Release Notes : BIG-IP APM 12.0.0

Applies To:

Show Versions Show Versions


  • 12.0.0
Release Notes
Original Publication Date: 06/19/2017 Updated Date: 04/18/2019


This release note documents the version 12.0.0 release of BIG-IP Access Policy Manager (APM).


Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 D110
BIG-IP 12250v D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4200, B4200N Blade A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION B4450 Blade A114
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blade in the 4400(J100)/4480(J102) and the 4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Module combination support on the 3900

Note: The GTM+APM module combination is not supported on the 3900 product platform.

Although SOL10288 states that all modules are supported on all platforms as of BIG-IP version 11.4.0, this does not mean that all possible module combinations are allowed on every platform (especially, legacy platforms).

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x
  • Mozilla Firefox v40, or later
  • Google Chrome v44, or later

Compatibility of BIG-IQ products with BIG-IP releases

K14592: Compatibility of BIG-IQ products with BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

APM client browser support

For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 12.0.0 Documentation page.

Evaluation support

If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.

New in 12.0.0

Application Access

Citrix StoreFront support

This release adds support for native StoreFront protocol, enabling end-to-end support for newer Citrix Receiver clients.

VMware Horizon View 6 support

This release adds support for VMware Horizon View 6 applications and Remote Desktop Session Host (RDSH)-based desktops and applications.

Smartcard support for VMware Horizon View

This release adds smartcard authentication support for VMware Horizon View 5.x and 6.x. Smart cards provide secure login with enhanced two-factor authentication, by verifying both what the person has (the smart card) and what the person knows (the PIN).

Authentication and Single Sign-On

SAML enhanced client or proxy profile (ECP) support

This release provides support for SSO (using SAML) for client-based apps (such as Microsoft Outlook apps) to work with Office 365 through support of SAML ECP profiles.

SAML multivalued attribute support

This release provides support for SAML federation for applications (such as Webex) that provide more than one database value (multivalued attributes).

SAML artifact binding support

This release provides support for SAML artifact binding, which secures the transport of SAML messages, while reducing the flow of SAML messages through browsers, addressing browser restrictions on query string or POST payloads. APM extends SSO support for automatically submitted forms that may not support JavaScript.

Additional SAML enhancements

In this release, SAML Identity Provider (IdP) and Service Provider (SP) support additional parameters. For an SP service, additional attributes can be sent with the authentication request. For an IdP service, new options enable support for a broader range of SaaS apps.

Also, a BIG-IP system configured as a SAML IdP can now support dynamic Assertion Consumer Service (ACS) URL and binding with one specific SP connector based on the received index.


Improved diagnostics for BIG-IP Edge Client for Windows

In this release, the client troubleshooting utility is incorporated into the client download for BIG-IP Edge Client for Windows. Users can run a troubleshooting report directly from the Edge Client user interface.

Forward Proxy

Application control

This release introduces F5 proprietary technology for monitoring web applications using forward proxy. It supports visibility, control, and monitoring of user access for a supported set of Internet-based applications that can be updated on a release-by-release basis. Application Filters can be defined and then assigned in a per-request policy to provide granular control on who can use which applications. Application Filtering is available on the Secure Web Gateway menu, but an SWG subscription is not required to use it.

Custom URL categories with flexible pattern matching

In this release, the ability to configure custom URL categories has been added into base APM functionality. Without a pre-defined set of URL categories, users can define their own categories using glob pattern matching capability. Custom URL categories can be used, for example, to whitelist and blacklist web site. URL Categories are available on the Secure Web Gateway menu, but an SWG subscription is not required to use the functionality.

Forward proxy authentication based on custom URL categories for APM and LTM

This release provides support for using forward proxy to enforce authentication and access control based on custom URL categories. Explicit or transparent forward proxy can now be enabled on APM without an SWG subscription.


Logging enhancements

This release brings granular high-speed remote logging capability to the majority of Access Policy Manager (APM) components.

Per-request authorization enhancements

This release introduces new agents for use in per-request policies. Logging can be used to create log messages that incorporate per-flow and session variables. HTTP Headers enables manipulation of HTTP and cookie headers that are being sent to back-end servers. These agents do not require an SWG subscription.

Session scope enhancement for increased security

In this release, Profile Scope, a new setting in the access profile, establishes additional criteria to ensure that a user who has established a session on one virtual server cannot use that same session to access other virtual servers and the resources behind them.

VPN access based on device posture from AirWatch and IBM MaaS360 (Fiberlink) MDM solutions

This release provides support for AirWatch (Hosted) and IBM MaaS360 (Hosted) Mobile Device Management systems for using device posture to control VPN access.

Webtop grouping customization

In this release, administrators can group and prioritize resources to display on the webtop to improve usability for end users.

Supported high availability configuration for Access Policy Manager

Access Policy Manager is supported in an Active/Standby configuration with 2 BIG-IP systems only.
Note: Access Policy Manager is not supported in an Active-Active or an N+M configuration.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Versions later than 10.x do not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0 11.x

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading from earlier versions of APM

When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.

Access Policy Logging

Many changes were made to the logging configuration. See the Upgrade Notes for Logging in these release notes.

Connectivity profiles

When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:

  • Option 1: Upgrade from 10.x.x to 11.4.x, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration utility.
  • Option 2: Upgrade from 10.x.x to 11.x.x, where 11.x.x is earlier than 11.4.x, then continue upgrading to 11.4.x.

Kerberos SSO

Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0 and later. This happens because, starting in 11.4.0 the password is saved in encrypted form, while the password in 11.3.0 is saved as clear text. Re-enter Kerberos SSO password after upgrading from 11.3.0.

Citrix client packages

The 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:

  1. Outside of APM, name or rename a Citrix client package without spaces in the name.
  2. Use the correctly named Citrix client package.
    • To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
    • To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.

Machine accounts for NTLM front-end authentication

APM does not restore NLAD connections when the configuration is restored from a UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.

Advanced customization

If you performed any advanced customization of files, you must upgrade these files manually.

Custom reports

Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.

OAM configuration

When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.

Access policies that use session variables

If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after upgrade. This example shows the difference in the value of a session variable between these versions.

  • Version 10.x -
  • Version 11.x -

The partition, /Common, is added to the version 11.x object name.

Upgrade notes for access policy logging

Access Policy Manager now supports remote high-speed logging. Although local logging continues to be supported, a pool of remote high-speed logging servers is recommended.

Important: The BIG-IP system is not a logging server and has limited capacity for storing, archiving, and analyzing logs. For this reason a dedicated logging server is recommended.

In this release, most access policy log settings are no longer set at a system-wide level and applied to all sessions. To put logging into effect, log settings are specified for the individual access profiles. The exceptions are:

  • Portal access traffic log settings remain at the system-wide level.
  • Virtual desktop connections (VDI) log settings have been added at the system-wide level.
  • URL database logging is configured in the default-log-setting for system-wide use. (A URL database is only present on a BIG-IP system with an SWG subscription.)

The upgrade to APM 12.0 configures local logging at the access profile level so that logging continues to occur directly after the upgrade. You can make adjustments easily and set up remote high-speed logging later.

Deprecation of database variables for access policy logging

Previously, database variables controlled APM log levels system-wide. The log.access.db and log.access.syslog db variables still exist but are deprecated; they no longer have any effect on logging. Additionally, any iRule that uses the value of such a db variable will not work as it did in an earlier release. The upgrade creates a new default logging configuration and uses the values of the deprecated db variables in it.

Default log publisher and log destinations

The upgrade creates a log publisher, sys-db-access-publisher. The log destinations specified for the sys-db-access-publisher log publisher depend on the values of database variables.

If the log.access.db database variable enabled logging to the local database before the upgrade, the upgrade adds a local database logging destination, local-db, to the system-created log publisher, sys-db-access-publisher. Similarly, if the access.syslog database variable enabled local logging, the upgrade adds a local syslog logging destination, local-syslog, to the sys-db-access-publisher log publisher.

Default log settings

Access Policy Manager event log settings establish a minimum log level for an access policy, per-request policy, Secure Web Gateway (SWG) URL filtering activities, and so on. The upgrade creates the default-log-setting. In it, access system logging is enabled, the sys-db-access-publisher log publisher is specified, and the log levels that were specified for each object prior to the upgrade are retained.

The upgrade adds the default-log-setting to every access profile.

Upgrade result and post-upgrade configuration

Immediately after upgrade if you do no further configuration, the local logging (to the database or syslog) that was configured previously remains configured for access policy events. Additionally, any time an access profile is created, the default-log-setting is attached to it. You can remove it, replace it, or add other log settings to the access profile. For flexibility and redundancy, up to three log settings that specify access policy logging can be added to an access profile.

Note: To take advantage of remote high-speed logging, you must configure remote high-speed logging destinations, along with a pool of logging servers.

For instructions, see any of these documents:

  • BIG-IP Access Policy Manager: Application Access
  • BIG-IP Access Policy Manager: Authentication and Single-Sign On
  • BIG-IP Access Policy Manager: Edge Client and Application Configuration
  • BIG-IP Access Policy Manager: Implementations
  • BIG-IP Access Policy Manager: Network Access
  • BIG-IP Access Policy Manager: Portal Access
  • BIG-IP Access Policy Manager: Secure Web Gateway Implementations
  • BIG-IP Access Policy Manager: Third-Party Integration Implementations

Disposition of log messages from the previous release

When APM is upgraded to release 12.0, none of the log messages stored in the local database are carried over. The new database structure does not support the old log message format.

Upgrade notes for Secure Web Gateway logging

The existing event log settings for Secure Web Gateway (SWG) URL request logging are unchanged. SWG log messages, from which event log reports are generated are discarded. Data for the charts that display in the Overview is retained.

User interface changes for logging configuration

Access Policy Manager log-related settings were moved from the System > Logs > Configuration > Options screen, to log settings in the Access Policy > Event Logs > Log Settings screen. A Logs tab has been added to access profile configuration as well. APM reports now can be run from the Access Policy > Event Logs > Access System screen.

