Release Notes : BIG-IP APM 11.5.4

Applies To:


  • 11.5.4
Release Notes
Original Publication Date: 04/03/2018 Updated Date: 04/18/2019


This release note documents the version 11.5.4 release of BIG-IP Access Policy Manager (APM).


Platform support

This version of the software is supported on the following platforms:

Platform name | Platform ID
BIG-IP 1600 | C102
BIG-IP 3600 | C103
BIG-IP 3900 | C106
BIG-IP 6900 | D104
BIG-IP 8900 | D106
BIG-IP 8950 | D107
BIG-IP 11000 | E101
BIG-IP 11050 | E102
BIG-IP 2000s, BIG-IP 2200s | C112
BIG-IP 4000s, BIG-IP 4200v | C113
BIG-IP 5000s, 5050s, 5200v, 5250v | C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110
BIG-IP 12250v | D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS | D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113
VIPRION B2100 Blade | A109
VIPRION B2150 Blade | A113
VIPRION B2250 Blade | A112
VIPRION B4200, B4200N Blade | A107, A111
VIPRION B4300, B4340N Blade | A108, A110
VIPRION B4450 Blade | A114
VIPRION C2200 Chassis | D114
VIPRION C2400 Chassis | F100
VIPRION C4400, C4400N Chassis | J100, J101
VIPRION C4480, C4480N Chassis | J102, J103
VIPRION C4800, C4800N Chassis | S100, S101
Virtual Edition (VE) | Z100
vCMP Guest | Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blade in the 4400(J100)/4480(J102) and the 4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v

Memory: 12 GB or more

All licensable module combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combinations of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Module combination support on the 3900

Note: The GTM+APM module combination is not supported on the 3900 product platform.

Although SOL10288 states that all modules are supported on all platforms as of BIG-IP version 11.4.0, this does not mean that all possible module combinations are allowed on every platform (especially legacy platforms).

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

APM client browser support

For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.

Compatibility of BIG-IQ products with BIG-IP releases

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.5.4 Documentation page.

Documentation changes in 11.5.0

In the 11.5.0 release, some manuals were consolidated to improve searchability and Configuration Guide for BIG-IP Access Policy Manager was replaced by two new manuals.

Table 1. Document consolidation and replacement
11.4.x document | 11.5.x document
Configuration Guide for BIG-IP Access Policy Manager | BIG-IP Access Policy Manager: Implementations; BIG-IP Access Policy Manager: Visual Policy Editor
BIG-IP Access Policy Manager: Single Sign-On Configuration; BIG-IP Access Policy Manager: Authentication Configuration Guide; BIG-IP Access Policy Manager: SAML Configuration | BIG-IP Access Policy Manager: Authentication and SSO
BIG-IP Access Policy Manager: Hosted Content Implementations; BIG-IP Access Policy Manager: Managing OPSWAT Libraries; BIG-IP Access Policy Manager: Syncing Access Policies | BIG-IP Access Policy Manager: Implementations
BIG-IP Access Policy Manager: VMware Horizon View Integration Implementations; BIG-IP Access Policy Manager: Citrix Integration; BIG-IP Access Policy Manager: OAM Integration Guide | BIG-IP Access Policy Manager: Third Party Implementations
BIG-IP Access Policy Manager OPSWAT software integration support charts | The information is now available by clicking a link on the Welcome page of the BIG-IP Configuration Utility.

Evaluation support

If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.

New in 11.5.4

In this release, there are no new APM features.

New in 11.5.3

In this release, there are no new APM features.

New in 11.5.2

In this release, there are no new APM features.

New in 11.5.1

In this release, there are no new APM features.

New in 11.5.0

In this release, APM supports the following new features and enhancements.

Secure Web Gateway

BIG-IP Access Policy Manager implements a Secure Web Gateway (SWG) by adding access control, based on URL categorization, to forward proxy. The access profile supports both transparent and explicit forward proxy modes. The access policy includes support for using a captive portal to collect credentials for transparent forward proxy mode and HTTP 407-based credential capture for explicit forward proxy mode. In addition to user identification by credentials, SWG provides the option to identify users transparently, providing access based on best effort identification. SWG also supports SSL traffic inspection. The benefits that SWG provides include:

  • URL filtering capability for outbound web traffic.
  • Identifying malicious content and providing the means to block it.
  • Applying web application controls for application types, such as social networking and Internet communication in corporate environments.
  • Monitoring and gating outbound traffic to maximize productivity and meet business needs.
  • User identification or authentication (or both) tied to monitoring, and access control compliance and accountability.
  • Visibility into SSL traffic.
Note: Secure Web Gateway is not supported on BIG-IP 1600 and 3600 platforms. SWG requires more memory than is available with those platforms.

Active Directory authentication enhancements

APM supports route domain and password reset for Active Directory.

Active Directory and LDAP group resource assignment enhancements

You can now import groups from AAA Active Directory and LDAP servers for use in group resource assignment.

Maximized Enterprise Application Delivery Value

To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.
  • Good: Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
  • Better: Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
  • Best: Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
You can learn more about these new software bundles from your F5 Networks Sales Representative.

Supported high availability configuration for Access Policy Manager

Access Policy Manager is supported in an Active/Standby configuration with 2 BIG-IP systems only.
Note: Access Policy Manager is not supported in an Active-Active or an N+M configuration.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Versions later than 10.x do not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations "Creating an Active-Standby Configuration Using the Setup Utility" and "Creating an Active-Active Configuration Using the Setup Utility".

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading from earlier versions of APM

When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.

NTLM Auth Configuration

In 11.5.2, the DC FQDN list for an NTLM Auth Configuration is mandatory. Before you upgrade to 11.5.2, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, you can add the following line for each NTLM Auth configuration:

dc-fqdn-list { <fqdn> }

as shown in this example:

apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { }
    machine-account-name mdc1
    partition Common
    service-id 2
}
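
A pre-upgrade check for the requirement above, as an added example that is not part of the F5 release note or F5 tooling: it scans configuration text for NTLM Auth Configuration stanzas and reports those whose dc-fqdn-list is empty or absent. It assumes the stanza format of the example above, in single-line or multi-line form; the sample stanzas, names and FQDNs are constructed.

```python
import re

# Constructed sample in the stanza format shown in the release note.
# Object names and FQDNs are made up for illustration.
SAMPLE_CONFIG = """\
apm ntlm ntlm-auth ntlm_test {
    app-service none
    dc-fqdn-list { }
    machine-account-name mdc1
    partition Common
    service-id 2
}
apm ntlm ntlm-auth ntlm_ok {
    dc-fqdn-list { dc1.example.test dc2.example.test }
    machine-account-name mdc1
    service-id 3
}
apm ntlm ntlm-auth ntlm_missing {
    machine-account-name mdc2
    service-id 4
}
ltm pool unrelated { members none }
"""

# Start of an NTLM Auth Configuration stanza; group 1 is the object name.
STANZA_HEADER = re.compile(r"^apm ntlm ntlm-auth (\S+)\s*\{", re.MULTILINE)
# The dc-fqdn-list property and whatever sits between its braces.
DC_LIST = re.compile(r"dc-fqdn-list\s*\{([^{}]*)\}")


def _stanza_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in configuration text")


def ntlm_dc_lists(config_text):
    """Map each NTLM Auth Configuration name to its list of DC FQDNs."""
    result = {}
    for match in STANZA_HEADER.finditer(config_text):
        body = _stanza_body(config_text, match.end() - 1)
        dc_list = DC_LIST.search(body)
        # A missing property is treated the same as an empty list.
        result[match.group(1)] = dc_list.group(1).split() if dc_list else []
    return result


def upgrade_blockers(config_text):
    """Names of NTLM Auth Configurations that have no domain controller FQDN."""
    lists = ntlm_dc_lists(config_text)
    return sorted(name for name, fqdns in lists.items() if not fqdns)


if __name__ == "__main__":
    for name in upgrade_blockers(SAMPLE_CONFIG):
        print("NTLM Auth Configuration %s has no DC FQDN; fix before upgrading" % name)
```
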

Connectivity profiles

When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:

  • Option 1: Upgrade from 10.x.x to 11.4.x, then reconfigure connectivity profiles in the Access Policy > Secure Connectivity area of the Configuration utility.
  • Option 2: Upgrade from 10.x.x to 11.x.x, where 11.x.x is earlier than 11.4.x, then continue upgrading to 11.4.x.

Antivirus and firewall software checks in access policies

If your access policies include custom expressions that rely on session variables created by the antivirus or firewall software checks, after upgrade to 11.4.x, you must configure the antivirus or firewall software checks so that the Store information about client software in session variables property is set to Enabled. (It is disabled by default.)

If the custom expressions include multiple sub-expressions, you might need to edit the expressions.
Note: After version 11.5.2, the Store information about client software in session variables property is no longer included in endpoint software checks.

Citrix client packages

The version 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:

  1. Outside of APM, name or rename a Citrix client package without spaces in the name.
  2. Use the correctly named Citrix client package.
    • To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
    • To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.

Machine accounts for NTLM front-end authentication

APM does not restore NLAD connections when the configuration is restored from a UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.

Advanced customization

If you performed any advanced customization of files, you must upgrade these files manually.

Custom reports

Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.

OAM configuration

When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.

Access policies that use session variables

If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after upgrade. This example shows the difference in the value of a session variable between these versions.

  • Version 10.x -
  • Version 11.x -

The partition, Common, is added to the version 11.x object name.

Fixes in 11.5.4

Cumulative fixes from BIG-IP 11.5.3 HF2 are included in release 11.5.4 in addition to the fixes listed in this table.

ID number Description
437611 An error referencing the access_license.c file is no longer logged during provisioning, system startup, reboot, or license upgrade.
446860 Now APM Exchange Proxy honors the tmm.access.maxrequestbodysize DB variable. Modify the tmm.access.maxrequestbodysize DB variable with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).
459584 TMM no longer crashes if request URI is longer than 4096 bytes in SCIM use case.
462598 Now when an APM renderer or renderer pool (used for serving internal pages) goes down, APM detects the unavailability and sends a TCP Reset to the client.
467256 When you delete EPSEC packages using the GUI, APM now correctly deletes the corresponding EPSEC ISO file from the filestore (/config/filestore/files_d/Common_d/epsec_package_d/). Before creating archives, administrators are now required to delete non-active EPSEC packages using the GUI to make sure that non-active EPSEC ISO files are not included in the archives. Although this issue has been resolved for newly downloaded EPSEC ISO files, you might still need to perform some cleanup: 1. You must remove previous leftover EPSEC ISO files as follows: a. Delete the EPSEC package from the GUI: Select System > Software Management > Antivirus Check Updates; select an existing EPSEC package from the list and click Delete. b. Go to /config/filestore/files_d/Common_d/epsec_package_d/ and find files for which there is no corresponding entry in /config/bigip.conf. c. Delete those extraneous files manually using the rm command. 2. You cannot import huge previously created UCS archives. Instead, you should delete non-active EPSEC packages prior to creating a UCS. 3. If you want to include only one (active) EPSEC ISO in a UCS archive, you must first delete non-active EPSEC packages using the GUI.
472093 Block the file upload with PHP content.
473685 WebSSO processes domain fields in Set-Cookie headers correctly.
480272 AccessGate init should now fail initialization and retry in case of an AccessGate ID mismatch. If all retries fail, then the AccessGate remains uninitialized. The administrator should clear the config cache for all the AccessGates and restart the EAM process.
482177 Accessing a SAML resource on the webtop after a SharePoint resource no longer causes SSO to break.
491080 The APM page caching now omits the unique identifier in the key. As a result, a single page, or a small fixed number of pages, can serve a multitude of clients without an increase in memory usage.
502269 The fix essentially does not modify the payload so the applications have no problem.
522791 The HTML "style" attribute is correctly rewritten for any tag.
526637 Added a check for a null reply. Converted the crash into a TCP reset.
528808 Restore the source address translation correctly even if an iRule has disabled APM.
530622 There was a memory usage issue in the EAM plugin that was caused by a huge object allocation for each connection. This issue is fixed by reducing the default size of client cert and payload arrays.
532340 A thread synchronization issue that caused tmm startup issues has been fixed.
532761 Now APM supports Citrix StoreFront 3.0 in integration mode with HTTP compression enabled on the StoreFront server.
533723 Content rewriting is suppressed on the client side for the textarea tag.
537227 BIG-IP Edge Client now correctly processes particular Network Access configurations.
537614 Machine certificate checker service works now with a display language other than English.
539229 EAM handles exceptions gracefully during the authentication process, when Oracle ASDK API determines whether authentication is required and determines the authentication type.
539270 The BIG-IP system processes particular NTLMSSP_NEGOTIATE messages properly without throwing an error, and users of the client are able to authenticate.
544992 The /Common/remotedesktop and /Common/vdi profiles can be assigned to a virtual server without affecting other profiles.
549588 EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.
551764 Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.
553330 You can create a new document with Microsoft SharePoint 2010.
555507 SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues: BIG-IP is configured and used as SAML Identity Provider. Single Logout (SLO) protocol configured on attached SP connector. At least one user executed SAML webSSO profile.
558859 Control insertion to log_session_details table by Access policy logging level.

Fixes in 11.5.3

Cumulative fixes from BIG-IP 11.5.2 HF1 are included in release 11.5.3 in addition to the fixes listed in this table.

ID number Description
441790 Fixed a threading pitfall that could cause deadlock between DB rotation and loading threads.
489364 Now an Internet Explorer window is correctly minimized to tray.
506740 Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.
507153 BIG-IP Edge Client for Mac now follows HTTP 302 redirect if the new site has an untrusted self-signed certificate and the user will be able to log in successfully.
507155 BIG-IP Edge Client for Mac now passes machine certificate inspection when domain component is included in search criteria.
507160 Machine Certificate Checker matching criteria for FQDN has been improved.
507162 Now BIG-IP Edge Client disconnects from FirePass smoothly without delays.
507169 Fixed Network Access renegotiation procedure on TLS1.1 and TLS1.2 for Windows 7.
507168 Click-to-Run Office 2013 applications can start inside PWS now.
507171 JavaRDP client session starts correctly now, and the system does not process extraneous input that occurs before the handshake completes.
507173 BIG-IP Edge Client now keeps the DTLS connection until the IP address becomes invalid, as expected.
507178 Now BIG-IP Edge Client uses the set of icons that the configuration specifies. Also, F5 icons no longer display for a split second during application launch when the configuration specifies the generic set of icons.
507179 PAC file download mechanism now avoids a race condition if /etc/hosts is patched with the static entry of the host that contains PAC file.
507180 Fixed text shown in German language.
507181 All configured networks are now reachable when connecting to FirePass using a BIG-IP Edge Client for Mac downloaded from APM.
507187 A rare environment-based issue that prevented new users from logging in to Windows-based systems has been fixed.
507190 BIG-IP Edge Client for Mac can now establish a connection correctly. An issue with routing table patch coding deleting an essential route has been resolved.
507191 BIG-IP Edge Client for Mac does not fail intermittently with machine certificate inspection agent.
507194 The BIG-IP Edge Client for Mac displays the correct SSL protocol version now in Details.
507196 OpenSSL library updated to version 1.0.1l
507199 Network Access connection does not reset if a large proxy.pac file is configured.
507200 Merged (by F5 tunnel server) proxy.pac is now NOT truncated when sent to the browser even if its size is greater than ~65 KB.
507211 An access policy can now enter Windows Protected Workspace on Internet Explorer versions 10 and 11.
507764 Mistakes in French localization were fixed.
507766 The Machine Cert Auth agent no longer crashes if the Match Issuer setting is configured at the same time that a Mac client specifies Russian for the language and region setting.
507770 Now an Internet Explorer window is correctly minimized to tray.
507771 Browser client now selects the appropriate certificate when "match SubjectCN and FQDN" criteria is specified in Machine Cert.
507773 The CustomDialer component has been updated to prevent a rarely occurring deadlock.
508138 The issue is fixed by having the primary blade of the chassis/vCMP to recreate config snapshots if a secondary blade transitions from online to offline and vice versa.
508139 Support for generating a license usage alert when a threshold is crossed has been added.
508141 Releases with this fix will load the configuration properly. There is no need for users to first create the /shared/apm directory.
508145 You can import an access profile that includes an SSL certificate object in its configuration objects.
508154 APD is now more robust and handles exceptions in AD module properly.
508157 Now it is possible to configure charset decoding behavior. You can decode usernames and passwords into CP-1252 (original behavior) or use UTF-8 charset (in this case, RADIUS Auth sends the username and password unmodified).
508158 If multiple messages arrive from BIG-IP Edge Client in one payload, the system processes them correctly.
508163 Correct rewriting for obj.src = some_url was added to support Web Applications.
508165 Now the primary blade's TMM leasepool IP information is mirrored on the oldest secondary blade.
508171 Fixed an issue where Rewrite plugin could crash when collecting webtrace or debug logs for Portal Access.
508176 Network Access clients can reconnect now and the lease pool does not run out of IP addresses.
508182 After a policy sync operation, the Policy Sync history file objects no longer remain within the /config/.../policy_sync_d directory as expected.
508187 Logging to access_log continues after log rotation.
508193 A user can now load sys config even after removing the peer from the sync-only group.
508197 Passphrases, secrets, passwords, and so on, do not display in clear text and appear as "*****" on the Dashboard.
508200 Now, when an error occurs, the system prints an error code in hex. It will be easy to find the reason for the error.
508206 To fix the issue, we change the data structure to a more simplified form.
508209 If a session is expired and a query is made with an Access whitelist and query parameters, APM code did not handle the case properly and sent a logout page. APM now enables the user to revalidate by starting the Access policy again.
508212 APM checks config snapshots periodically and recreates them if any is missing.
508213 Rewrite plugin no longer crashes when Portal Access application cookies require more than 32k of storage.
508218 Now the title displays correctly on the logon page; RSA error messages are now sanitized.
508227 In this fix, we trim leading and trailing spaces from the user name before using it. So the user name is uniform everywhere.
508228 Now a self expiry is set for each memcache object (which is configurable). With this change, each user remains in the cache only for the configured duration.
508230 Problems with EventTarget.addEventListener() new feature support were fixed.
508234 TMM no longer restarts when connected to Office 365 as SP initiated SLO.
508237 The erroneous security check has been fixed, so accessing some content in a different domain now works as expected.
508241 Now, in some rare situations where previously apd or apmd would assert, the system logs proper error messages before exiting. This results in restarting apd, apmd.
508245 A problem with SAML single-logout has been fixed.
508255 Improved request parsing to make it more robust against invalid formats.
508263 Windows File check now works with a file name that starts with an ampersand (&).
508284 Initialized SAML memory region to prevent tmm panic.
508377 Disallow XML DTDs (doctypes), external general entities and external parameter entities to prevent XML external entity attack.
508964 A crash in MCPQ from bad user input is now prevented.
508993 Improved availability based on internal F5 testing.
508994 This release fixes a TMM core that occurred with APM provisioned.
509012 Now CTU correctly picks up logs for Machine Cert service.
509016 Windows Phone 8.1 built-in browser is now properly detected by BIG-IP system.
509017 Network access can now be established with FirePass using APM BIG-IP Edge Client for Mac on OS X Yosemite.
509022 The title displays on the logon page now.
509341 On BIG-IP Edge Client for Mac on OS X 10.7, a user can successfully add a new server using IP address.
509549 Translated French text has been corrected to properly fit buttons in BIG-IP Edge Client on Windows-based systems.
509647 When using Chrome to send a new message on DWA, a JavaScript error occurred. The message was sent but the tab did not close. This no longer occurs.
509719 APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session".
509763 Now, the BIG-IP Edge Client does not show an incorrect cosmetic warning message.
509820 A timestamp is now prepended to each log message in logstatd.log for Policy Sync.
510325 SAML single logout is now supported on BIG-IP Edge Client.
510719 Improved the way that we process cookie values in an SWG blocked page.
510773 Proper checks were added before processing the URL so that, if there is a long initial URL, the BIG-IP system will not process it and a user might see a reset. After establishing the session in other tabs, the user can access the long URL again.
510813 BIG-IP Edge Client for Mac now supports Proxy.pac file size of up to 1 MB; previously, the limit was 32KB.
511617 The system now uses the correct system object to track current primary slot, which ensures that counters in leasepool_stat that have global context (that is, cur_member, cur_assigned, cur_free, max_assigned) are synced to all blades.
511843 JavaScript now correctly handles the X-UA-Compatible meta tag from clients using Microsoft Internet Explorer 11.
511858 BIG-IP as IdP can now successfully create SAML assertions even when BIG-IP configuration contains special XML characters.
511860 The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.
511861 Validation of the input data sent in an ICA connection was fixed so that the system rejects a connection with an invalid/non-patched Address instead of crashing.

Fixes in 11.5.2

Cumulative fixes from BIG-IP 11.5.1 HF6 are included in release 11.5.2 in addition to the fixes listed in this table.

ID number Description
405348 Modify the db variable "tmm.access.maxrequestbodysize" with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).
470214 This version provides strengthened management of session mirroring so the system can more accurately track connection mirroring.
475049 In this release, the DC FQDN list for an NTLM Auth Configuration is mandatory. Before you upgrade, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, you can add the following line for each NTLM auth configuration: dc-fqdn-list { <fqdn> }. The line sits inside the configuration as shown in this example: apm ntlm ntlm-auth ntlm_test { app-service none dc-fqdn-list { } machine-account-name mdc1 partition Common service-id 2 }
485579 The NTLM feature can now be used with an APM Limited license.
491488 EAM is a CMP plugin and spins up one thread per TMM.
485538 If an authparam is not found in the local cache, an empty string will be returned to the caller.
486529 A problem due to an uninitialized field no longer occurs in CRLDP or OCSP modules.
490526 The DC FQDN list for an NTLM Auth Configuration is now mandatory.
485536 Access policy changes are handled gracefully.
485500 The SecurID node secret file monitoring algorithm was updated so that a new node secret file can be detected. Also, the aced now authenticates with the mcpd so that any node secret file object changes will be accepted by the mcpd.
493993 In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device.
496113 Computer group policy settings are updated after establishing a VPN connection with Windows Logon Integration.
493030 CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568: Update OpenSSL to latest.
485534 After a network access session closes, if a PPP tunnel does not get closed in some time, a cleanup is forced on the server side.
490527 Windows, Mac, and Linux clients were updated to prevent a crash when establishing a VPN connection in certain conditions.
485499 Modify the db variable tmm.access.maxrequestbodysize with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).
485520 A JavaScript error screen no longer displays when using BIG-IP Edge Client to connect with a logon page that contains an additional select type.
492809 An issue has been fixed that resulted in a small, periodic mcpd memory leak associated with APM statistics.

Fixes in 11.5.1

ID number Description
392250 When Access Policy OAM Support is enabled on a virtual server and the AccessGate setting specifies a particular accessgate instead of Default, users are no longer intermittently redirected to an OAM error page.
424938 APD no longer crashes when processing an access policy with Tcl expressions; previously, this occurred rarely.
432260 An AAA server pool is now reachable even after the "bigstart restart [mcpd]" command runs.
432925 You can now successfully create a macro from the Support for Microsoft Exchange macro template.
433227 F5 PCoIP proxy implementation is certified by VMware.
436556 Citrix apps render correctly on an APM webtop when a Citrix resource uses Kerberos single sign-on to Citrix XML Broker.
443139 Session variables have been made available during the ACCESS_SESSION_CLOSED event. As a result, session variables are still available even after issuing the "ACCESS::session remove" command, because the actual removal is deferred until after the current iRule completes. However, it is considered an error to access that data outside of the ACCESS_SESSION_CLOSED event.
446123 Online help is provided for the Groups screen for the LDAP and Active Directory AAA servers.
446207 The "state" value in the session variables created after a software check (antivirus, anti-spyware, firewall, patch management, peer-to-peer, health agent, and disk encryption) now contains the correct state of the specified product.
446425 The BIG-IP Edge Client for Mac now applies DNS server settings correctly.
447033 Now Java RDP and Java App Tunnels work without showing a security warning.
447089 Network access connections now succeed after failover without encountering an IPv4 allocation failure error: "leasepool <name> is out of addresses".
447130 Internal communication with the Secure Web Gateway (SWG) content scanning engine has been optimized. This results in significant performance improvements.
447239 Additional Secure Web Gateway (SWG) sessions are no longer created when a session expires.
447609 The installer for the BIG-IP Edge Client for Windows now prompts the user if a reboot is required, instead of silently rebooting the machine.
447654 When using Portal Access, an input tag in forms now can receive a value that is dynamically created by JavaScript on the client.
447658 An APM page that contains dynamic scripts now works correctly when a user opens it from another domain or protocol using the Chrome browser.
447685 The current HTML page continues to display without reloading, if a user clicks a link that contains an undefined URL.
447699 Now forms with an absolute path in the action are handled correctly.
448152 If the database download introduces a new URL category, it happens without producing an error in a log file.
448366 If the Secure Web Gateway (SWG) database download fails, the system no longer continues to retry the download.
448385 Now JavaScript arithmetic assignment operators are handled correctly on the server and on the client.
448461 Online help for Bandwidth Policy access policy item has been added to the visual policy editor.
448599 Some Secure Web Gateway (SWG) URL category names that were truncated when displayed, are now fully displayed.
448628 An AAA server pool is now reachable even after the "bigstart restart [mcpd]" command runs.
448870 Now an APM webtop renders Citrix apps when a Citrix resource uses a pool and Kerberos SSO.
448874 Citrix apps render correctly on an APM webtop when a Citrix resource uses Kerberos single sign-on to Citrix XML Broker.
449236 Added an option to full webtop configuration: Show warning message when webtop screen closed. When this option is disabled, a user can close a webtop browser without also being prompted to close the Network Access tunnel (that was launched from the full webtop).
449573 The iRule event agent (in an access policy) no longer logs BIG-IP Edge Client for Linux CLI users out before they can establish network access.

Fixes in 11.5.0

ID number Description
238494 The F5 Credential Management service now updates automatically on the BIG-IP Edge Client. To get SSO working after the update, the user should reboot the machine.
325296 Previously, APM supported only LDAP URLs for CRL distribution points. Now, APM also supports HTTP URLs.
381486 Information about session length, connection timeout and idle time is added to BIG-IP Edge Client. Information about the tunnel type used, session length, idle time and session timeout is added to web browsers.
386888 Citrix application icons used on the APM webtop are cached on BIG-IP system now; this reduces load on the back end and improves icon loading time.
390462 Visual policy editor now supports Internet Explorer 10 and 11.
392250 When Access Policy OAM Support is enabled on a virtual server and the AccessGate setting specifies a particular accessgate instead of Default, users are no longer intermittently redirected to an OAM error page.
394176 The access policy item, Windows Registry, now supports REG_MULTI_SZ fields.
394184 Remote desktop Java client now supports connections to Windows 8 and Windows Server 2012 hosts.
394449 Now, AD and LDAP can parse multiple entries in an LDAP response.
396735 Prevents authentication failure when both the SAML assertion and the response are signed.
400433 Daemons (apd/apmd) are more robust.
401658 APM now hides network access, remote desktop, and application tunnel resources from APM webtops on Windows 8 ARM.
402297 An administrator can build visual policy editor rules to detect a "Windows 8" running on ARM processor and create appropriate branches.
402699 For BIG-IP Edge Client on Windows systems, when APM network access is configured to close idle connections, a notification about the idle connection displays ahead of time.
406916 The upgrade script now handles client-packaging with multiple folders in full path name.
407362 When a desktop requested by the user is not immediately available (as reported by XML Broker), APM waits for some time and retries the launch attempt a predefined number of times.
408665 The APM PCoIP Proxy implementation is compliant with Teradici certification.
409438 APM now supports SSL Relay when working with a Web Interface site.
413486 On the BIG-IP Edge Client for Mac OS X, the text copy and paste action, to and from the clipboard, now works correctly.
413661 Access policies that were copied from other policies no longer lose their images when the original policy is deleted.
414370 Clients no longer receive a TCP reset if an ASM profile is configured and access was disabled with the "ACCESS::disable" iRule.
415844 The BIG-IP system now assigns special identifier (SPI) values to VMware View clients. Clients no longer use self-generated SPIs.
416949 "Login failed" no longer displays as the caption of the Citrix Logon Dialog box on the APM webtop when the user successfully logs into a Citrix resource, but has no apps assigned to him.
417289 A Java remote desktop resource now uses the en-us keymap (US keyboard) for the logon screen by default. Previously, en-gb (UK keyboard) was the default keymap.
417908 Now accounts in Citrix Receiver for Windows can be registered by entering only the domain name of APM virtual server.
418082 APM webtop now supports VMware View HTML5 client.
418231 Now ICA Proxy does not attempt to modify an ICA file if it detects that an STA ticket is used. The list of STA servers configured through a session variable named "session.citrix.sta_servers" is used to resolve STA tickets. The list of STAs should contain one or more URLs delimited by semicolon.
418610 Various APM related cookies are now set to a secure option.
418976 Citrix apps icons on APM webtop are cached by the browser now, which improves webtop page load times.
419127 A new global variable, F5_noContextSwitching, turns off part of the processing on the client side in case of web application slowdown. You can use an iRule to set the variable on a page.
419237 APM now supports launching VMware View desktops from APM webtop using standalone View client.
419654 VMware View client for Linux 2.0 is supported by APM PCoIP proxy.
419780 APM now encodes URLs for the prevention of XSS attacks using a less aggressive mechanism.
419859 Visual policy editor configuration pages for peer-to-peer software, HD encryption software, health agent software checks are improved.
419955 CPU usage by Kerberos library during some error conditions is acceptable now.
419984 Sessions that share the same TCP connection are no longer terminated when a new client connects using the same connection.
420013 EMC applet works now.
420543 The OPSWAT checks workflow is restored; it is possible to save after making changes.
420706 APD process now takes significantly less time to apply an access policy.
420743 SAML IdP automation now gracefully handles a metadata file that is missing an EntityDescriptor tag.
420961 The Tcl encoding command is now available for use in visual policy editor expressions.
421055 It is now possible for an end user to change their AD password.
421068 When you use APM portal access that has an iframe or frame that runs an HTML file which includes a parent.document.write(some_html_with_script) statement, Internet browser response is now acceptable.
421259 Secure session variable now decrypts correctly and is the correct length.
421499 BIG-IP Edge Client for Mac OS X code now handles network access over a third party PPTP VPN connection.
421522 APM now handles an empty AVP-24 ("state") in a RADIUS Access-Challenge request.
421566 The root cause of a logd core has been corrected with a thread-safe call to localtime_r().
421648 Documentation now contains correct values for the Machine Info agent.
421796 SAML single logout (SLO) now succeeds when a SAML Service Provider (SP) session times out, the user logs in to the SAML SP again, and the user initiates SLO.
422135 RSA Next Token and New PIN modes are supported for Citrix Xenith and Xenith2 clients using RADIUS server.
422194 Access no longer resets a TCP connection if a client requests the landing URI on the slave twice before completing an access policy.
422396 You can now start a Citrix application with an ampersand in its name from an APM webtop.
422516 A notification displays when reboot is required after the Cred Mgr has been updated.
422550 You can use APM local user database from iRules now.
422697 A Java remote desktop resource now works on a Mac system that is affected by an Oracle issue, bug 7180557.
422948 If you change a rule expression in a macro, the "Apply Access Policy" link now appears as expected.
423260 Now all software checks are directly available in the agent selector in a branch rule expression.
423435 The access policy item, Windows Registry, now correctly compares pure numbers.
423751 A case where policy evaluation is in process and an existing client connection is disconnected is now handled correctly.
423848 Using Device Wizards (Network Access Setup Wizard for Remote Access) to create Network Access (with client-side checks enabled) for remote access now produces an antivirus action with entries.
423897 BIG-IP Edge Client for Mac OS X handles ending redirect correctly.
424067 Proper Windows 8.1 and Internet Explorer 11 detection implemented for BIG-IP APM.
424117 APM supports Windows Citrix Receiver 4.0.
424199 Initial access to cookies on a page from a dynamically loaded script no longer causes intermittent Firefox browser halt.
424371 Protected Workspace code was changed to allow Internet Explorer 11 and Windows Explorer to start on Protected Workspace Desktop (on Windows 8.1).
424572 APM SAML can now operate with other systems using either or both of these groups of algorithms: RSA-SHA256/RSA-SHA512 XML signature algorithms, and SHA256/SHA512 digest algorithms. It continues to sign its own SAML messages (AuthnRequests and Assertions) using RSA-SHA1.
424577 Support for Windows 8.1 Inbox F5 VPN detection is available in APM visual policy editor; an additional branch was implemented for the Client Type Access Policy action.
424587 A SharePoint 2013 homepage can now successfully render in Internet Explorer 11 when it runs through APM content rewrite.
424607 APM portal access with split tunneling enabled now selects the action correctly for URLs containing the '%0a' character string when requests are initiated by JavaScript.
424661 You should no longer see the following Tcl error message in the /var/log/ltm log file. TCL error: _sys_APM_activesync HTTP_REQUEST - can't read "actsync_401_http_body": no such variable while executing: "HTTP::respond 401 content $actsync_401_http_body Connection close".
424969 Fixed a rewrite plugin crash that could occur when sending POST requests with specific XML data through portal access.
425166 Fixed a BIG-IP Edge Client crash caused by an incorrect memory copying routine during the disconnect process.
425853 Launch Application for Mac OS X now works if the string contains an ampersand.
425884 When an admin tries to upload and install a new epsec package, the admin will no longer see a Configuration error.
425904 Now Flash AS2 jump instructions should be properly rewritten.
426185 Flash AS2 content is properly rewritten now.
426439 Portal resource now opens properly after a Citrix or a View resource has been used on an APM webtop.
426685 Now Citrix/VMware View support works on virtual addresses of the 'traffic-group-local-only' as well.
426850 The BIG-IP system configured as a SAML service provider (SP) now processes encrypted assertions.
427076 An error no longer occurs during logon to a web application using client initiated form-based SSO.
427725 An issue in which TMM produces core files in access deployments has been fixed.
427743 iOS Receiver now works when APM is configured with StoreFront integration or when APM is configured for two-factor authentication.
427762 Fixed issue with session re-establishing for iOS Citrix Receiver.
427804 The IE 11 on Windows 7 user agent is now detected correctly.
427819 Network access restores proxy settings when a user signs out from a Windows-based session and schedules proxy cleanup operations to start on the next Windows user sign in.
427864 The VMware View client can now connect through APM when the backend replies with a chunked response.
428306 When using the svpn plugin proxy service on a Mac system, the plugin works correctly when it probes
428390 Log messages for client initiated form based and SAML SSO are working again.
428417 Support for Windows 8.1 platform detection implemented in Windows client code.
428450 The rewrite process no longer loops when working with malformed Flash files.
428595 A user who can access visual policy editor in read-only mode can now switch to the Branch Rules tab.
428784 Fixed absence of session timeout window on the logon page in Safari browsers that forced users to enter credentials again after the Login button is pressed. This fix will not affect already customized logon pages.
428933 Cookies created from JavaScript with the wrong date format in the expires field are processed correctly.
429031 Removed negative cases from expression builder for software checks
429163 Resolved issue where InstallerService is not installed and Internet Explorer is used so that the correct newer components are employed to avoid reconnect looping when per-user is used, instead of per-machine.
429171 Flash ActionScript 3 files from different domains with conflicting class definitions now work correctly through Portal Access.
429617 Windows RT users can now access webtop links and portal access resources on APM webtop.
429680 Response headers are parsed correctly for any responses with unsupported content.
429704 The Disable/Enable logic for Unlock User button is fixed.
429741 A Windows RT branch is added to the "Client OS" action in APM Access Policy.
430669 The issue where Internet Explorer 11 did not always allow access to "window.opener" is fixed.
430819 AD/LDAP non-printable attributes are now detected as such.
430899 Records installed in session db keep track of license counts during regular operation on chassis.
430962 Previously when F5 Networks VPN Adapter was disabled by user, manually connecting to the VPN would fail. Now the adapter is automatically enabled in this case and VPN connections can successfully be established.
430965 Resolved issue where Windows 8.1 SetupDiGetDeviceRegistryProperty function returned hardware IDs with spaces replaced with underscores, to allow VPN driver to be uninstalled. This addresses issues with the VPN driver update.
431076 Driver installer fixed to re-install client stonewall driver independently from VPN driver.
431216 Internet Explorer 11 does not recognize PAC files specified with the "file://" prefix. To work around this issue Network Access automatically enables "Client Proxy Uses HTTP for Proxy Autoconfig Script" for Internet Explorer 11 clients.
431377 and 431381 Improved JavaRDP compatibility with Windows 8 / 2012 Server hosts
431508 APM displays UTF-8 HTML pages correctly.
431976 Maximum number of entries in subject alternative name is not limited anymore in server certificate check module of Linux CLI.
432049 Sessions from BIG-IP Edge Client on iOS now can be filtered by CPU type in visual policy editor.
432096 Layered virtual with matching destination can now intercept MobileSDK and/or JavaPatcher traffic.
432721 RemoteDesktop module will use the configured search domain, while resolving short names for mobile app tunnel connections.
432851 Mac File and Linux File access policy items work correctly when the specified file size is greater than 1024 bytes.
433605 At the end of an APM network access session, the route is now restored for an interface that has a gateway and IP address on different subnets, provided that the gateway and IP address have not changed during the session.
433781 APM now correctly processes any HTTP headers.
433839 Now, if the peer is shut down, Kerberos immediately terminates the connection.
433982 Detection of Internet Explorer is improved in APM Portal Access.
434049 Fixes for supporting multiple customization_templates during tmsh load sys config merge.
434776 A Windows File, Mac File, or Linux File agent can be added to an access policy without causing APD or APMD to crash.
435329 Layered virtual servers are now assigned the correct IP addresses, and no longer conflict or interfere with each other.
435383 When deleting an Accessgate from OAM server configuration, wrong MCPD validation prevented deleting the second to last Accessgate. This fix will result in throwing the MCPD error, while deleting the last Accessgate only, as expected.
435436 Users can use APM with VMware View when the View resource uses a pool of more than two View Connection servers.
435449 Request no longer hangs and no errors occur.
435900 XDomainRequest is supported similar to XMLHTTPRequest.
436049 Fixed a rare case of crash in rewrite plugin.
436175 Upgrade script is fixed to handle empty bodied Citrix Client Bundle (all on one line).
436616 CTU correctly enables logs for 64-bit services on Windows systems.
436788 Corrected page handlers to return to OAM AAA Server listing page upon saving.
437227 Memory leak has been fixed in the rewrite daemon.
437731 Optimized tunnel works correctly with Internet Explorer now.
437952 VPN installation now launches under Protected Workspace (PWS) on Windows 8.1.
438219 The access policy daemon (apd) process no longer leaks memory with AD and LDAP Query agents.
438251 Now when using Outlook Web Access (OWA) 2010 from a portal access webtop, new messages are shown automatically in the mailbox and the message indicator changes accordingly depending on whether the messages are read or unread.
438664 F5 Client Traffic Control Service now works on Windows 7. Previously the service started and then stopped.
438709 Users can now open the calendar widget in SharePoint 2007 while using Internet Explorer browsers with portal access.


Session ID rotation has been implemented, and starting from 11.2.0, it is on by default. This breaks compatibility with earlier BIG-IP Edge Client and plugin versions. For example, when APM is configured for session ID rotation, an 11.1.0 Edge client is not allowed to log in to Access Policy Manager (APM) version 11.2.x. The expected behavior in this case is for APM to present the login page to the Edge client after each login attempt. To disable session ID rotation per-box, you can use the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable

Known issues

This release contains the following known issues.

ID number Description
223583 Inside Protected Workspace (PWS) on Microsoft Windows Vista, a user can create folders only in some locations using the context menu; that is, only a Folder item appears on the New menu. However, a user can create standard type files using the context menu directly on the desktop and in the user's home folder. Files can be created on the Desktop and then moved to the desired location.
223712 During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the logon request fails.
224076 The keyboard security program Secure KeyStroke prevents users from entering Protected Workspace.
224145 The visual policy editor can, on rare occasions, return a non-specific failure when attempting to create new items. The failure is transient; the request invariably succeeds on retry.
224357 Misaligned text in warning message on Mac. In this version, when a user makes a connection to an Access Policy Manager virtual server that uses a self-signed certificate, on some Mac OS versions, the warning message appears with misaligned text.
224512 InstallerControl, Internet Explorer 8, and Windows XP (ID 224512). Currently, when a user installs the web client on Internet Explorer 8 on Windows XP, using the Internet Explorer information bar, the InstallerControl always installs for all users on the machine. All other components can be installed either per user or per machine.
238556 AAA types for SecurID and RADIUS in APM will not source packets from the floating IP address for the traffic group, as customers would expect. Because RSA authentication server is sensitive to the incoming IP address of the authentication packets, an extra virtual server is required to SNAT the authentication requests to the correct (floating) address so that the same source IP will be used in both members of an HA pair. Authentication will fail because RSA expects the source IP address to be specific, and will not tolerate changes for HA failover. You see this when you use RADIUS AAA or RSA AAA in an APM access policy.
294032 When you access an older version of APM software using the Windows system client and a pre-logon antivirus check is configured, the OPSWAT AV control gets loaded into your browser. The control does not unload successfully and, as a result, the antivirus check fails. You cannot log on until the control is unloaded. Reboot the client system.
339865 Microsoft SharePoint 2007 with Office Integration does not work in LTM+APM mode when Windows Protected Workspace is used in an access policy. When you try to open a Microsoft Office document, an alert about a wrong URL is displayed.
340549 The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. (However, forwarding HTTP requests through the HTTP proxy does work correctly.) To work around the problem, create a layered virtual server to catch HTTPS traffic leaving APM and forward it to a HTTPS proxy server using CONNECT. Proxy authentication is not implemented and if the response status from HTTPS proxy server is not 200, then use an iRule to close the connection.
342035 A SIP client cannot communicate with a SIP server when connecting over a Network Access tunnel. SIP protocol uses fixed UDP ports, and communication fails because Network Access tunnel translates the source port of the connection. To work around the problem, configure a layered virtual server using the SIP UDP port and set the Source Port option to Preserve Strict.
343280 When using Portal Access in Safari 5.X, sometimes web pages do not load properly. A bug in Safari 5.X leads to accidental loss of all HTMLElement.prototype changes when setting HTMLElement.prototype properties in a window and accessing window.frameElement from any of its frames. (The problem also sometimes occurs in other less well-defined cases.)
347100 Every time the Hometab loads, a dialog box message is displayed stating: "This Page contains both secure and nonsecure items. Do you want to continue?" To work around this problem, disable the Hometab.
351360 Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol. To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles.
353403 Customization and images with CSS Sprites Image (ID 353403). When you make a change to the CSS Sprites Image for a webtop through the Customization feature, the change does not appear on the webtop for an hour. Alternatively, you can restart tmm with this command: bigstart restart tmm.
354406 When a virtual server is configured to use a SNAT pool for doing source NAT of the traffic between the virtual and backend servers, if one of the IP addresses used in SNAT pool is self-IP, the access policy does not work for the virtual server.
355490 TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. Sometimes, when the reply from the TACACS+ server is processed, "Invalid reply error message" is logged on APM. However, this message does not indicate any failure in sending the accounting STOP message to the TACACS+ server. This error message can be ignored because the accounting functionality works.
355981 APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported.
356766 Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot.
359639 Some long captions for resources can be longer than the bounding box in Firefox 7. This problem does not affect the workflow.
360141 Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin GUI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration.
360248 If two administrators (a1 and a2) simultaneously use the admin UI and one of them (say a1) deletes an image while the other (a2) is in the process of using that image, the entire transaction (the set of changes made by a2 in a session before clicking the Save button) is aborted and the Save fails. The user (a2) must restart from the last saved change and apply all changes again. To work around the problem, revert and re-apply all the changes. This is a corner case, since multiple administrators will rarely be using the UI and making these changes simultaneously.
360734 When previewing pages, the Preview pane does not automatically refresh when the language is switched. To work around the problem, click on an item in the Preview tree pane to cause the page to refresh in the new language.
360742 When the logon page is customized in visual policy editor in multiple languages, the images appear broken. To work around the problem, customize the logon page using localization customization. (Refer to Access Policy > Customization.)
360889 For ACLs that are generated from a Portal Access resource, port 0 (zero) matches against port 80 (when the scheme is HTTP) and against port 443 (when the scheme is HTTPS). For ACLs otherwise, port 0 matches against any port.
362200 When customizing messages, you cannot use special characters, such as ', ", &, <. The impact is serious: using these characters is always a problem. To work around this problem, do not use such characters, or manually fix the customization XML files (not advised).
362325 Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using the Save as action. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010.
362351 Branch names cannot start with the word fallback in the visual policy editor. Do not start branch names with the word fallback. The terminal name must begin with an alphabetic character (for example, a or A). The remainder of the name can contain only alphanumeric characters (numbers and letters), spaces, and these symbols ( + - _ ( ) [ ] ). The terminal name cannot begin with the text fallback. Please rename the terminal.
363188 Using a space in an alias for a virtual server can cause unexpected results when you use tmsh to add or update a connectivity profile. No spaces are allowed in aliases for virtual server.
363227 In APM Customization, common partition objects are not made read-only for managers of a partition.
364030 The Hometab disappears for Domino Web Access (DWA) 8.5 through reverse proxy.
364138 CPU usage spikes and an LDAP auth client on the BIG-IP system is unable to connect to an LDAP server during an LDAP query. This problem occurs when a very high volume of LDAP query load is put on the box and the BIG-IP client ephemeral ports enter time wait and do not leave time wait fast enough before wrapping around. There are several possible workarounds:
    1. Widen the client port range. It defaults to 32768-61000.
       echo "2048 65535" > /proc/sys/net/ipv4/ip_local_port_range
    2. Change the number of available TIME_WAIT buckets. It defaults to 180,000.
       echo "2000" > /proc/sys/net/ipv4/tcp_max_tw_buckets
    3. Decrease the TIME_WAIT timer. It defaults to 60 seconds.
       echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
365014 If you upgrade from APM 10.2.X to 11.2.0, you might run into this error: 012e0008:3: The requested command (connectivity resource) is invalid. To prevent the error, perform these steps. 1. Switchboot back to version 10.2.X. 2. Use text editor vi or vim to open the /config/bigpipe/bigip.conf file. 3. Look for the pattern "connectivity resource" at the beginning of a line. 4. Within the scope of "connectivity resource", look for the line with pattern "patching type" and remove the line. 5. Save the file and exit the vi or vim editor. 6. Run "bigpipe load" to make sure that there is no error. 7. Redo the software upgrade.
365583 An IPv6 only Network Access configuration is not supported. Either IPv4 or IPv4&IPv6 are the supported IP versions.
365646 When a blade goes down while sessions are running in an Access Policy Manager process on that blade, a later session that accesses the session database can lead to a failure.
366001 If you have performed any advanced customization, you must upgrade the files manually when upgrading from 10.2 to 11.x.
366420 An IPv6 only Network Access configuration is not supported. Either IPv4 or IPv4&IPv6 are the supported IP versions.
367621 Access Policy Manager does not support IPv6 for communicating with the OCSP responder. Configuring the OCSP URL with an IPv6 address or a hostname that resolves to an IPv6 address will not work. Access Policy Manager uses OpenSSL BIO APIs to connect to the OCSP responder and these calls do not support IPv6.
368452 This issue is caused by the Java proxy in handling the proxy request. The first request goes to the proxy server as expected but then the Java proxy code makes a proxy to the APM server directly.
369478 When AAA OAM Server is configured and "options inet6" is set in /etc/resolv.conf, the EAM plugin will keep restarting due to an OAM ASDK crash. SR 3-4726570811 was filed against Oracle Support, and there is no better workaround for this as of today besides not setting "options inet6" in /etc/resolv.conf on the BIG-IP system. Until this issue is addressed by the next OAM ASDK patch, the limitation will be one of the following: 1) Do not configure AAA OAM server on the same BIG-IP system where "options inet6" must be set in /etc/resolv.conf. 2) Do not set "options inet6" if OAM is configured on the same BIG-IP system.
371015 On chassis platforms, in some scenarios, more than one value is displayed under the Local Time column in the All Sessions report.
372114 On a chassis-based system after upgrade and first reboot, if APM is configured, very rarely end users might be unable to log in to the virtual server. An access denied screen displays the following message: "Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration". To recover from this error, restart the primary blade. From the configuration utility, select System > Configuration and select the Reboot Blade option.
373889 You can configure a Network Access tunnel to update a session (that is, to extend expiration time) based on a traffic threshold and a window of time. Traffic measurements are taken every 5 seconds, but they are not divided by 5 before being used in the calculation. As a result, instead of bytes per second, bytes per 5 seconds is calculated, which is incorrect. To work around this problem, select the Network Access resource you want to update, then select Network Settings and Advanced from General Settings. Proceed as follows: 1. Set Session Update Threshold to 5 times the desired bytes/second rate. 2. Set Session Update Window to 2 or higher. Note: The session life management might not be exact.
375651 The APM JavaPatcher implementation puts stricter limitations on connections performed by unsigned applets than the Java VM itself. In particular, an unsigned applet can open socket connections to its native backend only by passing the same identifier (FQDN or IP address) for this host as was originally specified at the applet's loading stage. For instance, if there is a server at that is accessible by fqdn.intra.local name and the applet has been loaded from, it can only create sockets by providing them with the IP address of its backend ( but not FQDN (connections to the fqdn.intra.local will be rejected unless it is in fact the same host). The same will happen if the applet is loaded by FQDN but tries to establish a connection by IP address. This comes from security requirements for the JavaPatcher implementation. An unsigned applet fails to connect if it uses a different identifier (FQDN instead of IP address or IP address instead of FQDN) for the destination host. This occurs when an unsigned applet is loaded from a web site using FQDN but attempts to connect to this site's IP address, or vice versa.
375658 APM JavaRDP does not work correctly on Mac OS X when Mozilla Firefox 3.6.x is used. This is caused by bug ID 606737, which affects the JavaRDP component. The issue was fixed in later versions of the Mozilla Firefox browser, so they should be used to work properly with JavaRDP. JavaRDP fails to establish a remote desktop connection. JavaRDP is launched on Mac OS X with Firefox v3.6.x. To work around the problem, use Mozilla Firefox 4 or later instead.
376615 Username and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a result logon fails. The problem happens for these clients: iOS, Android, Windows Mobile, and Linux CLI. To work around the problem, put the Logon page agent before the On-Demand Cert Agent in the access policy.
380815 If an ACL and a resource have the same name, and one of them turns out to be the "Last" one in order, then creating a new resource with the order "Last" fails. To work around this problem, do not use the same name for resources and ACLs.
380994 If a webtop is placed in a path before a resource is assigned, the policy execution fails at runtime. To work around the problem, place the webtop after the resource has been assigned.
381258 Web-application misbehavior (exception, wrong rendering, and so on). Web-application functionality. If the JavaScript operator 'with' is used in web-application code and, if after rewriting, 'F5_ScopeChain' is found within the 'with' statement in these contexts: ...F5_Inflate_xxxxx(F5_ScopeChain,... ...F5_Deflate_xxxxx(F5_ScopeChain,... ...F5_Invoke_xxxxx(F5_ScopeChain,... then there is a probability of this issue. As a workaround, an iRule can be used for changing an 'interesting' variable name within the function's body. No general iRule exists. For each case, a custom iRule must be created as a workaround.
381490 Android Citrix Receiver does not support RSA New PIN mode if APM is configured for Session ID Rotation. Session ID Rotation can be disabled per-box with the following tmsh command:
    tmsh modify sys db apm.rotatesessionid value disable
  This occurs when APM is configured for Session ID Rotation and Citrix Receiver release 3.1.4 for Android is used. To work around the problem, disable "Session ID Rotation" in tmsh:
    tmsh modify sys db apm.rotatesessionid value disable
381994 Some Portal Access settings might not be applied to end-users without cleaning up ramcache when APM virtual server uses WebAcceleration profile.
382542 When going through the list of SSOv2 configurations, if you use the keyboard to navigate through the list rapidly, a JavaScript error is generated. To work around the problem, use the mouse to select one row at a time or wait for the forms and headers to be displayed before selecting the next row.
382753 If a BIG-IP system with Web Acceleration profile enabled does not refresh page with Cache-Control: no-cache, set the "Ignore Headers" option of the Web Acceleration profile to None.
383464 In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian.
383511 The Device EPSEC Status screen should reflect the recent status of all devices in the device group. When a request to see the device status of a device group is made, the Changes pending link displays. After sync, the link should disappear and the status should be displayed. To work around the problem, perform Sync from group by clicking the Changes pending link. Then go to the Device EPSEC Status screen. The status displays.
383607 After a Network Access client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4 to 7 minutes.
383769 A route entry is not created for Network Access if it is configured in a partition with a non-zero route domain.
384405 With Access Policy Manager Portal Access, if you add a web-acceleration profile to the Local Traffic virtual server, it does not take effect until you go to the command line and type "bigstart restart tmm". The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content.
384479 When you configure a virtual server for Oracle Access Manager integration (by selecting the OAM Support option), the option to select a specific AccessGate does not apply to OAM 10g environments.
385039 You try but cannot delete an access policy with customized App Tunnel and Remote Desktop resources, due to this error: 01071349:3: File object by name (/Common/for_big_logs-cgimg_0001.png) is in use. To work around the problem, perform these steps. 1. Delete the access profile without selecting images for deletion. 2. Delete the images from Image library.
389881 The Portal Access feature in APM does not support Flex Runtime Shared Libraries using ActionScript3.
390823 APM+LTM and Portal Access do not work on Virtual Servers configured for Citrix Replacement mode (with APM_Citrix_PNAgentProtocol data group). APM+LTM and Portal Access do not work. Virtual Server is configured for Citrix Replacement mode (with APM_Citrix_PNAgentProtocol data group).
392255 Under high load and in deployments where users log in and log out pretty frequently, APM crashes intermittently. This was happening as APM was trying to free an already freed session DB entry. This fix resolves the double free issue.
393043 During an APM remote connection, the progress bar might not render correctly on a Linux system when using the Chrome browser.
398074 Resetting the device-trust is analogous to removing the physical connection between two endpoints. The current infrastructure prevents cleaning up of the policy-sync related meta-data on all devices when device-trust is reset on one machine. This results in inconsistent policy-sync status on any machine. The workaround is to "Cancel in-progress sync" from the source device. Once the device-trust is re-established, one can start the Policy Sync again.
398149 The client IP address that the IP Subnet Match agent uses matches the type of virtual server. So, if the virtual server has an IPv4 address, the agent uses the client's IPv4 address (the address from which the connection was established) regardless of whether or not the client has IPv6 configured. The same is true when the virtual server has an IPv6 address. The agent will base policy execution on the client's IPv6 address even if the client has IPv4 configured. The actual address from which the connection has been established will always be used. Because this is a server-side check only, we do not care if another type of IP address is configured on the client. IP Subnet Match agent uses the client's IPv4 address, even if the client has an IPv6 address configured. Virtual server is configured with an IPv4 address. None. This is expected behavior.
398339 When you use the Fedora operating system with SELinux enabled and use the Firefox web browser to connect to APM for network access, you might get SELinux blocking notifications. To work around the problem, perform these steps: A. Execute the following commands on a terminal as root user (not sudo): 1. "setsebool -P mozilla_plugin_enable_homedirs on" 2. "setsebool -P unconfined_mozilla_plugin_transition 0" B. Restart Firefox and try connecting to the APM server again.
398361 Not all configuration objects validate and reject an object name that contains the space character. As a best practice, when you create a configuration object do not include a space in the object name.
399552 CD/DVD burning through SPTI inside PWS works even though the policy disallows it. Despite the policy being set to disallow it, the user is able to burn a CD/DVD. 1. Policy is set to disallow CD/DVD burning. 2. User uses an SPTI-based CD/DVD burning tool.
399696 Selecting an SSO configuration with WEBSSO::select does not work for form-based client-initiated and SAML SSO configurations. To work around the problem, use a variable to assign the configuration object name:
    set sso_config /Common/SAML-config
    WEBSSO::select $sso_config
    unset sso_config
400726 When the BIG-IP system acts as a SAML IdP, you cannot create the assertion with multi-valued attributes. When the BIG-IP system acts as a SAML SP and there is a multi-valued attribute inside the assertion, then the BIG-IP system processes only the first value of that multi-valued attribute. The end user might not be able to access the SP service, or might end up getting partial service, depending on how the SP is configured. Administrator attempts to configure a SAML multi-valued attribute. None.
401546 Old Citrix servers (4.5 and earlier) have a bug in XML Broker that responds with an incorrectly chunked-encoded HTTP response. This might lead to missing icons on the webtop. Default icons are displayed on the Access webtop. Older Citrix deployment (release 4.5 or earlier). To work around the problem, set registry value "HKLM\SOFTWARE\Citrix\XML Service\LegacyChunkHeader" of DWORD type to zero for XML Broker to start using correct chunked encoding.
402840 Oracle ASDK throws an unknown exception on using a non urlencoded % character in a URL parameter list. A fix needs to be implemented in the Oracle ASDK to avoid this unwanted exception.
403082 Network Access cannot perform routing table clean-up if a user closes browser windows without logging out from the webtop, or if a user closes a browser window without waiting for the logout process to complete. To work around the problem, add the APM virtual server address to the Trusted Sites list.
403659 When configuring a BIG-IP system as a SAML Identity Provider, the displayed range of possible values in seconds for the assertion validity timeout is incorrect. The correct range is 1 - 86400 seconds.
403722 If you initiate an access policy sync from the Standby node, an admin must resolve any conflicts on the Active partner. Ideally, an access policy created on the Standby node would be synced to the Active node automatically without admin intervention. To work around this problem, avoid syncing an access policy from a Standby node. Otherwise, you must resolve conflicts, if any, on the Active node.
404766 When you select an access profile and click the Access Policy menu bar, the screen displays lists of the resources that are assigned in the policy. However, SAML resources are not included. To see which SAML resources are assigned to the access policy, you must view the properties of resource assignment actions in the visual policy editor.
404890 This is a rare issue that happens for Internet Explorer when pop-up screens are set to be blocked by the browser. When you launch a Java app-tunnel for the first time in Internet Explorer, the message "Allow pop-ups for this site?" is displayed. In rare cases, when you click Allow once, the Java app-tunnel freezes in the Initializing state and cannot be used. To work around the problem, add a virtual server to the allowed sites for pop-ups from Tools > Internet options in Internet Explorer.
404896 When there is no space left on the /shared location for an epsec package to be uploaded, the epsec upload fails. If there is no space left on one of the peers, the status on the nodes becomes Sync Failed. You must manually clean up the /shared folder to make room for additional epsec packages.
404899 Webpage errors occur when opening a chat window in IBM Lotus iNotes 8.5 with Sametime through a Portal Access webtop. This happens only when using Internet Explorer 9. To work around this problem, add a Portal Access item with the path "/sametime/stlinks/*" to the Portal Access resource and disable Home Tab for this item.
404936 Files named core.xxxx, where xxxx is a number, are created in advanced customization directories during the build process when the customization build cores because of invalid characters in the default customization file. These core files are listed in the user interface.
405352 If you enter a bad FQDN for the domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN. To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: bigstart restart nlad. Note: To avoid future problems due to misconfigurations, you can configure your DNS server to return a negative response.
406040 If an application uses a non-standard location for favicons (as permitted by the LINK meta tag) and you use Internet Explorer 10 for access to the application, then the BIG-IP system creates a new session for that URI. If you use Google Chrome version 25 or above, the BIG-IP system closes the current session during fetching favicons from the non-standard location. Related change in Google Chrome: An example of an iRule workaround is as follows:
    when HTTP_REQUEST {
        if { [string tolower [HTTP::path]] ends_with "favicon.ico" and [HTTP::cookie "MRHSession"] eq "" } {
            ACCESS::disable
        }
    }
406745 Office for Mac 2011 gets the login page HTML instead of the document when "open in Office" is used in SharePoint. Not able to view the document from Portal Access. Cannot open Office document using SharePoint. N/A
407855 When you use the GUI to delete an access policy, you have the option to delete the resources and AAA servers that are used in the policy. This option is presented only if the policy to be deleted is the only one using these resources or AAA servers. If you choose the option, an error displays to the effect that the resources or AAA servers are being used by the access policy and cannot be deleted. To work around this problem, delete the access policy first, then delete the resources or AAA servers.
409233 VMware View Client becomes unresponsive for about one minute after associated APM session is terminated by administrator. VMware View Client becomes unresponsive for about one minute. APM session associated with VMware View Client connection is terminated by administrator.
409323 On-Demand Cert Auth redirect does not honor a port other than 443 in virtual server. The redirect URL is missing the port information, hence subsequent client connections aren't successful. On-Demand Cert Auth is used in an access policy that's assigned to a virtual server with non-standard port. N/A
409462 When you update an SSO configuration that is associated with an access policy, the Apply Access Policy link does not display because it is not necessary. As soon as the SSO configuration changes, APM applies the SSO configuration to all sessions.
409777 You cannot open a Microsoft Office document on SharePoint. Error messages can be different based on the Microsoft Office and SharePoint versions. To work around this problem: - APM virtual server certificate must be valid and its root certificate must be in the browser's Trusted Root CA list. - SharePoint must be in the browser's Trusted Sites list. - Use Internet Explorer. (This works only for Internet Explorer. Microsoft Office components cannot get cookies from Firefox yet.)
410775 Performance is low and messages in /var/log/ltm document "Inet port exhaustion...". BIG-IP system performance drops. To work around the problem: If you use OCSP authentication, consider adding a host entry (using tmsh) instead of resolving the OCSP hostname through DNS. If you use RADIUS authentication, use the pool option with multiple RADIUS servers (in the AAA RADIUS server configuration). If you have only one server, add a SNAT pool with multiple source IP addresses to the virtual server.
413778 There are no error details in log messages when AD Auth fails because the Kerberos Key Distribution Center (KDC) is unreachable. Administrator doesn't know the exact reason for Auth failure. AD Auth is used. The configured KDC is unreachable or there is no available KDC for the configured domain (if the KDC field is empty). None.
414411 When you use visual policy editor from the Chrome browser, images do not preload and as a result, the navigation bar flickers. To work around the problem, use Firefox or Internet Explorer.
415262 If you use tmsh to create a connectivity profile and set another connectivity profile as the parent, the profile that you create does not inherit the settings for Windows/Mac Edge Client, Server List, Location DNS list, and all mobile client settings. User may not see some attributes because they are not inherited from parent profile. This happens only in CLI. To work around the problem, if you create the profile in GUI, all the information is inherited.
416348 Looping occurs in visual policy editor when clicking the link for either the Decision Box or Message Box. Unable to proceed to backend server. Stuck in VP loop. This occurs with a VP evaluation loop with eca profile + eca iRule + decision box or message box configured in the access policy. Issue only occurs in Internet Explorer (not Chrome or Firefox). The problem is that the NTLM-irule used to enable eca on the request is not run for internal URLs, such as /my.policy. This causes eca to not be enabled for the POST to my.policy. This causes the issues because it is expecting a 401 (which never comes). Internet Explorer behavior does not send data (such as which decision was selected in the decision box) when a 401 is sent. There are two workarounds: 1) You can enable eca for only the URLs you need (as opposed to enabling it for every single HTTP request, which will cause the my.policy request to be sent as a type 1 message). 2) If you want to enable eca for every request, you can add the following event to the NTLM-irule, which allows the iRule to run for internal URLs as well.
    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }
416759 Microsoft Dynamics CRM might not work correctly through reverse proxy in some cases. SAML can be used to accomplish SSO.
417273 When upgrading from 10.X.X to 11.4.0, connectivity profiles cannot be fully recovered. As a result, functionality is lost due to the lost configuration. There are two options to work around the problem. Option 1: Upgrade from 10.X.X to 11.4.0, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration Utility. Option 2: Upgrade from 10.X.X to 11.X.X, then finally to 11.4.0.
417711 After the upgrade, if the previous configuration used NTLM front end authentication, the functionality is not restored. After the upgrade, manually delete the existing machine account configurations and then recreate them.
419485 The configuration does not load after upgrade to 11.4 if it includes the iRule "ACCESS::session create". The following error prints if loading the configuration from tmsh: error: [No timeout specified by -timeout option or access profile]. Config fails to load after upgrade. This happens during upgrade to TMOS 11.4 from an earlier version with the iRule "ACCESS::session create" in the config. To work around the problem, change the iRule before you upgrade. You can either comment out the ACCESS::session create iRule with a '#' or use the new syntax for the iRule.
    Syntax before 11.4.0:
        ACCESS::session create <timeout> [lifetime]
    Syntax after 11.4.0:
        ACCESS::session create -timeout <timeout> [-lifetime <lifetime>]
419748 After a hosted content file is referenced by a Portal Access resource, the file cannot be deleted, even if the link-type of the resource is not "hosted-content". Users cannot delete some unused sandbox files. This problem occurs in this sequence of steps. Use the GUI. Create a resource such as portal-access or webtop. Set the link-type to "hosted-content" and select a sandbox file. Now change the link-type to 'uri'. Try to delete the sandbox file. It will not be deleted, even if it is not in use. To work around the problem, use tmsh to clear the sandbox file reference in the resource. Example:
    tmsh modify apm resource portal-access <NAME> sandbox-file none
  Now the sandbox file can be deleted.
419754 When using a local user database instance for authentication on APM, if a user that is flagged to change password leaves the password field empty, the user is prompted again to change password. Whether the user types a new password or leaves the password field empty again, the user is prompted again to change password. After the empty password is entered the first time, the user will continue to be prompted for a password. The next password entered will be rejected regardless of whether it is empty or not. This occurs under all of the following conditions: 1. Local user database is used for authentication. 2. User is administratively flagged for password change. 3. User attempts to change his or her password. 4. User uses an empty password as the new password. APM handles a subsequently entered non-empty password correctly.
419836 When you switch from editing one file to editing another file in advanced customization without saving the first file, changes to the first file are lost. This is not user friendly as a user may spend a lot of time on editing the file. When clicking another file, the user does not know that changes will be lost and are not recoverable. A user can only modify the file again after the change is lost.
419996 When you import users to a local user database, any first or last name with a space in it is truncated to the first space.
420013 Applet loading fails with java.lang.NoSuchMethodError:;Ljava/lang/String;)Z
420087 EPSEC packages cannot be installed using tmsh commands. Users cannot use a script or tmsh commands to install EPSEC package. Use the GUI to install EPSEC packages.
420506 When using the Local Database agent with a write action, the list of properties available includes groups; however, this property is read-only and any attempt to write to it fails. There is no workaround. You cannot write to the groups property. Its appearance in this list is an error. It should show up only in the properties list for a read action. This issue arises when using the APM general purpose Local Database agent with an action that includes writing to the groups property.
421063 JavaScript code that deletes 'call' or 'apply' methods from Function.prototype does not work through Portal Access. Some web-applications might stop working or work with errors. Errors can occur. This issue has no workaround at this time.
421456 Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0, because in 11.4.0 the password is saved in encrypted form while the password in 11.3.0 is saved as clear text. Cannot access Kerberos server. Kerberos SSO password is saved as clear text in 11.3.0. Re-enter Kerberos SSO password after upgrade.
422525 Portal Access resources with proxy host configured and no DNS record available to BIG-IP will be blocked by APM ACL. All requests to these resources will result in APM DNS error page. Some resources accessible only via proxy cannot be configured to work through APM Portal Access. Use intranet DNS server for BIG-IP, or add resources behind proxy server to a DNS server configuration.
423137 The compression setting pull-down is available on the Network Access resource page. If an end-user sets this to GZIP when compression is not licensed, the system posts a TMM error explaining that compression license limit has been exceeded for the day. GZIP compression appears available when it is not. Set compression to 'GZIP compression' using a box that does not have compression licensed. Run traffic. Set compression to none.
423161 When a Network Access session and an APM session are closed simultaneously, one of these logs is written: apm logs: "VPN Cleanup: failed to release IPv4 ERR_ARG"; tmm logs: "address <p> in leasepool <lease pool> is unassigned - can't release". This happens when a Network Access resource and a Network Access webtop are assigned using the Advanced Resource Assign action, and the Network Access session is closed. These are notice level logs and not errors.
424368 A statement such as: parent.document.write(some_html_with_script) hangs up the parent frame for Internet Explorer browsers. Some web-applications are affected by this bug. Internet Explorer 10 through Internet Explorer 11
424704 Profile Access is a prefix for the names of Access Profile, Access Policy Actions, and Access Policy Agents. If you copy an access profile and Profile Access is very long, there is a possibility that the copy might result in an invalid configuration. Serious or Critical. Configuration fails to load. Exported configuration fails to import. More than 80 letters in the mcpd name of an action; multiple actions of a similar type, where the first action ever created was deleted. (Very rare config.) If such a configuration exists, it is necessary to manually edit bigip.conf with the following steps: 0. Back up bigip.conf. 1. Determine which actions share the same agent. 2. Duplicate the agent under a different name. 3. Change one action to use the agent created in step 2. 4. Save the edited bigip.conf. 5. Reload the configuration.
426209 If there are a large number of APM report records, exporting them to a CSV file might fail and the Admin GUI can then become inaccessible. The Admin UI is inaccessible. When the amount of report data is large. Avoid exporting large amounts of report data.
426963 When the client sends an HTTP POST with an Expect: 100-continue header, APM will fail to forward it to the backend server. The client will wait about 3 seconds to timeout before sending the actual data of the POST request. The client will not receive a 100-continue. Usually, it waits for about 3 seconds and then forwards the data anyway. The following iRule appears to resolve the issue:
when HTTP_REQUEST {
    if { ([HTTP::method] eq "POST") && [HTTP::header exists "Expect"] } {
        HTTP::header remove "Expect"
        SSL::respond "HTTP/1.1 100 Continue\r\n\r\n"
    }
}
427745 In APM RSA SecurID authentication, when PIN reset is required for RSA and the APM logon page is localized to use o/n (oui/non in French) or si/no (in Spanish) in place of Y/N, it does not work; it only accepts y or n. APM RSA SecurID authentication PIN reset does not accept French or Spanish responses from an APM localized Logon page. In APM RSA SecurID authentication, when PIN reset is required for RSA and the APM logon page is Localized, o/n (oui/non in French) or si/no (in Spanish) for Y/N do not work. To work around the problem, use y/n in place of o/n (oui/non in French) or si/no (in Spanish).
428904 Printer redirection and keyboard redirection ('special keyboard commands') in non-fullscreen mode do not work on Microsoft Windows version 7 or 8. User is not able to use local printers remotely as well as 'special keyboard commands' (for example, ALT+TAB) in non-fullscreen mode. This happens when the client OS is Windows version 7 or 8. To work around the problem, use fullscreen mode to use local printers remotely as well as 'special keyboard commands' in Windows version 7 or 8.
429561 The list of User-defined ACLs is expected to display only ten listings per page. If more than ten ACLs exist, end-users can switch between listing pages by selecting the page number or the "Show All" option from the drop-down element under the lower right of the main table. Similarly, end-users should be able to click the arrows that appear to either side of the aforementioned drop-down element to navigate to a different page of listings. Currently, only the first ten ACLs are listed even when the end-user selects a different page number from the drop-down or when the navigation arrows are used. End user may be unaware of all ACLs that exist. When more than ten User-defined ACLs exist. From the drop-down element, the "Show All" selection will still work to display all listings. Alternatively, `tmsh list apm acl` can be run from the command line.
429915 It returns HTML representation of some internal data structure instead of actual things we added to the tag, and all the values we have not defined explicitly are in their default state. Additionally it tries to copy <param name="movie"... value to <param name="src"... and vice versa. In some corner cases of operations with innerHTML, we could lose the value of "movie" parameter. No video displayed. Display blank screen instead of video in Internet Explorer. iRule workaround:
when HTTP_REQUEST {
    set is_youtube 0
}
when REWRITE_REQUEST_DONE {
    # workaround for IE/Flash ActiveX feature
    set is_youtube 0
    if { "[HTTP::host][HTTP::path]" matches_glob "*.js" || "[HTTP::host][HTTP::path]" matches_glob "*/www_common_mod.js" } {
        set is_youtube 1
    }
    if { $is_youtube == 1 } {
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }
}
when HTTP_RESPONSE {
    if { $is_youtube == 1 } {
        if { [HTTP::header exists "Content-Length"] and [HTTP::header "Content-Length"] <= 1048576 } {
            HTTP::collect [HTTP::header Content-Length]
        } else {
            HTTP::collect 1048576
        }
    }
}
when HTTP_RESPONSE_DATA {
    if { $is_youtube == 1 } {
        set yt_loc [string first {;} [HTTP::payload]]
        if { $yt_loc >= 0 } {
            HTTP::payload replace $yt_loc 1 {;e.src=}
            set is_youtube 0
        }
        HTTP::release
    }
}
430976 Some of Portal Access wrappers for client-side JavaScript code could use slow version of HTML rewriting code. In old versions of Internet Explorer, it could take more than a minute to process assignment of 2.5Mb of HTML code in JavaScript. User could notice it when browser window freezes for several seconds. Pages accessed through Portal Access might not be responsive for several seconds. This issue has no workaround at this time.
431077 You cannot use tmsh to change the logging level for Secure Web Gateway content analytics. End-user cannot modify the logging level for the Content Analytics Server using the tmsh CLI. To work around the problem, you can perform the following steps: 1. Use SSH to connect and log into the BIG-IP system. 2. Change directory to /var/antserver/wsgsdk/config/ant_server. 3. Open the ant_server.config file for edit and modify the ANT_SERVER_LOG_LEVEL variable to desired level. Note: The ANT_SERVER_LOG_LEVEL variable can range from 0 (Log Nothing) to 8 (Extra Debug). The variable is set to 3 by default.
431337 The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11.
432020 By default, Internet Explorer 11 starts with Enhanced Protected Mode enabled and the browser process runs inside AppContainer. Enhanced Protected Mode (AppContainer technology) in Internet Explorer 11 prevents the interception of connection requests. As a result APM App tunnels cannot redirect traffic to a proxy running on the loopback address. You can work around the problem in one of these ways: 1. Disable Enhanced Protected Mode in Internet Explorer 11. 2. Add the backend server to the Trusted Sites or the Intranet Sites list.
432338 If the original JAR file has a long header (longer than 72 bytes) in its Manifest file that is split onto several lines with continuations (each continuation line starts with a single SPACE), the header is concatenated after APM JAR patching, which causes a Java exception (IOException: line too long). Broken JAR functionality. Portal access of a JAR file with a long (longer than 72 bytes) header in the Manifest file. This issue has no workaround at this time.
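For issue 432338, a check that finds over-long physical lines in a MANIFEST.MF and re-folds them with single-SPACE continuations, given here as an added example that is not F5 code. It assumes the 72-byte limit is counted without the line terminator, and the "patched" manifest is a constructed stand-in for the concatenated header the issue describes.

```python
LIMIT = 72  # assumed: maximum bytes per physical line, terminator excluded


def physical_lines(manifest):
    """Split manifest bytes into physical lines without their terminators."""
    return manifest.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")


def overlong_lines(manifest, limit=LIMIT):
    """Return (line_number, byte_length) for each physical line over the limit."""
    return [(number, len(line))
            for number, line in enumerate(physical_lines(manifest), start=1)
            if len(line) > limit]


def unfold(manifest):
    """Join continuation lines (leading single SPACE) onto the header they continue."""
    logical = []
    for line in physical_lines(manifest):
        if line.startswith(b" ") and logical and logical[-1] != b"":
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def fold(logical_line, limit=LIMIT):
    """Split one logical header into physical lines of at most `limit` bytes."""
    parts = []
    rest = logical_line
    room = limit                      # the first line carries no leading SPACE
    while len(rest) > room:
        cut = room
        # Do not cut inside a multi-byte UTF-8 sequence (continuation bytes are 10xxxxxx).
        while cut > 0 and (rest[cut] & 0xC0) == 0x80:
            cut -= 1
        if cut == 0:                  # not valid UTF-8; fall back to a plain byte cut
            cut = room
        parts.append(rest[:cut])
        rest = rest[cut:]
        room = limit - 1              # continuation lines spend one byte on the SPACE
    parts.append(rest)
    return [parts[0]] + [b" " + part for part in parts[1:]]


def refold(manifest, limit=LIMIT):
    """Rewrite the manifest so that every physical line fits within the limit."""
    lines = []
    for logical in unfold(manifest):
        lines.extend(fold(logical, limit))
    return b"\r\n".join(lines)


# Constructed sample data: a 173-byte Class-Path header.
CLASS_PATH = b"Class-Path: " + b" ".join(
    b"lib/constructed-dep-%02d.jar" % i for i in range(6))
# Manifest as correctly folded, and the same manifest with the header joined
# into one physical line.
ORIGINAL = b"Manifest-Version: 1.0\r\n" + b"\r\n".join(fold(CLASS_PATH)) + b"\r\n\r\n"
PATCHED = b"Manifest-Version: 1.0\r\n" + CLASS_PATH + b"\r\n\r\n"

if __name__ == "__main__":
    print("over-long lines in patched manifest:", overlong_lines(PATCHED))
    print("re-folded manifest matches original:", refold(PATCHED) == ORIGINAL)
```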
432515 The external logon page does not post the Action required pop-up dialog box of BIG-IP Edge Client. The impact is that the user does not know that there are required actions to perform. This occurs when APM uses the external logon page. To work around this issue, you must inject the following JavaScript code into the External Logon page:
<body onload="OnLoad()">
...
<script language="javascript">
function OnLoad() {
    try {
        if ("undefined" != typeof(window.external)
            && "unknown" != typeof(window.external)
            && "undefined" != typeof(window.external.WebLogonNotifyUser)
            && "unknown" != typeof(window.external.WebLogonNotifyUser)) {
            window.external.WebLogonNotifyUser();
        }
    } catch (e) { alert(e); }
}
</script>
433242 SAML Single Logout (SLO) does not work when all of the following are true: The BIG-IP system is acting as a SAML Identity Provider (IdP) or SAML Service Provider (SP); The other party configuration has SLO configured; The SP connector or IdP connector on the BIG-IP system is missing a SAML SLO Request URL or SAML SLO Response URL. SAML SLO does not work. If SAML SLO is configured with SAML other party and other party does not have both SLO Request URL and SLO Response URL. To work around the problem, configure both SAML SLO Request URL and SAML SLO Response URL for SP and IdP connectors.
433585 URLs in RSS feeds are not rewritten. URLs in RSS feeds are not rewritten. Rewriting XML that carries RSS feed content for browser.
433752 Web applications might rewrite their event handlers. Event handlers might become corrupted. If a web application edits event handlers dynamically. None.
434464 If a JavaScript function contains an Internet Explorer conditional compilation directive and a 'try ... catch' block inside this directive, it becomes inaccessible before declaration after re-writing. JavaScript code stops the execution if forward reference to such function exists. Invocation of JavaScript function with conditional compilation and try...catch block inside can't be used before declaration. To work around the problem, if possible, move the function definition prior to all references to this function. Custom iRule can be used to implement it. No general iRule exists.
434547 Intermittently, when deleting an AAA OAM server object, the corresponding configuration does not clear from the BIG-IP system at /config/aaa/oam/<partition_name>/. This does not impact any OAM functionality. Still, as a workaround, the administrator can manually delete the OAM server configuration directory under /config/aaa/oam/<partition_name>/ if it is not automatically deleted. This is an intermittent issue and happens on AAA OAM server deletion operation. After deleting the AAA OAM server object, manually delete the corresponding directory from the BIG-IP system using rm -rf.
434831 When the client connects to APM (with Safari) and launches the Application Tunnel, the tunnel will be created, but the application configured to launch will not. There is no error; the only indication is that the application is not started by the Application Tunnel. As a result, a user cannot auto-start an application on Application Tunnel start. User would need to open application manually. This happens after a user upgrades their OS X to version 10.9 (Mavericks), connects to APM and launches a Java Application Tunnel configured to launch an application when it starts. To work around the problem: 1. Use Firefox browser. 2. Disable Safe mode for the required host. Select Safari preferences > Security Tab > Manage Website Settings >. 3. In the left panel, choose Java. 4. For the required host, choose Run in Unsafe mode.
434834 Content served with 'Last-Modified' or 'ETag' HTTP headers, and requested with 'If-Modified-Since' or 'If-None-Match' could be loaded from browser cache. Stale page content and JavaScript errors on pages served through Portal Access after upgrade of APM. In the case of APM upgrade this means that browser could use content patched with old version of APM Portal Access and this leads to all kinds of compatibility issues with F5 JavaScript code. Remove 'If-Modified-Since' and 'If-None-Match' headers in HTTP_REQUEST event with iRule.
434837 Portal Access should be able to check whether JavaScript files were processed by current version of BIG-IP APM. This leads to broken or incompletely rewritten web applications: stale script content and JavaScript errors on pages served through Portal Access after upgrade of APM. Scripts loaded from browser cache and rewritten by different version of Portal Access might be not compatible with current patching method. This issue has no workaround at this time.
435277 When an OAM AccessGate object is deleted from UI, the corresponding directory on the BIG-IP system does not get deleted automatically as expected. The BIG-IP system directory corresponding to the deleted OAM AccessGate object is not deleted: /config/aaa/oam/<partition_name>/<aaa_oam_server_obj_name>/. OAM AccessGate object is deleted from UI.
435542 In some cases re-installation of the VPN driver on Windows 8.1 requires a system reboot. Without reboot the user can be presented with this error: "The modem (or other connecting device) is already in use or is not configured properly."
435719 When AD Query is configured before AD Auth in an Access Policy, and the password expiration warning is enabled, or the user password is expired and the user types the wrong original password, then password change fails. However, the BIG-IP system continues to prompt for new credentials until reaching the value specified for Max Password Reset Attempts Allowed and all attempts fail because the original password is incorrect. As a result, a user cannot change password after first typing the wrong password at logon page. The problem occurs when: 1. AD Query is configured before AD Auth in an Access Policy and password expiration warning is enabled or 2. The user password is expired and the user typed the wrong original password. You can work around the problem in one of these ways. 1. Close the tab or browser and open the logon page in a new tab or new browser window or 2. In the same browser, remove everything after FQDN/ and click Enter. That will initiate a new session.
435891 HTML5 Web Workers are not supported under Portal Access. HTML5 Web Workers can't be used in web-applications with Portal Access. If HTML5 Web Workers are used by web-application. None
436196 Searches on event logs for Secure Web Gateway time out when the number of records is close to the maximum, 1 million, that can be stored. User will see the timed out error in GUI. If the local db has the capacity volume such as 1 million records, GUI times out. A simple custom search works fine.
438056 The APM Network Access client for Windows systems can fail to establish a VPN connection if the client SSL profile is configured with the options no-tls or sslv3 and the BIG-IP system selects an AES cipher. Windows Schannel API does not consider AES as a valid cipher for an SSLv3-only connection and can reject the connection to the BIG-IP system. Only affects deployments in which the default configuration has been modified to disable TLS and enable SSLv3, an unlikely scenario. Explicitly disable TLS in client-ssl profile and enable SSLv3. An unlikely configuration in real customer deployments. If you restrict client SSL to SSLv3-only, you might need to exclude AES ciphers (defined in RFC3268) by adding ':!AES' to the 'ciphers' option in the client-ssl profile to work around compatibility issues with Windows clients, for example:
ltm profile client-ssl clientssl_ssl3_only {
    ...
    ciphers SSLv3:!AES
    ...
}
438344 APM WebSSO (SSOv1) incorrectly handles POST request to Start URI. WebSSO does not update Content-Length on sending to backend server. WebSSO appends SSO parameters to the payload from a POST request without adding the ampersand (&) delimiter. This issue has no workaround at this time.
438548 Access policy visual policy editor item created with a branch caption of "none" cannot be opened or edited properly after being exported and re-imported. Any access policy action. A branch caption of "none" for an access policy visual policy editor item. In visual policy editor: Before you export an access policy, check for elements with caption "none" in branch rules and change the caption. To avoid this issue, refrain from using the name "none" for branch rules.
438958 If an administrator sets the Maximum Session Timeout to 0 (zero), APM interprets it as exactly 7 days instead of interpreting it as infinite as expected. Affects all versions after 11.0.0. Set the Maximum Session Timeout to 0. Put a really large value for the session timeout. For example, 999999999 is an allowed value, which will be about 31 years and 8 months, effectively "infinite".
439680 A BIG-IP system configured as a Service Provider (SP) supports only rsa-oaep for key transport. When the BIG-IP system configured as SP receives a SAML assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails. The only issue here is that the error reported does not directly point to the cause of failure, which makes troubleshooting more difficult. Troubleshooting could take longer. A BIG-IP system configured as an SP receives a SAML assertion that is encrypted or contains encrypted attributes. There is no workaround.
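For issue 439680, a troubleshooting aid that reads the key transport algorithm out of a captured SAML message before any decryption is attempted, given here as an added example that is not F5 code. It assumes the page's "rsa-oaep" means the XML Encryption URI ending in rsa-oaep-mgf1p; the sample messages and the function names are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
# Assumption: the page's "rsa-oaep" is the XML Encryption 1.0 URI below.
SUPPORTED_KEY_TRANSPORT = {XENC + "rsa-oaep-mgf1p"}
# SAML elements that wrap xenc:EncryptedData (assertion, attribute, name ID).
CONTAINERS = ("EncryptedAssertion", "EncryptedAttribute", "EncryptedID")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def key_transport_findings(saml_xml):
    """List the key transport algorithm of every xenc:EncryptedKey in a message.

    Meant for captured messages during troubleshooting; for untrusted input,
    parse with a hardened parser such as defusedxml instead.
    """
    root = ET.fromstring(saml_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for enc_key in root.iter("{%s}EncryptedKey" % XENC):
        method = enc_key.find("{%s}EncryptionMethod" % XENC)
        algorithm = method.get("Algorithm") if method is not None else None
        # Walk up to the SAML element this key belongs to.
        node, container = parents.get(enc_key), "unknown"
        while node is not None:
            if _local(node.tag) in CONTAINERS:
                container = _local(node.tag)
                break
            node = parents.get(node)
        findings.append({
            "container": container,
            "algorithm": algorithm,
            "supported": algorithm in SUPPORTED_KEY_TRANSPORT,
        })
    return findings


def explain(findings):
    """Turn unsupported findings into messages that name the actual cause."""
    messages = []
    for finding in findings:
        if finding["supported"]:
            continue
        algorithm = finding["algorithm"] or "(no EncryptionMethod)"
        messages.append("%s: key transport %s is not supported; decryption will fail"
                        % (finding["container"], algorithm))
    return messages


# Constructed sample message; the cipher values are placeholders, not real ciphertext.
SAMPLE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{key_alg}"/>
          <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""
SAMPLE_RSA15 = SAMPLE_TEMPLATE.format(key_alg=XENC + "rsa-1_5")
SAMPLE_OAEP = SAMPLE_TEMPLATE.format(key_alg=XENC + "rsa-oaep-mgf1p")

if __name__ == "__main__":
    for name, message in (("rsa-1_5", SAMPLE_RSA15), ("rsa-oaep", SAMPLE_OAEP)):
        print(name, explain(key_transport_findings(message)) or "key transport OK")
```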
439808 Modifying the change_password field from 0 to 1 within a CSV file and then importing it has no effect. An administrator cannot force password changes by modifying a CSV file prior to import. This means that a bulk update is not possible. Modify the change_password field for an entry from 0 to 1 and import the modified file. An administrator can select the "Force Password Change" option when creating and updating the properties of Local User DB entries.
439887 Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM Portal Access from the Chrome v.31.x browser. Navigation and message copy/move operations can be done using the keyboard only; mouse operations might not work. There is no workaround.
439965 BIG-IP APM currently cannot handle multiple browser tabs trying to create sessions at the same time. The most common example is saving multiple homepages in a web browser. When the web browser opens, requests from these tabs are sent within milliseconds. This can cause very unpredictable behavior where sometimes it will function correctly, and other times there will be connection resets or the user will see error pages. This can cause very unpredictable behavior: sometimes it will work, other times there will be connection resets, and other times the user will see error pages. Affects all APM products, except SWG. This applies any time a user is attempting to create a new session. Once a session exists, multiple tabs are supported. If the user is already authenticated and has a session, then multiple tabs can be opened. However, there is no workaround for session creation.
440203 When you use an iApp to create an APM service, after the access policy and related objects are created, the notification Apply Access Policy on the GUI might still be enabled. This happens even though the generation number in the corresponding access profile has been increased by 1. To disable this notification, you can click the Apply Access Policy link. The Apply Access Policy notification on the GUI is turned on even though the generation number in the corresponding profile access has been increased by 1. This happens when you create an APM service with an iApp. To work around this problem, you can click the Apply Access Policy link to turn off this notification. Alternatively, you can modify the iApp script by putting the command "tmsh modify apm profile access <NAME> generation-action increment" into a different transaction. You can do this by creating a shell script from the iApp script: 1. The shell script consists of two lines:
sleep <SAY 5 SECONDS>
tmsh modify apm profile access <NAME> generation-action increment
2. In the iApp script, execute the shell script in the background.
440375 Under the Built-in Administrator account inside Protected Workspace, a VPN connection cannot be established if VPN components are not installed already. User cannot connect using VPN if above conditions are met. This occurs when a user is using Built-in Administrator account on Windows 8 or 8.1 and tries to connect through VPN inside Protected Workspace and VPN components are not installed yet. To work around the problem, install VPN components before Protected Workspace on an account other than Built-in Administrator.
440395 If you have an HA pair and try to reset AD cache (group cache or PSO cache), the standby node logs this misleading message: "Cannot cleanup cache if other options were changed for AAA AD Server." The message can be skipped. There is no functional impact. HA is configured; the AD module is configured to use caches (password warning option is enabled AND/OR fetch nested groups option is enabled AND/OR fetch primary group is enabled AND/OR password complexity check option is enabled); the admin is trying to reset any of the caches at the active node.
440505 Browser recognizes page loaded with URL without default port and page loaded after receiving Location header that contains rewritten URL with default port included in it as different pages and loads page twice. Resource is loaded twice and this can possibly change behavior of backend. Resource is loaded through Portal Access; page is loaded after receiving Location header with default port included in rewritten part; navigation occurs to this page without default port in domain part (for example, to anchor in this page). This issue has no workaround at this time.
441397 Oracle Access Manager (OAM) Access Gate initialization in simple mode takes 2-3 minutes for completion. This delay is noticed only in OAM simple mode while generating certificate and 1024 bit RSA private key. When no config cache exists, OAM initialization generates a new SSL certificate, and private key generation leads to delay. User experiences unnecessary delay. OAM set to simple mode. Total impact of delay can be reduced by resetting the environment variable OAM_WEBGATE_INIT_RETRY_COUNT to a lower value in /etc/bigstart/scripts/eam. The OAM_WEBGATE_INIT_RETRY_COUNT variable determines the number of retry attempts made when an accessgate initialization fails.
441537 In APM form-based SSO, some special characters are incorrectly URL-encoded for certain fields, such as hidden parameters. (This does not apply to form-based client-initiated SSO.) Form might not work as expected. This occurs when using form-based client-initiated SSO with a hidden parameter that contains a special character, such as dash ( - ), underscore ( _ ), period ( . ), exclamation mark ( ! ), tilde ( ~ ), asterisk ( * ), left round bracket ( ( ), right round bracket ( ) ), and backslash ( \ ). To work around the problem, use form-based client-initiated SSO if possible. Form-based client-initiated SSO has the correct URL encoding implementation. Alternatively, use an iRule to change the special ASCII characters back to the correct character.
442532 Response could not be sent to remote client. This happens rarely with huge access policy configuration. We could not reproduce the issue. Box still works okay. Reconnect works. Conditions leading to this issue are not yet known. This issue has no workaround at this time.
444767 Access to Office365 Outlook Web Access services using Portal Access is broken for HTML5-supported browsers. The user is redirected to the APM Logout page after successfully logging in to Office365. User cannot get access to Mailbox in Office365 Outlook Web Access through Portal Access using HTML5-supported browsers. This example iRule disables OWA offline-caching support:
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/owa/manifests/appcachemanifesthandler.ashx" } {
        HTTP::respond 404
    }
}
446187 If a certain BIG-IP service is started and working and another instance of the same service is started manually, the original one spins in a loop, consumes around 100% CPU, and becomes nonfunctional. These services are affected: apd, websso, eam, acctd, aced, rba. Service becomes unavailable. A service is started manually, either using a binary located in the search path (for example, /usr/bin/) or using a script located at /etc/bigstart/scripts/. Never start any daemon manually. The proper way to start, stop, and restart daemons on the BIG-IP system is to use the bigstart utility: bigstart start <name>, bigstart stop <name>, bigstart restart <name>.
447051 Access Policy import fails if the policy has at least one customization image file associated with it. Users are unable to import the exported policy. Policy contains at least one customization image file. Use the following steps to work around the issue: 1. cd /shared/tmp/impor. 2. Open the import-abcd-abcd.conf file. 3. Delete the duplicate occurrence of config entry for the file corresponding to the error, such as the following: ' apm policy image-file /Common/swapnil-img_0_HQ_1.jpg { local-path /shared/tmp/import/imp-140131-213953-995/res/5_Common_img_0_HQ.jpg }'. 4. Run the command: tmsh load sys conf merge file <filename.conf>.
450136 Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles. Customer will see chunk boundaries on the web page. Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked. To work around this problem, use an iRule to always rechunk the HTTP response.
451982 In some cases the web interface will show that an Access Policy Sync Operation has failed with the specific error "The folder /Common/POLICYSYNC_ap1 cannot be deleted because it is not empty." Administrator cannot sync an Access Policy with the same name to more than one Device Group. This issue occurs when Administrator attempts to sync an Access Policy with the same name to more than one Device Group. Administrator must ensure that differently named Access Policies are used when performing Policy Sync to different Device Groups. The easiest way to use the same Access Policy with different names would be to select the "Copy..." link on the Access Policy >> Access Profiles List GUI page. Provide a new name for the profile being copied. Once the Access Profile is copied, the administrator will need to select the new name from the Access Policy Sync page to sync to the second device group. This would need to be performed for each device group beyond the first.
452059 When the storage partition for MySQL is full and the system is under a heavy load, logd can go into a busy wait looping state. Daemons that depend on logd might also get into a state waiting for logd services. Only when disk partition of MySQL is full. This is an error case; the MySQL shall rotate, also logd produces chatty logs only during stress tests. To work around the problem, clean up the disk partition of MySQL.
453166 Rewrite writes many recovery logs. Portal Access is not available. Rewrite plugin recovery procedure sometimes resets the plugin to an unstable state.
454306 When HTML style attributes with HTML entities are rewritten, it results in direct or incorrect links to resources. It results in broken styles in web application. This occurs when using HTML style attributes with HTML entities. There is no general workaround, but custom iRules can be used.
454509 The on screen keyboard doesn't work inside Windows Protected Workspace for Windows 8 tablets. On screen keyboard cannot be used. Windows 8 tablet is used to connect to APM and Protected Workspace is configured on the server. There is no workaround.
458737 In non-printable values of AD/LDAP attributes, BIG-IP processing escapes the "|" (pipe) character. This creates a problem when the value is processed back to its previous value, a process that includes removing the escape characters. In this case, the resulting data does not match the original binary data. This occurs when there is an AD/LDAP query in use and the query returns binary attributes with the "|" (pipe) character. Unescape binary attribute values after hexdecode manipulation to match the original value.
461084 When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header prior to the "HTTP 401" challenge, authentication fails. Authentication can fail and the client might see a login prompt again when the IP address changes. An auth request to the BIG-IP systems contains Authorization header; Kerberos Auth is configured. None
463230 If a child process is killed, cored, or dies, the parent process does not restart it and the service stops serving SecurID authentication. SecurID authentication failed, but service recovered by runsv. In some exceptional cases, the child process exits.
468130 When Kerberos authentication is used with request-based authentication (RBA) enabled, the first POST request sent to the BIG-IP system could be replaced by a dummy POST and authentication then fails. This can occur when the BIG-IP system is configured as a SAML Identity Provider (IdP) and the http-post SSO binding is used. Some functionality may not behave properly; for example, when the BIG-IP system is configured as a SAML IdP and an http-post SSO binding is used, AuthnRequest can get lost and authentication will fail. The problem occurs under these conditions: 1. RBA is enabled. 2. Kerberos Auth is used. 3. The first request to the BIG-IP system before session has been established is a POST request. To work around the problem, edit the access policy and, in the properties for the Kerberos Auth item, set Request Based Auth to Disabled.
469852 Users lose connectivity to resources through VPN when forwarding virtual servers are disabled. User loses connectivity to resources through VPN. This occurs when forwarding virtual servers are disabled and the connectivity profile is enabled. Network Access connectivity works if all the forwarding virtual servers are enabled or deleted completely.
469974 The timed out/error value shown in the APM New Session performance graph is supposed to show only the count for sessions that were terminated due to inactivity or error while in the access policy evaluation state. However, it also includes sessions that were timed out after they passed access policy evaluation. As a result, the timed out/error value is larger than the actual value. N/A If sessions are timed out in established state, the stats will show up in the New Session graph. None
470389 Garbled characters (or control characters) are seen in the /var/log/apm log file. Unnecessary garbled characters occur in log messages. This issue occurs under the following conditions: username/password are not provided when accessing the virtual; Network Access resource is launched and VPN is established; and when accessed from another browser, the first session is killed and sometimes garbled characters appear. There is no workaround at this time.
472382 The VMware View Logon page for RADIUS does not display a challenge message when challenge occurs on the RADIUS server. The user will see a generic message that a challenge event occurs. The next tokencode challenge process consists of three steps, each with a different challenge message, but the user sees one standard message on all three steps." RADIUS authentication is used for View Client. To work around the problem, use RSA SecurID authentication.
472446 A config sync or tmsh transaction might fail and make mcpd restart if the config sync or tmsh transaction includes a misconfigured object and simultaneously includes a customization group template file. The config sync or tmsh transaction fails, and mcpd exits. Note: Avoid configurations that put customization group template file objects through a config sync or tmsh transaction, when that transaction might contain an object configured with an invalid value. This results in a configuration error. Here is one example of the types of messages you might see when this occurs: -- info mcpd[12395]: 01071528:6: Device group '/Common/f5omb' sync inconsistent, Incremental config sync may not be complete on one or more devices in this devicegroup, Sync status may not be consistent until incremental config sync is complete. -- err mcpd[12395]: 01070734:3: Configuration error: Cannot apply template as cache path for (customization template file customization group /Common/ap_deptSharePt_act_logon_page_ag) cannot be empty. -- err mcpd[12395]: 01070596:3: An unexpected failure has occurred, - apm/validation/APMCustomizationFileObject.cpp, line 1825, exiting... -- info sod[5467]: 010c0009:6: Lost connection to mcpd - reestablishing. -- err zxfrd[12033]: 0153e0f7:3: Lost connection to mcpd. The config sync or tmsh transaction includes a misconfigured object and includes a customization group template file. None.
473488 Access policy daemon (apd) consumes approximately 100% CPU and puts a heavy load on the network sometimes when resolving nested groups in AD Query. The AD Group Cache updates in a loop. The impact of this issue is that the user will be unable to resolve nested groups and unable to finish AD Query. This issue occurs when the user belongs to a parent domain, and is a member of a group that belongs to a sub-domain. For example, user belongs to, group belongs to; the user is a member of the group. The "fetch nested groups" option is enabled for AD Query. There is no workaround at this time.
480283 Some backend servers cannot be accessed using BIG-IP Edge Portal for iOS over mobile networks. Authentication fails (a cookie related to authentication goes missing). It also happens when connected using WiFi but much less often (possibly due to timing). The impact of this issue is that web-application logic can be broken. Web-application fails to update cookie when running Edge Portal on mobile networks. The issue is intermittent and hard to reproduce. This issue has no workaround at this time.
480553 The log entry with geo data will always be found in /var/log/apm, but it might not show up in the local log database. This problem happens intermittently in version 11.2.0 and 11.2.1. The impact of this issue is that no geo data is found in log reports for some APM sessions. Conditions leading to this issue include: Error in log macros. This issue has no workaround at this time.
481659 Recurring check fails during connection. Recurring check fails. The problem occurs when APM BIG-IP virtual server DNS record has been updated or DNS load balancing is used. Mac or Linux client is used.
482976 AppTunnel fails with two resources, one with protocol type and the other with port range. This occurs when the following conditions are met: 1. The App tunnel resource contains a resource item configured with a protocol type and order 1. 2. The App tunnel has another resource item configured with port range and order 2. AppTunnel cannot be established. This occurs when the following conditions are met: 1. The App tunnel resource contains a resource item configured with a protocol type and order 1. 2. The App tunnel has another resource item configured with port range and order 2. To work around the problem, reverse the order, making the port range resource item order 1 and the protocol type order 2.
485465 TMM may restart when Single Logout (SLO) request/response contains an invalid 'Issuer' attribute. TMM restarts. SLO is configured on BIG-IP as SP or IdP. SLO request or response is received from SP/IdP for which there is no current session. Disable SLO.
487859 Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI. All users imported without UIDs will be mapped to one user's detail entry (that is, fname, lname, email, and so on). So all such users show the same first name, last name, email, and other user details. When importing the local DB user from the CSV file, with no UID value provided. There is no workaround.
488811 When a user logs on using Network Logon in Windows, it triggers access policy execution, and the policy creates a temporary user, f5 Pre-Logon User. This causes the operating system to create a profile folder on the computer. After several executions, these folders start to accumulate because they are not removed properly after policy execution is complete. Each time the access policy runs, it creates a user folder of the form f5 Pre-Logon User.<HOSTNAME>.xyz in the C:\Users folder. Disk runs out of space and user is confused. A user logs on to the computer using Network Logon in Windows. (Windows Logon Integration) To work around the problem, delete folders manually.
492122 Temporary user "f5 Pre-Logon User" is created and deleted each time it is used, which prevents the performance of domain operations like adding that user to a specific domain group or setting properties, because the SSID changes every time. As a result, it is impossible to manage the temporary user "f5 Pre-Logon User". This happens when both of these conditions exist: 1. Windows Logon Integration is used. 2. Enforce access policy execution option is selected.
493106 The HTTP parser logs a clear text password in the /var/log/apm log file from a debug log message. This occurs only when the accesscontrol log level is debug and HTTP authentication of type Basic is used in the access policy. A clear text password is logged in /var/log/apm. The accesscontrol log level is debug and HTTP authentication of type Basic is used in the access policy. Change the accesscontrol log level to informational or higher.
494135 If 'eval' JavaScript call is redefined in HTML page, event handlers may not work correctly. Web application may not work correctly. In the worst case scenario, the browser (Internet Explorer 9 or later) may crash. There may be many ways to re-define 'eval'. For example: <form> <button name=eval onclick="someFunction();">Button</button> </form> In this case 'onclick' event handler will not work through Portal Access. There is no workaround at this time.
494435 Policy sync fails with error status "Created failed on target" on target devices. Policy sync function fails. 1. Create a connectivity or rewrite profile from the default one. 2. Create another child profile using the one created above as parent. 3. Create a virtual server, with the child connectivity and/or rewrite profile, and an access policy. 4. Initiate a policy sync for the access profile. To work around the problem, when you create a connectivity or rewrite profile, only use the default profile as parent; or, have the non-default parent profile sync first to target devices.
495128 If a client machine uses proxy and Network Access does not specify any proxy, then Safari should not use proxy for some Network Access resource after the Network Access tunnel is created. However, Safari does so. This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing. Apple has been notified: rdar://problem/18651124. As a result, some Network Access resource might be unavailable. The problem occurs when all of these conditions exist: 1. OS = Mac OS X Yosemite. 2. Configuration = Client machine has local proxy configured and Network Access on BIG-IP system access policy does not specify any proxy. 3. Action = Accessing Network Access resource after tunnel is created. There is no workaround at this time.
502016 Some client components do not log version numbers in the log file. Lack of version numbers in the log file. Mac client components. None.
507899 In a custom APM report, the Assigned IP field shows IPv4 instead of the assigned IP value. The report content is not correct. If user creates a custom report with 'Assigned IP' as a field and runs the report, the content of Assigned IP is the IP type rather than the correct IP. Use one of the built-in reports, All Sessions or Current Sessions, to get the correct content for the Assigned IP field.
509010 It takes about 30 seconds to add or to delete a local user. The add or delete operation incurs a delay of approximately 30 seconds. This occurs when using the GUI to add or delete local users (on the GUI Access Policy :: Local User DB :: Manage Users screen). None.
510337 The page-not-found result for APM uses the incorrect stylesheet, resulting in incorrect page formatting (404 response). Inconsistent page appearance for the 404 response page. This can happen when user enters an invalid URL suffix after the BIG-IP system management address. Modify the file main.css to apm.css.
511385 <SecurID Soft Token Messages> are not translated. Minimal. They are valid customization entries in English and could be translated by admin. Always in case of SecurID soft token error. Customization has entries for this, so they are translatable.
518153 Policy Sync fails for an access policy that was generated from an iApp. Policy sync function does not work for policy created by iApp. Use iApp template to create an application which includes access policy. Initiate a policy sync on the access policy. Use Config Sync at least initially to sync the iApp template, the application, and even all the objects in the application to the target device. Afterwards, you can use policy sync to sync the policy.
518550 Incorrect value of "action" form attribute may be used inside "onsubmit" event handlers if original "action" is an absolute path. Web application may work incorrectly. HTML form with absolute path in "action" attribute; "onsubmit" event handler for this form. There is no general workaround. But if "action" value can be converted to relative path or to full URL (with host), this can be done using iRule.
519059 Any attribute URL in HTML content is rewritten as "javascript:location=..." if a <base> tag is situated before the tag with the attribute, a content hint is not set in the HTML rules for the attribute, and it is not the cookieless mode. Rewritten links are not accessible. Webapp link is not properly patched. N/A
520088 When trying to connect with Citrix HTML5 Receiver, the initial tour screen does not display properly. A badly formatted page without icons displays. Bad GUI experience. User is presented with a badly formatted page without icons. APM is configured for Citrix replacement mode and Citrix HTML5 Receiver client 1.4-1.6 is used. 1. Open /config/bigip.conf for edit. 2. Replace "content-type text/plain" with "content-type text/css" in HTML5Client(.*).css sections. 3. Replace "content-type text/plain" with "content-type text/javascript" in HTML5Client(.*).js sections. 4. Save the file. 5. From the console, type this command: tmsh load sys config
521822 Referer header received by backend contains in the path component(s) 'f5-w-doubledot'. Backend can be confused after receiving referer header with different value. There were doubledot components in referer URL (for example: '../../test.html'). Custom iRule can be used to fix referer header value; no general iRule exists.
522124 Secondary MCPD restarts when the admin creates APM SAML IdP Connector (or SP Connectors) from attached metadata on the primary blade. Secondary slot's MCPD restarts. BIG-IP chassis with multiple blades where the configuration includes APM SAML IdP Connector or SP Connector created from attached metadata file.
522590 DNS Relay proxy service does not resolve static hosts if no DNS server is configured at the Network Access resource. Static hosts are not resolvable on client. The problem occurs under these conditions: DNS Relay proxy service is installed on machine; A DNS server is configured at the Network Access resource; Full Tunnel mode is used. Specify a bogus DNS server in Network Access resource (for example Virtual Server address).
527119 The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to Chrome browser and results in JavaScript errors on the following kind of code: iframe.contentDocument.write(html); iframe.contentDocument.close(); <any operation with iframe.contentDocument.body> One of the applications known to contain such code and fail after APM rewriting is TinyMCE editor. Some JavaScript applications might not work correctly when accessed through Portal Access. Revert rewriting of the document.write call with a post-processing iRule. The workaround iRule will be unique for each affected application.
528424 Tooltips/Toast notification are not displayed when Network Access changes state (Connect, Disconnect, Reconnect, etc). Beginning with Microsoft Windows 8, tooltips are replaced by Toast Notifications; Windows does not convert tooltips to toast notification for F5 WebComponent in Windows 10. User is not notified about state change. The problem occurs under these conditions: Internet Explorer 11. Windows 10. Networks Access changes state. To enable tooltips, in Group Policy change this setting: "User Configuration \ Administrative Templates \ Start Menu and Taskbar \ Disable showing balloon notifications as toasts" to Enable.
529503 BIG-IP Edge Client continues to connect to a previously resolved IP address even when the DNS server points to a different server for that name. Client will connect to old IP address. Edge Client has made successful connection to old address. User disconnects and connects again. Quit and restart Edge Client. This issue is caused by Windows caching of the resolved IP address.
531983 Routing table is not updated correctly in connected state when new adapter is added to the system. Routing table might be corrupted. SSL VPN tunnel is established and new adapter is added to the system. For example, Wi-Fi connected when tunnel is established already over Ethernet adapter. Restart OS X.
532713 VPN establishment fails and client goes in retry loop without notifying user of any error. BIG-IP Edge Client goes in reconnect loop without notifying user of any error. Network access configuration has remote PAC file configured. Client fails to download this PAC file during VPN connection establishment. User can check Edge Client logs to see whether VPN connection failed due to failure to download PAC file.
534057 Three F5 Java class methods, getImage(), getAudioClip(), and play(), cannot take more than one parameter. Backend video cannot be played. F5 Java class methods not properly implemented. iRule workaround specific to the backend web app available upon request.
536575 For an access policy that includes On-Demand Cert Auth, Dynamic ACL, Per-App VPN, and other components, the Session Variable Report output can be blank. The Session Variable report is empty. On-Demand Cert Auth in an access policy. DACL in access policy. Per-App VPN access policy. Probably others. Check the session variable using command sessiondump.
536724 Policy sync status of source device gets stuck at "Initiated" and never transitions to completed. Policy sync cannot complete and status remains "Initiated". 1. Create two sync-only device groups so that one contains all the members of the other. 2. Initiate a policy sync to the bigger group. 3. Initiate a policy sync to the smaller group. Upgrade to 12.0.
539018 TMM stack trace when killed by monitoring process when stuck in loop always logged in parent TMM thread log file instead of looping TMM thread log file. Unclear which TMM thread was looping and resulted in crash and failover. TMM stuck in a loop and aborted by monitor process.
541261 The failure happens when we get the redirect to /vdesk/webtop.eui. This is in the whitelist as a portal protected URI, and when it doesn't have a valid sid, the action is to create a new session. Because this is clientless mode, there aren't any cookies, so it thinks it needs to create a new session. Then the old session is deleted, causing the logs to report a logout due to user request. VPN connection failed, stating error invalid credentials. Logs show session deleted due to user logout request. Windows 8.1 + APM 11.5.3. Logon page -> irule agent -> Advanced resource assign (NA+NA webtop) -> Allow (no auth for logon page, everything should lead to allow). Try to log on with the Windows inbox VPN client. None.
542636 Customer will see the copyright valid to 1999-2014 Customer will see the copyright valid to 1999-2014 Customer will see the copyright valid to 1999-2014 Go to customization & select the profile and change footer text.
543344 When a BIG-IP system is configured with explicit HTTP proxy, ACCESS iRule does not work reliably in HTTP_PROXY_REQUEST. The issue happens when the current ACCESS iRule searches the associated session ID from the connection itself in these ways: either the session ID is embedded in the request, or the connection has been processed by ACCESS previously. When neither condition is satisfied, then current ACCESS iRule cannot find the associated session ID. Whenever ACCESS iRule commands cannot find the associated session ID, ACCESS iRule commands are processed as if the caller provided an empty session ID in its arguments. As a result, ACCESS::iRule commands return an empty result. ACCESS iRule such as ACCESS::session data get/set, ACCESS::session exists, session ID is not provided by the caller, and caller expects the session ID to be resolved internally. If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.
545527 BIG-IP Edge Client endpoint checking component cannot detect real-time protection state of ESET Endpoint Security software version 6.2.2021.0 on Microsoft Windows. Endpoint check fails, resulting in denied session. ESET Endpoint Security software version 6.2.2021.0 is installed on user's machine and real-time protection is enabled. Access policy requires presence of this software with real-time protection enabled. No workaround.
549086 Windows 10 is not detected when the Firefox browser is used. The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client. Windows 10 and Firefox (at least versions 40 and 41). There is no workaround.
552498 401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to back end servers. Cookies assigned during the authentication handshake might not be sent to back end servers. An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly. An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.
552571 For Domino Web Access 8.5 with Safari on Mac OS X 10.11, check names does not work. User is unable to use 'check names' functionality. Steps to Reproduce: 1. Create new message. 2. Enter the beginning of recipient name and press Check Names. 3. If there are some users whose names start with the same substring, a screen displays with possible names; select one of them. Step 3 fails with APM reverse proxy. No window pops up with possible names. There is no workaround at this time.
553037 When a user clicks an app, a window displays with this message: "Cannot start the requested App. Select More info for further details." Customer cannot launch app. An iOS Citrix Receiver in Web interface connection type and a BIG-IP system in Web interface configuration. 1. In the Citrix Receiver, you can use the native GUI with Access-Gateway Enterprise edition type with this URI: https://<BIG-IP system virtual server FQDN>/ 2. Define an LTM data-group with FQDN set to /config/<storename>/pnagent/config.xml
554228 OneConnect is a feature that reuses server side connections. When WEBSSO is enabled, it always creates a new server side connection and doesn't reuse pooled connections. Not so much impact as few sites use WEBSSO with OneConnect. WEBSSO and OneConnect.
554626 The Logging agent truncates log values greater than 1024. If the log value size is greater than 4060, the field is empty or null. The reporting UI displays null or empty fields when the logged value is too large in size, such as a huge session variable. Logging into local database with log values (such as session variables) greater than 1024. If this size is too high (> 4060), the field displays as empty or null in reports. No workaround.
554993 1. The current active sessions, current pending sessions, and current established sessions counts shown in commands 'tmsh show /apm profile access' and 'tmctl profile_access_stat' become zero after failover. 2. The system posts an error message to /var/log/apm: 01490559:3: 00000000: Access stats encountered error: SessionDB operation failed (ERR_NOT_FOUND). The current active sessions, current pending sessions, and current established sessions counts of profile access stat will remain zero after failover. This issue happens when the following conditions are met: 1. The HA configuration is running a release prior to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0. 2. The standby unit is upgraded to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0. 3. Failover is triggered. Upgrade both devices in the HA configuration to the same release and reboot them simultaneously.
555457 Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 8, Windows 7, or Vista desktop fails if F5 components have been removed previously and the desktop was not rebooted. Typically this issue can be identified by these log records: <snip> DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP) DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP) DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter <snip> DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.) End users cannot establish a VPN connection from Windows-based clients. Windows desktop. Existing F5 components uninstalled. Reboot was not performed after uninstall. Reboot the affected Windows desktop.
558631 VPN connections may cause memory usage to increase with the memory never being reclaimed. Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage. The APM Network Access feature is configured and VPN connections are being established. No workaround short of not using the APM Network Access feature.
563135 When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. the first request after authentication will fail. The first request after authentication will fail. SWG Explicit Proxy configured. HTTP 407 Authorization configured in Per-Request Policy for authentication. Client requests a non-standard HTTP port in request. If the user refreshes their browser request, subsequent requests will work as expected.
563443 This issue is rarely reproducible. This happens due to operation on a global data structure by multiple threads (one updating while another is reading). With a greater number of worker threads, the possibility of encountering the problem increases. Core dumps. When two threads read and update on cache data structure at the same time. None
564496 When an add-on license is applied on the active node, the effective license limit is not updated even though telnet output shows that it is. The actual number of sessions that can be established remains unchanged after adding an add-on license. 1. Set up an HA pair with a base APM license. 2. Apply an APM add-on license to increase Access and CCU license limits. 1. Remove HA so that each device becomes standalone. 2. Re-license both nodes and then re-establish HA for the two devices.
564521 JavaScript passed to can be erroneously unescaped if Adobe SWF is version 24 or less. Arbitrary Adobe Flash application malfunction. Adobe Action Script 3 SWF version 24 or less. There is no workaround.
564890 In some cases, access policy evaluation might fail. Access policy will be evaluated incorrectly. User is connecting to APM on Windows 10. Access policy has an endpoint check configured. Access decision is made based on last scan time. Client system has Windows Defender v4.8.10240.16384 installed on it. Don't use "last scan time" in access policy.
565231 If an exported access policy includes two object names profile_name-aaa and aaa, import might fail or be incorrect. Serious but very rare. Import of such a policy fails. For example: access policy name "test" access policy item name "test-empty" access policy item name "empty" For example: access policy name "test" access policy item name "test-empty" macro name "empty" One of the objects could be renamed in the bigip.conf file to avoid such a naming pattern.
566646 When accessing a large 'text/plain' file from server with Internet Explorer version 7 through 10 client browsers, Portal Access sometimes holds the response until it fetches and processes the entire file contents. This can take several dozen seconds, or even minutes. Large text files can't be accessed or downloaded through Portal Access. Use an iRule that does either of the following: a) Preferred: append F5CH=I to request URI in HTTP_REQUEST for affected requests. b) Call REWRITE::disable for affected requests.
566908 Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN if proxy.pac is defined in a way that forwards all web traffic over VPN. local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over VPN to corporate proxy server. proxy.pac, network access, OS X machine
570640 The user may encounter the following configuration error when adding a new APM sandbox-contained object in a non-default partition (other than /Common) if the user has ever attempted (but failed) to delete this partition (for example, couldn't delete it because it was not empty). 01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again. Unexpected Error: Validating configuration process failed. No more APM sandbox objects such as Hosted-Content can be added to the partition. Upgrade may fail to install configuration with the impacted sandbox object. The user has ever attempted (but failed) to delete the partition. Manually use the shell command 'mkdir -p' to re-create the missing folder where the symbolic link is supposed to be created as shown in the error message.
657732 After you generate log message reports in APM and export them to CSV files, the CSV files contain only the parameters for the log messages. To rebuild the actual log messages from the CSV file requires log templates and they are not available. This occurs when exporting to CSV by navigating to Access Policy :: Reports: View Reports : General Reports: System Messages : Run Report (right-click) : displaying log messages : Export to CSV File. CSV log files are hard to interpret without the log templates and the templates are not available. (Beginning in version 12.0.0, log messages in CSV reports generated and downloaded from the APM UI include complete log messages.)
For some Network Access configurations, a VPN cannot be established with Mac using F5 Edge client or Browser helper apps. The following conditions must be true:
1- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
2- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)

As a workaround, do the following.
1- Navigate to the Network Access resource.
2- Modify the Network Access resource Allow Local Subnet checkbox setting to Enabled.
3- Save the setting and apply the Access Policy.
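
Known issue 555457 in the table above is identified by two signatures in the Edge Client log: more than one "F5 Networks VPN Adapter" device in the driver dump, and RAS error 633 at RASCS_OpenPort. The following triage script is an added example, not F5 code; the field names, the `triage` function and the sample (constructed from the records quoted in that entry) are assumptions.

```python
import re

# Constructed sample built from the records quoted under issue 555457.
SAMPLE_LOG = r"""
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7)
DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter
DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)
"""

# Assumed layout: component, level, source file, line, function, message.
# search() is used so that any prefix (for example a timestamp) is tolerated.
RECORD_RE = re.compile(
    r"(?P<component>[A-Za-z]\w*),\s*(?P<level>\d+),\s*"
    r"(?P<source>\\[\w.\\]+),\s*(?P<line>\d+),\s*"
    r"(?P<function>[^,]+),\s*(?P<message>.*)$"
)
# "F5 Networks VPN Adapter" optionally followed by an instance suffix like "(7)".
ADAPTER_RE = re.compile(r"^F5 Networks VPN Adapter(?: \(\d+\))?$")
RAS_ERROR_RE = re.compile(r"RAS error \(state=(\w+), error=(\d+)")


def triage(log_text):
    """Return the adapters and RAS errors found, and whether both
    signatures of issue 555457 are present in the log text."""
    adapters = set()
    ras_errors = []
    for raw in log_text.splitlines():
        match = RECORD_RE.search(raw)
        if match is None:
            continue  # blank line, <snip> marker, or unrelated text
        # Drop "<--- ..." annotations such as those in the release note.
        message = match["message"].split("<---")[0].strip()
        source = match["source"].lower()
        function = match["function"].strip()

        # Signature 1: devices listed by the driver state dump.
        if source.endswith("driverstatechecker.cpp") and function == "dump":
            if ADAPTER_RE.match(message):
                adapters.add(message)

        # Signature 2: RAS callback reporting an error code.
        ras = RAS_ERROR_RE.search(message)
        if ras:
            ras_errors.append((ras.group(1), int(ras.group(2))))

    duplicate_adapter = len(adapters) > 1
    port_in_use = any(
        state == "RASCS_OpenPort" and code == 633 for state, code in ras_errors
    )
    return {
        "f5_adapters": sorted(adapters),
        "duplicate_adapter": duplicate_adapter,
        "ras_errors": ras_errors,
        # Error 633 alone has other causes, so both signatures are required.
        "matches_555457": duplicate_adapter and port_in_use,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("F5 adapters seen:", result["f5_adapters"])
    print("RAS errors:", result["ras_errors"])
    if result["matches_555457"]:
        print("Log matches issue 555457: reboot the affected Windows desktop.")
    else:
        print("Log does not match issue 555457.")
```
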


Legal notices