Release Notes : BIG-IP APM 11.6.0

Applies To:


  • 11.6.0
Release Notes
Original Publication Date: 08/03/2017 Updated Date: 04/18/2019


This release note documents the version 11.6.0 release of BIG-IP Access Policy Manager (APM).


Platform support

This version of the software is supported on the following platforms:

Platform name | Platform ID
BIG-IP 1600 | C102
BIG-IP 3600 | C103
BIG-IP 3900 | C106
BIG-IP 6900 | D104
BIG-IP 8900 | D106
BIG-IP 8950 | D107
BIG-IP 11000 | E101
BIG-IP 11050 | E102
BIG-IP 2000s, BIG-IP 2200s | C112
BIG-IP 4000s, BIG-IP 4200v | C113
BIG-IP 5000s, 5050s, 5200v, 5250v | C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110
BIG-IP 12250v | D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS | D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113
VIPRION B2100 Blade | A109
VIPRION B2150 Blade | A113
VIPRION B2250 Blade | A112
VIPRION B4200, B4200N Blade | A107, A111
VIPRION B4300, B4340N Blade | A108, A110
VIPRION B4450 Blade | A114
VIPRION C2200 Chassis | D114
VIPRION C2400 Chassis | F100
VIPRION C4400, C4400N Chassis | J100, J101
VIPRION C4480, C4480N Chassis | J102, J103
VIPRION C4800, C4800N Chassis | S100, S101
Virtual Edition (VE) | Z100
vCMP Guest | Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blade in the 4400(J100)/4480(J102) and the 4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Module combination support on the 3900

Note: The GTM+APM module combination is not supported on the 3900 product platform.

Although SOL10288 states that all modules are supported on all platforms as of BIG-IP version 11.4.0, this does not mean that all possible module combinations are allowed on every platform (especially legacy platforms).

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

APM client browser support

For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.6.0 Documentation page.

Evaluation support

If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.

New in 11.6.0

SAML Artifact Support

The SAML protocol provides three bindings for transmitting SAML messages. APM now supports the Artifact binding. It allows the transmission of SAML messages using, in part, direct connections between the Identity Provider (IdP) and the Service Provider (SP).

Native MSRDP Support

Support for native Microsoft RDP client enables seamless connection to backend remote desktop without establishing a VPN tunnel.

Per-Request Authorization

Support for a Per-Request policy that allows access controls based on elements in the transaction (URL, HTTP headers, protocol, and so on), the environment (for example, date and time) and user attributes (group membership, other AAA attributes, and so on) is added. A Per-Request policy is now required for using Secure Web Gateway (SWG).

RSA SecurID (with soft token) Automation

It is now easier for users to establish a VPN connection using F5 BIG-IP Edge Client while using RSA SecurID with soft token. After the user enters their RSA SecurID pin, Edge Client will now automatically fetch the passcode from RSA SecurID to authenticate with. This is supported only with F5 BIG-IP Edge Client for Windows "full client" and F5 BIG-IP Edge Client for Mac OS X "full client".

Note: To use this feature, clients must have installed or upgraded to the 11.6.0 client package for BIG-IP Edge Client for Windows or BIG-IP Edge Client for Mac. Both client packages are available for download from the APM user interface.

Secure Web Gateway Safesearch Filtering

With search filtering enabled, a safe search string is returned and the search results are filtered to exclude explicit content. Search filtering is supported on Ask, Bing, DuckDuckGo, Google, Lycos, and Yahoo. Supported search engines may change, depending on the search engine's features.

URL Category Lookup

URL Category Lookup allows a user to enter a complete URL, such as or a domain name, such as or to find the category information.

Customization Enhancements

Radio buttons can be used on the logon page. Additional improvements are also available to make customization easier and faster.

Supported high availability configuration for Access Policy Manager

Access Policy Manager is supported in an Active/Standby configuration with 2 BIG-IP systems only.
Note: Access Policy Manager is not supported in an Active-Active or an N+M configuration.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method | Command
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Versions later than 10.x do not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading from earlier versions of APM

When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.

Secure Web Gateway 11.6.0 important post-upgrade tasks

Secure Web Gateway 11.6.0 provides improved functionality over that in 11.5 by allowing a flexible policy definition on a per-transaction basis. This allows new agents that implement functionality to be added as necessary to execute a policy, and allows the output of agents to steer policy decisions using expressions based on those outputs and other factors. Available agents include “dynamic date time”, “category lookup”, “response analytics”, “protocol lookup”, among many more.

When upgrading from 11.5 to 11.6, URL filter and URL category configuration from 11.5 is preserved. However, configuration data associated with an SWG scheme is gone. This data included content scanning settings and URL schedules that specified which URL filter to apply at any given time.

As a result, an Access Policy that includes an SWG Scheme Assign agent allows the client unfiltered access through the SWG Explicit or Transparent forward proxy. This amounts to a 'Default Allow' policy. Web sites that would be blocked will be allowed through. HTTP traffic will not be inspected.

To establish URL filtering, content scanning, SSL bypass or SSL intercept (without the use of an iRule), and so on, you must configure one or more per-request policies. (Both an access policy with an SWG Scheme Assign action and a per-request policy are required. The access policy and the per-request policy must both be assigned to the same virtual server.)

For how to create per-request policies, and for examples of per-request policies, refer to BIG-IP Access Policy Manager: Secure Web Gateway Implementations on the AskF5 web site at

Connectivity profiles

When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:

  • Option 1: Upgrade from 10.x.x to 11.4.x, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration utility.
  • Option 2: Upgrade from 10.x.x to 11.x.x, where 11.x.x is earlier than 11.4.x, then continue upgrading to 11.4.x.

Kerberos SSO

Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0 and later. This happens because, starting in 11.4.0, the password is saved in encrypted form, while the password in 11.3.0 is saved as clear text. Re-enter the Kerberos SSO password after upgrading from 11.3.0.

Citrix client packages

The 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:

  1. Outside of APM, name or rename a Citrix client package without spaces in the name.
  2. Use the correctly named Citrix client package.
    • To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
    • To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.

Machine accounts for NTLM front-end authentication

APM does not restore NLAD connections when the configuration is restored from a UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.

Advanced customization

If you performed any advanced customization of files, you must upgrade these files manually.

Custom reports

Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.

OAM configuration

When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.

Access policies that use session variables

If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after upgrade. This example shows the difference in the value of a session variable between these versions.

  • Version 10.x -
  • Version 11.x -

The partition, /Common, is added to the version 11.x object name.

Fixes in 11.6.0

ID number Description
225651 The installation path for the BIG-IP Edge Client was updated to avoid collision with third-party software installations.
238350 The new network access setting, Use Local Proxy Settings, is introduced. When it is enabled, after the client establishes a network access connection, proxy settings configured on the client continue to be used.
337178 Now BIG-IP Edge Client falls back to TLS from DTLS if http-proxy is used.
337922 Previously, when the administrator configured password caching on the Edge Client through the connectivity profile, the cached password was not always automatically submitted. This issue has been fixed.
357360 Mac network access client now supports static host entries.
386641 Stonewall driver is correctly updated when updating from Firepass to APM now.
398134 Now APM supports non-ASCII usernames and passwords when performing NTLM Front-end Authentication and NTLM Back-end SSO.
405348 Modify the db variable "tmm.access.maxrequestbodysize" with a value larger than the maximum email body size you would like to support.
410157 BIG-IP Edge Client now displays PPP disconnection/reconnection notification quickly.
413778 A detailed error message is logged now when Active Directory authentication fails because Kerberos Key Distribution Center (KDC) is unreachable.
416076 Applying Access Policy completes two steps now.
419809 An error message formatting issue was fixed.
420989 When using an access policy with Windows Logon Integration, if you are denied access once, you can try again.
420990 Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration.
421577 Now you can set VDI logging level from the administrative GUI.
422730 A JavaScript error no longer displays if you click Delete Favorite in the Report UI when the Favorites list is empty.
422818 "Store information about client software in session variables" setting is removed from the Visual Policy Editor for these Endpoint Security (Client-Side) software checks: Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent.
424006 Windows Integration now uses domain names of servers specified on the BIG-IP system instead of raw IPs.
424008 APM now supports smart card logon on Windows-based systems with APM Windows Logon Integration.
424368 Parent HTML page dynamic re-writing is supported in case of Internet Explorer 10-11: JavaScript statements like parent.document.write(some_html_with_script) are handled correctly.
424768 WebSSO does additional logging now at debug level when it first starts.
425070 The HTML profile code was improved for security reasons.
425507 An issue in which logd could start to consume 99% of CPU after table rotation has been fixed.
425731 A TCP reset is no longer sent to a client during access policy execution.
425882 Configuration file handling for the BIG-IP Edge Client was improved to prevent configuration corruption.
427962 A new option is added to full webtop configuration: "Show warning message when webtop window closed." When this option is disabled, a user can close a webtop browser without also being prompted to close the Network Access tunnel that was launched from the full webtop.
430435 Network access webtop shows VPN tunnel details and BIG-IP Edge Client shows notification when session is about to timeout.
430680 When you create a new expression in the Date Time access policy item for a weekend date, the expression is correct.
431355 BIG-IP Edge Client log entries for DNS Relay proxy have been improved.
431494 Windows Group Policy sandboxes and ending agents that used Windows Group Policy files have been removed from the configuration. Windows Group Policy is no longer supported.
431512 Now APM validates the origin header of the WebSocket handshake and accepts connections with correct origin only.
432260 An AAA server pool remains reachable after the bigstart restart [mcpd] command runs.
432333 Now Java Application Tunnels work when Internet Explorer 11 runs with Enhanced Protected Mode. However, the tunnel is bound to due to limitations of this mode.
432537 A call to ParseCookie() in PatchInfo::processSetCookie() no longer takes an improper length argument.
433243 BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.
433585 Now all URLs in RSS feeds are rewritten. Only fixed URL strings (such as XML namespaces, categories, and so on) are left untouched.
434675 The cause of a relatively rare crash issue in the rewrite plugin has been fixed.
435266 Internal communication with the Secure Web Gateway content scanning engine has been optimized. This results in significant performance improvements.
435449 When using Kerberos End User logon with 401 response agent and Request Based Auth option enabled, the first request is now processed correctly.
435575 APM can now act as Microsoft Remote Desktop Gateway. Native RDP clients for Windows/Mac/iOS/Android can be configured to use APM as RD Gateway and gain access to RDP backends through APM.
436556 The correct list of Citrix apps render on an APM webtop when a Citrix resource uses Kerberos single sign-on to Citrix XML Broker.
436569 Now icons are displayed for Citrix applications on an APM webtop when Kerberos SSO is used.
436616 CTU correctly enables logs for 64-bit services on Windows systems.
437347 Web applications should function normally now even with long header values.
437472 Compatibility with XenDesktop 7 has been improved.
437611 An error about the access_license.c file is no longer logged during provisioning, system start up, reboot, or license upgrade.
437652 An HTML page that is loaded using HTTPS and contains a script that uses the document.write() call to change a closed document now works correctly on Internet Explorer 11 in portal access mode.
437731 Optimized tunnel no longer crashes Internet Explorer.
438190 DSCP marking for client traffic control is now passed through APM VPN tunnel.
438256 Forms with an absolute path in the action are now handled correctly.
438433 Uploading an image without proper message ID is now ignored.
438436 Security improvements resulting from F5 internal testing were made.
438530 Image file names are now validated and must include these characters only: a-z A-Z 0-9 _ - . The Advanced Customization GUI displays the correct error message when the name for an image is invalid.
438595 [Mac][EPS] backward compatibility with FP has been fixed.
438664 F5 Client Traffic Control Service now works on Windows 7. Previously the service started and then stopped.
438696 Now Java RDP and Java App Tunnels work without showing a security warning.
438964 Template files now include a version number and the Component Installer service updates correctly.
438969 HTML5 VMware View Client now works with APM when the virtual server is on a non-default route domain.
439463 Now Citrix Receiver for Mac and iOS gets the correct config.xml file when working through a Wi-Fi router and APM is integrated with Citrix Web Interface.
439728 An APM page that contains dynamic scripts now works correctly when a user opens it from another domain or protocol using the Chrome browser.
440022 Now an APM webtop renders Citrix apps when a Citrix resource uses a pool and Kerberos SSO.
440290 APM now prevents the retransmission of policy sync requests that caused status messages to fluctuate.
440385 Support of Internet Explorer 10 (without compatibility mode) for machine certificate checker was added.
440432 The iRule event agent (in an access policy) no longer logs BIG-IP Edge Client for Linux CLI users out before they can establish network access.
440564 Citrix Session Sharing did not work properly in some cases. Now it is fixed.
440792 Client proxy settings specified in a Network Access resource are applied without an occasional miss now.
440841 This split tunnelling log message is no longer written at the notice level: "Username used for SSO contains domain information. Please enable 'Split domain from full Username option in the Logon Page if domain info should be separated from username for SSO to work properly". The log is now written at the informational level.
441073 When using Portal Access, an input tag in forms now can receive a value that is dynamically created by JavaScript on the client.
441210 The tmm process provides more robust handling for PCoIP traffic.
441256 Some Secure Web Gateway URL category names that were truncated when displayed are now fully displayed.
441507 SWF patcher behaves properly now.
441612 BIG-IP Edge Client for Mac now can connect to a BIG-IP system on which a machine information agent is included in the access policy.
441631 Now you cannot start more than one instance of WebSSO for every MCPD channel number. For example, if websso.3 is running, then you cannot manually start websso -c 3.
441659 Fixed User-mode installer service: it does not require admin rights for limited users anymore.
441681 You can now use the Firefox browser to successfully edit these actions from the Visual Policy Editor: Advanced Resource Assign, LDAP Group Mapping, AD Group Mapping, and BWC Resource Assign.
441809 Network access connections now succeed after failover without encountering an IPv4 allocation failure error: "leasepool <name>is out of addresses".
442026 On any partition, customer can create a Portal Access resource using the Wizard.
442393 APM will now attempt to terminate Citrix session when user logs out of APM Webtop.
442528 Long URLs (up to 16K long) are handled correctly.
444722 Extra Secure Web Gateway sessions are no longer created when a session expires.
445399 Support was added for Network Access over PPPoE.
445985 Now JavaScript arithmetic assignment operators are handled correctly on the server and on the client.
446207 The "state" value in the session variables created after a software check (antivirus, anti-spyware, firewall, patch management, peer-to-peer, health agent and disk encryption) now contains the state of the specified product.
447301 The current HTML page continues to display without reloading if a user clicks a link that contains an undefined URL.
447392 The installer for the BIG-IP Edge Client for Windows now prompts the user if a reboot is required.
448630 VDI Profile now depends on Access profile for TCP virtuals. Administrators will see a configuration error if they try to attach a VDI profile without an Access profile.
448896 An HTML page with base URI (HREF attribute of the BASE tag) is rewritten correctly.
449141 Notifications to the user when the BIG-IP Edge Client must reboot to complete updates have been improved.
449225 Windows, Mac and Linux clients were updated to prevent a crash when establishing a VPN connection in certain conditions.
450021 User can view the log from the file /var/log/apm in Admin UI like System-> Logs-> System (Packet Filter, Local Traffic, and so on).
450161 Added support of Microsoft Software Key Storage Provider to Machine Certificate Checker.
450298 Logging on to Outlook Web App 2013 (SP1) using portal access with Firefox browser now works without producing an error.
450299 Misleading error records have been removed from TunnelServer.exe.
450305 When accessing OWA 2013 through portal access, users can successfully create a new message, calendar, or task item.
450360 Now Citrix Session Sharing works correctly for any version of XenApp.
450687 After the GUI or the console displays an error message to a user who is configuring an SSO NTLMv1 (or NTLMv2) object, an incorrectly configured object is no longer created.
450728 Now APM correctly handles VMware View client requests with empty body.
450845 Under logging stress, logd no longer writes duplicate fd errors in the log.
450940 The default value for Max In Progress Sessions was previously set to 0. It now defaults to 128.
451118 Mistakes in French localization were fixed.
451233 The APD and ACCTD processes now parse any IP address that includes a route domain ID as a suffix.
451260 After upgrading directly from 11.4.0 to 11.6.0, the configuration loads successfully now even if it contains "citrix-client-package" files that were uploaded (and unzipped) using the GUI.
451387 Support of button-less logon pages is added to BIG-IP Edge Client.
451588 Portal access renders the data correctly when creating a new item on Sharepoint 2013.
451777 If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message displays now.
451806 The network access GUI and default value for the Preserve Source Port Strict setting has changed. Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings (Basic). By default, the check box is cleared and the setting is disabled.
451864 Always preserve locally configured DNS suffixes when establishing VPN connection.
452061 The /var/tmp/logd.out file is moved and renamed to /var/log/logd.log. This change enables /var/log/logd.log file to be rotated like other log files.
452182 Flash ActionScript 3 rewriter now correctly rewrites URLs containing "../".
452753 BIG-IP Edge Client now cleans up cookies for all intermediate hosts visited during connect.
452895 Arrayed session variables, such as "session.machine_info.last.net_adapter.list.[0].mac_address", are evaluated and displayed correctly.
453164 Routes are restored after disconnecting from the Network Access connection.
453188 Custom Dialer no longer stays in an Authenticated state for 40 seconds to negotiate the IPv6 protocol when IPv6 is not enabled.
453455 SAML Single Logout is now supported on the BIG-IP Edge Client.
453514 A problem in memcached causing intermittent failures was fixed.
453531 Multidomain SSO no longer resets on secondary authentication domains.
453722 Issues such as GUI unresponsiveness or even disconnects, which occurred when policy sync was applied to a device group that contains 5 or more members, have been alleviated.
453843 An error that begins with iControlPortal.cgi[16404]: 0137010c:6:, is no longer printed to /var/log/ltm.
454010 APM now recognizes Internet Explorer in compatibility mode on Windows 8.1 correctly.
454086 When using portal access on Firefox with some applications, the browser would go into deadlock. This no longer occurs.
454248 Fixed unnecessary localdbmgr messages logged in /var/log/apm every minute at the notice level.
454322 When the Allow Local DNS Servers option is enabled, DNS servers from interfaces that are down are not added to the VPN exclusion list.
454369 The URLDB plugin comes up properly now and traffic proceeds normally.
454370 The messages that communicate status of PolicySync between devices can arrive unordered. This is now fixed.
454547 Forms - Client Initiated SSO authentication handles decryption failure correctly.
454550 Proxy auto configuration now works with Internet Explorer when a URL cannot be resolved on a client.
455039 Now Citrix HTML5 Receiver v.1.3 available with Storefront 2.5 can be hosted in APM Sandbox and launched from APM Full Webtop.
455113 ACCESS::session data get has been extended to return configuration variables: ACCESS::session data get [-sid <sid>] [-secure] [-config] [-ssid <ssid>] <key>
455426 Now a user with apostrophe in the name can log in with Citrix Receiver successfully.
455892 Now APM supports AGEE SSO to new Citrix StoreFront 2.5 backends.
456302 APM clients heartbeat read overrun issue is now fixed.
456608 Correct rewriting for obj.src = some_url was added to support web applications.
457525 APM removes an app tunnel resource from a webtop only if all resource items are not DNS resolvable; otherwise, the app tunnel continues to work with resource items that are DNS resolvable.
457603 Web applications with portal access using Safari on iOS now work correctly when an 'onbeforeunload' event occurs.
457925 When the BIG-IP system acts as a SAML SP, IdP-initiated authentication now works on the first attempt.
458199 Resource delete handler should check for the reference by psync-dynamic-resource.
458211 The EAM module now continues to function correctly when the size of a cookie in the HTTP request is greater than 4095.
458474 Support for htmlprinting ActiveX object "CLSID:62BC5DB2-0044-4040-B366-D628F3CFD551" was added.
458485 The code is updated so that APD no longer crashes on certain VPE expressions, such as Date Time check or 'encoding' command due to a change introduced by fixing 424938.
458737 When an AD or LDAP query is in use and the query returns binary attributes with the "|" character, APM now checks whether the value contains non-printable characters, and if so, hex encodes the value. If the value is printable, APM escapes the "\" and "|" characters because "|" is used as a separator for multivalue attributes.
459870 Now BIG-IP Edge Client in Always Connected mode properly processes cancelling captive portal detection.
459953 When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL cyphertext is no longer logged.
459977 If there was a space in the value for a radio or select type input, the logon page did not show the input elements. This is now fixed.
460030 If the number of terminal-outs in a macro is added to or subtracted from manually, new validation code catches this kind of discrepancy.
460062 Access policy export works correctly even when a resource with a long name has been assigned in the policy.
460762 Citrix apps consistently start from APM Webtop when using Kerberos SSO to XML Broker.
460939 Additional exception processing (for ObAccessException from the SDK) was added to the EAM module. The module now handles this exception by displaying an error.
461624 A problem with APD in chassis that resulted in the portal access connection terminating has been fixed.
462268 There is no limit on session variable value length in the variable assign agent.
462669 For Windows Phone clients in BIG-IP APM 11.6, the session.client.platform value changed from "WinP8" to "WindowsPhone".
463651 After a network access session closes, if a PPP tunnel does not get closed in some time, a cleanup is forced on server side.
464159 JavaScript: Now isolated submit() calls are handled correctly and form action paths are rewritten at such calls. The situation when submit() call refers to separate function is also supported.
464687 Now it is possible to copy an access profile that contains a Machine Cert access policy item.
464748 In portal access, a cookie with an empty or wrong expires field no longer causes a JavaScript failure.
465338 The curl-apd component (curl7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS; it is no longer affected by OpenSSL vulnerability CVE-2010-5298.
465339 The curl-apd component (curl7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS and is no longer affected by OpenSSL vulnerability CVE-2014-0198.
466273 On Mac and Linux clients, recurrent checks do not end the user session when the access policy allows access on the fallback branch.
466488 Under high load conditions when the HTTP auth agent is configured in the access policy, now the access policy daemon (APD) continues to respond.
466605 JavaScript: Portal Access variable 'r' is now a local variable.
468395 Network Access clients can reconnect now and the lease pool does not run out of IP addresses.
469335 Validation is improved to ensure that a custom URL category includes at least one URL.
469754 A user that is deleted from the local user database can no longer log in regardless.
470214 This version provides strengthened management of session mirroring so the system can more accurately track connection mirroring.
470382 Location-specific objects display correctly in the Policy Sync GUI whether the Location Specific check box is cleared or selected on the Static Resources screen.
471893 A problem in which the BIG-IP system, configured as a SAML IdP, might reboot tmm when executing SLO protocol in certain conditions has been fixed.


Session ID rotation has been implemented, and starting from 11.2.0, it is on by default. This breaks compatibility with earlier BIG-IP Edge Client and plugin versions. For example, when APM is configured for session ID rotation, an 11.1.0 Edge client is not allowed to log in to Access Policy Manager (APM) version 11.2.x. The expected behavior in this case is for APM to present the login page to the Edge client after each login attempt. To disable session ID rotation per-box, you can use the following tmsh command:

    tmsh modify sys db apm.rotatesessionid value disable

Behavior changes in 11.6.0

ID number Description
413229 VDI functionality is now enabled using a new VDI Profile option in virtual server settings. A default profile, vdi, is provided for ease of configuration.
420104 Java launcher helped in automatic installation of the following components (taken from in the browser: 1) F5 Network Access Plug-in 2) F5 SAM Inspection Host Plug-in After the removal of Java launcher, Safari and Firefox browsers on OS X will no longer be able to do automatic installation of these components. Users will have an option (and instructions on the web page) to do a manual installation every time they install or upgrade these components.
430463 The feature flag apm_ep_grouppolicy is removed from license files generated by the F5 License Server. The corresponding functionality for Windows Group Policy has been deprecated from APM.
435575 Now users can configure native RDP clients for Windows, Mac, iOS, and Android to use APM as a Remote Desktop Gateway.
454976 Before this release, the global database (db) variable apm.ldapautoescape was used to escape special characters in session variables in the LDAP Auth and LDAP Query agents. However, using the db variable did not offer a way to escape or unescape special characters selectively. In this release, apm.ldapautoescape is deprecated. APM escapes special characters in LDAP DNs and LDAP filters by default. To unescape a specific session variable, add the suffix ":noconv" to the session variable; for example, %{}.
457090 Starting from this release, Access Policy Manager matches portal access, iSession, and Mobile AppTunnel traffic against any server-specific matching virtual server enabled on the secure connectivity (tunnel) interface. If there is a match, server-side traffic goes to the matching virtual server before going out. This change is introduced to perform Secure Web Gateway-related checks on matching virtual server traffic.
457590 The VDI & Java Support check box in virtual server settings has been renamed to Application Tunnels (Java & Per-App VPN). This check box no longer controls VDI functionality. VDI is now enabled using a new VDI Profile option in virtual server settings.
459568 The following settings in the client SSL profile should no longer be configured when using the client SSL profile with Secure Web Gateway (SWG): Destination IP Bypass, Destination IP Intercept, Source IP Bypass, Source IP Intercept, Hostname Bypass, and Hostname Intercept.
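
For ID 454976 above, the following added example (not F5 code and not taken from this release note) shows the escaping that LDAP filter values and DN values need under RFC 4515 and RFC 4514, and what happens to a filter when a value is inserted without it. The function names, the filter template and the sample values are assumptions constructed for illustration; the exact output of APM's own escaping is not documented on this page.

```python
# Added illustration: LDAP escaping for filter values (RFC 4515) and
# DN attribute values (RFC 4514). All names and samples are constructed.
import re

FILTER_SPECIALS = "\x00()*\\"   # must be written as \XX inside a filter value
DN_SPECIALS = '"+,;<>\\'        # must be backslash-escaped anywhere in a DN value
FILTER_TEMPLATE = "(&(objectClass=person)(cn=%s))"  # hypothetical query template


def escape_filter_value(value):
    """Return value with RFC 4515 special characters hex-escaped."""
    return "".join(
        "\\%02x" % ord(ch) if ch in FILTER_SPECIALS else ch for ch in value
    )


def unescape_filter_value(value):
    """Inverse of escape_filter_value for \\XX sequences."""
    return re.sub(
        r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value
    )


def escape_dn_value(value):
    """Return value escaped for use as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":      # leading space or '#'
            out.append("\\" + ch)
        elif i == last and ch == " ":    # trailing space
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_filter(user_value, escape=True):
    """Insert a session-supplied value into the hypothetical template."""
    if escape:
        user_value = escape_filter_value(user_value)
    return FILTER_TEMPLATE % user_value


def leaf_assertions(ldap_filter):
    """List the innermost (attr=value) items the directory would evaluate.

    Escaped \\XX sequences are skipped, so escaped parentheses do not
    count as structure. Raises ValueError on unbalanced parentheses.
    """
    leaves = []
    stack = []  # entries: [start offset of group body, contains nested group]
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3          # skip the backslash and its two hex digits
            continue
        if ch == "(":
            if stack:
                stack[-1][1] = True
            stack.append([i + 1, False])
        elif ch == ")":
            if not stack:
                raise ValueError("unbalanced ')' at offset %d" % i)
            start, nested = stack.pop()
            if not nested:
                leaves.append(ldap_filter[start:i])
        i += 1
    if stack:
        raise ValueError("unbalanced '('")
    return leaves


if __name__ == "__main__":
    sample = "Doe (ops)*"   # constructed value containing filter metacharacters
    for escape in (False, True):
        flt = build_filter(sample, escape=escape)
        print("escape=%-5s %s -> %s" % (escape, flt, leaf_assertions(flt)))
    print(escape_dn_value("Doe, John"))
```

The unescaped case corresponds to what a variable carrying the ":noconv" suffix would contribute, since the entry above says that suffix turns escaping off for that variable.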

Known issues

This release contains the following known issues.

Upgrade issues

ID number Description
384490 In advanced customization, when an access policy uses an image that includes spaces in its name, problems can occur. It can be impossible to export the access policy. Problems with upgrade can also occur. Workaround: Rename the image without spaces, upload the renamed image, and change customization to support the new named image instead of the old one.
417711 After the upgrade, if the previous configuration used NTLM front end authentication, the functionality is not restored.
421456 Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0, because in 11.4.0 the password is saved in encrypted form while the password in 11.3.0 is saved as clear text. Workaround: Re-enter Kerberos SSO password after upgrade.
432900 APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this:
    Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso)
    Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory)
    ....
    01071558:3: EPSEC - File Copy to /shared location failed
    Unexpected Error: Loading configuration process failed.
  Workaround: Create the directory /shared/apm and try to load the configuration again.

Application access issues

ID number Description
223712 During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the logon request fails.
339865 Microsoft SharePoint 2007 with Office Integration does not work in LTM+APM mode when Protected Workspace is used in an access policy. When you try to open a Microsoft Office document, an alert about a wrong URL is displayed.
340549 The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. (However, forwarding HTTP requests through the HTTP proxy does work correctly.) Workaround: Create a layered virtual to catch HTTPS traffic leaving APM and forward it to an HTTPS proxy server using CONNECT. Proxy authentication is not implemented; if the response status from the HTTPS proxy server is not 200, use an iRule to close the connection.
343280 When using portal access in Safari 5.X, sometimes web pages do not load properly. A bug in Safari 5.X leads to accidental loss of all HTMLElement.prototype changes when setting HTMLElement.prototype properties in a window and accessing window.frameElement from any of its frames. (The problem also sometimes occurs in other less well-defined cases.)
347100 Every time the Hometab loads, a dialog box message is displayed stating: "This Page contains both secure and nonsecure items. Do you want to continue?" To work around this problem, disable the Hometab.
362325 Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using the Save as action. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010.
404899 Webpage errors occur when opening a chat window in IBM Lotus iNotes 8.5 with Sametime through a portal access webtop. This happens only when using Internet Explorer 9. Workaround: To work around this problem, add a portal access item with the path "/sametime/stlinks/*" to the portal access resource and disable Home Tab for this item.
423282 JavaScript does not work if a page contains conditional comments inside its head tag. Workaround: To work around the problem, use an iRule. The exact commands to use depend on the situation.
424936 An extra line (that consists of "<?") appears at the top of the apm_mobile_ppc.css file and causes an error like this one: Jul 9 08:37:10 roeislfl4gm err httpd_sam[13917]: [error] [client] PHP Parse error: syntax error, unexpected '&lt;' in /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css on line 2
431337 The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11.
434464 If a JavaScript function contains an Internet Explorer conditional compilation directive and a 'try ... catch' block inside this directive, it becomes inaccessible before declaration after re-writing.
439887 Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM portal access from the Chrome v.31.x browser.
444767 Access to Office365 Outlook Web Access services using portal access is broken for HTML5-supported browsers. The user is redirected to the APM Logout page after successfully logging in to Office365. Workaround: iRule below disables OWA offline-caching support.
454306 When HTML style attributes with HTML entities are rewritten, it results in direct or incorrect links to resources.
463642 Web-application misfunction.
474730 In some cases, a form with absolute path in the action is handled incorrectly in Internet Explorer 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.
475163 The result of submitting an HTML form that does not have an action attribute is a 404 error and 'null' in the request URL. Workaround: Add attribute "action=''" into the HTML form tag, either by modifying the source or by using an iRule.

Portal access issues

ID number Description
360889 For ACLs that are generated from a portal access resource, port 0 (zero) matches against port 80 (when the scheme is HTTP) and against port 443 (when the scheme is HTTPS). For ACLs otherwise, port 0 matches against any port.
384405 With Access Policy Manager Portal Access, if you add a web-acceleration profile to the Local Traffic Virtual, it does not take effect until you go to the command line and type "bigstart restart tmm". The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content.
389881 The portal access feature in APM does not support Flex Runtime Shared Libraries using ActionScript3.
406040 If an application uses a non-standard location for favicons (as permitted by the LINK meta tag) and you use Internet Explorer 10 for access to the application, then the BIG-IP system creates a new session for that URI. If you use Google Chrome version 25 or above, the BIG-IP system closes the current session during fetching favicons from the non-standard location. Related change in Google Chrome: Workaround: An example of an iRule workaround is as follows:
    when HTTP_REQUEST {
        # Skip access processing for favicon requests that carry no APM session cookie
        if { [string tolower [HTTP::path]] ends_with "favicon.ico" and [HTTP::cookie "MRHSession"] eq "" } {
            ACCESS::disable
        }
    }
425142 When a customized server-agent header is configured via the http profile, the server header when adding APM doesn't change. Workaround: Admin can use an iRule to change the server header. (HTTP::header replace Server [<string>])
426492 Multidomain SSO does not support custom ports. For multidomain SSO, redirection back to the virtual server that was used for initial session access always goes back to a standard 80/443 port. The virtual server used for initial session access must be on port 80/443. For example, suppose we set up a virtual server for Accessing this URL redirects to the primary virtual server, and login proceeds normally. Afterward, the redirect back to the initially accessed virtual server goes to on the standard 443 port. This occurs for multidomain SSO and nonstandard ports on the virtual server used for initial access. Administrators cannot configure multidomain SSO on ports other than 80 or 443. To work around the problem, only use ports 80 and 443.
426963 When the client sends an HTTP post with an expect 100-continue, APM will fail to forward it to the backend server. The client will wait about 3 seconds to timeout before sending the actual data of the post request.
428268 Some URLs might contain '&' separated parameters. If each '&' separated parameter is not followed with an equal sign (=), the APM system does not recognize it as a proper query string, and the redirection from the primary virtual server back to the secondary virtual server will be incorrectly parsed. Workaround: URL-Encode "&" and "=" in original URL before passing it to APM. Or follow every parameter with "=" or "=value". Both workarounds require application changes.
428894 When a user logs in with Multidomain SSO, some cookies are set. At logout, one set of these cookies does not have a domain set, and is not deleted. Workaround: Clearing the cookies allows the user to log in again. The problem does not seem to occur if you change "Cookie Scope" to "Domain" instead of "Host".
439965 BIG-IP APM currently cannot handle multiple browser tabs trying to create sessions at the same time. The most common example is saving multiple homepages in a web browser. When the web browser opens, requests from these tabs are sent within milliseconds. This can cause very unpredictable behavior where sometimes it will function correctly, and other times there will be connection resets or the user will see error pages. If the user is already authenticated and has a session, then multiple tabs can be opened. However, there is no workaround for session creation.
441284 With APM and ASM configured, the HTTP "username" header will always be inserted on the client-side of the proxy, and removed on the server-side. Any existing "username" headers will be removed in this process. Workaround:
    when ACCESS_ACL_ALLOWED {
        # Remember the client's original "username" header
        set myusername [HTTP::header username]
    }
    when HTTP_REQUEST_RELEASE {
        # Restore it on the request that goes to the server
        if { [info exists myusername] } {
            HTTP::header replace username $myusername
        }
    }
441913 When a large number of resources (more than 25) is assigned to an access policy with a full webtop, the system displays an empty webtop when it is accessed a second time. Workaround: To work around the problem, use fewer resources.
460590 If one of two name servers returns a response of "No such name" for a domain query, then the same domain query will not be tried in the second name server.
461327 Most of the time when ACCESS_SESSION_CLOSED is raised, it happens during session expire or an explicit logout. In such cases, no flow is attached to the event. As a result, if an asynchronous command were to be used in this event, it would not have a flow to park on - hence, ACCESS_SESSION_CLOSED was never designed to support such commands. Workaround: Do not use asynchronous commands in ACCESS_SESSION_CLOSED.
468130 When Kerberos auth is used with RBA enabled, the first POST request sent to the BIG-IP system could be replaced by a dummy POST and authentication then fails. This can occur when the BIG-IP system is configured as a SAML Identity Provider and the http-post SSO binding is used. Workaround: Disable RBA in Kerberos agent.
471331 Sometimes the APM RBA plugin resets and writes an error to the log that includes this phrase: [0x19fd874:459] Internal error (APM::RBA requested abort (trans end error)). The problem can happen intermittently and usually occurs when multiple tabs are used.
471421 When there is a high load on the system and a user changes an access policy, it can lead to slow rendering of the webtop or the access page.
473092 After evaluating the access policy with an on-demand cert auth agent, there will be a connection reset.
473592 The external logon page is unable to find the original landing URI for a request, leading to a reset when the access policy completes.

Client issues

ID Number Description
223583 Inside PWS on Windows Vista, a user can create folders only in some locations using the context menu; that is, only a "Folder" item appears on the "New" menu. However, a user can create standard type files using the context menu directly on the desktop and in the user's home folder. Workaround: Files can be created on the Desktop and then moved to the desired location.
376615 Username and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a result logon fails. The problem happens for these clients: iOS, Android, Windows Mobile, and Linux CLI. Workaround: To work around the problem, put the Logon page agent before the On-Demand Cert Agent in the access policy.
393043 During an APM remote connection, the progress bar might not render correctly on a Linux system when using the Chrome browser.
399552 CD/DVD burning through SPTI inside PWS works even though the policy disallows it.
404890 This is a rare issue that happens for Internet Explorer when pop-up screens are set to be blocked by browser. When you launch a Java app-tunnel for the first time in Internet Explorer, the message "Allow pop-ups for this site?" is displayed. In rare cases, when you click Allow once, the Java app-tunnel freezes in the Initializing state and cannot be used. Workaround: To work around the problem, add a virtual server to the allowed sites for pop-ups from Tools > Internet options in Internet Explorer.
409233 VMware View Client becomes unresponsive for about one minute after associated APM session is terminated by administrator.
420550 WYSE client cannot launch any application if the APM session expired.
428904 Printer redirection and keyboard redirection ('special keyboard commands') in non-fullscreen mode do not work on Win7/Win8.
432020 By default, Internet Explorer 11 starts with Enhanced Protected Mode enabled and the browser process runs inside AppContainer. Enhanced Protected Mode (AppContainer technology) in Internet Explorer 11 prevents the interception of connection requests. As a result APM App tunnels cannot redirect traffic to a proxy running on the loopback address. To work around the problem, you have 2 options to choose from: 1. Disable Enhanced Protected Mode in Internet Explorer 11 and 2. Add the backend server to the Trusted or Intranet Sites List.
432515 The external logon page does not post the 'Action required' pop-up dialog box of BIG-IP Edge Client. Workaround: To work around this issue, you must inject the following JavaScript code into the External Logon page:
    <body onload="OnLoad()">
    ...
    <script language="javascript">
    function OnLoad() {
        try {
            // Call the Edge Client notification hook only when the host exposes it
            if ( "undefined" != typeof(window.external) && "unknown" != typeof(window.external) &&
                 "undefined" != typeof(window.external.WebLogonNotifyUser) && "unknown" != typeof(window.external.WebLogonNotifyUser) ) {
                window.external.WebLogonNotifyUser();
            }
        } catch (e) { alert(e); }
    }
    </script>
434831 When the client connects to APM (with Safari) and launches the Application Tunnel, the tunnel will be created, but the application configured to launch will not. There is no error, only indication is that application is not started by the Application Tunnel.
440375 Under the Built-in Administrator account inside Protected Workspace, a VPN connection cannot be established if VPN components are not installed already. Workaround: Install VPN components before Protected Workspace on an account other than Built-in Administrator.
440380 Citrix Receiver for iOS may fail to connect through APM in integration mode when the ICA file generated by the backend is missing the following properties: DoNotUseDefaultCSL=On, HTTPBrowserAddress=!, LocHttpBrowserAddress=!
462985 Remote Desktop session terminates after TCP idle timeout without any activity from the client. Workaround: Configure AD policy: Set "keep-alive connection interval" of 1 minute for the terminal servers: Set "idle session limit" to "Never" for Remote Desktop Services sessions: Increase TCP idle timeout to 900 seconds on the BIG-IP system if the RDP clients that you support do not send keep-alive packets.
466454 APM PCoIP Proxy cannot connect to a View Desktop (either native or HTML5) that advertises its address as an FQDN. Workaround: To work around the problem, reconfigure View Desktop so that it returns an IP address.
469110 Microsoft Remote Desktop for iOS might hang if invalid credentials are entered. Workaround: Restarting the Microsoft Remote Desktop for iOS application and entering valid credentials remedies the issue.
469727 Users are unable to launch the Citrix HTML5 client from the APM Webtop. To work around this issue, perform the following steps: 1. Go to Access Policy->Hosted Content->Manage Profile Access. 2. Select the check box next to the Access Profile that is associated with the Citrix Virtual Server and click OK.
471117 If an HTML page contains an iframe with JavaScript code in 'src' attribute, some web applications might not work correctly through portal access in Internet Explorer 11.
472382 The VMware View Logon page for RADIUS does not display a challenge message when a challenge occurs on the RADIUS server. Workaround: Use RSA instead.
477090 The View Connections Server Settings for a VMware Horizon View server include Blast Secure Gateway settings. To be able to launch VMware View sessions from an APM webtop using an HTML5 client, ensure that the check box, Use Blast Secure Gateway for HTML access, is cleared.
477841 On OS X 10.10 systems, Safari 8 does not use Network Access proxy settings that are applied to the system. A user can launch Network Access proxies on other browsers, excluding Safari 8.
483113 On OS X 10.10 systems, when a user displays a list of servers, white squares appear next to each server name in the list. The Remove Server icon that displays to the right of each server name also displays a white background.
483107 On OS X 10.10 systems, the BIG-IP Edge Client icon is highlighted if the user taps the icon. The highlight does not disappear until the user exits BIG-IP Edge Client.
477843 On OS X 10.10 systems, BIG-IP Edge Client displays the throughput as black text on the black menu bar. A user finds it difficult to read the text.
479242 On OS X 10.10 systems, Network Access does not work with modes such as Split Tunneling or Force all traffic. After a connection is established, the connection routes are not set to a MAC address route table.
480595 On OS X 10.10 systems, when a user taps Calendar > New Event, the New Event page displays an empty page.
480592 On OS X 10.10 systems, the Send button on the New Message menu does not work.
495235 To use the Reuse Windows Logon Credentials option, you must include an uncustomized Logon Page action in the access policy. Other logon page actions do not support the Reuse Windows Logon Credentials option. If you add fields to the Logon Page action or if you remove F5-provided JavaScript from it, Windows logon credentials are not reused and the BIG-IP Edge Client prompts for credentials. This is expected behavior.
505010 Patch management checker checks for "Apple software update" on Mac which requires admin privilege to check the number of missing patches. Even when the user is logged in as admin, this check does not pass because BIG-IP Edge Client does not support privilege escalation for endpoint inspections currently.

Network access

ID number Description
342035 A SIP client cannot communicate with a SIP server when connecting over a network access tunnel. Workaround: SIP protocol uses fixed UDP ports, and communication fails because Network Access tunnel translates the source port of the connection. Configure a layered virtual server using the SIP UDP port and set the Source Port option to Preserve Strict.
351360 Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol. Workaround: To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles.
356419 On Linux, PPP routes might be lost if network access is configured with the allow local subnet option enabled. This behavior is rare. Workaround: To work around the problem, disconnect from the server using the "f5fpc -o" command and then reconnect to the server.
356766 Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot.
364061 On a Linux client, the network access Show log file link does not display the log file unless gedit is installed. Workaround: To work around this problem, install gedit on the Linux client.
373889 You can configure a network access tunnel to update a session (that is, to extend expiration time) based on a traffic threshold and a window of time. Traffic measurements are taken every 5 seconds, but they are not divided by 5 before being used in the calculation. As a result, instead of bytes per second, bytes per 5 seconds is calculated, which is incorrect. Workaround: To work around this, select the network access resource you want to update, then select Network Settings and Advanced from General Settings. Proceed as follows: 1) Set Session Update Threshold to 5 times the desired bytes/second rate 2) Set Session Update Window to 2 or higher Note: The session life management might not be exact.
383607 After a network access client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4 to 7 minutes.
398339 When you use the Fedora OS with SELinux enabled and use the Firefox web browser to connect to APM for network access, you might get SELinux blocking notifications. Workaround: A. Execute the following commands in a terminal as the root user (not sudo): 1. "setsebool -P mozilla_plugin_enable_homedirs on" 2. "setsebool -P unconfined_mozilla_plugin_transition 0" B. Restart Firefox and try connecting to the APM server again.
403082 Network Access cannot perform routing table clean-up if the user closes browser windows without logging out from the webtop, or closes the browser window without waiting for the logout process to complete.
416412 A network access webtop does not show warning windows about session expiration. A full webtop does not show warnings intermittently.
423161 When a network access session and an APM session are closed simultaneously, one of these logs is written: apm logs: "VPN Cleanup: failed to release IPv4 ERR_ARG" tmm logs: "address <p> in leasepool <lease pool> is unassigned - can't release" This happens when a network access resource and a network access webtop are assigned using the Advanced Resource Assign action, and the network access session is closed.
425245 If TM.TcpSegmentationOffload is enabled, larger TCP segment sizes are seen and, for the network access use case, ICMP "fragmentation needed" messages are seen; this increases the response time for network access traffic, mostly non-HTTP traffic. Workaround: Disable TcpSegmentationOffload: /usr/libexec/bigpipe db TM.TcpSegmentationOffload disable
433535 DTLS renegotiation stops after one try.
435542 In some cases re-installation of the VPN driver on Windows 8.1 requires a system reboot. Without reboot the user can be presented with this error: "The modem (or other connecting device) is already in use or is not configured properly."
438056 The APM network access client for Windows systems can fail to establish a VPN connection if the client SSL profile is configured with the options no-tls or sslv3 and the BIG-IP system selects an AES cipher. Windows Schannel API does not consider AES as a valid cipher for an SSLv3-only connection and can reject the connection to the BIG-IP system. Workaround: If you restrict client SSL to SSLv3-only you might need to exclude AES ciphers (defined in RFC3268) by adding ':!AES' to the 'ciphers' option in the client-ssl profile to work around compatibility issues with Windows clients: for example ltm profile client-ssl clientssl_ssl3_only { ... ciphers SSLv3:!AES ... }
469852 Users lose connectivity to resources through VPN when forwarding virtual servers are disabled. Workaround: The Network Access connectivity works if all the forwarding virtual servers are enabled or deleted completely.

Admin issues

ID number Description
224145 The visual policy editor can, on rare occasions, return a non-specific failure when attempting to create new items. Workaround: The failure is transient; the request invariably succeeds on retry.
359639 Some long captions for resources can be longer than the bounding box in Firefox 7. This problem does not affect the workflow.
360141 Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin GUI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration.
360734 When previewing pages, the Preview pane does not automatically refresh when the language is switched. Workaround: Click on an item in the Preview tree pane to cause the page to refresh in the new language.
360742 When the logon page is customized in visual policy editor in multiple languages, the images appear broken. Workaround: To work around the problem, customize the logon page using localization customization. (Refer to Access Policy > Customization.)
362200 When customizing messages, you cannot use special characters, such as ', ", &, <
362351 Branch names cannot start with the word fallback in the visual policy editor.
363188 Using a space in an alias for a virtual server can cause unexpected results when you use tmsh to add or update a connectivity profile. No spaces are allowed in aliases for virtual server.
384479 When you configure a virtual server for Oracle Access Manager integration (by selecting the OAM Support option), the option to select a specific AccessGate does not apply to OAM 10g environments.
398361 Not all configuration objects validate and reject an object name that contains the space character. As a best practice, when you create a configuration object do not include a space in the object name.
403659 When configuring a BIG-IP system as a SAML Identity Provider, the displayed range of possible values in seconds for the assertion validity timeout is incorrect. The correct range is 1 - 86400 seconds.
403722 If you initiate an access policy sync from the Standby node, an admin must resolve any conflicts on the Active partner. Ideally, an access policy created on the Standby node would be synced to the Active node automatically without admin intervention. Workaround: To work around this problem, avoid syncing an access policy from a Standby node. Otherwise, you must resolve conflicts, if any, on the Active node.
404765 If you export an access policy with a SAML SP connector that uses a certificate, the certificate name (including partition) is not formatted correctly. This prevents import from working. Workaround: To work around the problem, create the SP connector and import the associated certificate on the target system.
404936 Files named core.xxxx, where xxxx is a number, are created in advanced customization directories during the build process when the customization build cores because of invalid characters in the default customization file. These core files are listed in the user interface.
405352 If you enter a bad FQDN for domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN. Workaround: To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: bigstart restart nlad. Note: To avoid future problems due to misconfigurations, you can configure your DNS server to return a negative response.
414411 When you use visual policy editor from the Chrome browser, images do not preload and as a result, the navigation bar flickers. Workaround: Use Firefox or Internet Explorer.
419748 After a hosted content file is referenced by a portal access resource, the file cannot be deleted, even if the link-type of the resource is not "hosted-content". Workaround: Use tmsh to clear the sandbox file reference in the resource. Example: tmsh modify apm resource portal-access <NAME> sandbox-file none Now the sandbox file can be deleted.
419754 When using a local user database instance for authentication on APM, if a user that is flagged to change password leaves the password field empty, the user is prompted again to change password. Whether the user types a new password or leaves the password field empty again, the user is prompted again to change password. Workaround: APM handles a subsequently entered non-empty password correctly.
419836 When you switch from editing one file to editing another file in advanced customization without saving the first file, changes to the first file are lost. Workaround: Users need to modify the file again after the change is lost.
419996 When you import users to a local user database, any first or last name with a space in it is truncated to the first space.
420506 When using the Local Database agent with a "write" action, the list of properties available includes "groups"; however, this property is a read-only property and any attempt to write to it fails.
435514 If you export an access profile in which you selected Secure Web Gateway log settings, the selections are lost.
437743 An access profile configuration that uses an SSL Certificate fails to import. This happens because of a change in the method to import SSL certificates. Workaround: You can either exclude the above-mentioned objects prior to export and then recreate them after the import or (not recommended) edit the config manually and import the SSL certificate prior to import.
440177 If you type or cut and paste an image file name into the General Customization interface, the file name does not fit the expected naming convention. After you save the file and reopen it, errors occur if you click Restore Default. Always use the image selector to change image files.
451982 In some cases the GUI will show that an Access Policy Sync Operation has failed with the specific error "The folder /Common/POLICYSYNC_ap1 cannot be deleted because it is not empty."
458241 The last system authentication profile cannot be deleted even if it is not active. Workaround: If an Admin wants to delete the associated profile they must first complete the following two steps: 1) Ensure that an Auth type other than Remote - APM Based is selected. 2) Run `tmsh delete auth apm-auth all`

Authentication and SSO-related issues

ID number Description
355490 TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. Sometimes when the reply from the TACACS+ server is processed, "Invalid reply error message" is logged on APM. However, this message does not indicate any failure in sending the accounting STOP message to the TACACS+ server. This error message can be ignored because the accounting functionality works.
355981 APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported.
367621 Access Policy Manager does not support IPv6 for communicating with the OCSP responder. Configuring the OCSP URL with an IPv6 address or a hostname that resolves to an IPv6 address will not work. Access Policy Manager uses OpenSSL BIO APIs to connect to the OCSP responder and these calls do not support IPv6.
399696 Selecting an SSO configuration with WEBSSO::select does not work for form-based client-initiated and SAML SSO configurations. Workaround: Use a variable to assign the configuration object name:
set sso_config /Common/SAML-config
WEBSSO::select $sso_config
unset sso_config
400726 When the BIG-IP system acts as a SAML IdP, you cannot create the assertion with multi-valued attributes. When the BIG-IP system acts as a SAML SP and there is a multi-valued attribute inside the assertion, then the BIG-IP system processes only the first value of that multi-valued attribute.
427745 In APM RSA SecurID authentication, when PIN reset is required for RSA and the APM logon page is localized, using o/n (oui/non in French) or si/no (in Spanish) in place of Y/N does not work; it only accepts y or n.
428387 SAML AuthRequest and Assertion generation could fail if the configuration (IdpEntityID, ACS, SAML Attributes, and so on) contains special XML characters, such as [&,<,>,",'].
432102 If the RelayState parameter includes HTML and XHTML special characters, then BIG-IP as IdP or BIG-IP as SP does not process them correctly, and does not send complete RelayState value to the Peer.
433242 SAML Single Logout (SLO) does not work when all of the following are true: The BIG-IP system is acting as a SAML Identity Provider (IdP) or SAML Service Provider (SP); The other party configuration has SLO configured; The SP connector or IdP connector on the BIG-IP system is missing a SAML SLO Request URL or SAML SLO response URL. Workaround: To work around the problem, configure both SAML SLO Request URL and SAML SLO Response URL for SP and IdP connectors.
434547 Intermittently, when deleting an AAA OAM server object, the corresponding configuration does not clear from the BIG-IP system at /config/aaa/oam/<partition_name>/ .
435277 When an OAM AccessGate object is deleted from the UI, the corresponding directory on the BIG-IP system (/config/aaa/oam/<partition_name>/<aaa_oam_server_obj_name>/ ) does not get deleted automatically as expected.
435719 When AD Query is configured before AD Auth in an Access Policy, and "password expiration warning" is enabled OR the user password is expired AND the user types the wrong original password, then password change fails. However, the BIG-IP system continues to prompt for new credentials until reaching the "Max Password Reset Attempts Allowed" and all attempts fail because the original password is incorrect.
439452 SAML single log out (SLO) does not work if the NameID value in the SAML Assertion contains spaces. Workaround: If the NameID value includes a space, then URL encode the space to %20. Type %20 in place of space into the Assertion Subject Value field. You configure this field when the BIG-IP system acts as a SAML Identity Provider (IdP) and you are configuring a Local IdP Service and setting Assertion Settings for it.
439680 The BIG-IP system as SP supports only rsa-oaep (as defined here: for key transport. When the BIG-IP system configured as SP receives a SAML assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails. The only issue here is that the error reported does not directly point to the cause of failure which makes troubleshooting more difficult.
440395 If you have an HA pair and try to reset AD cache (group cache or PSO cache), the standby node logs this misleading message: Cannot cleanup cache if other options were changed for AAA AD Server.
440468 When the BIG-IP system is configured as a SAML Service Provider (SP), APD can crash if the IdP connector object that is used specifies a single logout URL. A crash occurs only when the SP receives a SAML assertion that does not include a SessionIndex attribute in the AuthnStatement element. Workaround: To work around the problem: 1. Reconfigure IdP to send Assertion with SessionIndex attribute in AuthnStatement element, or 2. Clear single-logout-url in IdP connector object on the BIG-IP system.
441537 In APM form-based SSO (v1), the dash character '-' should not be URL-encoded for fields such as hidden parameter.
442698 The APD Active Directory module might leak memory if an exception happens.
446187 If a certain BIG-IP service is started and working and another instance of the same service is started manually, the original one spins in a loop, consumes around 100% CPU and, becomes nonfunctional. These services are affected: apd, websso, eam, acctd, aced, rba.
451409 When performing Access Policy sync with SAML resources we receive an error that the saml_sp_connector object cannot be found on the receiving device. Feb 27 13:30:40 cooper-apm-11-4-1-2 err mcpd[6222]: 01070734:3: Configuration error: Cannot find saml_sp_connector object /Common/SomethingTOSync associated with saml_sso_config object /Common/" Workaround: Create the saml-sp-connector on the second BIG-IP system and then perform the sync. Sync will complete successfully for the other objects. Here are tmsh commands for creating a SAML SP connector: apm sso saml-sp-connector SomethingTOSync { assertion-consumer-uri http://SomethingToSync entity-id } (It appears that when creating a new object, the order is not correct and the saml-sp-connector does not get created before the resource object.)
452010 RADIUS Authentication fails when the logon name contains non-ASCII characters. The problem is caused by a failure in conversion from UTF-8 to Windows-1252.
452022 System authentication using APM methods will not work if the user name and password contain Unicode characters (e.g., Chinese characters) or the symbols &, :, <, and '.
461189 An assertion generated by the BIG-IP system may contain hex-encoded attributes under certain conditions. Workaround: On the SP side, values could be treated as hex.
463230 If a child process is killed or cored or dies, the parent process does not restart it and the service stops serving SecurID authentication.
473488 Access policy daemon (apd) consumes about 100% CPU and puts a heavy load on the network sometimes when resolving nested groups in AD Query. The AD Group Cache updates in a loop.
475049 The NTLM authentication feature requires at least one Domain Controller to be specified in the list. This is by design: NTLM authentication can cause unwanted load on the server because authentication is performed on a per-connection basis, so the administrator needs to specify particular server(s). No DC autodiscovery mechanism is implemented for this, by design. Leaving this list empty causes unexpected behavior in which authentication is not performed and is considered a success. This Domain Controller configuration is different from the Domain Controller for the NTLM machine account. In that case, the BIG-IP system automatically discovers one of the available DCs using the DNS method, or the administrator can specify one. We are asking the administrator to specify this DC configuration.
475977 The BIG-IP system supports exclusive canonicalization only, which is recommended in the SAML 2.0 specification. As a result, signed messages canonicalized with other algorithms are rejected by the BIG-IP system. The supported algorithm is documented at
485387 An encrypted assertion from an external IdP can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element. BIG-IP as SP does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: - Cannot decrypt SAML Assertion - failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found.

Secure Web Gateway issues

ID number Description
504852 The documentation provides incorrect instructions for updating URL blocking messages. To customize messages for display after a per-request policy terminates at a reject ending, you must customize the logout messages for the access profile. 1. Select Access Policy > Customization > General. 2. From the left pane, select the Text tab. 3. Expand Access Profiles. 4. Find the access profile and expand it. 5. Expand Logout and click General. 6. In the right pane, customize the messages. 7. When you are done, click the Save icon in the toolbar. 8. Click the Apply Access Policy link at the top of the page. 9. Verify that the updated access profile is selected from the list and click the Apply Access Policy button.
431077 You cannot use tmsh to change the logging level for Secure Web Gateway content analytics.
436138 If you use Kerberos authentication with the Request Based Auth option set to Enabled and you use Secure Web Gateway explicit forward proxy, access to web sites fails. Workaround: Set the Request Based Auth option to Disabled.
436224 Secure Web Gateway transparent proxy configuration fails to authenticate user when using Kerberos with Request Based Authentication option enabled. Workaround: Set Request Based Authentication option to "disable".
451849 This information is missing from BIG-IP Access Policy Manager: Secure Web Gateway Implementations. For safe search filtering to work correctly, the URL of a supported search engine site cannot be added to a custom category. The search engine's domain must remain categorized in the Search Engines and Portals category.
455284 The ant server listens on port 54321 on all interfaces. iptables rules were added to protect the ant server from security vulnerabilities. However, these rules block traffic for port 54321 even in deployments without Secure Web Gateway, where the ant server is not running. To work around this, add the following iptables commands to /config/startup:
/sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
479287 When using an HTTP 407 Response or HTTP 401 Response agent in an access policy for SWG-Explicit or SWG-Transparent profile type, respectively, without additional configuration, Kerberos authentication attempts always fail. The session variable,, seems to be set to the actual website to which the client is trying to connect instead of to the proxy URL (virtual server proxy domain name). This results in GSS-API errors when getting credential information for Kerberos authentication. The access policy (with access profile type SWG+Explicit or SWG+Transparent) includes HTTP 407 Response (for SWG+Explicit) or HTTP 401 Response (for SWG+Transparent) and Kerberos Auth actions and an Allow ending. (For APM versions earlier than 11.6.0, the access policy would include an SWG Scheme action before the ending.) Users cannot authenticate to the SWG-Explicit or the SWG-Transparent proxy if attempting to use Kerberos authentication. To work around the problem, add a Variable Assign agent to the access policy after the HTTP 407 Response (or HTTP 401 Response) action. Add a Variable Assign entry as follows. Type this custom variable in the left pane: and, in the right pane, select Text and type the appropriate domain name.

Other issues

ID number Description
294032 When you access an older version of APM software using the Windows system client and a pre-logon antivirus check is configured, the OPSWAT AV control gets loaded into your browser. The control does not unload successfully and, as a result, the antivirus check fails. You cannot log on until the control is unloaded. Workaround: Reboot the client system.
371015 On chassis platforms, in some scenarios, more than one value is displayed under the 'Local Time' column in the 'All Sessions' report.
382390 OCSP authentication support for the Machine Cert agent does not work.
383464 In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian.
383511 The Device EPSEC Status screen should reflect the recent status of all devices in the device group. When a request to see the device status of a device group is made, the Changes pending link displays. After sync, the link should disappear and the status should be displayed. Workaround: Perform "Sync from group" by clicking the Changes pending link and navigate to the Device EPSEC Status screen. The status displays.
415262 If you use tmsh to create a connectivity profile and set another connectivity profile as the parent, the profile that you create does not inherit this information: Win/Mac Edge client, Server List, Location DNS list, All Mobile client settings.
424704 Profile Access is a prefix for the names of Access Profile, Access Policy Actions, and Access Policy Agents. If you copy an access profile and Profile Access is very long, there is a possibility that the copy might result in an invalid configuration. Workaround: If such a configuration exists, it is necessary to manually edit bigip.conf with the following steps: 0. Back up bigip.conf. 1. Determine which actions share the same agent. 2. Duplicate the agent with a different name. 3. Change one action to use the agent created in step 2. 4. Save the edited bigip.conf. 5. Reload the configuration.
431149 In scenarios where there are multiple slots on a chassis in an HA pair (in both vCMP and chassis only mode), the error "Access Policy configuration has changed on gateway" might be displayed when a user connects to a virtual server.
436196 Searches on event logs for Secure Web Gateway time out when the number of records is close to the maximum, 1 million, that can be stored. Workaround: Simple custom search works fine.
440203 When you use an iApp to create an APM service, after the access policy and related objects are created, the notification Apply Access Policy on the GUI might still be enabled. This happens even though the generation number in the corresponding access profile has been increased by 1. To disable this notification, you can click the Apply Access Policy link. Workaround: Click the "Apply Access Policy" to turn off this notification. Another workaround is to modify the iApp script by putting the command "tmsh modify apm profile access <NAME> generation-action increment" into a different transaction. This can be done by creating a shell script from the iApp script. The shell script consists of two lines: sleep <SAY 5 SECONDS> tmsh modify apm profile access <NAME> generation-action increment Then in the iApp script execute this shell script in the background.
441482 Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms. This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.) Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.' Workaround: You may provision APM plus SWG only on platforms with 8 GB of memory or more. To use APM and SWG together on platforms with exactly 8 GB of memory, LTM provisioning must be set to None. (To do so, uncheck the box next to Local Traffic (LTM) on the Resources Provisioning screen, if applicable.) To fully support the LTM-APM-SWG combination, reserve at least 12 GB of memory for VE instances, or at least 16 GB for vCMP guests on BIG-IP or VIPRION platforms.
452059 When the storage partition for MySQL is full and the system is under a heavy load, logd can go into a busy wait looping state. Workaround: To work around the problem, clean up the disk partition of MySQL.
452321 APM does not support more than one traffic group with different HA order. Here is an example configuration: cm traffic-group /Common/traffic-group-1 { ha-order { /Common/ } unit-id 1 } cm traffic-group /Common/traffic-group-2 { ha-order { /Common/ } unit-id 2 } This configuration causes the creation of an Active/Active HA pair and APM does not support this configuration.
457773 The wrong datatype is used to represent the apmAccessStatCurrentActiveSessions OID.
464693 The following schema changes were made in 11.6: Removed all attributes for swg-scheme except name, and description; Removed all attributes for Endpoint-window-group-policy agent because it is no longer supported; Removed the fetch-nested-groups attribute for the AAA LDAP agent.
472256 When running the command "tmctl profile_access_stat", the values displayed for sessions_eval_cur, sessions_active_cur, and/or sessions_estab_cur may be unusually high.

name           vs_name           sessions_tot estab_sessions_tot
-------------- ----------------- ------------ ------------------
/Common/MyVirt /Common/MyVirt_vs 1            2
/Common/access _listener         0            0
_tmm_apm_acl   _listener         0            0
access         _listener         0            0

sessions_active_cur  sessions_eval_cur    sessions_estab_cur sessions_logout
-------------------- -------------------- ------------------ ---------------
18446744073709551615 18446744073709551615 0                  2
0                    0                    0                  0
0                    0                    0                  0
0                    0                    0                  0

sessions_admin_term sessions_misc_term acc_policy_allow acc_policy_deny
------------------- ------------------ ---------------- ---------------
0                   0                  2                0
0                   0                  0                0
0                   0                  0                0
0                   0                  0                0

acc_policy_redir acc_policy_redir_session allowed_requests denied_requests
---------------- ------------------------ ---------------- ---------------
0                0                        7                0
0                0                        0                0
0                0                        0                0
0                0                        0                0

Same issue also happens when showing profile access stat in tmsh:

root@(c2400-vcmp5mgmt)(cfg-sync Standalone)(/S3-green-P:Active)(/Common)(tmos)# show apm profile access MyVirt
----------------------------------------------------------
ACCESS Profile: MyVirt
----------------------------------------------------------
User Session Statistics:
----------------------------------------------------------
total sessions: 1
total established sessions: 2
current active sessions: 18446744073709551616.0E
current pending sessions: 18446744073709551616.0E
current established sessions: 0
sessions terminated due to user logged out: 2
sessions terminated due to admin termination: 0
sessions terminated due to timeout or errors: 0
sessions resulted into allow ending: 2
sessions resulted into deny ending: 0
sessions resulted into redirect ending: 0
sessions resulted into redirect ending with session: 0
requests allowed by ACL: 7
requests denied by ACL: 0
657732 After you generate log message reports in APM and export them to CSV files, the CSV files contain only the parameters for the log messages. To rebuild the actual log messages from the CSV file requires log templates and they are not available. This occurs when exporting to CSV by navigating to Access Policy :: Reports: View Reports : General Reports: System Messages : Run Report (right-click) : displaying log messages : Export to CSV File. CSV log files are hard to interpret without the log templates and the templates are not available. (Beginning in version 12.0.0, log messages in CSV reports generated and downloaded from the APM UI include complete log messages.)

Windows 7 Support Known issues

ID number Description
436201 Internet Explorer 11 ignores the X-UA-Compatible tag when Internet Explorer 11 specifies it after a script tag in the HTML head.
435566 Internet Explorer 11 always prompts to save credentials on the APM logon page.
437652 Internet Explorer 11 generates a security exception with a document.write() call in HTTPS.
4431337 Internet Explorer outputs a JavaScript error when you click the LinkedIn button.
440785 When using Internet Explorer 11 with enabled EPM on Windows 7 (64 bit), the APM full webtop is empty.
432668 On Windows 7, Protected Workspace does not exit after the user logs out from BIG-IP APM.
437485 When you log into SharePoint 2013, go to Recent > Announcements > New Announcements, and click the Calendar icon that is located opposite of the Expires field, the Calendar does not show up.

Windows 8.1 Support Known issues

ID number Description
386472 Rewritten SharePoint uses HTTP instead of DAV when the user opens a file through a direct link or the context menu.
417139 Modifying Session state through iRules may cause issues over Gx. To work around this issue, do not modify the session state if session is active.
431083 When you download and install an old VPN driver, and then select Update Driver Software, the VPN driver does not update.
439280 If client components without BZ430965 fixed are installed and then uninstalled on Windows 8.1, the F5 Networks VPN Adapter will be uninstalled only partially. A subsequent attempt to install the VPN Adapter driver on such a client machine may lead to a BSOD. To work around this issue, you must uninstall the VPN Adapter driver completely.
  • Open Device Manager.
  • In the main menu select View > Show hidden devices.
  • Expand Network adapters.
  • Right-click on F5 Networks VPN Adapter.
  • In the popup menu, select Uninstall.
  • In the next screen, select Delete the driver software for this device.
441830 If you have an older VPN driver (such as 7050, 2011, 607, 846 10.2.4 HF7), when you try to update components with a browser or package and establish a connection, you will get either an error or a BSOD.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