Fixes in 12.0.0

ID number Description
238350 A new Network Access setting, Use Local Proxy Settings, is introduced. When it is enabled, after the client establishes a network access connection, proxy settings configured on the client continue to be used.
238527 Important information about a session is now logged to the apm log file as well as error messages, such as: Apr 14 19:05:23 bigip8910mgmt err acctd: 01490000:3: RadiusAcct.cpp func: "logRadiusError()" line: 1297 msg: radius accounting stop for 'aa' failed in sendto(): Operation not permitted (1) Apr 14 19:05:23 bigip8910mgmt err acctd: 01490000:3: RadiusAcct.cpp func: "logRadiusError()" line: 1318 msg: accounting message details: [username:aa][acct-session-id:e01c0b14][acct-status-type:2][acct-terminate-cause:1][acct-session-time:41][acct-input-octets:1782][acct-output-octets:7621][framed-ip-address:][tunnel-client-endpoint:]
340406 BIG-IP Edge Client for Mac is now completely localized.
382390 The OCSP Responder option has been removed from the Machine Cert Auth agent. Instead, the Machine Cert Auth agent registers two session variables to be used in the OCSP Auth agent: 1. session.check_machinecert.last.cert.cert and 2. session.check_machinecert.last.cert.issuer.cert. If you require OCSP validation for a machine certificate, then you should configure an access policy as follows. First, add the Machine Cert Auth agent to the access policy and, in its properties, enable the Save Certificate in a session variable option. Then, add the OCSP Auth agent on the Successful or Found branch after the Machine Cert Auth agent. In the OCSP Auth agent properties, set the Certificate Type option to Machine.
393817 When BIG-IP is configured as an IdP and SAML resources are assigned in the access policy, the access policy no longer requires that a webtop be assigned.
389328 The SecurID node secret file monitoring algorithm was updated so that a new node secret file can be detected. Also, aced now authenticates with mcpd so that any node secret file object changes will be accepted by the mcpd.
398657 The active session count graphs no longer becomes significantly large at times due to a counter underflow.
399693 It is now possible to use the -decode option for mcget command of a branch rule to decode a session variable before using it. When you create an agent and add a branch rule, the default value of the rule contains an mcget command to fetch the session variable. By default, the session variable is HEX encoded if it contains non-ASCII characters. You need to modify the command in advanced mode and insert the -decode option for mcget command, for example: expr { [mcget -decode {}] contains "non-ASCII-characters" }
400726 APM now supports multi-valued SAML attributes inside a SAML assertion.
402793 APM clients for Linux and Mac modified to perform better during secure re-negotiation.
403660 Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for Retina displays.
403991 BIG-IP Edge Client for Mac now supports Proxy.pac file size of up to 1 MB; previously, the limit was 32KB.
405309 Now, RADIUS Auth agent always sends the client IP address with a very first access-request packet using attribute client-tunnel-endpoint (66).
405769 A new configuration db variable, Tmm.Access.LogoutUrlRefererHeaderCheck was added to perform a Referer header check on all requests to APM logout page. The new db variable is disabled by default. Enabling this variable will cause a Referer header check to be performed for all requests that attempt to terminate an APM session. Use caution when enabling this db variable because it may affect logout functionality in some cases. Specifically, any custom iRules used to redirect users to logout URLs may not function properly. In addition, SAML single logout (although terminating a user's session) may reset the browser connection under certain conditions when the db variable is enabled.
407350 Client side checks, such as antivirus, firewall, file, process, and so on, will be skipped for Microsoft Windows Phone 8.
408851 Fixed bug that resulted in incorrect loading of Java applets (Java applications).
413590 ICA parameters can now be overridden on a per application basis. This is achieved by adding a named application section (such as [Notepad]) with parameters to override in the Custom Parameters of Citrix Remote Desktop resource on APM.
416115 Now BIG-IP Edge Client resolves the host name during reconnection and initiates full reconnection after an IP address change is detected.
418850 If used, the AD Auth agent no longer needs to be the last authentication agent in an access policy for VMware View. Now username, password, and domain from AD Auth are preserved and passed to the backend.
421901 You can specify showrestorebutton:i:0 in Custom Parameters for a remote desktop of the RDP type. The Restore down button will no longer display.
423282 The issue has been fixed by adding necessary JavaScript includes into every conditional branch.
425142 Responses sent from the renderer will now contain the Server header value as it is configured in the server-agent-name in the http profile. If an empty server-agent-name is configured in the http profile then the Server header would be deleted in the responses sent from the renderer. If the server-agent-name is not configured, the default value, BigIP, would be used as Server header value.
425377 BIG-IP Edge Client now correctly detects captive portal if requests go through tunnel and then through BIG-IP-defined proxy server.
426623 Improved PAC file download mechanisms.
428387 The BIG-IP system, when configured as an Identity Provider (IdP), can now successfully create SAML assertions even when the BIG-IP configuration contains special XML characters.
431149 The issue is fixed by having the primary blade of the chassis/vCMP to recreate config snapshots if a secondary blade transitions from online to offline and vice versa.
431467 The nslookup, host and dig utilities are now able to use DNS server and DNS search suffixes set by SSL-VPN.
431810 Processing is now provided for exceptions that could occur when using a Kerberos Auth agent in a multi-domain SSO configuration.
431980 Aggregation of data when traffic is very sparse with significant gaps is now done correctly, and also occurs when data is queried, instead of every 5 minutes in order to avoid a 5 minute CPU spiking issue.
432102 When the BIG-IP system is configured as a SAML Identity Provider (IdP) or Service Provider (SP), it now URL encodes (or decodes, as applicable) the RelayState parameter.
432423 Support for generating a license usage alert when a threshold is crossed has been added.
432900 Releases with this fix will load the configuration properly. There is no need for users to first create the /shared/apm directory.
433752 Now non-rewritten text is returned for event handlers. This allows a web application to edit these handlers.
433847 Crashes because of an uninitialized field in the CRLDP or OCSP module no longer occur.
433972 Portal Access now correctly displays a New Event window for Microsoft SharePoint 2013 from Internet Explorer 11.
435779 The BIG-IP system, when configured as a SAML Service Provider (SP), now supports numerical values as part of EntityId. Metadata export still works, but the resulting XML must be edited to replace the number with a proper URL for the Assertion Consumer Service URL. You must edit the XML before exporting it to other Identity Providers (IdPs).
436180 Security issue has been resolved.
436201 JavaScript now correctly handles the X-UA-Compatible meta tag from clients using Microsoft Internet Explorer 11.
436489 The BIG-IP system SAML Service Provider (SP) service now supports and processes session variables as part of the RelayState parameter.
437014 Now the NAS Identifier can contain session variables such as %{}. The session variable is replaced with its value before sending a RADIUS Auth or RADIUS Acct request to a backend server.
437670 Addressed race condition in APM client on modifying DNS search suffix on Windows-based systems.
437743 You can import an access profile that includes an SSL certificate object in its configuration objects.
437744 SAML metadata elements are exported in correct order.
438572 Now APM supports Email discovery for Citrix Receiver when configured as StoreFront proxy.
438730 Fixed BSOD caused by DNS relay filtering driver in very specific condition on Microsoft Windows XP SP3.
439330 The getAttribute() call returns unmodified source code for any event handler.
439518 A user can now sync the changes to all location-specific objects, such as, optimized-app in network-access, or pool item in pool, after setting the Use Source Configuration on Target option to YES in the policy sync dialog box.
439880 Now, when you create a Machine Account in APM, APM performs a domain join, retrieves the NetBIOS domain name from the Active Directory server, stores it in the configuration, and uses it for NTLM authentication. To use the new behavior, delete the existing machine account and recreate it. Otherwise, the machine account continues to obtain the NetBIOS name the way it did before version 12.0.0.
440380 Now Citrix Receiver for iOS can connect through APM when the ICA file generated by the backend is missing the following properties: DoNotUseDefaultCSL=On, HTTPBrowserAddress=!, LocHttpBrowserAddress=!.
440505 Default port is now removed from Location header (if present).
440615 Now APM supports two-factor authentication for Citrix Receiver 4.x for Windows clients when configured as StoreFront proxy.
441355 Improved VMware View native client error reporting and prompting for the new password.
441659 Fixed User-mode installer service: it does not require admin rights for limited users anymore.
441913 Internal memory management was refactored to all webtops to handle more resources.
442698 APD is now more robust and handles exceptions in AD module properly.
446425 BIG-IP Edge Client for Mac now applies DNS server settings correctly.
447302 APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.
450033 VMware View client 2.3 for Windows can consistently launch desktops using APM.
450940 The default value for Max In Progress Sessions was previously set to 0. It now defaults to 128.
451301 Now HTTP iRules do not affect Citrix HTML5 functionality.
452010 Now it is possible to configure charset decoding behavior. You can decode usernames and passwords into CP-1252 (original behavior) or use UTF-8 charset (in this case, RADIUS Auth sends the username and password unmodified).
452416 The system now uses the correct system object to track current primary slot, which ensures that counters in leasepool_stat that have global context (that is, cur_member, cur_assigned, cur_free, max_assigned) are synced to all blades.
452464 If multiple messages arrive from BIG-IP Edge Client in one payload, the system processes them correctly.
452527 Fixed issue that caused Machine Cert Checker service to always work in "Match Subject CN to FQDN" mode.
454493 VMware View applications are available on APM webtop now.
455284 Firewall rules no longer incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321.
456403 Now APM supports native Citrix StoreFront protocol when APM is configured in proxy mode with Citrix StoreFront. To enable this protocol with existing configurations, please recreate accounts in Citrix Receiver clients.
456911 A certain scenario in GTM deployment was fixed where access to certain corporate resource might be denied despite network access connection.
457760 [OAM] Redirecting stdout/stderr from standard libraries to /var/log/apm. This is now fixed.
458450 ECA can properly handle HTTP cookie header longer than 1023 characters when log level is set to debug.
458928 If an authparam is not found in the local cache, an empty string will be returned to the caller. This is correct behavior.
459322 Prefix match has been replaced with Glob match support, which does not append the backslash (/), so the URL remains intact.
459409 The TCP configuration for HTTP forwarding internal virtual server can now be modified using these TCP profiles: 1. apm-forwarding-client-tcp for client-side connections and 2. apm-forwarding-server-tcp for server-side connections.
460427 Now the TMM leasepool IP information for the primary blade is mirrored on the oldest secondary blade, so the system no longer posts 'IPv4 Addr collision' messages.
461189 BIG-IP as Identity Provider now base64-encodes non-UTF8 attributes, as expected.
461327 The system now logs an error when an asynchronous command runs in ACCESS_SESSION_CLOSED events in iRules. This is correct behavior.
461597 BIG-IP Edge Client for Mac now follows HTTP 302 redirect if the new site has an untrusted self-signed certificate and the user will be able to log in successfully.
462258 Active Directory and LDAP server connection operations time out in 3 minutes, so a thread does not block any other, and service can recover as soon as the connection to the backend is restored.
462506 After upgrade to 12.0, users will not see the old log messages in the local database. This is the expected behavior.
462514 XMLHttpRequest rewriting is improved, so that patched objects behave the same way (or close enough) as original ones on a given browser.
462727 This version allows the iRule, ACCESS::session create, to work even when an access policy is not attached to the virtual server.
463230 Now, aced can restart a child process only. There is no need to exit the main process and restart all the children.
463642 The system now handles receipt of not-empty Anchor.href to Web-Applications for Anchor without href.
463679 APD no longer crashes when it loses connection to aced.
463776 VMware View client does not freeze when APM PC-over-IP (PCoIP) is used and user authentication fails against View Connection Server 5.3.
464547 VMware View client displays a proper message when a user enters invalid credentials.
464638 SAML metadata import no longer affects SSL configuration operations, so that SSL profiles can be created successfully.
464992 BIG-IP Edge Client for Mac now passes Machine Certificate inspection when domain component is included in search criteria.
465012 Fixed an issue where Rewrite plugin could crash when collecting webtrace or debug logs for Portal Access.
466325 Continuous policy checks now do not kill the session if a property that was configured to be ignored changes on the client side.
466454 Users can connect to HTML5 View Desktop when the View Connection Server returns the DNS name instead of the IP address for the desktop.
466579 The AD module now provides an error message to help administrator to investigate the issue: Oct 10 14:07:55 bigip8910mgmt debug apmd[23429]: 0149017c:7: 70a5a23e: AD module: Domain Controller is not specified for domain 'ENIGMA.LAB.FP.F5NET.COM', KDCs will be discovered using DNS Oct 10 14:08:05 bigip8910mgmt err apmd[23429]: 01490107:3: 70a5a23e: AD module: authentication with 'aa' failed: Failed to resolve KDCs by domain name (-1) Oct 10 14:08:05 bigip8910mgmt debug apmd[23429]: 01490111:7: 70a5a23e: AD module: locateKDC(): Failed to resolve KDCs by domain name (-1)
466617 Now, routes for Exclude Address Space are correctly removed when the Network Access connection is terminated if the client is switched to another network.
466745 In this release, an extra parameter, made up of two dashes (--), was added. When -- is inserted before a value, the value can start with a hyphen; for example, "ACCESS::session set data var_name -- -value".
466797 Now BIG-IP Edge Client shows warning about session expiration when maximum session timeout is reached.
466877 Issue with signature validation is fixed.
467059 Show appropriate error message in Admin UI.
467597 InspectionHost plugin will now be installed to the "current user" profile (as opposed to all users) and therefore will no longer prompt for administrative password.
467849 Split tunnel is improved when connecting to FirePass with an APM build of the BIG-IP Edge Client.
467981 Now DNS Relay proxy service uses both DNS servers.
468137 Now Network Access components print session ID in four messages: Starting pending session ID: %sessionid, Session %sessionid established, Session %sessionid closed: Status, and Failed to open session %sessionid.
468478 Now, when the 32 KB cookie storage limit is reached, the oldest application cookie is discarded, allowing the application to continue processing new data.
468584 The aced daemon now has several fixes to avoid memory/FDs leaks. It also restarts child processes gracefully if any failure occurs.
469100 JavaScript index expressions with list of values are now correctly rewritten by Portal Access.
469335 Validation is improved to ensure that a custom URL category includes at least one URL.
469824 Edge Client for Mac on Mac mini now uses the settings for the Mac Edge Client in the connectivity profile on BIG-IP system.
469960 The system now handles a large number of connection requests for authentication using a throttling mechanism to manage the requests.
469974 The issue is fixed by separating the timed out counter based on session state.
470225 Machine Certificate checker now works correctly in Internet Explorer 11.
470378 Session variable replacement function returned no error even if the session variable was not found in local cache for APMD. So the caller tried to dereference a null pointer and APMD cored. With this fix, if a value is not found in local cache for a session variable, the function returns an empty string.
470414 Portal Access no longer crashes when rewriting some incorrect Adobe Flash files.
470675 Improved security found by internal F5 testing.
471117 If an HTML page contains an iframe with JavaScript code in the src attribute, it is handled correctly in Internet Explorer 11 through Portal Access.
471125 Resolved rare condition that caused BIG-IP Edge Client to work improperly when a client uses proxy to connect to the BIG-IP system.
471331 Fixed intermittent resets when access policy execution in progress simultaneously from multiple browser tabs.
471421 Access policy changes are now handled gracefully.
471452 When URLs from multiple browser tabs start an access policy, the landing URL is set to the URL from the browser that finished the access policy execution.
471714 The APM Email agent now generates emails using CRLF at the end of the header and as a separator between the header and the email body, conforming to RFC 5322.
471825 Emails sent by the Email agent now include the Date: header in compliance with RFC 5322.
471874 The VDI plugin does not crash when trying to respond to a client after the client has disconnected.
472062 Calls of form.submit with arguments are now correctly handled by Portal Access.
472099 DisableCaptivePortalDetection registry key now works as expected.
472216 Fixed alignment of connection duration counter for customized BIG-IP Edge Client.
472825 Dashboard no longer displays a dip in active session count when primary blade comes back from a reboot.
473129 Logging to access_log continues after log rotation.
473255 Fixed an issue where Portal Access could incorrectly rewrite a form submit initiated from Javascript.
473344 With the fix, APMD correctly handles the request for Kerberos Request-Based Auth, and posts the proper error message.
473377 Fixed to accept NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
473386 Machine cert check agent matching criteria for FQDN has been improved.
473697 HD Encryption check now provides a way to check encryption status of all drives or system drive only.
473728 Now absolute action path for any form in HTML page is rewritten correctly at submit time.
474058 Fixed issues that caused APD to restart when the BIG-IP system is configured as a SAML Service Provider and BIG-IP receives a signed assertion that contains an empty Reference URI in the Signature element.
474231 Access policy changes are handled gracefully.
474532 Proper validation was added to check correct messages were received on proper URL. Logging was added for failing cases.
474582 A timestamp is now prepended to each log message line in logstatd.log for Policy Sync.
474657 BIG-IP Edge Client no longer stops after authenticating through captive portal.
474730 Now forms with absolute action path and tag with id=action inside are handled correctly.
474779 EAM plugin initialization is fixed, now the plugin register with TMM process will not fail.
475049 In this release, the Domain Controller (DC) fully qualified domain name (FQDN) list for an NTLM Auth Configuration is mandatory. Before you upgrade, ensure that the DC FQDN list for each NTLM Auth Configuration contains at least one domain controller FQDN. You can perform this verification from the GUI or by using tmsh. In tmsh, you can add the following line (dc-fqdn-list { <fqdn> } ) for each ntlm auth configuration as shown in this example. apm ntlm ntlm-auth ntlm_test { app-service none dc-fqdn-list { } machine-account-name mdc1 partition Common service-id 2 }
475148 Microsoft RDP Client for Mac OS X ver. 8.0.9 now correctly works with BIG-IP APM.
475163 Now HTML forms without action attribute are handled correctly.
475262 Resolved this issue: when APM is configured with URL (https://....), BIG-IP Edge Client for Windows does not resolve the APM hostname while reconnecting.
475360 Resolved issue when BIG-IP Edge Client remembers a specific virtual server URI after it is redirected.
475363 ECA data plane additional security change against empty configuration. This works together with BZ 475049 on control plane side.
475505 Microsoft Windows Phone 8.1 built-in browser is now properly detected by the BIG-IP system.
475538 Total deletion of APM Access Policy with Customization Group Files now completes successfully using the GUI.
475650 Issue is fixed that caused TMM to occasionally restart when processing SLO messages.
475682 EAM used to send multiple cookies headers in HTTP message. Multiple HTTP headers like this are treated as comma-separated by some receivers. Now EAM adds a single Cookie header with the cookies delimited by semi-colon.
475735 A user can now load sys config even after removing the peer from the sync-only group.
475770 Improved routing table management for 2 and more network interfaces.
476032 Issue fixed. Now BIG-IP Edge Client disconnects from FirePass smoothly without delays.
476033 Support Microsoft Remote Desktop 8.0.8 client for iOS to work using APM as RD Gateway.
476038 On BIG-IP Edge Client for Mac on OS X 10.7, a user can successfully add a new server using IP address.
476133 Issue Fixed. _lastUseTime in OAM ObSSOCookie is updated on successful authentication and authorization process.
476736 For a certain set of IPv6 link local addresses, the IPv6 Network Access tunnel may not succeed due to listener lookup failure. This code change fixes this issue.
477274 Issue Fixed. A crash in mcpq from bad user input is now prevented.
477445 Client modified to restore routing table state and select active interface (on a system connected to the same network segment through multiple interfaces).
477474 HTML Attributes with names that include a hyphen (-) are now handled correctly in Portal Access.
477540 APMD no longer crashes with null Tcl interpreter object when used with the ACCESS::policy evaluate iRule command.
477642 In Portal Access assignment of empty string to location.hash property no longer causes page reload loop in Firefox.
477841 Safari 8 will now properly use the admin-defined proxy settings if available.
477933 Now, full validation is performed when an access policy is created or modified. No single access policy or access policy item can exist without an explicit reference to it from an access profile or access policy. Improved validation necessitates that all operations to create or modify an access policy definition be performed in a single transaction. When using tmsh from the command line, this can be effected in a batch mode transaction. In Perl, Python, or Tcl scripts where the tmsh interface is used, explicit transaction commands must be added to begin and commit the transaction. Here is an example Tcl script. proc script::run {} { tmsh::begin_transaction tmsh::create apm profile access /Common/test { access-policy /Common/test } tmsh::create apm policy access-policy /Common/test { default-ending /Common/test_end_allow items add { /Common/test_end_allow { } /Common/test_ent { } } start-item /Common/test_ent } tmsh::create apm policy policy-item /Common/test_end_allow { agents add { /Common/test_end_allow_ag { type ending-allow } } caption Allow color 1 item-type ending } tmsh::create apm policy policy-item /Common/test_ent { caption Start color 1 rules { { caption fallback next-item /Common/test_end_allow } } } tmsh::create apm policy agent ending-allow /Common/test_end_allow_ag { } tmsh::commit_transaction } Without the commands tmsh::begin_transaction and tmsh::commit_transaction, validation would find unresolved references and the script would fail.
478115 The action attribute value of a form HTML tag is now properly rewritten in the Minimal Content Rewriting mode when it starts with a forward slash (/).
478214 APM Native RDP Proxy will now allow users to authenticate without specifying a domain name. Previously, domain name was required.
478222 Seven new categories and one category name changed category in the URL Filter database.
478261 WinInet handle leak was eliminated.
478285 An issue with routing table not being restored correctly in multi-homed environment when server settings disallow local subnet access is now fixed.
478333 Now BIG-IP Edge Client for Windows correctly handles a profile located on a different partition.
478397 Now deletes AddrInfo structure correctly.
478491 Fix has improved iOS client recognition so that it works fine for the latest released version.
478492 Now HTML tag attributes with HTML entities inside their values are processed correctly.
478658 Window.postMessage supports sending objects.
478751 Fixed all the issues found during the testing of OAM Form-based AuthN scheme, for both single domain and multiple domain.
479451 APM correctly validates Outlook credentials and creates new APM session for users that come from the same IP and have identical passwords.
479524 Portal Access no longer crashes if a URL in a Refresh header matches a Portal Access bypass list entry.
479715 The errant behavior is caused by an improper URL being presented by the error page. When APM checks the improper URL, it causes it to issue the same error page. This has now been corrected.
480047 BIG-IP Edge Client for Windows now enables you to generate a client troubleshooting report from the user interface.
480242 Now, when an error occurs, the system prints an error code in HEX, which facilitates finding the reason for the error.
480272 After this fix, AccessGate init should fail initialization and retry in case of the AccessGate ID mismatch. If all the retries fail, then the AccessGate will remain uninitialized. Administrator should clear config cache for all the AccessGates and restart EAM process.
480761 Fixed issue that caused TunnelServer to crash during reconnect.
481020 Resolved intermittent routing table issue that caused Traffic not to flow through tunnel if proxy server is load balanced.
481046 The wrapper for scriptTag.text='source script' now rewrites 'source script' for all browsers.
481203 While creating memcache entry, we now normalize the username into utf8 lowerecase. This makes sure, there is only one entry for all combination of usernames.
481210 All values are now populated as session variables as expected.
481987 The NTLM frontend authentication (ECA) feature can now be used with an APM Limited license. Typically, this is for Exchange deployments.
482134 APD and APMD no longer core during shutdown of a second occurrence of APD or APMD.
482251 Added rewriting for: Location.href(some_url)
482260 APM captive portal probe URL in BIG-IP Edge Client for Windows can now be customized on x64 Windows-based platforms in the same way as for x86 Windows-based platforms.
482269 APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items, such as, Client OS and Client Type.
482699 Visual policy editor works correctly on Google Chrome.
482710 SSLv3 protocol is disabled in APM clients. All clients must connect using TLS based ciphers.
483020 Fixed so that the policy does not hang with the iRule event in place.
483113 A cosmetic issue with the server selection menu showing white background is now fixed.
483379 An issue with BIG-IP Edge Client for Mac consuming high CPU and having an unresponsive menu icon on OS X 10.10 Yosemite is now fixed.
483601 If a session is expired and a query is made with an Access whitelist and query parameters, APM code did not handle the case properly and sent a logout page. APM now enables the user to revalidate by starting the Access policy again.
483792 When the iSession control channel is disabled through db variable, then some of the Network Access resources, including App tunnel, Microsoft RDP, and optimized tunnel resources, will not be assigned to the session.
483810 Now, APM-generated ICA files contain a section with the real application or desktop name instead of [Application]. This can support, for example, distinguishing among several open desktops by window titles (because they now contain the desktop name).
484284 On the Logon Page properties screen, when you select checkbox as the Type for field3, the default text for the field remains as Field 3.
484298 Now, the aced process behaves as expected. A child process never listens at server port.
484454 APM checks config snapshots periodically and recreates them if any are missing.
484582 Rewrite plugin no longer crashes when Portal Access application cookies require more than 32 KB of storage.
484793 RDP Custom Parameters can now be applied if more than one parameter is specified.
484856 Now when a remote desktop has auto logon enabled and has no resources assigned for the user, its folder icon is hidden from APM webtop.
485355 Click-to-Run Office 2013 applications can start inside Microsoft Windows Protected Workspace (PWS) now.
485396 Online help has been updated to clarify the use of persistent cookies for SSO Across Authentication Domains. Persistent cookies are supported only when a session is started using an LTM-APM access profile type.
485465 The system now handles Single Logout (SLO) response/request so that TMM no longer restarts.
485906 APM virtual servers that can cause the resource to switch during request handling (as is most noticed with OneConnect profiles attached to them) will no longer cause TMM to crash and restart.
485948 The Machine Info agent now differentiates between legacy logon clients and web logon clients by creating an error session variable. The error session variable is set to 1 when legacy logon clients connect to APM and 0 otherwise.
486268 Now the title displays correctly on the logon page; RSA error messages are now sanitized.
486303 Patching for content loaded by AJAX is now blocked.
486344 Translated French text has been corrected to properly fit buttons in BIG-IP Edge Client on Windows-based systems.
486597 Fixed Network Access renegotiation procedure on TLS1.1 and TLS1.2 for Microsoft Windows 7.
487170 Added support for scenarios where proxy host name resolves to multiple addresses.
487859 When we try to import a Local DB user with UID not set, the code has been updated to generate a Unique ID and then store the user details in the database.
488105 Access whitelist entries are refcount-ed to prevent freeing of the memory while it is still being used.
488736 iNotes 9 Sametime (instant messaging) is working now.
488892 JavaRDP client session starts correctly now, and the system does not process extraneous input that occurs before the handshake completes.
489382 Browser client now selects the appropriate certificate when the match SubjectCN and FQDN criteria is specified in the Machine Cert Auth agent.
489888 Now the admin UI does not allow a user to configure VDI profile when APM is not provisioned.
490482 Access Policy can now successfully contain a macro attached but does not use the macro anywhere.
490675 In this fix, we trim leading and trailing spaces from the user name before using it. So the user name is uniform everywhere.
490681 Now a self expiry is set for each memcache object (which is configurable). With this change, each user remains in the cache only for the configured duration.
490844 Problems with EventTarget.addEventListener() new feature support were fixed.
491233 The CustomDialer component has been updated to prevent a rarely occurring deadlock.
491478 EAM is a CMP plugin and spins up one thread per TMM.
491887 Fixed to allow for name changes to the macro endings, so that macros are no longer required to end in out.
492122 Now "f5 Pre-Logon User" is created only once, which allows a Domain or System Administrator to manage it (because the SSID does not change). When the user is no longer required (logon process is done), the user is disabled and remains in disabled state until next usage.
492149 Now JavaScript code with HTML entities inside is processed correctly.
492153 BIG-IP Edge Client now keeps the DTLS connection until the IP address becomes invalid, as expected.
492238 TMM no longer restarts when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).
492305 Now session is interrupted when file required for recurring file check is missing.
492701 Customized LSO values on target device from previous Policy Sync will be retained after a new Policy Sync with new LSO.
492844 Microsoft Office 365 generated SAML SLO message no longer causes browser connection to reset.
493164 The erroneous security check has been fixed, so accessing some content in a different domain now works as expected.
493360 Fixed possible issue that could cause BIG-IP Edge Client for Windows to crash during reconnect.
493385 Now BIG-IP Edge Client uses the set of icons that the configuration specifies. Also, F5 icons no longer display for a split second during application launch when the configuration specifies the generic set of icons.
493487 Indirect method call using Function::call() or Function::apply() works properly now.
494033 Now the Logon Page agent uses a session variable name as a trigger. While looping through POST variables, if the associated session variable name is username then the Logon Page agent splits it into username and domain name when the option Split domain from full Username is enabled.
494088 Now, in some rare situations where previously APD or APMD would assert, the system logs proper error messages before exiting. This results in restarting APD or APMD.
494098 PAC file download mechanism now avoids a race condition if /etc/hosts is patched with the static entry of the host that contains PAC file.
494176 Network access can now be established with FirePass using APM BIG-IP Edge Client for Mac on OS X Yosemite.
494189 Clipboard channel has significantly better performance now.
494284 For BIG-IP Edge Client for Mac with primary language of German, the content that displays under disconnected status is now correct, without any unneeded text.
494637 The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.
495265 A problem with SAML single-logout has been fixed.
495273 A new session variable is introduced: session.ldap.last.errmsgext which contains extended error information at any log level. The existing session.ldap.last.errmsg variable contains only simple error message (decoded error code).
495319 All configured networks are now reachable when connecting to FirePass using a BIG-IP Edge Client for Mac downloaded from APM.
495336 The code has been fixed to reset the relevant session variable after the successful password change.
495638 Fixed internal race conditions inside TunnelServer.
495702 BIG-IP Edge Client for Mac can now be downloaded from the connectivity profile screen of the APM GUI.
495901 Additional check implemented in tunnel server before accepting incoming connection.
496440 Apply route domain configured in visual policy editor to Java RDP connections.
496441 Apply route domain configured in visual policy editor to Java AppTunnel connections.
496447 APM applies the route domain that is configured in visual policy editor to Citrix or VMware View connections when the Citrix or the VMware View backend is specified in the resource using a hostname or an IP address.
496449 APM supports using session variables for the destination address in Citrix and VMware View remote desktop resources.
496817 Added backward compatibility changes to BIG-IP Edge Client for Windows to work properly with FirePass.
496894 An issue where TMM would restart under certain conditions is now fixed.
497118 TMM will no longer restart when SAML SLO is triggered.
497325 A rare, environment-based issue that prevented new users from logging in to Windows-based systems has been fixed.
497436 BIG-IP Edge Client for Mac can now establish a connection correctly. An issue with routing table patch coding deleting an essential route has been resolved.
497455 A rarely occurring issue where BIG-IP Edge Client for Mac would crash randomly during regular Network Access connection has been fixed.
497596 Fixed French translation in Network Access screen.
497627 TMM does not core now.
497662 Improved request parsing to make it more robust against invalid formats.
498038 Config sync with Full Sync enabled now succeeds after AAA AD server with pool is deleted.
498469 BIG-IP Edge Client for Mac does not fail intermittently with machine certificate inspection agent.
498782 Now APD uses a short time interval for periodic checking of config snapshots right after failover happens. If config snapshots are found to be missing, APD recreates them. After a few such cycles, APD reverts to using a long time interval for the check.
498993 The LDAP Query resolves group membership including nested groups as expected.
499427 Access policy Windows File check now works with a file name that starts with an ampersand (&).
499620 The BIG-IP Edge Client for Mac displays the correct SSL protocol version now in Details.
500450 The APM websso module is modified to handle an ASM use case. Now the websso reparses the HTTP 401 response header from the server at the client side in addition to the current parsing at server-side processing. With this fix any Set-Cookie modification or addition by ASM is sent to server in the response to 401 header.
501338 Now if cache init failure occurs, an error message is logged into /var/log/apm logfile to explain the reason, which is administrator credentials required.
501494 After window.unload=null, null is returned by getting value of window.onload;
502016 Client components for Mac now log version numbers in log files.
502441 Network Access connection does not reset if a large proxy.pac file is configured.
503790 Keyboard shortcuts for the APM Java client have been added to BIG-IP Access Policy Manager: Application Access.
504031 Web application JavaScript can successfully redefine document.write and document.writeln.
504245 BIG-IP Edge Client for Windows sends the API dll version in the User-Agent header. This is the version of f5fpapi.dll that is located with the Edge Client binary. However, Edge Client consists of many components; the actual version of a component might differ from the API version.
504266 Now DNS Relay proxy forwards dynamic update DNS requests.
504880 TMM crash is fixed for the scenario where RDP client connects to APM configured as Remote Desktop Gateway.
505662 The location of the <Signature> element is now correct in exported signed metadata, whether the BIG-IP system is configured as a SAML Identity Provider (IdP) or Service Provider (SP).
505755 Fixed an issue in Portal Access that could affect script execution in documents.
506223 Portal Access rewrites URIs correctly.
506349 APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session".
507318 When using Chrome to send a new message on DWA, a JavaScript error occurred. The message was sent but the tab did not close. This no longer occurs.
507681 Window.postMessage() now works in Internet Explorer 11.
507782 Fixed validation for the input data sent in the ICA connection so that for the invalid/non-patched Address it will reject the connection instead of crashing.
507789 Now, the Local User DB does not change when manually saving or loading a UCS file.
508030 Per-App VPN, JavaRDP, Java AppTunnel, Java Patcher, Citrix connections now complete successfully when Connection Rate Limit is configured.
508630 An additional fix was made to restore DNS suffixes correctly.
508719 The title displays on the logon page now.
508767 When the Logon Page configuration specifies that the username field is Read Only, APM no longer logs the username, which is always empty in this case. When the Logon Page configuration requires the user to enter a username, APM continues to log the username.
509758 Now, the BIG-IP Edge Client does not show an incorrect cosmetic warning message.
509956 Improved the way that we process cookie values in an SWG blocked page.
510337 The page-not-found result for APM now uses the correct stylesheet.
510709 Websso config start URI parsing was wrong when there are multiple lines in start URI configuration. Websso start URI parsing is fixed.
511441 Portal Access no longer leaks memory on large Cookie request headers from the client.
511648 On a standby system, TMM no longer cores after it comes up when an active system sends leasepool HA commands to the standby device.
511854 This release fixes client-side URL rewriting for multi-line URLs.
511961 Clients using the BIG-IP Edge Client for Mac supplied with this APM release can continue to log in and do not get stuck at a "Connecting..." screen.
512245 Machine Cert Auth agent passes on OS X 10.8 and OS X 10.9.
512345 Now APM handles the condition in which a dynamic user record is removed from memcache but remains in MySQL due to an intermittent race condition between apmd/memcache and localdbmgr.
512507 Forms Client Initiated SSO configuration names now undergo enforced validation.
512999 Do not try to resolve group membership if the group belongs to a foreign domain.
513098 Orphaned dynamic user records are now correctly deleted.
513201 BIG-IP Edge Client is correctly localized for Japanese locale.
513283 APM no longer detects BIG-IP Edge Client for Mac as a browser when a user clicks "Start a New session" on access policy expired page.
513545 The -decode option works as expected for single-value and multi-value session variables.
513547 Now there are no delimiters included if the memberof attribute contains only one group (single value). The new behavior makes the format of a memberOf attribute that contains only one value consistent with the format of other single-value attributes.
513646 APM(ACCESS)/SWG filter operation no longer results in orphaned timers.
513706 Fixed an issue causing incorrect metric restoration on Network Access on disconnect.
513953 Now RADIUS Auth and RADIUS Acct agents can successfully parse packets of sizes up to 4K, which is the maximum allowed RADIUS packet size. At the moment the BIG-IP system does not support RADIUS packet fragmentation.
513969 Now Machine Certificate Check service is used for certificate verification even for non-limited users.
514220 Newer iOS-based VPN clients can successfully create IPv6 VPN tunnels.
514277 APM now enables connection bar for Citrx desktops by default. This can be disabled by specifying ConnectionBar=0 in Custom Parameters of the Citrix Remote Desktop resource.
514636 When Category Lookup is configured to use Subject.CN as input, if the certificate subject does not contain a CN, APM processes the error correctly by logging an error.
516075 Linux command line client works with On-Demand Cert Auth now.
516462 Fixed reason causing this issue; now excluded address routes are applied correctly even if a client machine roams between different networks.
517146 Log ID 01450538 prints correctly to /var/log/apm now.
517409 In Microsoft Internet Explorer 7 and 8, visual policy editor AD Group Resource Assign and LDAP Group Resource Assign now render properly.
517564 LDAP groups can now be retrieved from an LDAP server that uses a non-default port (a port other than 389).
517872 Now proxy hostname is printed to logfile when resolution fails.
517988 Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.
518136 An access profile has a setting that controls the scope of the sessions it creates. By default, the scope is profile, meaning that the session is valid on that profile (possibly shared on multiple virtual servers). With profile scope, users can access the resources behind virtual servers that use the same access profile. If the scope is set to virtual-server, the session is invalid on virtual servers different from the one on which the session was established. With virtual-server scope, users can access only the resources behind the virtual server on which the session was established. If the scope is global, the session is valid on any profile that also has set its scope to global. With global scope, users can access resources behind any virtual server with an access profile for which scope set to global.
518260 NTLM client that depends on NTLMSSP_TARGET_INFO flag can complete NTLM authentication using NTLMv2 protocol.
518981 Previously, the BIG-IP system would not send an accounting stop message if class attributes were more than 512 bytes total size. Now, BIG-IP system sends the accounting stop message, but does not include class attributes.
519090 Fixed issue with assignment value to window.onerror in an empty window.
519198 APM allows a user to log in as any admin user to sync policy in any partition.
519398 Logout content now displays only on a page from the APM domain.
519415 iRules get executed on Ephemeral listeners.
519864 L7 Dynamic ACL is no longer leaking memory.
519966 APM Session Variables report masks user passwords, displaying ************ instead.
520118 Single entry in the server list.
520145 APM allows a user to sync a large and complex policy.
520205 Rewrite plugin no longer crashes on truncated or malformed Adobe Flash files with incorrect ActionScript 3 method body blocks.
520298 Java applets now work correctly through Portal Access.
520390 Reuse existing option works properly for SMTP servers.
520642 Rewrite plugin now correctly processes Adobe Flash files with invalid length in file or tag header.
521464 APM properly reverts the internal states so that iRule events such as ACCESS_ACL_ALLOWED, and URI classification-based features, such as logout URI, work again when clientless-mode header is inserted on every request.
521506 Fixed issues causing improper routing table management.
521835 A user can include a customized logo in a connectivity profile and sync it.
522655 Significantly improved processing speed for large Flash ActionScript 3 files.
523313 The aced process no longer intermittently generates a core file.
523327 Now both service and elevation helper can find those specific certificates.
523390 Fixed memory leaks in SAML Identity Provider (IdP) when when SLO is configured in a Service Provider (SP) connector.
523431 One of the PHP files for cache control has a regex that looks for invalid access profile names. This regex had previously flagged any profile name with a period to be invalid. The regex has been updated to allow periods.
525384 Now Network Access components can obtain PAC file from SMB share.
526084 BIG-IP APM was enhanced to report session.client.platform session variable for BIG-IP Edge Client on Windows 10.
526492 DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.
526578 Now proxy settings are correctly applied on client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in proxy settings GUI of Internet Explorer.
526617 TMM no longer crashes when logging a matching ACL entry for IP datagram with protocol set to 255.
528675 Captive portal detection request modified to properly close HTTP connection.
528726 Removed an unnecessary attribute from cache. As a result, the group cache size and APD process size have been reduced.
528727 Now HTML inline body.onload event handler is executed correctly in all cases if the page is accessed through Portal Access.
528768 Now an Active Directory server DNS name that contains an underscore (_) can be used for a machine account and NTLM authentication.
529169 APM documentation now includes instructions for ensuring correct processing of RDP client traffic on a BIG-IP system on which both of the following are configured: SWG explicit forward proxy and APM configured as a gateway for RDP clients.
529392 Internet Explorer 11 on Microsoft Windows 10 is detected correctly now if local proxy autoconfig script is configured with DIRECT rule for BIG-IP.
530622 There was a memory usage issue in the EAM plugin that was caused by a huge object allocation for each connection. This issue is fixed by reducing the default size of client cert and payload arrays.
531541 Now APM supports Citrix Receiver 4.3 for Windows in PNAgent mode.
531910 The problem was fixed by variable protection in related modules.
532096 Fixed issue causing Machine Certificate checker agent backward incompatibility.
532340 Thread synchronization issue causing TMM startup issues has been fixed.
534755 Access Filter now ignores the ERR_NOT_FOUND error when deleting the profile stats namespace.
535131 The BIG-IP system, when configured as a SAML Service Provider (SP), will now accept RelayState from an Identity Provider (IdP) to be used as a resource to serve to users after completion of SAML SSO.
594388 In TMOS v.11.3 through v.11.6 releases there is only one certificate which can be configured for SAML SP connector ( apm sso saml-sp-connector, "sp-certificate" attribute). This certificate is used by Identity Provider both for verifying the signature of incoming ArtifactResolve request and encrypting (if encryption is enabled in IdP settings) of assertion and/or specified SAML attributes. This restriction does not allow for supporting SP configurations where separate keys/certs are used for encryption and signing.
In version 12.0 it is now possible to configure SP connector objects with two certificates:
  • sp-certificate < -- certificate used by IdP to validate signatures on messages received from SP.
  • sp-encryption-certificate < -- certificate used by IdP to encrypt assertion/subject/attributes when encryption is enabled.


Session ID rotation has been implemented, and starting from 11.2.0, it is on by default. This breaks compatibility with earlier BIG-IP Edge Client and plugin versions. For example, when APM is configured for session ID rotation, an 11.1.0 Edge client is not allowed to log in to Access Policy Manager (APM) version 11.2.x. The expected behavior in this case is for APM to present the login page to the Edge client after each login attempt. To disable session ID rotation per-box, you can use the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable

Behavior changes in 12.0.0

ID number Description
382390 The OCSP Responder option has been removed from Machine Cert Auth agent. Instead, the Machine Cert Auth agent registers two session variables to be used in the OCSP Auth agent: 1. session.check_machinecert.last.cert.cert and 2. session.check_machinecert.last.cert.issuer.cert. A Certificate Type option has been added to the OCSP Auth agent; OCSP Auth can now verify revocation status for a machine certificate or for a user certificate. If OCSP validation is required for a machine certificate, then the administrator should configure the access policy as follows: 1. Add the Machine Cert Auth agent and, in its properties, enable the Save Certificate in a session variable option. 2. On the Successful or the Found branch, add the OCSP Auth agent and in its properties, set the Certificate Type to Machine.
440074 In previous releases when using tmsh, it was possible to create a RADIUS AAA Server without a server mode or with server mode specified as none. If that happened, it was not possible to open the RADIUS AAA Server configuration using the GUI. It is no longer possible to create a RADIUS AAA Server in tmsh if server mode is not specified.
495273 A new session variable is introduced, session.ldap.last.errmsgext, which contains extended error information at any log level. The existing session.ldap.last.errmsg variable now contains only a simple error message (decoded error code). Branch rules in visual policy editor based on extended error message will not work correctly.
512507 In previous releases, it was possible to create a Forms Client Initiated SSO configuration with an invalid name. In this release, APM validates the name of this object to prevent a vulnerability. When you upgrade to this release, if any Forms Client Initiated SSO configuration on the BIG-IP system has an invalid name, validation errors will occur. Before you upgrade, make sure that each Forms Client Initiated SSO configuration on the BIG-IP system has a valid name. To be valid, a name must meet all of these requirements. 1. The name must be from 1 to 255 characters in length. 2. The name cannot be any of the following reserved names: sso, config, method, http, username, redirects, password, ntlm, ntlmv1, params, ntlmv2, start, domain, action, source, form, aaa, oam, server, header, headers, kerberos, realm, kdc, account, name, spn, pattern, ticket, lifetime, sso-config, basic, eam-only, form-based, form-basedv2, all, delete, disable, enable, help, list, none, show, None 3. The name must start with either an alphabetic character, or underscore (_). 4. After the first character, the name can include only these characters: any alphanumeric character, underscore (_), dash (-) and dot (.)
520705 BIG-IP Edge Client for Mac no longer shows duplicate entries in the servers list.
530118 Now server list will collapse if any server is deleted from the list on BIG-IP Edge Client for Mac.

Known issues

This release contains the following known issues.

Upgrade issues

ID number Description
417711 After the upgrade, if the previous configuration used NTLM front end authentication, the functionality is not restored. After the upgrade, manually delete the existing machine account configurations and recreate them again.
421456 Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0, because in 11.4.0 the password is saved in encrypted form while the password in 11.3.0 is saved as clear text. Kerberos SSO password is saved as clear text in 11.3.0. Re-enter the Kerberos SSO password after upgrade.
440924 Configuration will not load. BIG-IP system is nonfunctional after upgrade to 11.6.0. Log message: Configuration error: cannot attach profile (/Common/rewriteplugin) to virtual server (/Common/apm_virtual_server) This happens on upgrade from 11.4.1 to 11.6.0. As a result, the site is down after upgrade. To work around the problem, manually edit bigip.conf to remove: /Common/rewriteplugin { } from the Virtual Server configuration stanza.
462296 The Windows Group Policy feature is no longer supported starting with version 11.6.0. For this reason all WGP files are removed from version 11.6.0. However, during upgrade from 11.X.X to 11.6.0, if the old configuration has no APM access policy configured, the symbolic links to WGP files will not be removed. You can find these symbolic links in the following directories: /config/filestore/files_d/Common_d/sandbox_file_d/ /config/filestore/files_d/Common_d/windows_group_policy_file_d/ The symbolic links to WGP files can be removed without causing any harm. Old configuration has no APM access policy. Because of this symbolic links to Windows Group Policy files from the old configuration will not be removed. No impact, since the Windows Group Policy feature is removed from version 11.6.0.
510792 During upgrade to v11.6.0 or later, the configuration load may fail due to the following error. "01071203:3: Caption (Failure) of the rule in macrocall (/Common/mc-1) must be identical to the caption (Caption) of terminalout. Unexpected Error: Validating configuration process failed" This happens when loading a configuration file that was saved by pre-v11.6.0 onto v11.6.0 (or later) with an policy access-policy of type macro where there are terminal-out items, but the "priority" order does not match the order of the rules in the corresponding apm policy policy-item that makes the macrocall. Configuration load failure occurs at upgrade. To work around the problem, manually edit the config so the priority order matches the rule order for captions.

Admin issues

ID number Description
224145 The visual policy editor can, on rare occasions, return a non-specific failure when attempting to create new items. The failure is transient; the request invariably succeeds on retry.
359639 Some long captions for resources can be longer than the bounding box in Firefox 7. This problem does not affect the workflow.
360141 Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin GUI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration.
360734 When previewing pages, the Preview pane does not automatically refresh when the language is switched. To work around the problem, click on an item in the Preview tree pane to cause the page to refresh in the new language.
360742 When the logon page is customized in visual policy editor in multiple languages, the images appear broken. To work around the problem, customize the logon page using localization customization. (Refer to Access Policy > Customization.)
362200 When customizing messages, you cannot use special characters, such as ', ", &, <. Using these characters is always a problem. It poses a serious impact. To work around this problem, do not use such characters, manually fix customization XMLs (not advised).
362351 Branch names cannot start with the word fallback in the visual policy editor. Do not start branch names with the word fallback. The terminal name must begin with an alphabetic character (for example, a or A). The remainder of the name can contain only alphanumeric characters (numbers and letters), spaces, and these symbols ( + - _ ( ) [ ] ). The terminal name cannot begin with the text fallback. Please rename the terminal.
363188 Using a space in an alias for a virtual server can cause unexpected results when you use tmsh to add or update a connectivity profile. No spaces are allowed in aliases for virtual server.
384479 When you configure a virtual server for Oracle Access Manager integration (by selecting the OAM Support option), the option to select a specific AccessGate does not apply to OAM 10g environments.
398361 Not all configuration objects validate and reject an object name that contains the space character. As a best practice, when you create a configuration object do not include a space in the object name.
403659 When configuring a BIG-IP system as a SAML Identity Provider, the displayed range of possible values in seconds for the assertion validity timeout is incorrect. The correct range is 1 - 86400 seconds.
403722 If you initiate an access policy sync from the Standby node, an admin must resolve any conflicts on the Active partner. Ideally, an access policy created on the Standby node would be synced to the Active node automatically without admin intervention. To work around this problem, avoid syncing an access policy from a Standby node. Otherwise, you must resolve conflicts, if any, on the Active node.
404765 If you export an access policy with a SAML SP connector that uses a certificate, the certificate name (including partition) is not formatted correctly. This prevents import from working. This always occurs. The impact is serious. User blocked from import of certain types of profiles. To work around the problem, create the SP connector and import the associated certificate on the target system.
404936 Files named core.xxxx, where xxxx is a number, are created in advanced customization directories during the build process when the customization build cores because of invalid characters in the default customization file. These core files are listed in the user interface.
405352 If you enter a bad FQDN for domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN. To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: bigstart restart nlad. Note: To avoid future problems due to misconfigurations, you can configure your DNS server to return a negative response.
414411 When you use visual policy editor from the Chrome browser, images do not preload and as a result, the navigation bar flickers. To work around the problem, use Firefox or Internet Explorer.
419748 After a hosted content file is referenced by a Portal Access resource, the file cannot be deleted, even if the link-type of the resource is not "hosted-content". This problem occurs in this sequence of steps. Use the GUI. Create a resource such as portal-access or webtop. Set the link-type to "hosted-content" and select a sandbox file. Now change the link-type to 'uri'. Try to delete the sandbox file. It will not be deleted, even if it is not in use. Users cannot delete some unused sandbox files. To work around the problem, use tmsh to clear the sandbox file reference in the resource. Example: tmsh modify apm resource portal-access <NAME> sandbox-file none Now the sandbox file can be deleted.
419754 When using a local user database instance for authentication on APM, if a user that is flagged to change password leaves the password field empty, the user is prompted again to change password. Whether the user types a new password or leaves the password field empty again, the user is prompted again to change password. This occurs under all of the following conditions: 1. Local user database is used for authentication. 2. User is administratively flagged for password change. 3. User attempts to change his or her password. 4. User uses an empty password as the new password. After the empty password is entered the first time, the user will continue to be prompted for a password. The next password entered will be rejected regardless of whether it is empty or not. APM handles a subsequently entered non-empty password correctly.
419836 When you switch from editing one file to editing another file in advanced customization without saving the first file, changes to the first file are lost. This is not user friendly as a user may spend a lot of time on editing the file. When clicking another file, the user does not know that changes will be lost and are not recoverable. A user can only modify the file again after the change is lost.
419996 When you import users to a local user database, any first or last name with a space in it is truncated to the first space.
420506 When using the Local Database agent with a write action, the list of properties available includes groups; however, this property is read-only and any attempt to write to it fails. This issue arises when using the APM general purpose Local Database agent with an action that includes writing to the groups property. There is no workaround. You cannot write to the groups property. Its appearance in this list is an error. It should show up only in the properties list for a read action.
423137 The compression setting pull-down is available on the Network Access resource page. If an end-user sets this to GZIP when compression is not licensed, the system posts a TMM error explaining that compression license limit has been exceeded for the day. GZIP compression appears available when it is not.
426844 Importing users from a file into a local user database takes a long time. The admin must wait until all users get created. The wait time depends of number of users. This happens when importing a long list of users from a CSV file to a local user database. Because loading users takes a long time, an administrator user might not know what to do and retry multiple times. An administrator must wait until the users load to the database without making additional attempts.
440177 If you type or cut and paste an image file name into the General Customization interface, the file name does not fit the expected naming convention. After you save the file and reopen it, errors occur if you click Restore Default. Always use the image selector to change image files.
458241 The last system authentication profile cannot be deleted even if it is not active. If an Admin wants to delete the associated profile, they must first complete the following two steps: 1) Ensure that an Auth type other then Remote - APM Based is selected. 2) Run `tmsh delete auth apm-auth all`.
476644 A user that is logged in as Auditor cannot view SAML Identity Provider (IdP) configuration data; the Edit button is not available. This happens to users that are not authorized and to any user in the partition "All [Read Only]". User cannot view object details in read-only mode only. The user can view read-only object details using tmsh commands.
512166 Custom Parameters displays for Java RDP in admin GUI, but is not implemented for Java RDP. You see this when you configure a Java RDP resource. The Custom Parameters feature is not implemented for Java RDP. It is confusing to see it in the GUI. There is no workaround at this time.
519087 Modal popup will be rendered with error "Unrecoverable communications error, please close this window and log in using the BIG-IP Configuration Utility". The problem occurs only when a NAT port-forward to admin GUI using a different TCP port, is created and used to access the Dashboard. The dashboard is not usable. There is no workaround at this time.
522670 Starting with v12, a BIG-IP system, configured as an Identity Provider (IdP) or as a Service Provider (SP) supports Detached Signature for SAML Authentication Requests when using the SAML Redirect Binding. Prior to v12, only Enveloped signatures are supported. For BIG-IP as IdP, which consumes AuthN requests, the support is automatic. Signatures that come in Detached format will be processed normally without any configuration required. For BIG-IP as SP, which produces AuthN requests, the support must be explicitly configured in the associated IdP connector object using tmsh. It is not possible to configure it in the GUI. This affects configurations in which BIG-IP is configured as the SP and external IdPs, such as Ping Identity and others, require Detached Signature instead of Enveloped Signature. Because the configuration for Detached Signature is not available in the GUI, administrators can be confused about how to set this up. After creating the IdP connector object with signature enabled, go to tmsh: 1. Issue the command: modify apm aa saml-idp-connector <idp connector object name> want-detached-signature true 2. Then issue this command: save sys config After this, when BIG-IP as SP creates an AuthN request for the associated IdP, it will use the Detached Signature mechanism instead of Enveloped Signature.

Application access issues

ID number Description
223712 During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the logon request fails.
339865 Microsoft SharePoint 2007 with Office Integration does not work in LTM+APM mode when Windows Protected Workspace is used in an access policy. When you try to open a Microsoft Office document, an alert about a wrong URL is displayed.
340549 The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. (However, forwarding HTTP requests through the HTTP proxy does work correctly.) To work around the problem, create a layered virtual server to catch HTTPS traffic leaving APM and forward it to a HTTPS proxy server using CONNECT. Proxy authentication is not implemented and if the response status from HTTPS proxy server is not 200, then use an iRule to close the connection.
343280 When using Portal Access in Safari 5.X, sometimes web pages do not load properly. A bug in Safari 5.X leads to accidental loss of all HTMLElement.prototype changes when setting HTMLElement.prototype properties in a window and accessing window.frameElement from any of its frames. (The problem also sometimes occurs in other less well-defined cases.)
347100 Every time the Hometab loads, a dialog box message is displayed stating: "This Page contains both secure and nonsecure items. Do you want to continue?" To work around this problem, disable the Hometab.
362325 Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using the Save as action. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010.
389881 The Portal Access feature in APM does not support Flex Runtime Shared Libraries using ActionScript3.
404899 Webpage errors occur when opening a chat window in IBM Lotus iNotes 8.5 with Sametime through a Portal Access webtop. This happens only when using Internet Explorer 9. To work around this problem, add a Portal Access item with the path "/sametime/stlinks/*" to the Portal Access resource and disable Home Tab for this item.
416759 Microsoft Dynamics CRM might not work correctly through reverse proxy in some cases. SAML can be used to accomplish SSO.
431337 The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11.
434464 If a JavaScript function contains an Internet Explorer conditional compilation directive and a 'try ... catch' block inside this directive, it becomes inaccessible before declaration after re-writing. JavaScript code stops the execution if forward reference to such function exists. To work around the problem, if possible, move the function definition prior to all references to this function.
439887 Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM portal access from the Chrome v.31.x browser. Navigation and message copy/move operations can be done using keyboard only; mouse operations may not work. There is no workaround.
444767 Access to Office365 Outlook Web Access services using Portal Access is broken for HTML5-supported browsers. The user is redirected to the APM Logout page after successfully logging in to Office365. User cannot get access to Mailbox in Office365 Outlook Web Access through Portal Access using HTML5-supported browsers. This example iRule disables OWA offline-caching support: when HTTP_REQUEST { if { [string tolower [HTTP::uri]] contains "/owa/manifests/appcachemanifesthandler.ashx" } { HTTP::respond 404 } }
446460 Content is not properly blocked according to the Content-Security-Policy back-end response header. The problem occurs for back-end response with Content-Security-Policy header. There can be possible security issues related to access to another domain or running scripts that are normally blocked. To work around the problem, tune up APM ACLs accordingly to the desired back-ends with Content-Security-Policy headers or stricter.
450136 Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles. Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked. Customer will see chunk boundaries on the web page. To workaround this problem, use an iRule to rechunk the HTTP response always.
454306 When HTML style attributes with HTML entities are rewritten, it results in direct or incorrect links to resources. This occurs when using HTML style attributes with HTML entities. It results in broken styles in web application. There is no general workaround, but custom iRules can be used.
478657 If a web application uses HTTP URLs with embedded credentials, then they do not work with Portal Access. Web-application logic can be broken.
480283 Some backend servers cannot be accessed using BIG-IP Edge Portal for iOS over mobile networks. Authentication fails; (a cookie related to authentication goes missing). It also happens when connected using WiFi but much less often (possibly due to timing). Web-application fails to update cookie when running Edge Portal on mobile networks. The issue is intermittent and hard to reproduce. The impact of this issue is that web-application logic can be broken. This issue has no workaround at this time.
494135 If 'eval' JavaScript call is redefined in HTML page, event handlers may not work correctly. There may be many ways to re-define 'eval'. For example: <form> <button name=eval onclick="someFunction();">Button</button> </form> In this case 'onclick' event handler will not work through Portal Access. Web application may not work correctly. In the worst case scenario, the browser (Internet Explorer 9 or later) may crash. There is no workaround at this time.
519397 With Microsoft Internet Explorer browsers at logout from APM, session windows with different domains display the APM logout page. This happens when Internet Explorer browser is used, non-APM windows are open for APM windows. Other domain windows content might be replaced by the APM logout page. There is no workaround at this time.

Authentication and SSO-related issues

ID number Description
355490 TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. Sometimes, when the reply from the TACACS+ server is processed, "Invalid reply error message" is logged on APM. However, this message does not indicate any failure in sending the accounting STOP message to the TACACS+ server. This error message can be ignored because the accounting functionality works.
355981 APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported.
367621 Access Policy Manager does not support IPv6 for communicating with the OCSP responder. Configuring the OCSP URL with an IPv6 address or a hostname that resolves to an IPv6 address will not work. Acess Policy Manager uses OpenSSL BIO APIs to connect to the OCSP responder and these calls do not support IPv6.
399696 Selecting an SSO configuration with WEBSSO::select does not work for form-based client-initiated and SAML SSO configurations. To work around the problem, use a variable to assign the configuration object name: set sso_config /Common/SAML-config WEBSSO::select $sso_config unset sso_config
399732 When a BIG-IP systems acts as a SAML service provider, it supports only assertions of size 64K or less. Also, when a BIG-IP system acts as a SAML IdP, it supports only authentication requests of size 64K or less.
427745 In APM RSA SecurID authentication, when PIN reset is required for RSA and the APM logon page is localized to use o/n (oui/non in French) or si/no (in Spanish) in place of Y/N, it does not work; it only accepts y or n. In APM RSA SecurID authentication, when PIN reset is required for RSA and the APM logon page is Localized, o/n (oui/non in French) or si/no (in Spanish) for Y/N do not work. APM RSA SecurID authentication PIN reset does not accept French or Spanish responses from an APM localized Logon page. To work around the problem, use y/n in place of o/n (oui/non in French) or si/no (in Spanish).
433242 SAML Single Logout (SLO) does not work when all of the following are true: The BIG-IP system is acting as a SAML Identity Provider (IdP) or SAML Service Provier (SP); The other party configuration has SLO configured; The SP connector or IdP connector on the BIG-IP system is missing a SAML SLO Request URL or SAML SLO Response URL. If SAML SLO is configured with SAML other party and other party does not have both SLO Request URL and SLO Response URL. SAML SLO does not work. To work around the problem, configure both SAML SLO Request URL and SAML SLO Response URL for SP and IdP connectors.
435719 When AD Query is configured before AD Auth in an Access Policy, and the password expiration warning is enabled, or the user password is expired and the user types the wrong original password, then password change fails. However, the BIG-IP system continues to prompt for new credentials until reaching the value specified for Max Password Reset Attempts Allowed and all attempts fail because the original password is incorrect. The problem occurs when: 1. AD Query is configured before AD Auth in an Access Policy and password expiration warning is enabled or 2. The user password is expired and the user typed the wrong original password. As a result, a user cannot change password after first typing the wrong password at logon page. You can work around the problem in one of these ways. 1. Close the tab or browser and open the logon page in a new tab or new browser window or 2. In the same browser, remove everything after FQDN/ and click Enter. That will initiate a new session.
436138 If you use Kerberos authentication with the Request Based Auth option set to Enabled and you use Secure Web Gateway explicit forward proxy, access to web sites fails. To work around the problem, set the Request Based Auth option to Disabled.
436224 Secure Web Gateway transparent proxy configuration fails to authenticate user when using Kerberos with Request Based Authentication option enabled. Kerberos authentication is configured with Request Based Authentication option enabled on captive portal virtual server. User's browser hangs. To work around the problem, set Request Based Authentication option to "disable".
438344 APM Websso (SSOv1) incorrectly handles POST request to Start URI. Websso appends SSO parameters to payload from POST request without adding the ampersand (&) delimiter. Websso does not update Content-Length on sending to backend server.
439680 BIG-IP system configured as a Service Provider (SP) supports only 'rsa-oaep' for key transport ( When the BIG-IP system configured as SP receives a SAML Assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails. The only issue here is the error reported does not directly point to the cause of failure which makes troubleshooting more difficult. When BIG-IP configured as SP receives SAML Assertion which is encrypted or contains encrypted attributes. Troubleshooting could take longer. There is no workaround.
440395 If you have an HA pair and try to reset AD cache (group cache or PSO cache), the standby node logs this misleading message: Cannot cleanup cache if other options were changed for AAA AD Server. HA is configured, AD module is configured to use caches (password warning option is enabled AND/OR fetch nested groups option is enabled AND/OR fetch primary group is enabled AND/OR password complexity check option is enabled) admin is trying to reset any of caches at active node. The message can be skipped. There is no functional impact.
441537 In APM form-based SSO, some special characters are incorrectly URL-encoded for certain fields, such as hidden parameters. (This does not apply to form-based client-initiated SSO.) This occurs when using form-based client-initiated SSO with a hidden parameter that contains a special character, such as dash ( - ), underscore ( _ ), period ( . ), exclamation mark ( ! ), tilde ( ~ ), asterisk ( * ), left round bracket ( ( ), right round bracket ( ) ), and backslash ( \ ). Form might not work as expected. To work around the problem, use form-based client-initiated SSO if possible. Form-based client-initiated SSO has the correct URL encoding implementation. Alternatively, use an iRule to change the special ASCII characters back to the correct character.
442532 Response could not be sent to remote client. Conditions are not known. Box still works okay. Reconnect works.
461084 When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header PRIOR to the "HTTP 401" challenge, authentication fails. An auth request to the BIG-IP systems contains Authorization header; Kerberos Auth is configured. Auth can fail and the client might see a login prompt again when the IP address changes.
473042 ldbutil is used on the BIG-IP device in order to add/delete/modify user information in the LocalDB. When adding a new user to the Database, currently there is a limit of 127 characters for the user group field. In addition to that, restrictions apply to additional fields: user-name = 32 characters; DB instance = 32 characters; first name = 32 characters; last name = 32 characters; e-mail = 127 characters. If more than 32 characters are provided for user-name, DB instance, first name, or last name, the information is truncated and only 32 characters is stored in the database.
499690 The localdbmgr process keeps crashing repeatedly. The issue is caused by corruption in the contents stored in the memcache. The corruption in memcache is still being investigated. So at this time, it is not clear on the actual condition which results in this bug. There is no workaround at this time.
520610 Assertions that are passed from a SAML Identity Provider (IdP) to a SAML Service Provider (SP) contain a number of timestamps to prevent replay attacks. When assertions are processed by BIG-IP as SP, most of these timestamps are verified, except for SubjectConfirmationData NotOnOrAfter. This happens when the SubjectConfirmationData NotOnOrAfter timestamp is expired by the time that the BIG-IP as SP processes the assertion. As a result, BIG-IP as SP can accept an assertion with an expired SubjectConfirmationData NotOnOrAfter timestamp. There is no workaround at this time.
527408 /var/log/oblog.log file is not rotated periodically and could take a lot of disk space. APM AAA OAM is configured and have EAM plugin enabled on any virtual server. When EAM plugin makes Oracle SDK API calls logs are generated in /var/log/oblog.log and is never cleaned up. ASDK log file could fill up disk space. Delete older /var/log/oblog.log files from the BIG-IP system manually.
534187 Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys. Private key used to perform digital signing operations is passphrase protected. SAML protocol will not function properly due to inability to sign messages. To work around the problem, remove the passphrase from the signing key.

Client issues

ID number Description
223583 Inside Protected Workspace (PWS) on Microsoft Windows Vista, a user can create folders only in some locations using the context menu; that is, only a Folder item appears on the New menu. However, a user can create standard type files using the context menu directly on the desktop and in the user's home folder. Files can be created on the Desktop and then moved to the desired location.
376615 Username and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a result logon fails. The problem happens for these clients: iOS, Android, Windows Mobile, and Linux CLI. To work around the problem, put the Logon page agent before the On-Demand Cert Agent in the access policy.
378524 The following problem occurs with Google Chrome support on Windows and Linux machines for the Citrix Web Interface 5.4 application in full webtop. If you open a full webtop and click an application icon on it, nothing happens.
393043 During an APM remote connection, the progress bar might not render correctly on a Linux system when using the Chrome browser.
399552 CD/DVD burning through SPTI inside PWS works even though the policy disallows it.
404890 This is a rare issue that happens for Internet Explorer when pop-up screens are set to be blocked by browser. When you launch a Java app-tunnel for the first time in Internet Explorer, the message "Allow pop-ups for this site?" is displayed. In rare cases, when you click Allow once, the Java app-tunnel freezes in the Initializing state and cannot be used. To work around the problem, add a virtual server to the allowed sites for pop-ups from Tools > Internet options in Internet Explorer.
409233 VMware View Client becomes unresponsive for about one minute after associated APM session is terminated by administrator. APM session associated with VMware View Client connection is terminated by administrator. VMware View Client becomes unresponsive for about one minute.
420550 WYSE client cannot launch any application if the APM session expired.
428904 Printer redirection and keyboard redirection ('special keyboard commands') in non-fullscreen mode do not work on Microsoft Windows version 7 or 8. This happens when the client OS is Windows version 7 or 8. User is not able to use local printers remotely as well as 'special keyboard commands' (for example, ALT+TAB) in non-fullscreen mode. To work around the problem, use fullscreen mode to use local printers remotely as well as 'special keyboard commands' in Windows version 7 or 8.
432020 By default, Internet Explorer 11 starts with Enhanced Protected Mode enabled and the browser process runs inside AppContainer. Enhanced Protected Mode (AppContainer technology) in Internet Explorer 11 prevents the interception of connection requests. As a result APM App tunnels cannot redirect traffic to a proxy running on the loopback address. You can work around the problem in one of these ways: 1. Disable Enhanced Protected Mode in Internet Explorer 11. 2. Add the backend server to the Trusted Sites or the Intranet Sites list.
432515 The external logon page does not post the Action required pop-up dialog box of BIG-IP Edge Client. This occurs when APM uses the external logon page. The impact is that the user does not know that there are required actions to perform. To workaround this issue, you must inject the following JavaScript code into the External Logon page: <body onload="OnLoad()"> ... <script language="javascript"> function OnLoad() { try{ if ( "undefined" != typeof(window.external) && "unknown" != typeof(window.external) && "undefined" != typeof(window.external.WebLogonNotifyUser) && "unknown" != typeof(window.external.WebLogonNotifyUser) ){ window.external.WebLogonNotifyUser(); } }catch(e){alert(e)}; } </script>
434831 When the client connects to APM (with Safari) and launches the Application Tunnel, the tunnel will be created, but the application configured to launch will not. There is no error; the only indication is that the application is not started by the Application Tunnel. This happens after a user upgrades their OS X to version 10.9 (Mavericks), connects to APM and launches a Java Application Tunnel configured to launch an application when it starts. As a result, a user can not auto-start an application on Application Tunnel start. User would need to open application manually. To work around the problem: 1. Use Firefox browser. 2. Disable Safe mode for the required host. Select Safari preferences > Security Tab > Manage Website Settings >. 3. In the left panel, choose Java. 4. For the required host, choose Run in Unsafe mode.
440375 Under the Built-in Administrator account inside Protected Workspace, a VPN connection cannot be established if VPN components are not installed already. This occurs when a user is using Built-in Administrator account on Windows 8 or 8.1 and tries to connect through VPN inside PWS and VPN components are not installed yet. User cannot connect using VPN if above conditions are met. To work around the problem, install VPN components before Protected Workspace on an account other than Built-in Administrator.
462985 Remote Desktop session terminates after TCP idle timeout without any activity from the client. Remote Desktop Services by default do not send keep-alive packets to the RDP clients. When there is no activity from the client or terminal server, the TCP session is terminated. When there is no activity from the RDP client, the session is terminated and the client tries to reconnect to the server. To work around the problem, configure AD policy: 1. Set a keep-alive connection interval of 1 minute for the terminal servers: 2. Set the idle session limit to Never for Remote Desktop Services sessions: 3. Increase TCP idle timeout to 900 seconds on the BIG-IP system if the RDP clients that you support do not send keep-alive packets.
469110 Microsoft Remote Desktop for iOS might hang if invalid credentials are entered. Restarting the Microsoft Remote Desktop for iOS application and entering valid credentials remedies the issue.
472382 The VMware View Logon page for RADIUS does not display a challenge message when challenge occurs on the RADIUS server. RADIUS authentication is used for View Client. The user will see a generic message that a challenge event occurs. The next tokencode challenge process consists of three steps, each with a different challenge message, but the user sees one standard message on all three steps. To work around the problem, use RSA SecurID authentication.
480829 Citrix Receiver 5.9 for iOS fails to connect to the store with an error message: Cannot Add Account. Citrix Receiver 5.8.3 for iOS crashes after sending credentials. APM is configured in integration mode with Citrix Storefront 2.5. Update Citrix Storefront to version 2.5.2 or configure iOS Receiver to use legacy protocol.
485276 When Citrix Receivers for Mac or Windows are used to create accounts with APM configured in Citrix Web Interface proxy, Citrix Web Interface replacement or Citrix StoreFront replacement modes, users are prompted for credentials twice.
515172 VMware View clients consume two sessions while connected when APM is configured with Smart Card optional Access Policy. In this case, the very first opened session remains unauthenticated and is automatically groomed afterwards. This happens with APM as PCoIP proxy configured to support smart card using basic authentication method and password authentication as a fallback option. Extra short-lived unauthenticated APM sessions are created during the normal policy execution.
519779 If the session expires or is killed for a View client that was authenticated with a smart card, the client does not allow for re-authenticating with a smart card. This is not an APM issue. A VMWare-specific bug is open to track the issue: To work around the problem, disconnect from the previous (expired/killed) session and start a new one.
535888 VDI does not check Access Profile Scope setting. It always assumes global profile scope. This occurs when profile scope is set to Virtual Server or Profile. Profile scope setting is ignored and Global scope is used.
539038 VMware View Connection Server backends v6.x do not support some modern cipher suites that are now used by default by BIG-IP/APM starting from version 12.0. This causes errors when APM attempts to talk to the VCS backend. ServerSSL profile configured with DEFAULT ciphers. VCS default-configured. User cannot access VCS through BIG-IP system. Do one of the following: 1. On the BIG-IP system, update the serverSSL profile to change the value of Ciphers from DEFAULT to DEFAULT:!DHE:@STRENGTH or 2. On the View Connection Server system, open this file for editing: VMware View\Server\sslgateway\conf\ and add the following line to it: enabledCipherSuite.1=TLS_RSA_WITH_AES_128_CBC_SHA
539083 BIG-IP Edge Client for Mac will, only briefly, display garbled message to indicate that is executing some endpoint check. This could be for any endpoint check such as file, process, antivirus, firewall, and so on. This occurs with Edge Client for Mac and an endpoint check configured on server side. A garbled message displays for a second or two. There is no workaround at this time.

Network access issues

ID number Description
342035 A SIP client cannot communicate with a SIP server when connecting over a Network Access tunnel. SIP protocol uses fixed UDP ports, and communication fails because Network Access tunnel translates the source port of the connection. To work around the problem, configure a layered virtual server using the SIP UDP port and set the Source Port option to Preserve Strict.
351360 Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol. To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles.
356419 On Linux, PPP routes might be lost if Network Access is configured with the Allow Local Subnet option enabled. This behavior is rare. To work around the problem, disconnect from the server using the "f5fpc -o" command and then reconnect to the server.
356766 Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot.
364061 On a Linux client, the network access Show log file link does not display the log file unless gedit is installed. To work around this problem, install gedit on the Linux client.
373889 You can configure a Network Access tunnel to update a session (that is, to extend expiration time) based on a traffic threshold and a window of time. Traffic measurements are taken every 5 seconds, but they are not divided by 5 before being used in the calculation. As a result, instead of bytes per second, bytes per 5 seconds is calculated, which is incorrect. To work around this problem, select the Network Access resource you want to update, then select Network Settings and Advanced from General Settings. Proceed as follows: 1. Set Session Update Threshold to 5 times the desired bytes/second rate. 2. Set Session Update Window to 2 or higher. Note: The session life management might not be exact.
383607 After a Network Access client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4 to 7 minutes.
398339 When you use the Fedora operating system with SELinux enabled and use the Firefox web browser to connect to APM for network access, you might get SELinux blocking notifications. To work around the problem, perform these steps: A. Execute the following commands on a terminal as root user (not sudo): 1. "setsebool -P mozilla_plugin_enable_homedirs on" 2. "setsebool -P unconfined_mozilla_plugin_transition 0" B. Restart Firefox and try connecting to the APM server again.
403082 Networks Access cannot perform routing table clean-up if a user closes browser windows without logging out from the webtop, or if a user closes a browser window without waiting for the logout process to complete. To work around the problem, add the APM virtual server address to the Trusted Sites list.
404654 BIG-IP Edge Client for Mac shows status as connected but traffic does not flow through the tunnel. The problem is seen when all of these conditions exist. 1. The Prohibit routing table changes setting is disabled on the server. 2. The user initially connects to a wireless network, then connects to a wired network, and then disconnects from the wireless network. As a result, VPN seems to be connected but no traffic flows through VPN. To work around the problem, perform one of these steps. 1) Enable the Prohibit routing table changes setting on the server or 2) Disconnect the client before switching networks. If the client is already in this state, restarting the client will fix this issue.
416412 A Network Access webtop does not show warning windows about session expiration. A full webtop does not show warnings intermittently.
423161 When a Network Access session and an APM session are closed simultaneously, one of these logs is written: apm logs: "VPN Cleanup: failed to release IPv4 ERR_ARG" tmm logs: "address <p> in leasepool <lease pool> is unassigned - can't release" This happens when a Network Access resource and a Network Access webtop are assigned using the Advanced Resource Assign action, and the Network Access session is closed. These are notice level logs and not errors.
427125 Network Access status window does not display properly when client access is from Japanese OS. To work around the problem, perform these steps: 1. Select Access Policy > Customization. 2. Change the view from Basic to Advanced. 3. In the navigation tree, find Customization Settings > Webtops > <Your webtop name> > Full Webtop popup settings and set Show statistics table to on.
435542 In some cases re-installation of the VPN driver on Windows 8.1 requires a system reboot. Without reboot the user can be presented with this error: "The modem (or other connecting device) is already in use or is not configured properly."
438056 The APM Network Access client for Windows systems can fail to establish a VPN connection if the client SSL profile is configured with the options no-tls or sslv3 and the BIG-IP system selects an AES cipher. Windows Schannel API does not consider AES as a valid cipher for an SSLv3-only connection and can reject the connection to the BIG-IP system. Explicitly disable TLS in client-ssl profile and enable SSLv3. An unlikely configuration in real customer deployments. Only affects deployments in which the default configuration has been modified to disable TLS and enable SSLv3, an unlikely scenario. If you restrict client SSL to SSLv3-only, you might need to exclude AES ciphers (defined in RFC3268) by adding ':!AES' to the 'ciphers' option in the client-ssl profile to work around compatibility issues with Windows clients: for example ltm profile client-ssl clientssl_ssl3_only { ... ciphers SSLv3:!AES ... }
465978 Connectivity profile compression setting specifies compression level for BIG-IP-to-client direction. Compression from BIG-IP-APM-to-client is still present even if it is disabled in connectivity profile. GZIP compression is enabled in network access resource. GZIP compression level is set to 0 (No compression) in the Network Access section of the connectivity profile. Expected behavior: there is compression in client-to-BIG-IP direction, there is no compression in BIG-IP-to-client direction. Observed behavior: there is compression in both directions. Compression from BIG-IP-to-client direction can not be turned off by connectivity profile setting. To work around the problem, modify the value of the compression.strategy db variable to "speed": tmsh modify sys db compression.strategy value speed
469852 Users lose connectivity to resources through VPN when forwarding virtual servers are disabled. This occurs when forwarding virtual servers are disabled and the connectivity profile is enabled. User loses connectivity to resources through VPN. Network Access connectivity works if all the forwarding virtual servers are enabled or deleted completely.
476279 Network Access with snatpool establish fails with access policy having route domain and snat agent with snatpool selected. Route domain and SNAT agent with snatpool selected. Network access establish fails. To work around this issue, set automap setting in route domain and SNAT agent.
482976 AppTunnel fails with two resources, one with protocol type and the other with port range. This occurs when the following conditions are met: 1. The App tunnel resource contains a resource item configured with a protocol type and order 1. 2. The App tunnel has another resource item configured with port range and order 2. This occurs when the following conditions are met: 1. The App tunnel resource contains a resource item configured with a protocol type and order 1. 2. The App tunnel has another resource item configured with port range and order 2. AppTunnel cannot be established. To work around the problem, reverse the order, making the port range resource item order 1 and the protocol type order 2.
495128 If a client machine uses proxy and Network Access does not specify any proxy, then Safari should not use proxy for some Network Access resource after the Network Access tunnel is created. However, Safari does so. This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing. Apple has been notified: rdar://problem/18651124. The problem occurs when all of these conditions exist: 1. OS = Mac OS X Yosemite. 2. Configuration = Client machine has local proxy configured and Network Access on BIG-IP system access policy does not specify any proxy. 3. Action = Accessing Network Access resource after tunnel is created. As a result, some network access resource might be unavailable. There is no workaround at this time.
504498 Antivirus check will not pass with EPSEC 377.0. This happens with EPSEC 377.0 installed and with an antivirus check using Bitdefender 18.x. To work around the problem, upgrade to the latest EPSEC build.
522590 DNS Relay proxy service does not resolve static hosts if no DNS server is configured at the Network Access resource. The problem occurs under these conditions: DNS Relay proxy service is installed on machine; A DNS server is configured at the Network Access resource; Full Tunnel mode is used. Static hosts are not resolvable on client. Specify a bogus DNS server in Network Access resource (for example Virtual Server address).
527668 KB3058515 introduces new security changes in Internet Explorer versions 9, 10, and 11. As a result, it is unable to create a tray icon from a plug-in that running on site that is not in the Trusted Sites list. The problem occurs under these conditions: 1. KB3058515 is installed. 2. Client machine has Internet Explorer version 9, 10 or 11. 3. APM virtual server is not in Trusted Sites list. Minimize to tray option does not work. To work around the problem, uninstall KB3058515 or add APM to the Trusted Sites list.
527875 In security update KB3065822, Microsoft changed behavior of Internet Explorer. Now, to install F5 VPN ActiveX under current user, APM is required to be in Trusted Sites list. Installation per machine also requires APM to be in Trusted Sites list but only for Internet Explorer 9. This only applies to installation from notification bar. This notification bar is shown when user accesses the APM Virtual Server first time (that is, no F5 ActiveX is installed). Existing installations are not affected. Installation using Edge Client package is not affected as well. The problem occurs under these conditions. 1. KB3065822 should be installed. 2. Either of these configurations require that APM be in Trusted Sites list to install F5 WebComponent (ActiveX): Internet Explorer 9 installation either per-machine or per-user; or, Internet Explorer 10 or 11 installation per-user. A user with a clean machine may be unable to install F5 Web Components per user if APM is not in the Trusted Sites list when accessing an APM virtual Server. To work around the problem, you can do any of the following: 1. Do not install KB3065822 or 2. Uninstall KB3065822 or 3. Add the APM virtual server to the Trusted Sites list.
528424 Tooltips/Toast notification are not displayed when Network Access changes state (Connect, Disconnect, Reconnect, etc). Beginning with Microsoft Windows 8, tooltips are replaced by Toast Notifications; Windows does not convert tooltips to toast notification for F5 WebComponent in Windows 10. The problem occurs under these conditions: Internet Explorer 11. Windows 10. Networks Access changes state. User is not notified about state change. To enable tooltips, in Group Policy change this setting: "User Configuration \ Administrative Templates \ Start Menu and Taskbar \ Disable showing balloon notifications as toasts" to Enable.

Portal access issues

ID number Description
384405 With Access Policy Manager Portal Access, if you add a web-acceleration profile to the Local Traffic virtual server, it does not take effect until the you go to the command line and type "bigstart restart tmm". The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content.
406040 If an application uses a non-standard location for favicons (as permitted by the LINK meta tag) and you use Internet Explorer 10 for access to the application, then the BIG-IP system creates a new session for that URI. If you use Google Chrome version 25 or above, the BIG-IP system closes the current session during fetching favicons from the non-standard location. Related change in Google Chrome: An example of an iRule workaround is as follows: when HTTP_REQUEST { if { [string tolower [HTTP::path]] ends_with "favicon.ico" and [HTTP::cookie "MRHSession"] eq "" } { ACCESS::disable } }
426492 Multidomain SSO does not support custom ports. For multidomain SSO, redirection back to the slave virtual server will always go back to a standard 80/443 port. The slave virtual server must be on port 80/443. For example, suppose we set up a virtual server for Accessing this will redirect to the primary virtual, and login will proceed normally. When we redirect back to the slave virtual, we will redirect to on the standard 443 port. This occurs for multidomain SSO and nonstandard ports on the slave virtual server. Administrators cannot configure multidomain SSO on ports other than 80 or 443. To work around the problem, only use ports 80 and 443.
426963 When the client sends an HTTP POST with an expect 100-continue, APM will fail to forward it to the backend server. The client will wait about 3 seconds to timeout before sending the actual data of the POST request. The client will not receive a 100-continue. Usually, it waits for about 3 seconds and then forwards the data anyway. The following iRule appears to resolve the issue. when HTTP_REQUEST { if {([HTTP::method] eq "POST") && [HTTP::header exists "Expect"] } { HTTP::header remove "Expect" SSL::respond "HTTP/1.1 100 Continue\r\n\r\n" } }
428268 Some URLs might contain ampersand (&)-separated parameters. If each '&' separated parameter is not followed with an equal sign (=), the APM system does not recognize it as a proper query string, and the redirection from the primary virtual server back to the secondary virtual server will be incorrectly parsed. This problem occurs with multidomain SSO. Customer will not be able to login with URLs that include an '&' that is not followed by an '='. To work around the problem, URL-Encode "&" and "=" in the original URL before passing it to APM. Or, follow every parameter with "=" or "=value". Both workarounds require application changes.
428894 When a user logs in with Multidomain SSO, some cookies are set. At logout, one set of these cookies does not have a domain set, and are not deleted. It appears this only applies when Cookie Scope is set to Host. When logging in, the existing cookies can cause errors. Here are two workarounds. 1. Clearing the cookies allows the user to log in again. 2. The problem does not seem to occur if you change Cookie Scope to Domain instead of Host.
439965 BIG-IP APM currently cannot handle multiple browser tabs trying to create sessions at the same time. The most common example is saving multiple homepages in a web browser. When the web browser opens, requests from these tabs are sent within milliseconds. This can cause very unpredictable behavior where sometimes it will function correctly, and other times there will be connection resets or the user will see error pages. This applies any time a user is attempting to create a new session. Once a session exists, multiple tabs are supported. This can cause very unpredictable behavior: sometimes it will work, other times there will be connection resets, and other times the user will see error pages. Affects All APM products, except SWG If the user is already authenticated and has a session, then multiple tabs can be opened. However, there is no workaround for session creation.
455975 Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description. Using SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns. Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.
460590 If one of two nameservers returns a response of "No such name" for a domain query, then the same domain query is not tried on the second nameserver. Two name servers configured: The DNS entry for a particular domain name is present only in one name server. When a response is already received from the first nameserver, the domain query is not attempted on the second nameserver. So even though an entry may be present on the second nameserver, the resolve fails. This is expected behavior. DNS operates on the assumption that all nameservers everywhere contain the correct and valid data. Always have two name servers in sync so they should have the same set of domain entries.
462598 When the APM Access renderer or renderer pool (used for serving internal pages) goes down for an unknown reason, tmm goes into retry loop and sod kills the tmm. For the problem to occur, at the very least, APM must be in use. The problem showed up in the past with a mangled iRule in place. This condition causes a crash due to an unresponsive TMM and will trigger a failover. This has only been observed with an incorrectly formed iRule. So it is likely that fixing an associated iRule to operate as intended will resolve the problem. If this occurs without an associated iRule, there is no workaround.
468130 When Kerberos authentication is used with request-based authentication (RBA) enabled, the first POST request sent to the BIG-IP system could be replaced by a dummy POST and authentication then fails. This can occur when the BIG-IP system is configured as a SAML Identity Provider (IdP) and the http-post SSO binding is used. The problem occurs under these conditions: 1. RBA is enabled. 2. Kerberos Auth is used. 3. The first request to the BIG-IP system before session has been established is a POST request. Some functionality may not behave properly; for example, when the BIG-IP system is configured as a SAML IdP and an http-post SSO binding is used, AuthnRequest can get lost and authentication will fail. To work around the problem, edit the access policy and, in the properties for the Kerberos Auth item, set Request Based Auth to Disabled.
470389 Garbled characters (or control characters) are seen in the /var/log/apm log file. This issue occurs under the following conditions: username/password are not provided when accessing the virtual; Network Access resource is launched and VPN is established; and when accessed from another browser, the first session is killed and sometimes garbled characters appear. Unnecessary garbled characters occur in log messages. There is no workaround at this time.
479348 Multidomain SSO works by running the policy on the primary authentication virtual server and redirecting the request back to the virtual server that it landed on. While running the policy on the primary virtual server, if there is a redirect ending that does redirect to some URI, it seems to be ignored. Multidomain SSO then redirects to the secondary virtual server. Access policy with Multiple Domains enabled and where Primary Authentication URI is set to some URI, for example,, and add auth domain In the visual policy editor of the same Access policy, configure a Redirect ending to some external resource. Create a virtual server for the start URI and one for the login URI. For example, you will have a virtual server for and one for, and add the above Access Profile/Policy to the two virtual servers. The impact of this issue is that the user is unable to redirect Access sessions to a desired external location, such as, Access session redirected to external website based on some Access Policy logic. iRule workaround steps: 1. Change ending Redirect to ending Allow. 2. Create a custom variable using Variable Assign action just before the ending Allow (that used to be ending Redirect) and assign value 1; for example, session.ending.redirect return 1 3. Implement the following iRule on the primary authentication virtual server: when ACCESS_POLICY_COMPLETED { set ending "[ACCESS::session data get session.ending.redirect]" if { $ending eq 1 } { after 2000 { ACCESS::session remove } ACCESS::respond 302 Location [external address] } unset ending }
497746 A vulnerability scanner noted that /vdesk/timeoutagent-i.php does not have X-Frame-Options: header set, and also returns 200 OK when a GET is sent. Therefore this URI is vulnerable to click-jacking. This fails for OWASP best practices. That means that it violates PCI DSS Requirement 6.5 and in turn is a failure. To work around the problem, use an iRule to insert the header.
498926 Multi-domain SSO fails when the session expires on the Primary Authentication URI. To work around the problem, modify the href for the Session Expired Message so that it redirects to In the text customization for the Session Expired Message, replace [SESSION_RESTART_URL] with session variable %{}.
526140 Access does not always properly enforce maximum sessions per user. Assume the maximum sessions per user limit is set to N > 0, for some K > 0, the user begins with N-K active sessions, and there are at least two CPUs (two TMMs). If for X > 0, a user attempts simultaneous access from K+X different devices, it is possible the user ends with N+X active sessions. The problem is most easily noticed when attempting to enforce N=1, in which it is possible for a user to have 2 (or more) active sessions. This happens in a Secure Web Gateway configuration with IP address-based credentials. The likelihood of encountering this issue is higher if there are more TMMs. The user either coincidentally or maliciously attempts simultaneous access from multiple devices. The maximum sessions per user is not properly enforced as expected. An iRule can be written to manually enforce the session limit on a subsequent request.
532774 If a wrong token is entered in the URL that is sent in the Location header to the BIG-IP system, then BIG-IP redirects about 20 times instead of displaying an error page at the first attempt. The problems occurs under all of these conditions: 1. Configure multidomain SSO. 2. Go to slave host. 3. Authenticate after redirect to the primary auth. 3. Intercept and change token to the incorrect one. As a result, multiple redirects to random URLs happen in case of wrong token. There is no workaround at this time.

Secure Web Gateway issues

ID number Description
431077 You cannot use tmsh to change the logging level for Secure Web Gateway content analytics. End-user cannot modify the logging level for the Content Analytics Server using the tmsh CLI. To work around the problem, you can perform the following steps: 1. Use SSH to connect and log into the BIG-IP system. 2. Change directory to /var/antserver/wsgsdk/config/ant_server. 3. Open the ant_server.config file for edit and modify the ANT_SERVER_LOG_LEVEL variable to desired level. Note: The ANT_SERVER_LOG_LEVEL variable can range from 0 (Log Nothing) to 8 (Extra Debug). The variable is set to 3 by default.
479287 When using an HTTP 407 Response or HTTP 401 Response agent in an access policy for SWG-Explicit or SWG-Transparent profile type, respectively, without additional configuration Kerberos authentication attempts always fail. The session variable,, seems to be set to the actual website to which the client is trying to connect instead of to the proxy URL (virtual server proxy domain name). This results in GSS-API errors when getting credential information for Kerberos authentication. The access policy (with access profile type SWG+Explicit or SWG+Transparent) includes HTTP 407 Response (for SWG+Expliceit) or HTTP 401 Response (for SWG+Transparent) and Kerberos Auth actions and an Allow ending. (For APM versions earlier than 11.6.0, the access policy would include an SWG Scheme action before the ending.) Users cannot authenticate to the SWG-Explicit or the SWG-Transparent proxy if attempting to use Kerberos authentication. To work around the problem, add a Variable Assign agent to the access policy after the HTTP 407 Response (or HTTP 401 Response) action. Add a Variable Assign entry as follows. Type this custom variable in the left pane and, in the right pane, select Text and type the appropriate domain name.
505247 F5DCAgent reports to IF-MAP server only IP address, either IPv4 or IPv6, and the workstation uses that IP address to communicate with AD Domain Controller in order to obtain TGT and TGS. This occurs on workstations that have multiple network interfaces or that have both IPv4 and IPv6 protocols enabled and being used for network communication. Not all workstation IP addresses are being reported to IF-MAP server, which can result in a user being denied access to certain resources. There is no workaround at this time.
505264 There is a delay before F5DCAgent updates the IF-MAP server with workstation's new IP address when it is changed due to DHCP lease expired, or when the user changes it manually. This occurs when the following conditions are met: - TGT and TGS tickets do not have client's IP addresses. - IP addresses are not enforced in TGT and TGS tickets. Users might be denied access to resources. To work around the problem, use a password to lock and then unlock the workstation.
507419 Use of Category Lookup by Subject.CN in a reverse proxy configuration will result in a connection reset. Category Lookup by Subject.CN requires the configuration of SSL forward proxy. Without this in place, the Subject.CN cannot be retrieved for use with Category Lookup. Category Lookup by Subject.CN cannot be used in per-request policies for reverse proxy use. This will require SSL profiles with SSL forward proxy deployed for correct operation. To work around the problem, you can use Category Lookup by SNI for equivalent functionality.
532375 If an administrator creates a policy with a categorization agent and a URL Filter with an action to block Facebook chat, when the per-request policy applies the URL Filter, the chat session cannot be completely blocked. The categorization agent will not successfully categorize it as Facebook chat. However, if response analytics is included in the policy, incoming chat messages will be blocked, but outgoing chat messages will still be sent. (Although the sender will be shown a "message could not be sent" notification, it will still have been sent). SWG module provisioned. Categorization agent in place. URL Filter created that blocks Facebook Chat. URL Filter is applied to user's request when per-request policy is evaluated. Facebook chat at this time cannot be accurately blocked. So users will still be able to send chat messages to other Facebook users thereby bypassing the URL Filtering policy in place. If response analytics is used, incoming chat messages will be blocked. This significantly impacts the user experience. Users will be able to send messages, though the sender will be shown a "message could not be sent" notification. Alternatively, an admin can block all of Facebook and, therefore, Facebook chat will be blocked as well.

Other issues

ID number Description
540245 An ACCESS::respond command with one argument could cause a false warning message in the LTM log. The warning message in the log starts with "The following errors were not caught before. Please correct the script in order to avoid future disruption." The message can be ignored.
525378 Assume that a user establishes a session on one virtual server. If the user learns his session ID, he may attempt to reuse that session ID to gain access to resources guarded by a different virtual server. When this happens, the iRule access session commands like [ACCESS::session sid] and [ACCESS::session exists] do not validate the scope of the session. The iRules consider sessions from other virtual servers to be valid, which can cause unintended results and potentially lead to end-users gaining higher privileges than administrators intended. There may be multiple access profiles assigned to multiple virtual servers, but the iRule session commands will treat all sessions the same. If the administrator is not careful with how the iRule session commands are used, it can result in a user bypassing the access policy and receiving higher privileges than the administrator intended. Care must be used to ensure that iRules using the session commands do not result in unintended behavior. An iRule similar to one below can be used to restrict a session to the virtual server on which it was created: when ACCESS_ACL_ALLOWED { set sessionlistener [ACCESS::session data get ""] set virtualname [virtual name] if { [HTTP::cookie MRHSession] != "" } { if { not ($sessionlistener equals $virtualname) } { # enter whatever command you wish to use to prevent the connection reject } } }
488588 An APM session is invalidated when accessing the /public folder URLs on modifying session cookie information. If the modified LastMRHSession cookie collides with an existing session but the full MRHSession does not, then APM kills the closest matching session when accessing /public URLs. This issue occurs under the following conditions: 1. Configure an APM virtual server with a simple policy (any policy will suffice). 2. Configure an LTM virtual server that calls the APM virtual server with the iRule command: virtual. 3. Access the virtual server and get the APM session established. 4. Use the Cookies acquired to send a request for any resource in the /public folder on the BIG-IP system, but modify the MRHSession cookie so that it is slightly different from the correct value. 5. Observe that APM kills the session identified by the LastMRHSession cookie. Session is invalidated and new session is created. The following iRule can be used to remove the cookie to prevent the issue: when HTTP_REQUEST { if {[HTTP::path] contains "/public"} { HTTP::cookie remove "LastMRH_Session" HTTP::cookie remove "MRHSession" } }
360889 For ACLs that are generated from a Portal Access resource, port 0 (zero) matches against port 80 (when the scheme is HTTP) and against port 443 (when the scheme is HTTPS). For ACLs otherwise, port 0 matches against any port.
447051 Access Policy import fails if the policy has at least one customization image file associated with it. Policy contains at least one customization image file. Users are unable to import the exported policy. Use the following steps to work around the issue: 1. cd /shared/tmp/impor. 2. Open the import-abcd-abcd.conf file. 3. Delete the duplicate occurrence of config entry for the file corresponding to the error, such as the following: ' apm policy image-file /Common/swapnil-img_0_HQ_1.jpg { local-path /shared/tmp/import/imp-140131-213953-995/res/5_Common_img_0_HQ.jpg }'. 4. Run the command: tmsh load sys conf merge file <filename.conf>.
528332 After a resource for an App Tunnel is added with a port range in a comma-separated list, instead of a dash-separated list, the modify action on the resource from the Admin UI will show errors. When a port-range is provided using Admin UI for the resource, it does not allow the user to introduce a comma-separated list. This problem only occurs when a user uses tmsh to introduce a comma-separated port range for the App Tunnel resource and then tries to modify it using the Admin UI. An example of a tmsh command that introduces the comma-separated port-range list after which the issue crops up on the Admin UI modify operation on that resource: (cfg-sync Standalone)(Active)(/Common)( modify putty { apps add { item1 { host port-range 443,80,22,389 log packet }}} (cfg-sync Standalone)(Active)(/Common)( list putty apm resource app-tunnel putty { acl-order 108 apps { item1 { host log packet order 0 port-range 443,80,22,389 } } customization-group putty_resource_app_tunnel_customization } The issue with modify operation for the comma-separated port-range is only seen through Admin UI; the user can still modify the comma-separated port range resource using tmsh. Use tmsh to modify the resource.
415262 If you use tmsh to create a connectivity profile and set another connectivity profile as the parent, the profile that you create does not inherit the settings for Windows/Mac Edge Client, Server List, Location DNS list, and all mobile client settings. This happens only in CLI. User may not see some attributes because they are not inherited from parent profile. To work around the problem, if you create the profile in GUI, all the information is inherited.
457773 The wrong datatype is used to represent the apmAccessStatCurrentActiveSessions OID. APM provisioned. Using the wrong datatype to represent apmAccessStatCurrentActiveSessions could be misleading. There is no workaround.
477177 Using tmsh to create ACL entries causes the source and destination IP addresses to default to Host type set to ::/128. This is different behavior compared to UI where the default is 'Any'. Unless source and destination IP addresses is specified, ACL entries created in TMSH will not default to 'Any'. IP address will be default set to ::/128. This issue has no workaround at this time.
440203 When you use an iApp to create an APM service, after the access policy and related objects are created, the notification Apply Access Policy on the GUI might still be enabled. This happens even though the generation number in the corresponding access profile has been increased by 1. To disable this notification, you can click the Apply Access Policy link. The happens when you create an APM service with an iApp. The Apply Access Policy notification on the GUI is turned on even though the generation number in the corresponding profile access has been increased by 1. To work around this problem, you can click the Apply Access Policy link to turn off this notification. Alternatively, you can modify the iApp script by putting the command "tmsh modify apm profile access <NAME> generation-action increment" into a different transaction. You can do this by creating a shell script from the iApp script: 1. The shell script consists of two lines: sleep <SAY 5 SECONDS> tmsh modify apm profile access <NAME> generation-action increment 2. In the iApp script, execute the shell script in the background.
539075 Client side checks such as antivirus, firewall, process, file, and so on, on CentOS 7 do not work. Server logs show "Access encountered error: ERR_ARG" for these clients. This happens when client-side checks are configured on the BIG-IP system and CentOS 7 and Firefox client connecting to this BIG-IP shows symptoms Clients from CentOS 7 are not able to connect to BIG-IP APM. There is no workaround at this time.
481659 Recurring check fails during connection. The problem occurs when APM BIG-IP virtual server DNS record has been updated or DNS load balancing is used. MAC or Linux client is used. Recurring check fails.
383511 The Device EPSEC Status screen should reflect the recent status of all devices in the device group. When a request to see the device status of a device group is made, the Changes pending link displays. After sync, the link should disappear and the status should be displayed. To work around the problem, perform Sync from group by clicking the Changes pending link. Then go to the Device EPSEC Status screen. The status displays.
440013 Updating EPSEC package on Standby system initiates a configsync operation from Standby to Active without notice. This issue is seen only when administrator attempts to upload a new EPSEC package on the standby unit. Just uploading the package causes a config-sync to the active. Causes config-sync from standby to active. So can cause config loss of newly created config on active. Always apply the EPSEC changes from the active device.
294032 When you access an older version of APM software using the Windows system client and a pre-logon antivirus check is configured, the OPSWAT AV control gets loaded into your browser. The control does not unload successfully and, as a result, the antivirus check fails. You cannot log on until the control is unloaded. Reboot the client system.
238556 AAA types for Securid and RADIUS in APM will not source packets from the floating IP address for the traffic group, as customers would expect. Because RSA authentication server is sensitive to the incoming IP address of the authentication packets, an extra virtual server is required to SNAT the authentication requests to the correct (floating) address so that the same source IP will be used in both members of an HA pair. You see this when you use RADIUS AAA or RSA AAA in an APM access policy. Authentication will fail because RSA expects the source IP address to be specific, and will not tolerate changes for HA failover.
383464 In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian.
371015 On chassis platforms, in some scenarios, more than one value is displayed under the Local Time column in the All Sessions report.
436196 Searches on event logs for Secure Web Gateway time out when the number of records is close to the maximum, 1 million, that can be stored. If the local db has the capacity volume such as 1 million records, GUI times out. User will see the timed out error in GUI. A simple custom search works fine.
452059 When the storage partition for MySQL is full and the system is under a heavy load, logd can go into a busy wait looping state. Only when disk partition of MySQL is full. This is an error case; the MySQL shall rotate, also logd produces chatty logs only during stress tests. Daemons that depend on logd might also get into a state waiting for logd services. To work around the problem, clean up the disk partition of MySQL.
534378 Users with Latin 1 chars in credentials cannot log into APM when using a non-UTF8 ActiveSync client (such as iOS). To work around the problem, put a Variable Assign agent after Logon Page with following assignment: (check the secure checkbox) session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass
530648 If Policy Sync is used, the GUI can become unresponsive during normal management operations (sync, resolve, check Policy Sync Status, and so on). This can occur with any size Access Policy. If Policy Sync must be used, follow the workaround text. Policy Sync is used with APM in the GUI. This is easily reproducible on 4GB boxes (set up policy sync between two HA pairs and sync a few policies). GUI becomes unresponsive, must be restarted by "bigstart restart tomcat". To work around the problem: 1. To get the admin UI back: bigstart restart tomcat 2. To give more memory to the admin UI: tmsh modify sys db provision.tomcat.extramb value 100 save sys config

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Fax: See Regional Support for your area.

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices