Release Notes : BIG-IP APM 11.5.3

Applies To:

  • 11.5.3
Original Publication Date: 10/13/2017 Updated Date: 04/18/2019


This release note documents the version 11.5.3 release of BIG-IP Access Policy Manager (APM).


Platform support

This version of the software is supported on the following platforms:

Platform name | Platform ID
BIG-IP 1600 | C102
BIG-IP 3600 | C103
BIG-IP 3900 | C106
BIG-IP 6900 | D104
BIG-IP 8900 | D106
BIG-IP 8950 | D107
BIG-IP 11000 | E101
BIG-IP 11050 | E102
BIG-IP 2000s, BIG-IP 2200s | C112
BIG-IP 4000s, BIG-IP 4200v | C113
BIG-IP 5000s, 5050s, 5200v, 5250v | C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110
BIG-IP 12250v | D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS | D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113
VIPRION B2100 Blade | A109
VIPRION B2150 Blade | A113
VIPRION B2250 Blade | A112
VIPRION B4200, B4200N Blade | A107, A111
VIPRION B4300, B4340N Blade | A108, A110
VIPRION B4450 Blade | A114
VIPRION C2200 Chassis | D114
VIPRION C2400 Chassis | F100
VIPRION C4400, C4400N Chassis | J100, J101
VIPRION C4480, C4480N Chassis | J102, J103
VIPRION C4800, C4800N Chassis | S100, S101
Virtual Edition (VE) | Z100
vCMP Guest | Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blade in the 4400(J100)/4480(J102) and the 4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Module combination support on the 3900

Note: The GTM+APM module combination is not supported on the 3900 product platform.

Although SOL10288 states that all modules are supported on all platforms as of BIG-IP version 11.4.0, this does not mean that all possible module combinations are allowed on every platform (especially legacy platforms).

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

APM client browser support

For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.5.3 Documentation page.

Documentation changes in 11.5.0

In the 11.5.0 release, some manuals were consolidated to improve searchability and Configuration Guide for BIG-IP Access Policy Manager was replaced by two new manuals.

Table 1. Document consolidation and replacement

11.4.x document: Configuration Guide for BIG-IP Access Policy Manager
11.5.x documents:
  • BIG-IP Access Policy Manager: Implementations
  • BIG-IP Access Policy Manager: Visual Policy Editor

11.4.x documents:
  • BIG-IP Access Policy Manager: Single Sign-On Configuration
  • BIG-IP Access Policy Manager: Authentication Configuration Guide
  • BIG-IP Access Policy Manager: SAML Configuration
11.5.x document: BIG-IP Access Policy Manager: Authentication and SSO

11.4.x documents:
  • BIG-IP Access Policy Manager: Hosted Content Implementations
  • BIG-IP Access Policy Manager: Managing OPSWAT Libraries
  • BIG-IP Access Policy Manager: Syncing Access Policies
11.5.x document: BIG-IP Access Policy Manager: Implementations

11.4.x documents:
  • BIG-IP Access Policy Manager: VMware Horizon View Integration Implementations
  • BIG-IP Access Policy Manager: Citrix Integration
  • BIG-IP Access Policy Manager: OAM Integration Guide
11.5.x document: BIG-IP Access Policy Manager: Third Party Implementations

11.4.x document: BIG-IP Access Policy Manager OPSWAT software integration support charts
11.5.x document: The information is now available by clicking a link on the Welcome page of the BIG-IP Configuration Utility.

Evaluation support

If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.

New in 11.5.3

In this release, there are no new APM features.

New in 11.5.2

In this release, there are no new APM features.

New in 11.5.1

In this release, there are no new APM features.

New in 11.5.0

In this release, APM supports the following new features and enhancements.

Secure Web Gateway

BIG-IP Access Policy Manager implements a Secure Web Gateway (SWG) by adding access control, based on URL categorization, to forward proxy. The access profile supports both transparent and explicit forward proxy modes. The access policy includes support for using a captive portal to collect credentials for transparent forward proxy mode and HTTP 407-based credential capture for explicit forward proxy mode. In addition to user identification by credentials, SWG provides the option to identify users transparently, providing access based on best effort identification. SWG also supports SSL traffic inspection. The benefits that SWG provides include:

  • URL filtering capability for outbound web traffic.
  • Identifying malicious content and providing the means to block it.
  • Applying web application controls for application types, such as social networking and Internet communication in corporate environments.
  • Monitoring and gating outbound traffic to maximize productivity and meet business needs.
  • User identification or authentication (or both) tied to monitoring, and access control compliance and accountability.
  • Visibility into SSL traffic.
Note: Secure Web Gateway is not supported on BIG-IP 1600 and 3600 platforms. SWG requires more memory than is available with those platforms.

Active Directory authentication enhancements

APM supports route domain and password reset for Active Directory.

Active Directory and LDAP group resource assignment enhancements

You can now import groups from AAA Active Directory and LDAP servers for use in group resource assignment.

Maximized Enterprise Application Delivery Value

To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.

  • Good: Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
  • Better: Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
  • Best: Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.

You can learn more about these new software bundles from your F5 Networks Sales Representative.

Supported high availability configuration for Access Policy Manager

Access Policy Manager is supported in an Active/Standby configuration with 2 BIG-IP systems only.
Note: Access Policy Manager is not supported in an Active-Active or an N+M configuration.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Versions later than 10.x do not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0 11.x

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading from earlier versions of APM

When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.

NTLM Auth Configuration

In 11.5.2, the DC FQDN list for an NTLM Auth Configuration is mandatory. Before you upgrade to 11.5.2, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, you can add the following line: (dc-fqdn-list { <fqdn> } ) for each NTLM Auth configuration as shown in this example:

    apm ntlm ntlm-auth ntlm_test {
        app-service none
        dc-fqdn-list { }
        machine-account-name mdc1
        partition Common
        service-id 2
    }
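
A pre-upgrade check for the requirement above, as an added example that is not part of the F5 release note: it parses text in the stanza layout shown in the example (for instance, saved output of tmsh list apm ntlm ntlm-auth) and reports every NTLM Auth Configuration whose dc-fqdn-list is empty or absent. The profile names ntlm_ok and ntlm_missing, the example.com FQDNs, and all function names are assumptions made for the illustration.

```python
import re
import sys

# Constructed sample in the stanza layout shown in the release note.
# ntlm_test comes from the note; the other names and FQDNs are made up.
SAMPLE = """\
apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { }
    machine-account-name mdc1
    partition Common
    service-id 2
}
apm ntlm ntlm-auth ntlm_ok {
    app-service none
    dc-fqdn-list { dc1.example.com dc2.example.com }
    machine-account-name mdc1
    partition Common
    service-id 3
}
apm ntlm ntlm-auth ntlm_missing {
    machine-account-name mdc2
    partition Common
}
apm ntlm machine-account mdc1 {
    partition Common
}
"""

# A token is a quoted string, a single brace, or a run of other characters.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[{}]|[^\s{}]+')


def tokenize(text):
    """Split configuration text into tokens, ignoring '#' comment lines."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    return TOKEN.findall("\n".join(lines))


def read_block(tokens, i):
    """tokens[i] must be '{'. Return (inner tokens, index after matching '}')."""
    depth, start = 0, i + 1
    while i < len(tokens):
        if tokens[i] == "{":
            depth += 1
        elif tokens[i] == "}":
            depth -= 1
            if depth == 0:
                return tokens[start:i], i + 1
        i += 1
    raise ValueError("unbalanced braces in configuration text")


def dc_list(body):
    """Return the FQDNs under dc-fqdn-list, [] if empty, None if the key is absent."""
    i = 0
    while i < len(body):
        if body[i] == "{":
            _, i = read_block(body, i)  # skip an unrelated nested block
            continue
        if body[i] == "dc-fqdn-list":
            if i + 1 < len(body) and body[i + 1] == "{":
                inner, _ = read_block(body, i + 1)
                return [t.strip('"') for t in inner]
            return []  # a non-brace value is treated as an empty list
        i += 1
    return None


def ntlm_auth_dc_lists(text):
    """Map each 'apm ntlm ntlm-auth <name>' stanza to its DC FQDN list."""
    tokens, result, i = tokenize(text), {}, 0
    while i < len(tokens):
        header = []
        while i < len(tokens) and tokens[i] != "{":
            header.append(tokens[i])
            i += 1
        if i >= len(tokens):
            break
        body, i = read_block(tokens, i)
        if len(header) == 4 and header[:3] == ["apm", "ntlm", "ntlm-auth"]:
            result[header[3]] = dc_list(body)
    return result


def upgrade_blockers(text):
    """Names of NTLM Auth Configurations with no domain controller FQDN."""
    return sorted(n for n, dcs in ntlm_auth_dc_lists(text).items() if not dcs)


if __name__ == "__main__":
    # Read saved configuration text from stdin, or fall back to the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    blockers = upgrade_blockers(text)
    for name in blockers:
        print(f"NTLM Auth Configuration {name}: dc-fqdn-list has no DC FQDN")
    sys.exit(1 if blockers else 0)
```

The script exits non-zero when any configuration would fail the 11.5.2 requirement, so it can gate an upgrade runbook step.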

Connectivity profiles

When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:

  • Option 1: Upgrade from 10.x.x to 11.4.x, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration utility.
  • Option 2: Upgrade from 10.x.x to 11.x.x, where 11.x.x is earlier than 11.4.x, then continue upgrading to 11.4.x.

Antivirus and firewall software checks in access policies

If your access policies include custom expressions that rely on session variables created by the antivirus or firewall software checks, after upgrade to 11.4.x, you must configure the antivirus or firewall software checks so that the Store information about client software in session variables property is set to Enabled. (It is disabled by default.)

If the custom expressions include multiple sub-expressions, you might need to edit the expressions.
Note: After version 11.5.2, the Store information about client software in session variables property is no longer included in endpoint software checks.

Citrix client packages

The version 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:

  1. Outside of APM, name or rename a Citrix client package without spaces in the name.
  2. Use the correctly named Citrix client package.
    • To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
    • To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.

Machine accounts for NTLM front-end authentication

APM does not restore NLAD connections when the configuration is restored from a UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.

Advanced customization

If you performed any advanced customization of files, you must upgrade these files manually.

Custom reports

Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.

OAM configuration

When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.

Access policies that use session variables

If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after upgrade. This example shows the difference in the value of a session variable between these versions.

  • Version 10.x -
  • Version 11.x -

The partition, Common, is added to the version 11.x object name.

Fixes in 11.5.3

Cumulative fixes from BIG-IP 11.5.2 HF1 are included in release 11.5.3 in addition to the fixes listed in this table.

ID number Description
441790 Fixed a threading pitfall that could cause deadlock between DB rotation and loading threads.
489364 Now an Internet Explorer window is correctly minimized to tray.
506740 Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.
507153 BIG-IP Edge Client for Mac now follows an HTTP 302 redirect when the new site has an untrusted self-signed certificate, and the user is able to log in successfully.
507155 BIG-IP Edge Client for Mac now passes machine certificate inspection when domain component is included in search criteria.
507160 Machine Certificate Checker matching criteria for FQDN has been improved.
507162 Now BIG-IP Edge Client disconnects from FirePass smoothly without delays.
507169 Fixed Network Access renegotiation procedure on TLS1.1 and TLS1.2 for Windows 7.
507168 Click-to-Run Office 2013 applications can start inside PWS now.
507171 JavaRDP client session starts correctly now, and the system does not process extraneous input that occurs before the handshake completes.
507173 BIG-IP Edge Client now keeps the DTLS connection until the IP address becomes invalid, as expected.
507178 Now BIG-IP Edge Client uses the set of icons that the configuration specifies. Also, F5 icons no longer display for a split second during application launch when the configuration specifies the generic set of icons.
507179 PAC file download mechanism now avoids a race condition if /etc/hosts is patched with the static entry of the host that contains PAC file.
507180 Fixed text shown in German language.
507181 All configured networks are now reachable when connecting to FirePass using a BIG-IP Edge Client for Mac downloaded from APM.
507187 A rare environment-based issue that prevented new users from logging in to Windows-based systems has been fixed.
507190 BIG-IP Edge Client for Mac can now establish a connection correctly. An issue with routing table patch coding deleting an essential route has been resolved.
507191 BIG-IP Edge Client for Mac does not fail intermittently with machine certificate inspection agent.
507194 The BIG-IP Edge Client for Mac displays the correct SSL protocol version now in Details.
507196 OpenSSL library updated to version 1.0.1l
507199 Network Access connection does not reset if a large proxy.pac file is configured.
507200 Merged (by F5 tunnel server) proxy.pac is now NOT truncated when sent to the browser even if its size is greater than ~65 KB.
507211 An access policy can now enter Windows Protected Workspace on Internet Explorer versions 10 and 11.
507764 Mistakes in French localization were fixed.
507766 The Machine Cert Auth agent no longer crashes if the Match Issuer setting is configured at the same time that a Mac client specifies Russian for the language and region setting.
507770 Now an Internet Explorer window is correctly minimized to tray.
507771 Browser client now selects the appropriate certificate when "match SubjectCN and FQDN" criteria is specified in Machine Cert.
507773 The CustomDialer component has been updated to prevent a rarely occurring deadlock.
508138 The issue is fixed by having the primary blade of the chassis/vCMP recreate config snapshots if a secondary blade transitions from online to offline and vice versa.
508139 Support for generating a license usage alert when a threshold is crossed has been added.
508141 Releases with this fix will load the configuration properly. There is no need for users to first create the /shared/apm directory.
508145 You can import an access profile that includes an SSL certificate object in its configuration objects.
508154 APD is now more robust and handles exceptions in AD module properly.
508157 Now it is possible to configure charset decoding behavior. You can decode usernames and passwords into CP-1252 (original behavior) or use UTF-8 charset (in this case, RADIUS Auth sends the username and password unmodified).
508158 If multiple messages arrive from BIG-IP Edge Client in one payload, the system processes them correctly.
508163 Correct rewriting for obj.src = some_url was added to support Web Applications.
508165 Now the primary blade's TMM leasepool IP information is mirrored on the oldest secondary blade.
508171 Fixed an issue where Rewrite plugin could crash when collecting webtrace or debug logs for Portal Access.
508176 Network Access clients can reconnect now and the lease pool does not run out of IP addresses.
508182 After a policy sync operation, the Policy Sync history file objects no longer remain within the /config/.../policy_sync_d directory as expected.
508187 Logging to access_log continues after log rotation.
508193 A user can now load sys config even after removing the peer from the sync-only group.
508197 Passphrases, secrets, passwords, and so on, do not display in clear text and appear as "*****" on the Dashboard.
508200 Now, when an error occurs, the system prints an error code in hex. It will be easy to find the reason for the error.
508206 To fix the issue, we change the data structure to a more simplified form.
508209 If a session is expired and a query is made with an Access whitelist and query parameters, APM code did not handle the case properly and sent a logout page. APM now enables the user to revalidate by starting the Access policy again.
508212 APM checks config snapshots periodically and recreates them if any is missing.
508213 Rewrite plugin no longer crashes when Portal Access application cookies require more than 32k of storage.
508218 Now the title displays correctly on the logon page; RSA error messages are now sanitized.
508227 In this fix, we trim leading and trailing spaces from the user name before using it. So the user name is uniform everywhere.
508228 Now a self expiry is set for each memcache object (which is configurable). With this change, each user remains in the cache only for the configured duration.
508230 Problems with EventTarget.addEventListener() new feature support were fixed.
508234 TMM no longer restarts when connected to Office 365 as SP initiated SLO.
508237 The erroneous security check has been fixed, so accessing some content in a different domain now works as expected.
508241 Now, in some rare situations where previously apd or apmd would assert, the system logs proper error messages before exiting. This results in restarting apd, apmd.
508245 A problem with SAML single-logout has been fixed.
508255 Improved request parsing to make it more robust against invalid formats.
508263 Windows File check now works with a file name that starts with an ampersand (&).
508284 Initialized SAML memory region to prevent tmm panic.
508377 Disallow XML DTDs (doctypes), external general entities and external parameter entities to prevent XML external entity attack.
508964 A crash in MCPQ from bad user input is now prevented.
508993 Improved availability based on internal F5 testing.
508994 This release fixes a TMM core that occurred with APM provisioned.
509012 Now CTU correctly picks up logs for Machine Cert service.
509016 Windows Phone 8.1 built-in browser is now properly detected by BIG-IP system.
509017 Network access can now be established with FirePass using APM BIG-IP Edge Client for Mac on OS X Yosemite.
509022 The title displays on the logon page now.
509341 On BIG-IP Edge Client for Mac on OS X 10.7, a user can successfully add a new server using IP address.
509549 Translated French text has been corrected to properly fit buttons in BIG-IP Edge Client on Windows-based systems.
509647 When using Chrome to send a new message on DWA, a JavaScript error occurred. The message was sent but the tab did not close. This no longer occurs.
509719 APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session".
509763 Now, the BIG-IP Edge Client does not show an incorrect cosmetic warning message.
509820 A timestamp is now prepended to each log message in logstatd.log for Policy Sync.
510325 SAML single logout is now supported on BIG-IP Edge Client.
510719 Improved the way that we process cookie values in an SWG blocked page.
510773 Proper checks were added before processing the URL so that, if there is a long initial URL, the BIG-IP system will not process it and a user might see a reset. After establishing the session in other tabs, the user can access the long URL again.
510813 BIG-IP Edge Client for Mac now supports Proxy.pac file size of up to 1 MB; previously, the limit was 32KB.
511617 The system now uses the correct system object to track current primary slot, which ensures that counters in leasepool_stat that have global context (that is, cur_member, cur_assigned, cur_free, max_assigned) are synced to all blades.
511843 JavaScript now correctly handles the X-UA-Compatible meta tag from clients using Microsoft Internet Explorer 11.
511858 BIG-IP as IdP can now successfully create SAML assertions even when BIG-IP configuration contains special XML characters.
511860 The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.
511861 Fixed validation of the input data sent in the ICA connection so that an invalid/non-patched Address causes the connection to be rejected instead of a crash.

Fixes in 11.5.2

Cumulative fixes from BIG-IP 11.5.1 HF6 are included in release 11.5.2 in addition to the fixes listed in this table.

ID number Description
405348 Modify the db variable "tmm.access.maxrequestbodysize" with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).
470214 This version provides strengthened management of session mirroring so the system can more accurately track connection mirroring.
475049 In this release, the DC FQDN list for an NTLM Auth Configuration is mandatory. Before you upgrade, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, you can add the following line (dc-fqdn-list { <fqdn> } ) for each ntlm auth configuration as shown in this example. apm ntlm ntlm-auth ntlm_test { app-service none dc-fqdn-list { } machine-account-name mdc1 partition Common service-id 2 }
485579 The NTLM feature can now be used with an APM Limited license.
491488 EAM is a CMP plugin and spins up one thread per TMM.
485538 If an authparam is not found in the local cache, an empty string will be returned to the caller.
486529 A problem due to an uninitialized field no longer occurs in CRLDP or OCSP modules.
490526 The DC FQDN list for an NTLM Auth Configuration is now mandatory.
485536 Access policy changes are handled gracefully.
485500 The SecurID node secret file monitoring algorithm was updated so that a new node secret file can be detected. Also, the aced now authenticates with the mcpd so that any node secret file object changes will be accepted by the mcpd.
493993 In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device.
496113 Computer group policy settings are updated after establishing a VPN connection with Windows Logon Integration.
493030 CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568: Update OpenSSL to latest.
485534 After a network access session closes, if a PPP tunnel does not get closed in some time, a cleanup is forced on the server side.
490527 Windows, Mac, and Linux clients were updated to prevent a crash when establishing a VPN connection in certain conditions.
485499 Modify the db variable tmm.access.maxrequestbodysize with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).
485520 A JavaScript error screen no longer displays when using BIG-IP Edge Client to connect with a logon page that contains an additional select type.
492809 An issue has been fixed that resulted in a small, periodic mcpd memory leak associated with APM statistics.
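
A pre-upgrade check for the mandatory DC FQDN list described under IDs 475049 and 490526, added here as an example and not F5 code: it scans saved configuration text for apm ntlm ntlm-auth stanzas whose dc-fqdn-list is empty or absent. The sample configuration, its extra object names and its hostnames are constructed, and the stanza layout is assumed from the release note's example.

```python
import re

# Constructed sample configuration text (not from a real device). The first
# stanza is the release note's example written on one line; the other object
# names and the example.test hostnames are made up for this illustration.
SAMPLE_CONFIG = """\
apm ntlm ntlm-auth ntlm_test { app-service none dc-fqdn-list { } machine-account-name mdc1 partition Common service-id 2 }
apm ntlm ntlm-auth /Common/ntlm_ok {
    app-service none
    dc-fqdn-list {
        dc1.example.test
        dc2.example.test
    }
    machine-account-name mdc1
    service-id 3
}
apm ntlm ntlm-auth /Common/ntlm_missing {
    app-service none
    machine-account-name mdc2
}
ltm virtual /Common/vs_unrelated {
    description "not an NTLM object"
}
"""

# Start of an NTLM Auth Configuration stanza, capturing the object name.
STANZA_RE = re.compile(r"^apm ntlm ntlm-auth\s+(\S+)\s*\{", re.MULTILINE)
# The list keyword, not preceded by a word character or hyphen.
DC_LIST_RE = re.compile(r"(?<![\w-])dc-fqdn-list\s*\{")


def _block_end(text, open_idx):
    """Return the index of the '}' matching the '{' at open_idx, or -1.

    Braces inside double-quoted strings are not counted.
    """
    depth = 0
    in_quote = False
    i = open_idx
    while i < len(text):
        ch = text[i]
        if in_quote:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def ntlm_auth_dc_lists(config_text):
    """Map each NTLM Auth Configuration name to its DC FQDN list.

    The value is a list of FQDN strings, or None when the stanza has no
    dc-fqdn-list entry at all.
    """
    result = {}
    for match in STANZA_RE.finditer(config_text):
        name = match.group(1)
        open_idx = match.end() - 1
        close_idx = _block_end(config_text, open_idx)
        if close_idx == -1:
            raise ValueError(f"unterminated stanza for {name}")
        body = config_text[open_idx + 1:close_idx]
        list_match = DC_LIST_RE.search(body)
        if list_match is None:
            result[name] = None
            continue
        inner_open = list_match.end() - 1
        inner_close = _block_end(body, inner_open)
        inner = body[inner_open + 1:inner_close] if inner_close != -1 else ""
        result[name] = inner.split()
    return result


def upgrade_blockers(config_text):
    """Names of NTLM Auth Configurations with no domain controller FQDN."""
    lists = ntlm_auth_dc_lists(config_text)
    return sorted(name for name, fqdns in lists.items() if not fqdns)


if __name__ == "__main__":
    for name in upgrade_blockers(SAMPLE_CONFIG):
        print(f"NTLM Auth Configuration {name}: add at least one DC FQDN before upgrading")
```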

Fixes in 11.5.1

ID number Description
392250 When Access Policy OAM Support is enabled on a virtual server and the AccessGate setting specifies a particular accessgate instead of Default, users are no longer intermittently redirected to an OAM error page.
424938 APD no longer crashes when processing an access policy with Tcl expressions; previously, this occurred rarely.
432260 An AAA server pool is now reachable even after the "bigstart restart [mcpd]" command runs.
432925 You can now successfully create a macro from the Support for Microsoft Exchange macro template.
433227 F5 PCoIP proxy implementation is certified by VMware.
436556 Citrix apps render correctly on an APM webtop when a Citrix resource uses Kerberos single sign-on to Citrix XML Broker.
443139 Session variables have been made available during the ACCESS_SESSION_CLOSED event. As a result, session variables are still available even after issuing the "ACCESS::session remove" command, because the actual removal is deferred until after the current iRule completes. However, it is considered an error to access that data outside of the ACCESS_SESSION_CLOSED event.
446123 Online help is provided for the Groups screen for the LDAP and Active Directory AAA servers.
446207 The "state" value in the session variables created after a software check (antivirus, anti-spyware, firewall, patch management, peer-to-peer, health agent, and disk encryption) now contains the correct state of the specified product.
446425 The BIG-IP Edge Client for Mac now applies DNS server settings correctly.
447033 Now Java RDP and Java App Tunnels work without showing a security warning.
447089 Network access connections now succeed after failover without encountering an IPv4 allocation failure error: "leasepool <name>is out of addresses".
447130 Internal communication with the Secure Web Gateway (SWG) content scanning engine has been optimized. This results in significant performance improvements.
447239 Additional Secure Web Gateway (SWG) sessions are no longer created when a session expires.
447609 The installer for the BIG-IP Edge Client for Windows now prompts the user if a reboot is required, instead of silently rebooting the machine.
447654 When using Portal Access, an input tag in forms now can receive a value that is dynamically created by JavaScript on the client.
447658 An APM page that contains dynamic scripts now works correctly when a user opens it from another domain or protocol using the Chrome browser.
447685 The current HTML page continues to display without reloading, if a user clicks a link that contains an undefined URL.
447699 Now forms with an absolute path in the action are handled correctly.
448152 If the database download introduces a new URL category, it happens without producing an error in a log file.
448366 If the Secure Web Gateway (SWG) database download fails, the system no longer continues to retry the download.
448385 Now JavaScript arithmetic assignment operators are handled correctly on the server and on the client.
448461 Online help for Bandwidth Policy access policy item has been added to the visual policy editor.
448599 Some Secure Web Gateway (SWG) URL category names that were truncated when displayed, are now fully displayed.
448628 An AAA server pool is now reachable even after the "bigstart restart [mcpd]" command runs.
448870 Now an APM webtop renders Citrix apps when a Citrix resource uses a pool and Kerberos SSO.
448874 Citrix apps render correctly on an APM webtop when a Citrix resource uses Kerberos single sign-on to Citrix XML Broker.
449236 Added an option to full webtop configuration: Show warning message when webtop screen closed. When this option is disabled, a user can close a webtop browser without also being prompted to close the Network Access tunnel (that was launched from the full webtop).
449573 The iRule event agent (in an access policy) no longer logs BIG-IP Edge Client for Linux CLI users out before they can establish network access.

Fixes in 11.5.0

ID number Description
238494 The F5 Credential Management service now updates automatically on the BIG-IP Edge Client. To get SSO working after update, user should reboot the machine.
325296 Previously, APM supported only LDAP URLs for CRL distribution points. Now, APM also supports HTTP URLs.
381486 Information about session length, connection timeout and idle time is added to BIG-IP Edge Client. Information about used tunnel type, session length, idle time and session timeout is added to web browsers.
386888 Citrix application icons used on the APM webtop are cached on BIG-IP system now; this reduces load on the back end and improves icon loading time.
390462 Visual policy editor now supports Internet Explorer 10 and 11.
392250 When Access Policy OAM Support is enabled on a virtual server and the AccessGate setting specifies a particular accessgate instead of Default, users are no longer intermittently redirected to an OAM error page.
394176 The access policy item, Windows Registry, now supports REG_MULTI_SZ fields.
394184 Remote desktop Java client now supports connections to Windows 8 and Windows Server 2012 hosts.
394449 Now, AD and LDAP can parse multiple entries in an LDAP response.
396735 Authentication failure is now prevented if the SAML assertion and response are both signed.
400433 Daemons (apd/apmd) are more robust.
401658 APM now hides network access, remote desktop, and application tunnel resources from APM webtops on Windows 8 ARM.
402297 An administrator can build visual policy editor rules to detect a "Windows 8" running on ARM processor and create appropriate branches.
402699 For BIG-IP Edge Client on Windows systems, when APM network access is configured to close idle connections, a notification about the idle connection displays ahead of time.
406916 The upgrade script now handles client-packaging with multiple folders in full path name.
407362 When a desktop requested by the user is not immediately available (as reported by XML Broker), APM waits for some time and retries the launch attempt a predefined number of times.
408665 The APM PCoIP Proxy implementation is compliant with Teradici certification.
409438 APM now supports SSL Relay when working with a Web Interface site.
413486 On the BIG-IP Edge Client for Mac OS X, the text copy and paste action, to and from the clipboard, now works correctly.
413661 Access policies that were copied from other policies no longer lose their images when the original policy is deleted.
414370 Clients no longer receive a TCP reset if an ASM profile is configured and access was disabled with the "ACCESS::disable" iRule.
415844 The BIG-IP system now assigns special identifier (SPI) values to VMware View clients. Clients no longer use self-generated SPIs.
416949 "Login failed" no longer displays as the caption of the Citrix Logon Dialog box on the APM webtop when the user successfully logs into a Citrix resource, but has no apps assigned to him.
417289 A Java remote desktop resource now uses the en-us keymap (US keyboard) for the logon screen by default. Previously, en-gb (UK keyboard) was the default keymap.
417908 Now accounts in Citrix Receiver for Windows can be registered by entering only the domain name of APM virtual server.
418082 APM webtop now supports VMware View HTML5 client.
418231 Now ICA Proxy does not attempt to modify an ICA file if it detects that an STA ticket is used. The list of STA servers configured through a session variable named "session.citrix.sta_servers" is used to resolve STA tickets. The list of STAs should contain one or more URLs delimited by semicolon.
418610 Various APM related cookies are now set to a secure option.
418976 Citrix apps icons on APM webtop are cached by the browser now, which improves webtop page load times.
419127 A new global variable, F5_noContextSwitching, turns off part of the processing on the client side in case of web application slowdown. You can use an iRule to set the variable on a page.
419237 APM now supports launching VMware View desktops from APM webtop using standalone View client.
419654 VMware View client for Linux 2.0 is supported by APM PCoIP proxy.
419780 APM now encodes URLs for the prevention of XSS attacks using a less aggressive mechanism.
419859 Visual policy editor configuration pages for peer-to-peer software, HD encryption software, health agent software checks are improved.
419955 CPU usage by Kerberos library during some error conditions is acceptable now.
419984 Sessions that share the same TCP connection are no longer terminated when a new client connects using the same connection.
420013 EMC applet works now.
420543 The OPSWAT checks workflow is restored; it is possible to save after the changes.
420706 APD process now takes significantly less time to apply an access policy.
420743 SAML IdP automation now gracefully handles a metadata file that is missing an EntityDescriptor tag.
420961 The Tcl encoding command is now available for use in visual policy editor expressions.
421055 It is now possible for an end user to change their AD password.
421068 When you use APM portal access that has an iframe or frame that runs an HTML file which includes a parent.document.write(some_html_with_script) statement, Internet browser response is now acceptable.
421259 Secure session variable now decrypts correctly and is the correct length.
421499 BIG-IP Edge Client for Mac OS X code now handles network access over a third party PPTP VPN connection.
421522 APM now handles an empty AVP-24 ("state") in a RADIUS Access-Challenge request.
421566 The root cause of a logd core has been corrected with a thread-safe call to localtime_r().
421648 Documentation now contains correct values for the Machine Info agent.
421796 SAML single logout (SLO) now succeeds when a SAML Service Provider (SP) session times out, the user logs in to the SAML SP again, and the user initiates SLO.
422135 RSA Next Token and New PIN modes are supported for Citrix Xenith and Xenith2 clients using RADIUS server.
422194 Access no longer resets a TCP connection if a client requests the landing URI on the slave twice before completing an access policy.
422396 You can now start a Citrix application with an ampersand in its name from an APM webtop.
422516 A notification displays when reboot is required after the Cred Mgr has been updated.
422550 You can use APM local user database from iRules now.
422697 A Java remote desktop resource now works on a Mac system that is affected by an Oracle issue, bug 7180557.
422948 If you change a rule expression in a macro, the "Apply Access Policy" link now appears as expected.
423260 Now all software checks are directly available in the agent selector in a branch rule expression.
423435 The access policy item, Windows Registry, now correctly compares pure numbers.
423751 A case where policy evaluation is in process and an existing client connection is disconnected is now handled correctly.
423848 Using Device Wizards (Network Access Setup Wizard for Remote Access) to create Network Access (with client-side checks enabled) for remote access now produces an antivirus action with entries.
423897 BIG-IP Edge Client for Mac OS X handles ending redirect correctly.
424067 Proper Windows 8.1 and Internet Explorer 11 detection implemented for BIG-IP APM.
424117 APM supports Windows Citrix Receiver 4.0.
424199 Initial access to cookies on a page from a dynamically loaded script no longer causes intermittent Firefox browser halt.
424371 Protected Workspace code was changed to allow Internet Explorer 11 and Windows Explorer to start on Protected Workspace Desktop (on Windows 8.1).
424572 APM SAML can now operate with other systems using either or both of these groups of algorithms: RSA-SHA256/RSA-SHA512 XML signature algorithms; SHA256/SHA512 digest algorithms. It continues to sign its own SAML messages (AuthnRequests and Assertions) using RSA-SHA1.
424577 Support for Windows 8.1 Inbox F5 VPN detection is available in APM visual policy editor; an additional branch was implemented for the Client Type Access Policy action.
424587 A SharePoint 2013 homepage can now successfully render in Internet Explorer 11 when it runs through APM content rewrite.
424607 APM portal access with split tunneling enabled now selects the action correctly for URLs containing the '%0a' character string when requests are initiated by JavaScript.
424661 You should no longer see the following Tcl error message in the /var/log/ltm log file. TCL error: _sys_APM_activesync HTTP_REQUEST - can't read "actsync_401_http_body": no such variable while executing: "HTTP::respond 401 content $actsync_401_http_body Connection close".
424969 Fixed a rewrite plugin crash that could occur when sending POST requests with specific XML data through portal access.
425166 Fixed a BIG-IP Edge Client crash caused by an incorrect memory copying routine during the disconnect process.
425853 Launch Application for Mac OS X now works if the string contains an ampersand.
425884 When an admin tries to upload and install a new epsec package, the admin will no longer see a Configuration error.
425904 Now Flash AS2 jump instructions should be properly rewritten.
426185 Flash AS2 content is properly rewritten now.
426439 Portal resource now opens properly after a Citrix or a View resource has been used on an APM webtop.
426685 Now Citrix/VMware View support works on virtual addresses of the 'traffic-group-local-only' as well.
426850 The BIG-IP system configured as a SAML service provider (SP) now processes encrypted assertions.
427076 An error no longer occurs during logon to a web application using client initiated form-based SSO.
427725 An issue in which TMM produces core files in access deployments has been fixed.
427743 iOS Receiver now works when APM is configured with StoreFront integration or when APM is configured for two-factor authentication.
427762 Fixed issue with session re-establishing for iOS Citrix Receiver.
427804 The IE 11 on Windows 7 user agent is now detected correctly.
427819 Network access restores proxy settings when a user signs out from a Windows-based session and schedules proxy cleanup operations to start on the next Windows user sign in.
427864 The VMware View client can now connect through APM when the backend replies with a chunked response.
428306 When using the svpn plugin proxy service on a Mac system, the plugin works correctly when it probes
428390 Log messages for client initiated form based and SAML SSO are working again.
428417 Support for Windows 8.1 platform detection implemented in Windows client code.
428450 The rewrite process no longer loops when working with malformed Flash files.
428595 A user who can access visual policy editor in read-only mode can now switch to the Branch Rules tab.
428784 Fixed absence of session timeout window on the logon page in Safari browsers that forced users to enter credentials again after the Login button is pressed. This fix will not affect already customized logon pages.
428933 Cookies created from JavaScript with the wrong date format in the expires field are processed correctly.
429031 Removed negative cases from the expression builder for software checks.
429163 Resolved issue where InstallerService is not installed and Internet Explorer is used so that the correct newer components are employed to avoid reconnect looping when per-user is used, instead of per-machine.
429171 Flash ActionScript 3 files from different domains with conflicting class definitions now work correctly through Portal Access.
429617 Windows RT users can now access webtop links and portal access resources on APM webtop.
429680 Response headers are parsed correctly for any responses with unsupported content.
429704 The Disable/Enable logic for Unlock User button is fixed.
429741 A Windows RT branch is added to the "Client OS" action in APM Access Policy.
430669 The issue where Internet Explorer 11 did not always allow access to "window.opener" is fixed.
430819 AD/LDAP non-printable attributes are now detected as such.
430899 Records installed in session db keep track of license counts during regular operation on chassis.
430962 Previously when F5 Networks VPN Adapter was disabled by user, manually connecting to the VPN would fail. Now the adapter is automatically enabled in this case and VPN connections can successfully be established.
430965 Resolved issue where Windows 8.1 SetupDiGetDeviceRegistryProperty function returned hardware IDs with spaces replaced with underscores, to allow VPN driver to be uninstalled. This addresses issues with the VPN driver update.
431076 Driver installer fixed to re-install client stonewall driver independently from VPN driver.
431216 Internet Explorer 11 does not recognize PAC files specified with the "file://" prefix. To work around this issue Network Access automatically enables "Client Proxy Uses HTTP for Proxy Autoconfig Script" for Internet Explorer 11 clients.
431377 and 431381 Improved JavaRDP compatibility with Windows 8 / 2012 Server hosts.
431508 APM displays UTF-8 HTML pages correctly.
431976 Maximum number of entries in subject alternative name is not limited anymore in server certificate check module of Linux CLI.
432049 Sessions from BIG-IP Edge Client on iOS now can be filtered by CPU type in visual policy editor.
432096 Layered virtual with matching destination can now intercept MobileSDK and/or JavaPatcher traffic.
432721 RemoteDesktop module will use the configured search domain, while resolving short names for mobile app tunnel connections.
432851 Mac File and Linux File access policy items work correctly when the specified file size is greater than 1024 bytes.
433605 At the end of an APM network access session, the route is now restored for an interface that has a gateway and IP address on different subnets, provided that the gateway and IP address have not changed during the session.
433781 APM now correctly processes any HTTP headers.
433839 Now, if the peer is shut down, Kerberos immediately terminates the connection.
433982 Detection of Internet Explorer is improved in APM Portal Access.
434049 Fixes for supporting multiple customization_templates during tmsh load sys config merge.
434776 A Windows File, Mac File, or Linux File agent can be added to an access policy without causing APD or APMD to crash.
435329 Layered virtual servers are now assigned the correct IP addresses, and no longer conflict or interfere with each other.
435383 When deleting an Accessgate from OAM server configuration, wrong MCPD validation prevented deleting the second to last Accessgate. This fix will result in throwing the MCPD error, while deleting the last Accessgate only, as expected.
435436 Users can use APM with VMware View when the View resource uses a pool of more than two View Connection servers.
435449 Request no longer hangs and no errors occur.
435900 XDomainRequest is supported similar to XMLHTTPRequest.
436049 Fixed a rare case of crash in rewrite plugin.
436175 Upgrade script is fixed to handle empty bodied Citrix Client Bundle (all on one line).
436616 CTU correctly enables logs for 64-bit services on Windows systems.
436788 Corrected page handlers to return to OAM AAA Server listing page upon saving.
437227 Memory leak has been fixed in the rewrite daemon.
437731 Optimized tunnel works correctly with Internet Explorer now.
437952 VPN installation now launches under Protected Workspace (PWS) on Windows 8.1.
438219 The access policy daemon (apd) process no longer leaks memory with AD and LDAP Query agents.
438251 Now when using Outlook Web Access (OWA) 2010 from a portal access webtop, new messages are shown automatically in the mailbox and the message indicator changes accordingly depending on whether the messages are read or unread.
438664 F5 Client Traffic Control Service now works on Windows 7. Previously the service started and then stopped.
438709 Users can now open the calendar widget in SharePoint 2007 while using Internet Explorer browsers with portal access.


Session ID rotation has been implemented, and starting from 11.2.0, it is on by default. This breaks compatibility with earlier BIG-IP Edge Client and plugin versions. For example, when APM is configured for session ID rotation, an 11.1.0 Edge client is not allowed to log in to Access Policy Manager (APM) version 11.2.x. The expected behavior in this case is for APM to present the login page to the Edge client after each login attempt. To disable session ID rotation per-box, you can use the following tmsh command:
    tmsh modify sys db apm.rotatesessionid value disable

Known issues

This release contains the following known issues.

Upgrade issues

ID number Description
365014 If you upgrade from APM 10.2.X to 11.2.0, you might run into this error: 012e0008:3: The requested command (connectivity resource) is invalid. To prevent the error, perform these steps.
    1. Switchboot back to version 10.2.X.
    2. Use text editor vi or vim to open the /config/bigpipe/bigip.conf file.
    3. Look for the pattern "connectivity resource" at the beginning of a line.
    4. Within the scope of "connectivity resource", look for the line with pattern "patching type" and remove the line.
    5. Save the file and exit the vi or vim editor.
    6. Run "bigpipe load" to make sure that there is no error.
    7. Redo the software upgrade.
366001 If you have performed any advanced customization, you must upgrade the files manually when upgrading from 10.2 to 11.x.
382390 OCSP support for the Machine Cert Auth agent has been broken for several releases. Machine Cert Auth agent is configured to use OCSP validation. Machine Cert Auth always fails to validate a certificate at the OCSP responder. Workaround: None.
417273 When upgrading from 10.X.X to 11.4.0, connectivity profiles cannot be fully recovered. There are two options to work around the problem. Option 1: Upgrade from 10.X.X to 11.4.0, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration Utility. Option 2: Upgrade from 10.X.X to 11.X.X, then finally to 11.4.0.
417711 After the upgrade, if the previous configuration used NTLM front end authentication, the functionality is not restored. After the upgrade, manually delete the existing machine account configurations and recreate them again.
419485 The configuration does not load after upgrade to 11.4 if it includes the iRule, "ACCESS::session create". The following error prints if loading the configuration from tmsh: error: [No timeout specified by -timeout option or access profile] To work around the problem, change the iRule before you upgrade. You can either comment out the ACCESS::session create iRule with a '#' or use the new syntax for the iRule.
    Syntax before 11.4.0: ACCESS::session create <timeout> [lifetime]
    Syntax after 11.4.0: ACCESS::session create -timeout <timeout> [-lifetime <lifetime>]
421456 Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0, because in 11.4.0 the password is saved in encrypted form while the password in 11.3.0 is saved as clear text. Re-enter Kerberos SSO password after upgrade.
440924 Configuration will not load. BIG-IP system is nonfunctional after upgrade to 11.6.0. Log message: "Configuration error: cannot attach profile (/Common/rewriteplugin) to virtual server (/Common/apm_virtual_server): To work around the problem, manually edit bigip.conf to remove: /Common/rewriteplugin { } from the Virtual Server configuration stanza

Application access issues

ID number Description
223712 During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the logon request fails.
339865 Microsoft SharePoint 2007 with Office Integration does not work in LTM+APM mode when Protected Workspace is used in an access policy. When you try to open a Microsoft Office document, an alert about a wrong URL is displayed.
340549 The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. (However, forwarding HTTP requests through the HTTP proxy does work correctly.) To work around the problem, create a layered virtual to catch HTTPS traffic leaving APM and forward it to a HTTPS proxy server using CONNECT. Proxy authentication is not implemented and if response status from HTTPS proxy server is not 200, then use an iRule to close the connection.
343280 When using Portal Access in Safari 5.X, sometimes web pages do not load properly. A bug in Safari 5.X leads to accidental loss of all HTMLElement.prototype changes when setting HTMLElement.prototype properties in a window and accessing window.frameElement from any of its frames. (The problem also sometimes occurs in other less well-defined cases.)
347100 Every time the Hometab loads, a dialog box message is displayed stating: "This Page contains both secure and nonsecure items. Do you want to continue?" To work around this problem, disable the Hometab.
352865 Firefox 4 beta crashes or displays a warning, Unresponsive script for cache-fm.js. This happens after you navigate to a web application through reverse proxy from a Windows client and then log in.
353403 Customization and images with CSS Sprites Image (ID 353403). When you make a change to the CSS Sprites Image for a webtop through the Customization feature, the change does not appear on the webtop for an hour. Alternatively, you can restart tmm with this command: bigstart restart tmm.
360154 NTLM-based SSO method should be used when configuring Portal Access with MS SharePoint backend. A user cannot save new document on the server if HTTP Basic SSO method is used.
362325 Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using the Save as action. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010.
364257 When using Microsoft Communicator through reverse proxy, an error occurs when you click Home on the Hometab in the Conversation window. The error differs depending on the browser. Internet Explorer displays access denied in a popup screen. FireFox displays F5_HT_SP is not defined in the error console.
367917 When using Portal Access to access Microsoft SharePoint 2010 using Google Chrome, uploading an image through Image Library might fail with a 401 response.
372114 On a chassis-based system after upgrade and first reboot if APM is configured, very rarely end users might be unable to log in to the virtual server. An access denied screen displays the following message: "Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration" To recover from this error, restart the primary blade. From the configuration utility, select System > Configuration and select the Reboot Blade option.
375651 The APM JavaPatcher implementation places stricter limitations on connections made by unsigned applets than the Java VM itself. In particular, an unsigned applet can open socket connections to its native backend only by passing the same identifier (FQDN or IP address) for this host that was originally specified when the applet was loaded. For instance, if there is a server at that is accessible by fqdn.intra.local name and the applet has been loaded from, it can only create sockets by providing them with the IP address of its backend ( but not FQDN (connections to the fqdn.intra.local will be rejected unless it is in fact the same host). The same happens if the applet is loaded by FQDN but tries to establish a connection by IP address. This comes from security requirements for the JavaPatcher implementation.
381994 Some Portal Access settings might not be applied to end-users without cleaning up ramcache when APM virtual server uses WebAcceleration profile.
382753 If a BIG-IP system with Web Acceleration profile enabled does not refresh page with Cache-Control: no-cache, set the "Ignore Headers" option of the Web Acceleration profile to None.
389881 The Portal Access feature in APM does not support Flex Runtime Shared Libraries using ActionScript3.
404899 Webpage errors occur when opening a chat window in IBM Lotus iNotes 8.5 with Sametime through a portal access webtop. This happens only when using Internet Explorer 9. To work around this problem, add a portal access item with the path "/sametime/stlinks/*" to the portal access resource and disable Home Tab for this item.
409777 You cannot open a Microsoft Office document on SharePoint. Error messages can be different based on the Microsoft Office and SharePoint versions. To work around this problem: - APM virtual server certificate must be valid and its root certificate must be in the browser's Trusted Root CA list. - SharePoint must be in the browser's Trusted Sites list. - Use Internet Explorer. (This works only for Internet Explorer. Microsoft Office components cannot get cookies from Firefox yet.)
416759 Microsoft Dynamics CRM might not work correctly through reverse proxy in some cases.
420013 Applet loading fails with java.lang.NoSuchMethodError:;Ljava/lang/String;)Z
431337 The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11.
434464 If a JavaScript function contains an Internet Explorer conditional compilation directive and a 'try ... catch' block inside this directive, it becomes inaccessible before declaration after re-writing. To work around the problem, if possible, move the function definition prior to all references to this function.
439887 Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM portal access from the Chrome v.31.x browser.
444767 Access to Office365 Outlook Web Access services using portal access is broken for HTML5-supported browsers. The user is redirected to the APM Logout page after successfully logging in to Office365.
446460 Content is not properly blocked according to the Content-Security-Policy back-end response header. To work around the problem, tune APM ACLs according to the desired back ends with Content-Security-Policy headers, or stricter.
450136 Occasionally, users see chunk boundaries as part of the HTTP response if the virtual server is configured with a rewrite profile variant and some other profiles. To work around this problem, use an iRule to always rechunk the HTTP response.
454306 When HTML style attributes with HTML entities are rewritten, it results in direct or incorrect links to resources. There is no general workaround, but custom iRules can be used.
467054 Portal access intermittently seems to send no response.
469884 Rewrite engine hangs. Portal resources never load in browser.
478492 If an HTML tag attribute contains HTML entities inside its value, this value may not be processed correctly by Portal Access. For example, if a form action begins with '&#x2f;' instead of '/', it will be rewritten although absolute action path should be left untouched. This leads to incorrect behavior of this web application.
478657 If a web application uses HTTP URLs with embedded credentials, then they do not work with Portal Access.
480283 Some backend servers cannot be accessed using BIG-IP Edge Portal for iOS over *mobile* networks. Authentication fails; (a cookie related to authentication goes missing). It also happens when connected using WiFi but much less often (possibly due to timing).
482625 Some pages cannot be displayed. A page has a Content-type header with charset utf-8. The payload has a META tag with charset utf-16. Actual data appears to be utf-8. Rewriting the page inserts a utf-16 BOM in the response, causing the page to not load. An iRule can be used to fix the META charset and allow the page to load.
494135 If 'eval' JavaScript call is redefined in HTML page, event handlers may not work correctly.
519397 With Microsoft Internet Explorer (IE) browsers, at logout from APM, session windows with different domains display the APM logout page.

Portal access issues

ID number Description
354406 When a virtual server is configured to use a SNAT pool for doing source NAT of the traffic between the virtual and backend servers, if one of the IP addresses used in the SNAT pool is a self-IP, the access policy does not work for the virtual server.
383769 A route entry is not created for Network Access if it is configured in a partition with a non-zero route domain.
384405 With Access Policy Manager Portal Access, if you add a web-acceleration profile to the Local Traffic virtual server, it does not take effect until you go to the command line and type "bigstart restart tmm". The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content.
392974 An APM virtual server occasionally rejects a request to a renderer with reset cause "TCP 3WHS rejected". This happens when the TCP profile has an idle timeout value larger than 300 seconds.
406040 If an application uses a non-standard location for favicons (as permitted by the LINK meta tag) and you use Internet Explorer 10 for access to the application, then the BIG-IP system creates a new session for that URI. If you use Google Chrome version 25 or above, the BIG-IP system closes the current session during fetching favicons from the non-standard location. Related change in Google Chrome:
426492 Multidomain SSO does not support custom ports. For multidomain SSO, redirection back to the slave virtual server will always go back to a standard 80/443 port. The slave virtual server must be on port 80/443. For example, suppose we set up a virtual server for Accessing this will redirect to the primary virtual, and login will proceed normally. When we redirect back to the slave virtual, we will redirect to on the standard 443 port.
426963 When the client sends an HTTP POST with an expect 100-continue, APM will fail to forward it to the backend server. The client will wait about 3 seconds to timeout before sending the actual data of the POST request.
428268 Some URLs might contain ampersand (&)-separated parameters. If each '&' separated parameter is not followed with an equal sign (=), the APM system does not recognize it as a proper query string, and the redirection from the primary virtual server back to the secondary virtual server will be incorrectly parsed.
428894 When a user logs in with Multidomain SSO, some cookies are set. At logout, one set of these cookies does not have a domain set, and is not deleted.
439965 BIG-IP APM currently cannot handle multiple browser tabs trying to create sessions at the same time. The most common example is saving multiple homepages in a web browser. When the web browser opens, requests from these tabs are sent within milliseconds. This can cause very unpredictable behavior where sometimes it will function correctly, and other times there will be connection resets or the user will see error pages.
455975 Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.
460590 If one of two nameservers returns a response of "No such name" for a domain query, then the same domain query is not tried on the second nameserver.
462598 When APM/Access renderer or renderer pool, which is used for serving internal pages, goes down for an unknown reason, tmm goes into retry loop and sod kills the tmm. This condition causes a crash due to an unresponsive tmm and will trigger a failover. This has only been observed with a mangled iRule. So it is likely that fixing an associated iRule to operate as intended will resolve the problem. If this happens without an associated iRule, there is no workaround.
468130 When Kerberos authentication is used with RBA enabled, the first POST request sent to the BIG-IP system could be replaced by a dummy POST and authentication then fails. This can occur when the BIG-IP system is configured as a SAML Identity Provider and the http-post SSO binding is used.
470389 Garbled characters (or control characters) are seen in the /var/log/apm log file.
479348 Multidomain SSO works by running the policy on the primary authentication virtual server and redirecting the request back to the virtual server that it landed on. While running the policy on the primary virtual server, if there is a redirect ending that does redirect to some URI, it seems to be ignored. Multidomain SSO then redirects to the secondary virtual server.
497746 A vulnerability scanner noted that /vdesk/timeoutagent-i.php does not have X-Frame-Options: header set, and also returns 200 OK when a GET is sent. Therefore this URI is vulnerable to click-jacking.
501509 If username field is disabled at logon page, then session variables session.logon.last.username and session.logon.last.logonname are not registered.

Client issues

ID Number Description
223583 Inside PWS on Windows Vista, a user can create folders only in some locations using the context menu; that is, only a Folder item appears on the New menu. However, a user can create standard type files using the context menu directly on the desktop and in the user's home folder.
342129 BIG-IP Edge Client on Mac OS and user accounts (ID 342129). Mac OS users cannot install the BIG-IP Edge Client under a User account. The Edge Client install requires Admin account privileges.
366420 An IPv6 only Network Access configuration is not supported. Either IPv4 or IPv4&IPv6 are the supported IP versions.
375658 APM JavaRDP does not work correctly on Mac OS X when Mozilla Firefox 3.6.x is used. This is caused by a bug that affects the JavaRDP component. The issue was fixed in later versions of the Mozilla Firefox browser, so those versions should be used to work properly with JavaRDP. To work around the problem, use Mozilla Firefox 4 or later instead.
376615 Username and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a result logon fails. The problem happens for these clients: iOS, Android, Windows Mobile, and Linux CLI. To work around this problem, configure the access policy so that the Logon page agent is before the On-Demand Cert Agent.
381490 Android Citrix Receiver does not support RSA New PIN mode if APM is configured for Session ID Rotation. Session ID Rotation can be disabled per-box with the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable
381892 BIG-IP Edge Client from previous release will not work with current release if used under limited user without installer service.
390823 When APM is configured to replace Citrix Web Interface for Citrix Receiver clients (using the APM_Citrix_PNAgentProtocol data group), APM+LTM and Portal Access do not work.
393043 During an APM remote connection, the progress bar might not render correctly on a Linux system when using the Chrome browser.
399552 CD/DVD burning through SPTI inside PWS works even though the policy disallows it. Files can be created on the Desktop and then moved to the desired location.
401546 Old Citrix servers (4.5 and earlier) have a bug in XML Broker that responds with incorrectly chunked-encoded HTTP response. This might lead to missing icons on webtop. To work around the problem, set registry value "HKLM\SOFTWARE\Citrix\XML Service\LegacyChunkHeader" of DWORD type to zero for XML Broker to start using correct chunked encoding.
403668 When using XenDesktop backend servers, low resolution application icons are displayed to Citrix PNAgent clients.
404890 This is a rare issue that happens for Internet Explorer when pop-up screens are set to be blocked by browser. When you launch a Java app-tunnel for the first time in Internet Explorer, the message "Allow pop-ups for this site?" is displayed. In rare cases, when you click Allow once, the Java app-tunnel freezes in the Initializing state and cannot be used. To work around the problem, add a virtual server to the allowed sites for pop-ups from Tools > Internet options in Internet Explorer.
409233 VMware View Client becomes unresponsive for about one minute after associated APM session is terminated by administrator.
416754 Citrix Receiver for Mac OS X does not work with a custom path to Citrix Web Interface sites published using APM. To work around the problem, use the default path, /Citrix/PNAgent/config.xml, at Citrix Web Interface configuration.
420550 WYSE client cannot launch any application if the APM session expired.
428904 Printer redirection and keyboard redirection ('special keyboard commands') in non-fullscreen mode do not work on Microsoft Windows version 7 or 8. To work around the problem, use fullscreen mode to use local printers remotely as well as 'special keyboard commands' in Windows version 7 or 8.
432020 By default, Internet Explorer 11 starts with Enhanced Protected Mode enabled and the browser process runs inside AppContainer. Enhanced Protected Mode (AppContainer technology) in Internet Explorer 11 prevents the interception of connection requests. As a result APM App tunnels cannot redirect traffic to a proxy running on the loopback address. You can work around the problem in one of these ways: 1. Disable Enhanced Protected Mode in Internet Explorer 11. 2. Add the backend server to the Trusted or Intranet Sites List.
433128 Java App Tunnels report TLS Encrypted Alert and break Application Tunnels when downloading web pages using Internet Explorer 11 on Windows 8.1. To work around the problem, add a virtual server to the allowed sites for pop-ups from Tools > Internet options in Internet Explorer.
434831 When the client connects to APM (with Safari) and launches the Application Tunnel, the tunnel will be created, but the application configured to launch will not. There is no error; the only indication is that the application is not started by the Application Tunnel. To work around the problem: 1. Use Firefox browser. 2. Disable Safe mode for the required host. Select Safari preferences > Security Tab > Manage Website Settings >. 3. Choose "Java" on left panel. 4. Choose "Run in Unsafe mode" for the required host.
440375 Under the Built-in Administrator account inside Protected Workspace, a VPN connection cannot be established if VPN components are not installed already. To work around the problem, install VPN components before Protected Workspace on an account other than Built-in Administrator.
469110 Microsoft Remote Desktop for iOS might hang if invalid credentials are entered. Restarting the Microsoft Remote Desktop for iOS application and entering valid credentials remedies the issue.
472382 VMware View Logon page for RADIUS does not display challenge message when challenge occurs on RADIUS server. To work around the problem, use RSA.
488811 When a user logs on using Network Logon in Windows, it triggers access policy execution, and the policy creates a temporary user, f5 Pre-Logon User. This causes the operating system to create a profile folder on the computer. After several executions, these folders start to accumulate because they are not removed properly after policy execution is complete. Each time the access policy runs, it creates a user folder of the form f5 Pre-Logon User.<HOSTNAME>.xyz in the C:\Users folder. To work around the problem, delete folders manually.
505010 Patch management checker checks for "Apple software update" on Mac which requires admin privilege to check the number of missing patches. Even when the user is logged in as admin this check does not pass because Edge Client does not support privilege escalation for endpoint inspections currently.
517846 View Client cannot change Active Directory password in Cross Domain mode.

Network access

ID number Description
224357 Misaligned text in warning message on Mac. In this version, when a user makes a connection to an Access Policy Manager virtual server that uses a self-signed certificate, on some Mac OS versions, the warning message appears with misaligned text.
224512 InstallerControl, Internet Explorer 8, and Windows XP (ID 224512). Currently, when a user installs the web client on Internet Explorer 8 on Windows XP, using the Internet Explorer information bar, the InstallerControl always installs for all users on the machine. All other components can be installed either per user or per machine.
342035 A SIP client cannot communicate with a SIP server when connecting over a Network Access tunnel. SIP protocol uses fixed UDP ports, and communication fails because Network Access tunnel translates the source port of the connection. To work around the problem, configure a layered virtual server using the SIP UDP port and set the Source Port option to Preserve Strict.
351360 Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol. To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles.
356419 On Linux, PPP routes might be lost if Network Access is configured with the Allow Local Subnet option enabled. This behavior is rare. To work around the problem, disconnect from the server using the "f5fpc -o" command and then reconnect to the server.
356766 Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot.
364061 On a Linux client, the network access Show log file link does not display the log file unless gedit is installed. To work around this problem, install gedit on the Linux client.
365583 An IPv6 only Network Access configuration is not supported. Either IPv4 or IPv4&IPv6 are the supported IP versions.
368452 This issue is caused by the Java proxy in handling the proxy request. The first request goes to the proxy server as expected but then the Java proxy code makes a proxy to the APM server directly.
373889 You can configure a Network Access tunnel to update a session (that is, to extend expiration time) based on a traffic threshold and a window of time. Traffic measurements are taken every 5 seconds, but they are not divided by 5 before being used in the calculation. As a result, instead of bytes per second, bytes per 5 seconds is calculated, which is incorrect. To work around this, select the Network Access resource you want to update, then select Network Settings and Advanced from General Settings. Proceed as follows: 1. Set Session Update Threshold to 5 times the desired bytes/second rate. 2. Set Session Update Window to 2 or higher. Note: The session life management might not be exact.
383607 After a Network Access client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4 to 7 minutes.
398339 When you use the Fedora operating system with SELinux enabled and use the Firefox web browser to connect to APM for network access, you might get SELinux blocking notifications. To work around the problem, perform these steps: A. Execute the following command on terminal as root user (not sudo) 1. "setsebool -P mozilla_plugin_enable_homedirs on" 2. "setsebool -P unconfined_mozilla_plugin_transition 0" B. Restart Firefox and try connecting to the APM server again.
403082 Network Access cannot perform routing table clean-up if the user closes browser windows without logging out from the webtop, or if the user closes the browser window without waiting for the logout process to complete. To work around the problem, add the BIG-IP APM virtual address to the trusted sites list.
404239 APM client for Microsoft Windows fails to establish a VPN connection if DTLS is configured on a link with 50-200 msec delay. APM client does not fall back to TLS.
404654 MAC client shows status as connected but traffic does not flow through the tunnel. To work around the problem, perform one of these steps: 1) Enable "prohibit routing table changes" on the server, OR 2) Disconnect the client before switching networks. If the client is already in this state, restarting the client will fix this issue.
416412 A Network Access webtop does not show warning windows about session expiration. A full webtop does not show warnings intermittently.
423161 When a Network Access session and an APM session are closed simultaneously, one of these logs is written: apm logs: "VPN Cleanup: failed to release IPv4 ERR_ARG"; tmm logs: "address <p> in leasepool <lease pool> is unassigned - can't release". This happens when a Network Access resource and a Network Access webtop are assigned using the Advanced Resource Assign action, and the Network Access session is closed.
427125 Network Access status window does not display properly when client access is from Japanese OS. To work around the problem, select Access Policy > Customization. Change the view from Basic to Advanced. In the navigation tree, find Customization Settings > Webtops > <Your webtop name> > Full Webtop popup settings and set 'Show statistics table' to 'on'.
435542 In some cases re-installation of the VPN driver on Windows 8.1 requires a system reboot. Without reboot the user CLIENT can be presented with this error: "The modem (or other connecting device) is already in use or is not configured properly."
438056 The APM Network Access client for Windows systems can fail to establish a VPN connection if the client SSL profile is configured with the options no-tls or sslv3 and the BIG-IP system selects an AES cipher. Windows Schannel API does not consider AES as a valid cipher for an SSLv3-only connection and can reject the connection to the BIG-IP system. If you restrict client SSL to SSLv3-only you might need to exclude AES ciphers (defined in RFC3268) by adding ':!AES' to the 'ciphers' option in the client-ssl profile to work around compatibility issues with Windows clients: for example ltm profile client-ssl clientssl_ssl3_only { ... ciphers SSLv3:!AES ... }
442656 Under specific sequence of PPP tunnel establishments and teardowns due to timeout, records of assigned leasepool IP addresses may not be cleaned up properly. The problem prevents future tunnels from reusing these addresses and there is no way to reclaim these addresses. "IP Addr collision" warning messages will appear in /var/log/apm whenever a new tunnel attempts to re-use any of the leasepool addresses that are marked in use due to improper cleanup.
465978 Connectivity profile compression setting specifies compression level for BIG-IP-to-client direction. Compression from BIG-IP-APM-to-client is still present even if it is disabled in connectivity profile. To work around the problem, change compression.strategy db variable value to "speed": tmsh modify sys db compression.strategy value speed
469852 Users lose connectivity to resources through VPN when forwarding virtual servers are disabled. Network Access connectivity works if all the forwarding virtual servers are enabled or deleted completely.
476279 Establishing Network Access with a snatpool fails when the access policy has a route domain and SNAT agent with snatpool selected. To work around this issue, set the automap setting in the route domain and SNAT agent.
482976 AppTunnel fails with two resources, one with protocol type and other with port range. This occurs when the following conditions are met: - App tunnel resource contains a resource item configured with a protocol type and order 1. - App tunnel has another resource item configured with port range and order 2. To work around the problem, reverse the order, making the port range resource item 'order 1' and the protocol type 'order 2.'
495128 If a client machine uses proxy and Network Access does not specify any proxy, then Safari should not use proxy for some Network Access resource after the Network Access tunnel is created. However, Safari does so. This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing. Apple has been notified: rdar://problem/18651124
500938 Network Access connection breaks if second NIC disconnects. Both NICs should be connected to same network. This happens for a specific Network Access configuration: Full tunnel with "Prohibit routing table changes during Network Access connection" set to true; Split tunneling with "Prohibit routing table changes during Network Access connection" set to true; Address space is

Admin issues

ID number Description
224145 The visual policy editor can, on rare occasions, return a non-specific failure when attempting to create new items. The failure is transient; the request invariably succeeds on retry.
359639 Some long captions for resources can be longer than the bounding box in Firefox 7. This problem does not affect the workflow.
360141 Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin GUI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration.
360248 If two administrators (a1 and a2) simultaneously use the admin UI and one of them (say a1) deletes an image when the other (a2) is in the process of using that image, the entire transaction (set of changes made by a2 in a session before clicking on the Save button) will be aborted and the Save will fail. The user (a2) will need to restart from the last saved change and apply all changes again. To work around the problem, revert and re-apply all the changes.
360734 When previewing pages, the Preview pane does not automatically refresh when the language is switched. To work around the problem, click on an item in the Preview tree pane to cause the page to refresh in the new language.
360742 When the logon page is customized in visual policy editor in multiple languages, the images appear broken. To work around the problem, customize the logon page using localization customization. (Refer to Access Policy > Customization.)
362200 When customizing messages, you cannot use special characters, such as ', ", &, <. To work around this problem, do not use such characters, or manually fix the customization XMLs (not advised).
362351 Branch names cannot start with the word fallback in the visual policy editor. Do not start branch names with the word "fallback". The terminal name must begin with an alphabetic character (for example, a or A). The remainder of the name can contain only alphanumeric characters (numbers and letters), spaces, and these symbols ( + - _ ( ) [ ] ). The terminal name cannot begin with the text fallback. Please rename the terminal.
363188 Using a space in an alias for a virtual server can cause unexpected results when you use tmsh to add or update a connectivity profile. No spaces are allowed in aliases for virtual server.
363227 In APM Customization, common partition objects are not made read-only for managers of a partition.
364030 The Hometab disappears for Domino Web Access (DWA) 8.5 through reverse proxy.
373051 You cannot automatically upload a customized BIG-IP Edge Client package into APM hosted content. To work around this problem: 1) Download a customized BIG-IP Edge Client package from the Access Policy > Secure Connectivity area of the user interface. 2) Upload the BIG-IP Edge Client package from the Access Policy > Hosted Content area of the user interface.
380815 If an ACL and a resource have the same name, and one of them turns out to be the "Last" one in order, then creating a new resource with the order "Last" fails. To work around this problem, do not use the same name for resources and ACLs.
380994 If a webtop is placed in a path before a resource is assigned, the policy execution fails at runtime. To work around the problem, place the webtop after the resource has been assigned.
382542 When going through the list of SSOv2 configurations, if you use the keyboard to navigate through the list rapidly, a JavaScript error is generated. To work around the problem, use the mouse to select one row at a time or wait for the forms and headers to be displayed before selecting the next row.
383450 A device group cannot be deleted immediately either after EPSEC installation on a specific device group or after viewing device status on a device group. The device group is referenced by EPSEC/Images, EPSEC/Status folders. To work around the problem, use the tmsh CLI:

    modify sys folder EPSEC/Images { devicegroup default traffic-group default }
    modify sys folder EPSEC/Status { devicegroup default traffic-group default }

After you do this, you should be able to delete the device group.
384479 When you configure a virtual server for Oracle Access Manager integration (by selecting the OAM Support option), the option to select a specific AccessGate does not apply to OAM 10g environments.
384490 In advanced customization, when an access policy uses an image that includes spaces in its name, problems can occur. It can be impossible to export the access policy. Problems with upgrade can also occur. To work around the problem, rename the image without spaces, upload the renamed image, and change customization to support the new named image instead of the old one.
385039 You try but cannot delete an access policy with customized App Tunnel and Remote Desktop resources, due to this error: 01071349:3: File object by name (/Common/for_big_logs-cgimg_0001.png) is in use. To work around the problem, perform these steps. 1. Delete the access profile without selecting images for deletion. 2. Delete the images from Image library.
398074 Resetting the device-trust is analogous to removing the physical connection between two endpoints. The current infrastructure prevents cleaning up of the policy-sync related meta-data on all devices when device-trust is reset on one machine. This results in inconsistent policy-sync status on any machine. The workaround is to "Cancel in-progress sync" from the source device. Once the device-trust is re-established, one can start the Policy Sync again.
398361 Not all configuration objects validate and reject an object name that contains the space character. As a best practice, when you create a configuration object do not include a space in the object name.
403659 When configuring a BIG-IP system as a SAML Identity Provider, the displayed range of possible values in seconds for the assertion validity timeout is incorrect. The correct range is 1 - 86400 seconds.
403722 If you initiate an access policy sync from the Standby node, an admin must resolve any conflicts on the Active partner. Ideally, an access policy created on the Standby node would be synced to the Active node automatically without admin intervention. To work around this problem, avoid syncing an access policy from a Standby node. Otherwise, you must resolve conflicts, if any, on the Active node.
403935 Sporadically and very infrequently, during a second or subsequent sync of an access policy, an error is displayed: 'Failed to create sync object for policy'. Additional information in the error message describes the object. To work around this problem:
1. Start tmsh:

    tmsh

2. cd to the folder that is mentioned in the error message; for example:

    cd POLICYSYNC_ap_simple

3. Type these commands:

    delete apm policy psync-status all
    delete apm policy psync-data all
    delete sys folder <foldername>
404764 When you copy an access profile that assigns a SAML resource, the SAML service provider (SP) connector object is copied too. When you delete the copied access profile, the copy of the SP connector is not deleted.
404765 If you export an access policy with a SAML SP connector that uses a certificate, the certificate name (including partition) is not formatted correctly. This prevents import from working. To work around the problem, create the SP connector and import the associated certificate on the target system.
404766 When you select an access profile and click the Access Policy menu bar, the screen displays lists of the resources that are assigned in the policy. However, SAML resources are not included. To see which SAML resources are assigned to the access policy, you must view the properties of resource assignment actions in the visual policy editor.
404896 When there is no space left on the /shared location for an epsec package to be uploaded, the epsec upload fails. If there is no space left on one of the peers, the status on the nodes becomes Sync Failed. You must manually clean up the /shared folder to make room for additional epsec packages.
404936 Files named core.xxxx, where xxxx is a number, are created in advanced customization directories during the build process when the customization build cores because of invalid characters in the default customization file. These core files are listed in the user interface.
405352 If you enter a bad FQDN for domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN. To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: bigstart restart nlad. Note: To avoid future problems due to misconfigurations, you can configure your DNS server to return a negative response.
407855 When you use the GUI to delete an access policy, you have the option to delete the resources and AAA servers that are used in the policy. This option is presented only if the policy to be deleted is the only one using these resources or AAA servers. If you choose the option, an error displays to the effect that the resources or AAA servers are being used by the access policy and cannot be deleted. To work around this problem, delete the access policy first, then delete the resources or AAA servers.
414411 When you use visual policy editor from the Chrome browser, images do not preload and as a result, the navigation bar flickers. To work around the problem, use Firefox or Internet Explorer.
419748 After a hosted content file is referenced by a Portal Access resource, the file cannot be deleted, even if the link-type of the resource is not "hosted-content". To work around the problem, use tmsh to clear the sandbox file reference in the resource. Example: tmsh modify apm resource portal-access <NAME> sandbox-file none Now the sandbox file can be deleted.
419754 When using a local user database instance for authentication on APM, if a user that is flagged to change password leaves the password field empty, the user is prompted again to change password. Whether the user types a new password or leaves the password field empty again, the user is prompted again to change password. APM handles a subsequently entered non-empty password correctly.
419836 When you switch from editing one file to editing another file in advanced customization without saving the first file, changes to the first file are lost. A user can only modify the file again after the change is lost.
419996 When you import users to a local user database, any first or last name with a space in it is truncated to the first space.
420506 When using the Local Database agent with a "write" action, the list of properties available includes "groups"; however, this property is read-only and any attempt to write to it fails.
423137 The compression setting pull-down is available on the Network Access resource page. If an end-user sets this to GZIP when compression is not licensed, the system posts a TMM error explaining that compression license limit has been exceeded for the day.
426844 Importing users from a file into a local user database takes a long time. The admin must wait until all users get created. The wait time depends on the number of users.
440177 If you type or cut and paste an image file name into the Advanced Customization interface, the file name does not fit the expected naming convention. After you save the file and reopen it, errors occur if you click Restore Default. Always use the image selector to change image files.
451982 In some cases the web interface will show that an Access Policy Sync Operation has failed with the specific error "The folder /Common/POLICYSYNC_ap1 cannot be deleted because it is not empty." Administrator must ensure that differently named Access Policies are used when performing Policy Sync to different Device Groups. The easiest way to use the same Access Policy with different names would be to select the "Copy..." link on the Access Policy > Access Profiles List GUI page. Provide a new name for the profile being copied. Once the Access Profile is copied, the administrator will need to select the new name from the Access Policy Sync page to sync to the second device group. This would need to be performed for each device group beyond the first.
458241 The last system authentication profile cannot be deleted even if it is not active. If an Admin wants to delete the associated profile, they must first complete the following two steps: 1) Ensure that an Auth type other than Remote - APM Based is selected. 2) Run `tmsh delete auth apm-auth all`.
465863 When using BIG-IP Edge Client to connect to Network Access, the system posts an 'Object doesn't support property or method 'trim'' error; however, the system still connects. To work around the problem, add the following lines to the customization file.
    if(typeof String.prototype.trim !== 'function') {
        String.prototype.trim = function() {
            return this.replace(/^\s+|\s+$/g, '');
        };
    }
    ... snipped ...
    ?><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta http-equiv="pragma" content="no-cache">
    <meta http-equiv="cache-control" content="no-cache">
    <title>%{}</title>
    <link rel="stylesheet" type="text/css" HREF="/public/include/css/apm.css">
    <script language="JavaScript" src="/public/include/js/session_check.js" ></script>
    <script language="javascript">
    <!--
    <? include_customized_page("logout", "session_expired.js"); ?>
    if(typeof String.prototype.trim !== 'function') {
        String.prototype.trim = function() {
            return this.replace(/^\s+|\s+$/g, '');
        };
    }
    var globalRestartOnSubmit = false;
    ... snipped ...
476644 User logged in as Auditor cannot view SAML IdP configuration data; the Edit button is greyed out. User may view the read-only object details using tmsh command.
512166 Custom Parameters is displayed for Java RDP in admin UI.

Authentication and SSO-related issues

ID number Description
355490 TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. Sometimes, when the reply from the TACACS+ server is processed, "Invalid reply error message" is logged on APM. However, this message does not indicate any failure in sending the accounting STOP message to the TACACS+ server. This error message can be ignored because the accounting functionality works.
355981 APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported.
362812 When all timeout values (inactivity timeout, Access Policy timeout, and maximum session timeout) are set to greater than 5 minutes, users that log into the portal 5 minutes after accessing the login page, observe that the login fails.
364138 CPU usage spikes and an LDAP auth client on the BIG-IP system is unable to connect to an LDAP server during an LDAP query. This problem occurs when a very high volume of LDAP query load is put on the box and the BIG-IP client ephemeral ports enter time wait and do not leave time wait fast enough before wrapping around. There are several possible workarounds:
1. Widen the client port range. It defaults to 32768-61000.
    echo "2048 65535" > /proc/sys/net/ipv4/ip_local_port_range
2. Change the number of available TIME_WAIT buckets. It defaults to 180,000.
    echo "2000" > /proc/sys/net/ipv4/tcp_max_tw_buckets
3. Decrease the TIME_WAIT timer. It defaults to 60 seconds.
    echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
365646 When a blade goes down while sessions are running in an Access Policy Manager process on that blade, a later session that accesses the session database can lead to a failure.
367621 Access Policy Manager does not support IPv6 for communicating with the OCSP responder. Configuring the OCSP URL with an IPv6 address or a hostname that resolves to an IPv6 address will not work. Access Policy Manager uses OpenSSL BIO APIs to connect to the OCSP responder and these calls do not support IPv6.
369478 When AAA OAM Server is configured and "options inet6" is set in /etc/resolv.conf, the EAM plugin will keep restarting due to an OAM ASDK crash. SR 3-4726570811 was filed with Oracle Support, and as of today there is no better workaround than not setting "options inet6" in /etc/resolv.conf on the BIG-IP system. Until this issue is addressed by the next OAM ASDK patch, the limitation will be one of the following: 1) Do not configure AAA OAM server on the same BIG-IP system where "options inet6" must be set in /etc/resolv.conf. 2) Do not set "options inet6" if OAM is configured on the same BIG-IP system.
398149 The client IP address that the IP Subnet Match agent uses matches the type of virtual server. So, if the virtual server has an IPv4 address, the agent uses the client's IPv4 address (the address from which the connection was established) regardless of whether or not the client has IPv6 configured. The same is true when the virtual server has an IPv6 address. The agent will base policy execution on the client's IPv6 address even if the client has IPv4 configured. The actual address from which the connection has been established will always be used. Because this is a server-side check only, we do not care if another type of IP address is configured on the client.
399696 Selecting an SSO configuration with WEBSSO::select does not work for form-based client-initiated and SAML SSO configurations. To work around the problem, use a variable to assign the configuration object name:
    set sso_config /Common/SAML-config
    WEBSSO::select $sso_config
    unset sso_config
400726 When the BIG-IP system acts as a SAML IdP, you cannot create the assertion with multi-valued attributes. When the BIG-IP system acts as a SAML SP and there is a multi-valued attribute inside the assertion, then the BIG-IP system processes only the first value of that multi-valued attribute.
410775 Performance is low and messages in /var/log/ltm document "Inet port exhaustion..." To work around the problem: - If you use OCSP authentication, consider adding a host entry (using TMSH) instead of resolving the OCSP hostname through DNS. - If you use RADIUS authentication, use the pool option with multiple RADIUS servers (in the AAA RADIUS server configuration). If you have only one server, add a SNAT pool with multiple source IP addresses to the virtual server.
424244 Client-initiated form-based SSO could intermittently fail when using Internet Explorer. Traffic capture shows password token 'f5-sso-token' being sent to the application server instead of actual user's password. Workaround: None.
427745 In APM RSA SecurID authentication, when PIN reset is required for RSA and the APM logon page is localized to use o/n (oui/non in French) or si/no (in Spanish) in place of Y/N, it does not work; it only accepts y or n. To work around the problem, use y/n in place of o/n (oui/non in French) or si/no (in Spanish).
433242 SAML Single Logout (SLO) does not work when all of the following are true: The BIG-IP system is acting as a SAML Identity Provider (IdP) or SAML Service Provider (SP); The other party configuration has SLO configured; The SP connector or IdP connector on the BIG-IP system is missing a SAML SLO Request URL or SAML SLO response URL. To work around the problem, configure both SAML SLO Request URL and SAML SLO Response URL for SP and IdP connectors.
435719 When AD Query is configured before AD Auth in an Access Policy, and "password expiration warning" is enabled, or the user password is expired and the user types the wrong original password, then password change fails. However, the BIG-IP system continues to prompt for new credentials until reaching the "Max Password Reset Attempts Allowed" and all attempts fail because the original password is incorrect. You can work around the problem in one of these ways. 1. Close the tab/browser and open the logon page in a new tab/browser screen. 2. In the same browser, remove everything after FQDN/ and click Enter. That will initiate new session.
436138 If you use Kerberos authentication with the Request Based Auth option set to Enabled and you use Secure Web Gateway explicit forward proxy, access to web sites fails. To work around the problem, set the Request Based Auth option to Disabled.
436224 Secure Web Gateway transparent proxy configuration fails to authenticate user when using Kerberos with Request Based Authentication option enabled. To work around the problem, set Request Based Authentication option to "disable".
438344 APM Websso (SSOv1) incorrectly handles POST request to Start URI.
439680 BIG-IP system configured as a Service Provider (SP) supports only 'rsa-oaep' for key transport. When the BIG-IP system configured as SP receives a SAML Assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails. The only issue here is the error reported does not directly point to the cause of failure which makes troubleshooting more difficult.
440395 If you have an HA pair and try to reset AD cache (group cache or PSO cache), the standby node logs this misleading message: Cannot cleanup cache if other options were changed for AAA AD Server.
441537 In APM form-based SSO (v1), some special characters are incorrectly URL-encoded for certain fields, such as hidden parameters. To work around the problem, use SSO (v2) if possible. SSO (v2) has the correct URL encoding implementation. Alternatively, use an iRule to change the special ASCII characters back to the correct character.
442532 Response could not be sent to remote client.
448853 EAM plugin encountered segmentation fault inside boost library trying to release memory on processing an OAM authentication request.
448861 EAM plugin failed after receiving SIGABRT on memory allocation failure while checking if the request is authorized. This issue has no workaround at this time.
451409 When performing Access Policy sync with SAML resources, you receive an error that the saml_sp_connector object cannot be found on the receiving device. "Feb 27 13:30:40 cooper-apm-11-4-1-2 err mcpd[6222]: 01070734:3: Configuration error: Cannot find saml_sp_connector object /Common/SomethingTOSync associated with saml_sso_config object /Common/" To work around the problem, create the saml-sp-connector on the second BIG-IP system and then perform the sync. Sync will complete successfully for the other objects. Here are tmsh commands for creating a SAML SP connector: apm sso saml-sp-connector SomethingTOSync { assertion-consumer-uri http://SomethingToSync entity-id } (It appears that when creating a new object, the order is not correct and the saml-sp-connector does not get created before the resource object.)
461084 When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header PRIOR to the "HTTP 401" challenge, authentication fails.
485387 An encrypted assertion from an external IdP can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element. BIG-IP as SP does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: - Cannot decrypt SAML Assertion - failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found. To work around the problem, reconfigure IdP to use embedded EncryptedKey instead of using RetrievalMethod.
489562 NTLM authentication cannot be completed in the following circumstances. It is observed that some non-Microsoft HTTP clients might start NTLM authentication by sending a NTLMSSP_NEGOTIATE message together with a payload. As part of NTLM protocol, the response to this request should be a 401 status with an NTLMSSP_CHALLENGE message which renders the payload from the initial request unnecessary. However, the issue is that currently the BIG-IP system has a limit of 4KB for initial buffer, and does not drop it. This causes a deadlock between the BIG-IP server and HTTP client, as the BIG-IP notifies the client that it cannot receive the payload any more by closing the TCP receive window, and the client tries to complete sending all of the request to be able to send the final NTLMSSP_AUTHENTICATE message.
499690 The localdbmgr process keeps crashing repeatedly.
513165 When the BIG-IP system is used as SAML Service Provider, and SP-initiated Single Logout (SLO) is executed, the SLO request message does not contain the 'SessionIndex' attribute. As a result, the external IdP might not be able to terminate the user's session.

Secure Web Gateway issues

ID number Description
431077 You cannot use tmsh to change the logging level for Secure Web Gateway content analytics. To work around the problem, you can perform the following steps: 1. Use SSH to connect and log into the BIG-IP system. 2. Change directory to /var/antserver/wsgsdk/config/ant_server. 3. Open the ant_server.config file for edit and modify the ANT_SERVER_LOG_LEVEL variable to desired level. Note: The ANT_SERVER_LOG_LEVEL variable can range from 0 (Log Nothing) to 8 (Extra Debug). The variable is set to 3 by default.
446573 Event logs for blocked request show username as "(anonymous)".
479287 When using an HTTP 407 Response or HTTP 401 Response agent in an access policy for SWG-Explicit or SWG-Transparent profile type, respectively, without additional configuration Kerberos authentication attempts always fail. The session variable,, seems to be set to the actual website to which the client is trying to connect instead of to the proxy URL (virtual server proxy domain name). This results in GSS-API errors when getting credential information for Kerberos authentication. The access policy (with access profile type SWG+Explicit or SWG+Transparent) includes HTTP 407 Response (for SWG+Explicit) or HTTP 401 Response (for SWG+Transparent) and Kerberos Auth actions and an Allow ending. (For APM versions earlier than 11.6.0, the access policy would include an SWG Scheme action before the ending.) Users cannot authenticate to the SWG-Explicit or the SWG-Transparent proxy if attempting to use Kerberos authentication. To work around the problem, add a Variable Assign agent to the access policy after the HTTP 407 Response (or HTTP 401 Response) action. Add a Variable Assign entry as follows. Type this custom variable in the left pane: and, in the right pane, select Text and type the appropriate domain name.

Mac OS X 10.11 issues

ID number Description
389335 If users configure a network access with the option "Launch Applications" and establish a connection with the OS X system, after users close the connection, the route tunnel still appears in the MAC route table.

To work around this issue, close the application to delete the route tunnel.

549529 When users install Avast Mac Security or AVG Antivirus on OS X 10.11 and configure an access policy with antivirus check, the check fails and follows the fallback branch.
549641 When users connect Edge Client to a virtual server from a Mac OS X 10.11 virtual machine, then disconnect and reconnect the network adapter, Edge Client is not able to reconnect.
549526 When users open the Edge Client Details window and view the logs, Edge Client cannot export the logs on OS X 10.11.

Other issues

ID number Description
224076 The keyboard security program Secure KeyStroke prevents users from entering Protected Workspace.
238556 AAA types for SecurID and RADIUS in APM will not source packets from the floating IP address for the traffic group, as customers would expect. Because RSA authentication server is sensitive to the incoming IP address of the authentication packets, an extra virtual server is required to SNAT the authentication requests to the correct (floating) address so that the same source IP will be used in both members of an HA pair.
294032 When you access an older version of APM software using the Windows system client and a pre-logon antivirus check is configured, the OPSWAT AV control gets loaded into your browser. The control does not unload successfully and, as a result, the antivirus check fails. You cannot log on until the control is unloaded. Reboot the client system.
360889 For ACLs that are generated from a Portal Access resource, port 0 (zero) matches against port 80 (when the scheme is HTTP) and against port 443 (when the scheme is HTTPS). For ACLs otherwise, port 0 matches against any port.
371015 On chassis platforms, in some scenarios, more than one value is displayed under the 'Local Time' column in the 'All Sessions' report.
383464 In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian.
383511 The Device EPSEC Status screen should reflect the recent status of all devices in the device group. When a request to see the device status of a device group is made, the Changes pending link displays. After sync, the link should disappear and the status should be displayed. Perform "Sync from group" by clicking the Changes pending link and navigate to the Device EPSEC Status screen. The status displays.
398261 Intermittently, after an admin runs a few reports, the same report displays no matter what report the admin runs in Internet Explorer 8 or Internet Explorer 9. To work around the problem, refresh the web page or clear the Internet Explorer browser cache.
409462 When you update an SSO configuration that is associated with an access policy, the Apply Access Policy link does not display because it is not necessary. As soon as the SSO configuration changes, APM applies the SSO configuration to all sessions.
414420 Sideband connects do not work from an ACCESS_SESSION_CLOSED event. If this is attempted, currently, it causes a TMM crash. Do not use sideband connects from an ACCESS_SESSION_CLOSED event.
415262 If you use tmsh to create a connectivity profile and set another connectivity profile as the parent, the profile that you create does not inherit the settings for Win/Mac Edge Client, Server List, Location DNS list, and all mobile client settings. To work around the problem, if you create the profile in GUI, all the information is inherited.
416348 Looping occurs in visual policy editor when clicking the link for either the Decision Box or Message Box. The problem is that the NTLM-irule used to enable eca on the request is not run for internal URLs, such as /my.policy. This causes eca to not be enabled for the POST to my.policy. This causes the issues because it is expecting a 401 (which never comes). Internet Explorer behavior does not send data (such as which decision was selected in the decision box) when a 401 is sent. There are two workarounds: 1) You can enable eca for only the URLs you need (as opposed to enabling it for every single HTTP request which will cause the my.policy request to be sent as a type 1 message). 2) If you want to enable eca for every request, you can add the following event to the NTLM-irule, which allows the iRule to run for internal URLs as well.
    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }
420087 EPSEC packages cannot be installed using tmsh commands. To work around the problem, use GUI to install EPSEC package.
435617 There is no GUI or CLI support to archive a Secure Web Gateway local log database. Use mysqldump command to archive SWG local log database.
435619 There is no GUI or CLI support to reset a Secure Web Gateway local log database. Use mysql command to truncate a database table.
436196 Searches on event logs for Secure Web Gateway time out when the number of records is close to the maximum, 1 million, that can be stored. A simple custom search works fine.
440013 Updating EPSEC package on Standby system initiates a configsync operation from Standby to Active without notice. Always apply the EPSEC changes from the active device.
440203 When you use an iApp to create an APM service, after the access policy and related objects are created, the notification Apply Access Policy on the GUI might still be enabled. This happens even though the generation number in the corresponding access profile has been increased by 1. To disable this notification, you can click the Apply Access Policy link. Another workaround is to modify the iApp script by putting the command "tmsh modify apm profile access <NAME> generation-action increment" into a different transaction. This can be done by creating a shell script from the iApp script. The shell script consists of two lines:
    sleep <SAY 5 SECONDS>
    tmsh modify apm profile access <NAME> generation-action increment
Then in the iApp script execute this shell script in the background.
441386 When user deletes an access policy that was created using the wizard, some internally referenced Customization Group objects are not deleted. You can work around the problem by performing deletion through bigpipe command or editing of bigip.conf file.
447051 Access Policy import fails if the policy has at least one customization image file associated with it. Use the following steps to work around the issue: 1. cd /shared/tmp/impor. 2. Open the import-abcd-abcd.conf file. 3. Delete the duplicate occurrence of config entry for the file corresponding to the error, such as the following: ' apm policy image-file /Common/swapnil-img_0_HQ_1.jpg { local-path /shared/tmp/import/imp-140131-213953-995/res/5_Common_img_0_HQ.jpg }'. 4. Run the command: tmsh load sys conf merge file <filename.conf>.
452059 When the storage partition for MySQL is full and the system is under a heavy load, logd can go into a busy wait looping state. To work around the problem, clean up the disk partition of MySQL.
452321 APM does not support more than one traffic group with different HA order. Here is an example configuration: cm traffic-group /Common/traffic-group-1 { ha-order { /Common/ } unit-id 1 } cm traffic-group /Common/traffic-group-2 { ha-order { /Common/ } unit-id 2 } This configuration causes the creation of an Active/Active HA pair and APM does not support this configuration. APM supports Active/Standby HA pair only.
457773 The wrong datatype is used to represent the apmAccessStatCurrentActiveSessions OID.
466527 Sync might fail if sending a change to a customization template file. To work around the problem, use the 'Overwrite Configuration' option and restart the sync.
472256 When running the command 'tmctl profile_access_stat', the values displayed for sessions_eval_cur, sessions_active_cur, and/or sessions_estab_cur might be unusually high.
473386 Machine Certificate Checker might fail if the certificate was issued with extended fields or to a domain machine.
477177 Using tmsh to create ACL entries causes the source and destination IP addresses to default to Host type set to ::/128. This is different behavior compared to UI where the default is 'Any'.
481659 Recurring check fails during connection.
483286 APM stores session reporting data in "apm" MySQL database, under log_session_details table, but never does any cleanup. This causes the table to continuously grow. Eventually this consumes all disk, potentially corrupting the SQL data, and stopping services on BIG-IP system that rely on MySQL. Workaround is to manually clean up the log_session_details table in MySQL database. First, retrieve the randomly generated MySQL password per box, using the following shell command as the root user. For example,
    # perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw
    PjL7mq+fFJ
where PjL7mq+fFJ is the random password at MySQL installation in this example. Use this password in the following command for clean-up.
    # /usr/bin/mysql -uroot -pPjL7mq+fFJ --database=apm -e "delete from log_session_details where active = 'N';"
This will delete all those rows that are referred to by an inactive session.
488588 An APM session is invalidated when /public folder URLs are accessed with modified session cookie information. If the modified LastMRH_Session cookie collides with an existing session but the full MRHSession does not, then APM kills the closest matching session when accessing /public URLs. The following iRule can be used to remove the cookie to prevent the issue:
    when HTTP_REQUEST {
        if {[HTTP::path] contains "/public"} {
            HTTP::cookie remove "LastMRH_Session"
            HTTP::cookie remove "MRHSession"
        }
    }
494435 Policy sync fails with error status "Created failed on target" on target devices. To work around the problem, create connectivity or rewrite profiles that use only the default profile as parent, or have the non-default parent profile sync first to target devices.
507899 In a custom APM report, the Assigned IP field shows IPv4 instead of the assigned IP value. Use the built-in reports All Sessions or Current Sessions to get the correct content of Assigned IP.
510034 APD has a TCL interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes. The TCL environment provided does not reliably clear TCL variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used. The problem occurs when a user uses TCL variables that might not be initialized. For example, a variable assign:
    session.test = regexp {(.+)} "[mcget {session.logon.last.username}]" foo captured; return $captured
Note that here, the regex may match or not match depending on the user input. If it does not match, the variable "captured" *may* contain the results from a different user who logged in previously. To work around the problem, any variable that was used must be checked. For example, instead of the regex statement above, this could be used:
    if { [regexp {(.+)} "[mcget {session.logon.last.username}]" foo captured] == 1 } {
        return $captured;
    } else {
        return "nomatch";
    }
This way, if the regex does NOT match, then the result will be "nomatch" instead of potentially containing results from a previous session.
564496 When an add-on license is applied on the active node, the effective license limit is not updated even though telnet output shows that it is. The actual number of sessions that can be established remains unchanged after adding an add-on license. This occurs under the following conditions: 1. Set up an HA pair with a base APM license. 2. Apply an APM add-on license to increase Access and CCU license limits. To work around the problem: 1. Remove HA so that each device becomes standalone. 2. Re-license both nodes and then re-establish HA for the two devices.
657732 After you generate log message reports in APM and export them to CSV files, the CSV files contain only the parameters for the log messages. To rebuild the actual log messages from the CSV file requires log templates and they are not available. This occurs when exporting to CSV by navigating to Access Policy :: Reports: View Reports : General Reports: System Messages : Run Report (right-click) : displaying log messages : Export to CSV File. CSV log files are hard to interpret without the log templates and the templates are not available. (Beginning in version 12.0.0, log messages in CSV reports generated and downloaded from the APM UI include complete log messages.)

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to from the email address you are using to subscribe. Unsubscribe by sending a blank email to

Legal notices