HTTP 407 Response or HTTP 401 Response agent in an access policy for the SWG-Explicit or SWG-Transparent profile type, respectively, Kerberos authentication attempts always fail without additional configuration. The session variable session.server.network.name seems to be set to the actual website to which the client is trying to connect instead of to the proxy URL (virtual server proxy domain name). This results in GSS-API errors when getting credential information for Kerberos authentication. The access policy (with access profile type SWG-Explicit or SWG-Transparent) includes HTTP 407 Response (for SWG-Explicit) or HTTP 401 Response (for SWG-Transparent) and Kerberos Auth actions and an Allow ending. (For APM versions earlier than 11.6.0, the access policy would include an SWG Scheme action before the ending.) Users cannot authenticate to the SWG-Explicit or the SWG-Transparent proxy if attempting to use Kerberos authentication. To work around the problem, add a Variable Assign agent to the access policy after the HTTP 407 Response (or HTTP 401 Response) action. Add a Variable Assign entry as follows. Type this custom variable in the left pane: session.server.network.name and, in the right pane, select Text and type the appropriate domain name.

Other issues

ID number Description
360889 For ACLs that are generated from a portal access resource, port 0 (zero) matches against port 80 (when the scheme is HTTP) and against port 443 (when the scheme is HTTPS). For ACLs otherwise, port 0 matches against any port.
383511 The Device EPSEC Status screen should reflect the recent status of all devices in the device group. When a request to see the device status of a device group is made, the Changes pending link displays. After sync, the link should disappear and the status should be displayed. Perform "Sync from group" by clicking the Changes pending link and navigate to the Device EPSEC Status screen. The status displays.
384479 When you configure a virtual server for Oracle Access Manager integration (by selecting the OAM Support option), the option to select a specific AccessGate does not apply to OAM 10g environments.
389881 The portal access feature in APM does not support Flex Runtime Shared Libraries using ActionScript3.
409233 When an admin terminates an APM session and an associated View Client connection is proxied through APM, the connection stalls for one minute during which time APM displays a frozen View Client screen to the user.
414411 When you use visual policy editor from the Chrome browser, images do not preload and as a result, the navigation bar flickers. Use Firefox or Internet Explorer.
414420 Sideband connects do not work from an ACCESS_SESSION_CLOSED event. If this is attempted, currently, it causes a TMM crash. Do not use sideband connects from an ACCESS_SESSION_CLOSED event.
415262 If you use tmsh to create a connectivity profile and set another connectivity profile as the parent, the profile that you create does not inherit this information: Win/Mac Edge client, Server List, Location DNS list, All Mobile client settings. If you create the profile in GUI, all the information is inherited.
419996 When you import users to a local user database, any first or last name with a space in it is truncated to the first space.
424704 Profile Access is a prefix for the names of Access Profile, Access Policy Actions, and Access Policy Agents. If you copy an access profile and Profile Access is very long, the copy might result in an invalid configuration. If such a configuration exists, you must manually edit bigip.conf with the following steps: 0. Back up bigip.conf. 1. Determine which actions share the same agent. 2. Duplicate the agent under a different name. 3. Change one action to use the agent created in step 2. 4. Save the edited bigip.conf. 5. Reload the configuration.
431149 "Access Policy configuration has changed on gateway" can be seen in scenarios where there are multiple slots on a chassis in an HA pair (in both vCMP and chassis only mode). To work around the problem, type the command "bigstart restart apd" on the primary slot.
440203 When you use an iApp to create an APM service, after the access policy and related objects are created, the Apply Access Policy notification in the GUI might still be enabled, even though the generation number in the corresponding access profile has been increased by 1. To turn off the notification, click the Apply Access Policy link. Another workaround is to modify the iApp script so that the command "tmsh modify apm profile access <NAME> generation-action increment" runs in a different transaction. This can be done by creating a shell script from the iApp script. The shell script consists of two lines: sleep <SAY 5 SECONDS> followed by tmsh modify apm profile access <NAME> generation-action increment. Then, in the iApp script, execute this shell script in the background.
441482 Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms. This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.) Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.' Workaround: You may provision APM plus SWG only on platforms with 8 GB of memory or more. To use APM and SWG together on platforms with exactly 8 GB of memory, LTM provisioning must be set to None. (To do so, uncheck the box next to Local Traffic (LTM) on the Resources Provisioning screen, if applicable.) To fully support the LTM-APM-SWG combination, reserve at least 12 GB of memory for VE instances, or at least 16 GB for vCMP guests on BIG-IP or VIPRION platforms.
446187 If a daemon is started and working, and another instance of the same daemon is started manually, the original one spins in a loop, consumes around 100% CPU, and becomes nonfunctional. To work around the problem, never start any daemon manually. The proper way to start, stop, and restart daemons on the BIG-IP system is to use the bigstart utility: bigstart start <name>, bigstart stop <name>, bigstart restart <name>. These daemons are affected: apd, websso, eam, acctd, aced, rba.
451575 Under certain conditions (exact cause still unknown) the logging daemon, logd, might consume 99% of CPU when it tries to rotate tables in the local database. To work around the problem, restart logd.
459652 The default VE disk space of 100 GB is not enough to support more than one installed image when both APM and SWG are installed and provisioned. This issue is specific to VE versions 11.5.0 and 11.5.1. An attempt to install a new release or a hotfix on the second default volume fails with a disk-full error message. Workaround: Stop VE and increase the size of the VE disk to at least 124 GB. Then restart VE. For information on how to increase VE disk size, see SOL14952: Extending disk space on BIG-IP Virtual Edition, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14952.html.
477090 To launch sessions from a webtop using an HTML5 client, there is an additional requirement. The View Connections Server settings for a VMware Horizon View server include Blast Secure Gateway settings. To be able to launch VMware View sessions from an APM webtop using an HTML5 client, ensure that the check box, Use Blast Secure Gateway for HTML access, is cleared. The requirement is missing from BIG-IP Access Policy Manager: Third-Party Integration Implementations.
495769 To prevent duplicate logon prompts, there is an additional requirement. APM displays a login prompt for the View client. To prevent another login prompt from being displayed by the View Connection Server, disable the Display a pre-login message setting on the VMware Horizon View server. Note: To display a disclaimer message for a View client, add a VMware View Logon Page with type Disclaimer in the access policy. The requirement is missing from BIG-IP Access Policy Manager: Third-Party Integration Implementations.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices