Release Notes : BIG-IP APM 12.1.0

Applies To:

Show Versions Show Versions


  • 12.1.0
Release Notes
Original Publication Date: 04/23/2018 Updated Date: 04/18/2019


This release note documents the version 12.1.0 release of BIG-IP Access Policy Manager (APM).


Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 D110
BIG-IP 12250v D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4200, B4200N Blade A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION B4450 Blade A114
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blade in the 4400(J100)/4480(J102) and the 4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest/ total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Module combination support on the 3900

Note: The GTM+APM module combination is not supported on the 3900 product platform.

Although SOL10288 states that all modules are supported on all platforms as of BIG-IP version 11.4.0, this does not mean that all possible module combinations are allowed on every platform (especially, legacy platforms).

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

Compatibility of BIG-IQ products with BIG-IP releases

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

APM client browser support

For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 12.0.0 Documentation page.

Documentation changes in 12.1.0

In the 12.1.0 release, the following chapters were removed from BIG-IP Access Policy Manager: Third-Party Integration Implementations:

  • Citrix Requirements for Integration with APM
  • Integrating APM with a Citrix Web Interface Site
  • Integrating APM with Citrix XML Brokers

An iApps template is available for configuring Access Policy Manager and Local Traffic Manager to integrate with Citrix applications. The template can be used on the BIG-IP system to create an application service that is capable of performing complex configurations. You can download the template from the F5 DevCentral iApp Codeshare wiki at A deployment guide is also available there.

Evaluation support

If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.

New in 12.1

Application Access

Smartcard SSO Support for VMware Horizon PCoIP Proxy (VDI)

Users of APM in VMware Horizon VDI use cases can now use single sign-on (SSO) from smartcards. APM is easily configured as a SAML Identity Provider (IdP) for VMware View Connection Server, supporting two-factor authentication with RSA SecurID/RADIUS.

Support and Control USB Redirection and Client Drive Mapping for VMware Horizon

APM delivers data loss protection by supporting USB redirection for VMware Horizon desktops. Policies can be set in APM for contextual control over which user and which user device can or cannot use USB devices, such as disks, mitigating data loss protection via USB on those managed accounts and devices. This feature also supports and provides policy control over client drive redirection.

Support for Linux Desktops for VMware Horizon

APM supports Linux desktops in the VDI proxy for VMware Horizon, using the VMware Blast Extreme protocol.


Step-up Authentication Preview

This version of APM includes a preview of step-up authentication, which is based on per-request policies and the introduction of “subroutines”. Step-up authentication enables additional credential validation and revalidation for more security-sensitive areas of multi-layer web applications. Example: Anonymous authentication for parts of a web application and Active Directory authentication required for specific areas of the same web application.


Edge Client for Windows: Always Connected Mode Respects Network Location Awareness

BIG-IP Edge Client for Windows does not require a VPN connection when the users’ device is already on the corporate network and always connected mode is enabled.

Secure Web Gateway Services

Continue and Confirm

Continue and confirm enables you to prompt a user with two options, "Continue" or “Cancel". By clicking Continue, the end user acknowledges acceptance of the corporate policy and expresses the intention to surf the website. A customizable IT policy message can be placed as well.

Request Analytics

This capability reads URL, query strings, IP, headers, and POST payload in request packets to better categorize URLs. More accurate social media and malware categories allows SWG Services to protect both outgoing and incoming chat messages. This also helps mitigate command and control attacks considerably.


Additional iRules

APM provides greater flexibility through additional iRule commands and making the iRule agent available from the per-request policy (supported for use in APM and SWG).

iRule commands:

  • CATEGORY::lookup custom
  • CATEGORY::result

Enhanced Registry Checker returns values for policy branching

The Windows Registry access policy agent can now retrieve full registry values and put them into session variables for enhanced policy branching. The agent supports partial registry value matching and verification using combined registry values.

REST APIs for managing user sessions in APM

New iControl REST requests make it easier to manage sessions within APM by letting you list all user sessions and retrieve session ID, user login, and IP address for each APM server. Additional APIs are available for retrieving session information based on username or client IP address and for deleting the session based on the session ID.

User Identity

F5 DC Agent

The F5 DC Agent software picks up user login events from Active Directory and relays current user and IP address information to BIG-IP APM, allowing APM to transparently authenticate users to access the APM or SWG Services forward proxy. The new solution is faster and more accurate in capturing user name and IP address mapping. The F5 DC agent can be used in AFM and APM, depending on licensing.

Supported high availability configuration for Access Policy Manager

Access Policy Manager is supported in an Active/Standby configuration with 2 BIG-IP systems only.
Note: Access Policy Manager is not supported in an Active-Active or an N+M configuration.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Versions later than 10.x do not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0 11.x

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading from earlier versions of APM

When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.

Access policy logging

Starting in version 12.0.0, APM supports high speed logging. As part of the change, the log.access.db and log.access.syslog db variables were deprecated; they no longer have any effect on logging. Configuration procedures for access policy logging also changed. See the upgrade notes for access policy logging in the Release notes for BIG-IP APM 12.0.0, which are available from the BIG-IP APM / VE 12.0.0 Documentation page.

Connectivity profiles

When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:

  • Option 1: Upgrade from 10.x.x to 11.4.x, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration utility.
  • Option 2: Upgrade from 10.x.x to 11.x.x, where 11.x.x is earlier than 11.4.x, then continue upgrading to 11.4.x.

Antivirus and firewall software checks in access policies

If your access policies include custom expressions that rely on session variables created by the antivirus or firewall software checks, after upgrade to 11.4.x, you must configure the antivirus or firewall software checks so that the Store information about client software in session variables property is set to Enabled. (It is disabled by default.)

If the custom expressions include multiple sub-expressions, you might need to edit the expressions.

Kerberos SSO

Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0 and later. This happens because, starting in 11.4.0 the password is saved in encrypted form, while the password in 11.3.0 is saved as clear text. Re-enter Kerberos SSO password after upgrading from 11.3.0.

Citrix client packages

The 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:

  1. Outside of APM, name or rename a Citrix client package without spaces in the name.
  2. Use the correctly named Citrix client package.
    • To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
    • To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.

Machine accounts for NTLM front-end authentication

APM does not restore NLAD connections when the configuration is restored from a UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.

Advanced customization

If you performed any advanced customization of files, you must upgrade these files manually.

Custom reports

Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.

OAM configuration

When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.

Access policies that use session variables

If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after upgrade. This example shows the difference in the value of a session variable between these versions.

  • Version 10.x -
  • Version 11.x -

The partition, /Common, is added to the version 11.x object name.

Fixes in 12.1.0

ID Number Description
372139 Manage Sessions are now showing correct current sessions on VIPRION chassis.
383801 Session variables that don't start with "session." show up in active session variable APM Reports.
402793 APM clients for Linux and Mac modified to perform better during secure re-negotiation.
403991 BIG-IP Edge Client for Mac now supports Proxy.pac file size of up to 1 MB; previously, the limit was 32KB.
409323 On Demand Cert Auth support for non standard port has been added to include the port information from VS as part of redirect URL.
419776 Check box performance restored.
420284 Support has been added for no cache option for the mcget command: mcget -nocache session... When the nocache flag is specified, APMD agent will read session variable from memcache directly instead of from APMD's session cache.
426492 APM now supports the use of custom ports on the virtual server that is used for initial access with a multidomain SSO configuration.
427125 Now Networks Access shows statistics table properly for Japanese language.
432126 Logon page now is fully editable with Internet Explorer 8.
439680 Unsupported algorithm will be logged correctly now.
440013 The Upload, Install, and Delete buttons will only be enabled on the Active platform.
446860 Now APM Exchange Proxy honors the tmm.access.maxrequestbodysize DB variable. Modify the tmm.access.maxrequestbodysize DB variable with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB)."
453649 Now BIG-IP Edge Client respects network location awareness (NLA) settings from connectivity profile: disconnects VPN when inside enterprise network, establishes VPN when outside of enterprise network. Edge Client has no button in this mode. To achieve that, Edge Client should be configured in way: 1. 'Enable Always connected mode' checked. 2. 'Traffic flow when VPN is disconnected' set to 'Allow only in enterprise LAN' or 'Always'. 3. Connectivity profile should have suffixes configured."
457773 Changed "apmAccessStatCurrentActiveSessions" OID type to Gauge/counterbasedgauge64.
461084 Client's Kerberos auth will succeed now.
462598 Now when an APM renderer or renderer pool (used for serving internal pages) goes down, APM detects the unavailability and sends a TCP Reset to the client.
472446 A configuration error in config sync or tmsh transaction is now handled correctly.
477177 When creating ACL entries via tmsh, the source and destination addresses will now have the correct default of 'any'.
482145 Buttons are now correctly scaled for Windows DPI setting.
482241 Windows 10 can now be detected out-of-the-box by Client OS and Windows Info agents.
482266 Users running on Windows 10 running the BIG-IP Edge Client will no longer see a "Network Access Connection Device was not found." error message.
482625 Erroneous multibyte charset setting is ignored if META tag is inside ASCII-compatible page.
486601 Now HTML pages with inline JavaScript code that use multibyte character sets are processed correctly.
488866 Now BIG-IP Edge Client respects network location awareness (NLA) settings from connectivity profile: disconnects VPN when inside enterprise network, establishes VPN when outside of enterprise network. Edge Client has no button in this mode. To achieve that Edge Client should be configured in this way: 1 .'Enable Always connected mode' checked. 2. 'Traffic flow when VPN is disconnected' set to 'Allow only in enterprise LAN'. 3. Connectivity profile should have suffixes configured."
490830 Protected Workspace disabled on Windows 10 client.
492122 Now the 'f5 Pre-Logon User' is created only once, which allows a Domain or System Administrator to manage it, because the SSID does not change. When the user is no longer required (that is, when the logon process is complete), 'f5 Pre-Logon User' is disabled and remains disabled until the next usage.
495702 BIG-IP Edge Client for Mac can now be downloaded from the connectivity profile screen of the APM GUI.
498610 Exporting Access Profile containing text with logging actions and colons is successful.
503025 Cipher and Hash algorithm information is now shown correctly.
503825 Error 4001 is fully customizable using the customization editor.
504266 Now DNS Relay proxy forwards dynamic update DNS requests.
505927 Now APM supports Citrix XenApp 6.x load balancing policies when working as WI/SF replacement.
506349 APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session".
507321 Now user-defined JavaScript objects with 'origin', 'source' and 'data' fields may contain any values in these fields.
508477 Now Network Access components print session ID in four messages: Starting pending session ID: %sessionid, Session %sessionid established, Session %sessionid closed: Status, and Failed to open session %sessionid."
508630 An additional fix was made to restore DNS suffixes correctly.
508719 The title displays on the logon page now.
509586 Browser cache plays no role for updating endpoint software check component on browser.
509595 Now old document reference is used if returns 'null'. So document.write() for closed document works as expected.
509596 Web applications work correctly, with no 'F5_Invoke_write is not defined' error on JavaScript Console.
509758 Now, the BIG-IP Edge Client does not show an incorrect cosmetic warning message.
510459 Resolved issue in which clients receive a file not found message from Access due to out of date White List entry in OPSWAT.
510596 DNS resolution on Linux works now even when the "DNS Default Domain Suffix" setting in the Network Access configuration is empty.
511961 Clients using the BIG-IP Edge Client for Mac supplied with this APM release can continue to log in and do not get stuck at a "Connecting..." screen.
513201 BIG-IP Edge Client is correctly localized for Japanese locale.
513474 Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288
513706 Fixed an issue causing incorrect metric restoration on Network Access on disconnect.
513865 Now it is possible to send HTTP status 503 for responses with APM-generated errors. This behavior is used by most of proxy servers (like Squid) in similar situations and is handled correctly by all web applications. This feature is disabled by default and may be enabled via special option in Access Profile or by setting special environment variable in Access Policy.
513969 Now Machine Certificate Check service is used for certificate verification even for non-limited users.
516075 Linux command line client works with On-Demand Cert Auth now.
516462 Fixed reason causing this issue; now excluded address routes are applied correctly even if a client machine roams between different networks.
516839 Improvement: Microsoft Edge browser is now detected properly and only supported resources are shown on the webtop now. All components that require ActiveX are not supported.
517872 Now proxy hostname is printed to logfile when resolution fails.
518159 APM no longer detects BIG-IP Edge Client for Mac as a browser when a user clicks "Start a New session" on access policy expired page.
518550 Now value of form 'action' attribute is correct inside event handlers.
519012 APM side handling has been fixed to work properly with VMware View RDS desktops.
519059 WebApp links are now properly rewritten.
519119 Internal exceptions are now logged at the "Error" level instead of "Critical".
520118 Single entry in the server list.
521491 Adjusted User agent string to report as Internet Explorer 10. This will allow access through firewalls that don't allow old user agent strings to pass.
521506 Fixed issues causing improper routing table management.
522124 With the fix, secondary MCPD will no longer restart when the admin creates APM SAML IdP/SP Connector.
522670 It is now possible to use the BIG-IP GUI to switch between Detached Signature and Enveloped Signature for BIG-IP as SP SAML Authentication Requests.
523327 Now both service and elevation helper can find those specific certificates.
523429 BIG-IP Edge Client for Mac now applies DNS server settings correctly.
523696 BIG-IP Edge Client for Mac doesn't show duplicate entries in the servers list.
523701 Machine Cert Auth agent passes on OS X 10.8 and OS X 10.9.
524392 RSA pin is not cached now irrespective of the password caching policy
524909 Now BIG-IP APM support Windows Info action on Windows 10 clients.
525384 Now Network Access components can obtain PAC file from SMB share.
526084 BIG-IP APM was enhanced to report session.client.platform session variable for BIG-IP Edge Client on Windows 10.
526140 ACCESS was not waiting for the response of an asynchronous operation before enforcing the max, which created a race condition. ACCESS now waits for the response before enforcing the max.
526192 APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items, such as, Client OS and Client Type.
526492 DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.
526519 The sessiondump utility was modified. The NULL termination byte of a NULL-terminated string is no longer printed. Furthermore, non-printable data is now printed as a hexdump, instead of raw binary data.
526578 Now proxy settings are correctly applied on client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in proxy settings GUI of Internet Explorer.
526610 JavaScript parsing is fixed to avoid this issue.
526637 tmm will no longer crash in APM clientless mode; it now sends a reset.
526677 Starting with the 6.1.1 release of View Connection Server, the communication protocol used by the View HTML5 client has changed. This change breaks BIG-IP APM's HTML5 View client implementation. As such, APM users cannot use this client to access their View Desktop. This fix implements the new View communication protocol to support launching of the View HTML5 client from an APM Full Webtop."
527799 OpenSSL library in APM clients updated to resolve multiple vulnerabilities in OpenSSL. CVE-2015-4000,CVE-2015-1792,CVE-2015-1791,CVE-2015-1790,CVE-2015-1789,CVE-2015-1788,CVE-2014-8176
528064 The GUI now sets the address to be "::" when saving the Server Connection to be No Server.
528139 DHCP lease can now be renewed correctly.
528548 Fixed CSS rewriting for: @import ""URL"" and @import 'URL'"
528675 Captive portal detection request modified to properly close HTTP connection.
528994 Now simplified check for native functions is used for Internet Explorer to avoid problems with context replacing in Internet Explorer 10+ even in compatibility mode.
529392 Internet Explorer 11 on Microsoft Windows 10 is detected correctly now if local proxy autoconfig script is configured with DIRECT rule for BIG-IP.
529438 Restore the source address translation correctly even if an iRule has disabled APM.
530092 Group name with spaces shall not be encoded with backslashes.
530549 Form action will have the correct value if it's modified after submitting form.
530648 User is able to sync a large policy, resolve LSOs on target and complete the sync without any error.
530697 Windows Phone 10 platform is detected correctly now.
530800 Fixed an issue where extra data was added to some OWA2010 requests making it impossible to send messages in configuration with Form-based SSOv2.
531483 Issue resolved.
531719 When using the CATEGORY::lookup command in an iRule to retrieve a classification for a URL, only categories matched in the URL database are returned. Starting in version 12.1, there are new flags available to be used as follows: CATEGORY::lookup - returns the same results as previous versions (list of all Websense categories, but no custom categories) CATEGORY::lookup request_default_and_custom - returns a list of all Websense categories as well as all custom categories CATEGORY::lookup request_default - returns a list of all Websense categories CATEGORY::lookup custom - returns a list of all custom categories"
531883 Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box using the Client Type agent.
531983 Routing table now updates correctly when new adapter is added to the system while SSL VPN tunnel is already established over an network adapter.
532096 Fixed issue causing Machine Certificate checker agent backward incompatibility.
532375 A new agent has been added (request analytics) that will allow outgoing Facebook messages to be blocked. To use this agent requires an additional URL Filter Assign item in the per-request policy. Correct per-request policy implementation should follow the general idea of Category Lookup > Request Analytics > URL Filter Assign > Response Analytics > URL Filter Assign.
532394 To provide better traceability, APM client creates log entry each time F5 software reads or writes "SearchList" or "SearchList_F5_BACKUP_VALUE" registry keys.
532509 The 'onmessage' handler added with window.attachEvent() now correctly recieves data sent through window.postMessage().
532616 OpenSSL library in APM clients updated to resolve vulnerabilities in OpenSSL. CVE-2015-1793
533422 The sessiondump utility now reuses the TCP connections.
533566 Added support for View HTML5 client v3.5 shipped with View Connection Server 6.2.
533723 Content rewriting is suppressed on the client side for the textarea tag.
534373 Fixed grammar.
534374 Pipe-separated session variables are now separated into multiple values of assertion attribute. For example, given session variable value '| a | b | c |', assertion attribute will look similar to this: <saml2:Attribute Name="name"> <saml2:AttributeValue>a</saml2:AttributeValue> <saml2:AttributeValue>b</saml2:AttributeValue> <saml2:AttributeValue>c</saml2:AttributeValue </saml2:Attribute>"
534378 APM now correctly handles Latin-1 (high ASCII) characters in username and password for ActiveSync clients.
534555 Due to customer demand, starting with BIG-IP v12.1.0, the RSA v1.5 algorithm can be enabled on BIG-IP as IdP manually via console to TMSH, using this command: modify apm sso saml <saml IdP object name> key-transport-algorithm rsa-v1.5 NOTE: Be sure to save the configuration after changes are made via TMSH. Starting with BIG-IP v12.1.0, support for RSA v1.5 on BIG-IP as SP is enabled by default with no required configuration."
534901 Fixes the handling of chunked responses coming during the HTML5 client load.
535119 At log table initialization, add extra 1-second gaps between the times to create individual log tables, to avoid the problem of 1-second granularity in MySQL timestamps.
536575 For an access policy that includes On-Demand Cert Auth, Dynamic ACL, or Per-App VPN, the Session Variable Report now shows session variables correctly.
537000 Installation of BIG-IP Edge Client on Windows 10 does not cause system crash anymore.
537614 Machine certificate checker service works now with a display language other than English.
538192 Second cache-control header was removed.
538198 Web page requests information from Applet instead of calling JavaScript function by Applet.
539013 After VPN connection has been established, DNS resolution works, in the case of a Windows 10 desktop with multiple NICs and one of them is in a disconnected state and has a statically assigned IPv4 configuration.
539018 Register all TMM threads with Monitor process and monitor process signal the right TMM thread if looping and TMM stack trace comes to the right TMM thread log file.
539201 APM now refers to IBM's Endpoint Management System by its correct name 'IBM MaaS360'.
539229 EAM handles exceptions gracefully during the authentication process when Oracle Access Manager is used.
539847 Now Variable Assign support and preserves newlines
541622 Create one cURL session for each user session that requires CAPTCHA verification
541978 Added check for nonexistent perflow variable and error log for non-existing perflow variables.
543222 With this release: 1. Only values starting from 0x are treated as hex-encoded. 2. If hex decoding fails, apd does not crash."
544146 Make the session ID available in each log message when available.
544988 Having /Common/vdi and /Common/vdiplugin assigned to a Virtual Server does not affect other profiles. Profile changes on a virtual server are immediately effective and do not require tmm restart.
546405 A new "Export as VMWare View Format" checkbox has been added to the meta-data exporting dialog.
547546 Added support of auto-update to MachineCertService.
548259 A check of cf->peer is in place to prevent the core.
549086 Now Windows 10 is properly detected with the Firefox browser.
549292 Fixed 0.3s latency between client and server SSL hello if VDI profile is added to virtual server.
549513 Customer should upgrade to BIGIP 12.1.
549588 EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.
550221 User can sync a previously sync'ed policy after removing items from it successfully.
550536 The correct information/text (in French) is now displayed when the Edge Client is launched.
550537 When you configure an AAA Endpoint Management System in the GUI, the online help now specifies IBM Maas360 as one of the system types. If you use tmsh instead of the GUI, the aaa endpoint-management-system command still specifies and displays fiberlink as the corresponding type.
551260 Redirect URL is no longer truncated after ampersand sign.
551764 Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.
551819 NTLM Type 1 message will set NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag now.
551999 Edge Client for Mac now tries to restore session after lost network connectivity is restored.
552216 var $redirectOrigURI = """";' is not valid PHP syntax. Changing the var $redirectOrigURI = """"; to $redirectOrigURI = """"; the issue is no longer seen."
552342 Passwords in headers are logged as asterisks as is done for post data.
552346 Add a newline character to the end of each of the affected log messages.
552498 Domain fields in Set-Cookie headers found in 401 responses are processed correctly.
553268 Session cookies are now cleaned up properly when user explicitly disconnects BIG-IP Edge Client.
553734 The issue is fixed for non string value types.
553925 Fixed installer package.
554041 Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.
554074 Fixed code to trigger VPN connection immediately even when user clicked cancel before.
554081 The right validation is added. The configurations that has invalid excluded content type could make the configuration fail with this error message: 01070734:3: Configuration error: Response Analytics agent /Common/prp1_act_response_analytics_ag needs a valid content type. Provided content type /Common/invalid is not valid. Please go and edit bigip.conf to include the valid values such as All-Compressed, All-Images, All-Executable, Application-Flash, Text-html, Text-pdf"
554228 OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections.
554364 You can create a new document with Microsoft SharePoint 2010.
554690 VPN Server Module doesn't generate repeated Error Log "iface eth0 (4)" every 2 secs
554899 MCPD no longer cores with access policy macro during config sync in high availability configuration.
554993 The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover.
555435 AD Query now completes as expected if cross-domain option is enabled and administrator's credentials are not specified.
555457 After F5 Networks components have been uninstalled, the system does not require reboot, and uses the latest installed software-device for VPN, as expected.
555507 SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues: The BIG-IP system is configured and used as a SAML Identity Provider. Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector. At least one user executed SAML webSSO profile."
556597 Fixed crash cause in CertHelper. Crash was happening only in TMOS v12.0.0
556774 Install EdgeClient on a PC that connects to the APM through a captive portal now opens as expected.
557369 The BIG-IP system now processes NTLM requests for affected Lync clients, and users of the client are able to authenticate.
557399 Resolved an issue in Portal Access where certain user-defined Javascript objects could cause a loop in F5 helper code and unresponsiveness of a browser.
558631 The APM Network Access VPN feature no longer leaks memory.
559138 Fixed bug in certificate verification code.
559159 Correctly rewriting on nested conditional expressions on the client side JavaScript.
559218 Now iFrame with empty origin inherits origin value from parent window being accessed via Portal Access in the same manner as all browsers do.
559270 APM virtual server that can have multiple ABORTs events to a connection will no longer cause TMM to crash and restart.
560640 Network Access works as expected on Windows platform even a Java AppTunnel resource has been assigned.
560851 Enabling both clientssl and remotedesktop/vdi profiles on a UDP virtual server now produces validation error.
560968 AD or LDAP groups retrieval no longer leads to /tmp overflow.
561798 Edge Client now runs embedded browser in Internet Explorer 10 emulation mode, which has support for modern JavaScript.
561849 Trigger discrete join deletion from policy item upon its own deletion.
562919 TMM no longer cores in renew lease timer handler
563443 This release fixes a rare core dump related to the Websso plugin.
563474 F5-BIGIP-APM-MIB::apmPmStatConfigSyncState now returns the correct non-zero value.
563503 Fixed code to perform a complete match.
563676 Applied patches for CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
564482 Delegation account can be enforced to use AES256 encryption, provided the delegation account is configured as SPN format on the Kerberos SSO configuration.
564496 Applying APM add-on license now increases Access and CCU license limits, as expected.
564537 The RADIUS server setting must be changed only from the APM RADIUS server config page. If AAA RADIUS Server is configured for ""both"" mode, then create layered virtual server/pool with * (any) port."
565167 Now it properly logs the message with correct domain name and user name.
565231 Objects are being exported correctly without error.
565527 Static proxy settings are now applied in Network Access configurations. This allow applications that do not support PAC files to work inside the VPN.
565554 An iRule can be attached to the APM virtual server to retrieve and then explicitly set the HSTS header upon URL redirection. DevCentral iRule example:"
565648 The APM process (apmd) no longer leaks file descriptors when access policy functions are invoked by internal BIGIP functions.
566264 Application editor can access and modify customization in APM UI
566646 Fixed the issue where Portal Access could try to buffer contents of some large files and respond with significant delay.
566908 Webserver listening on local Wifi or Ethernet IP can be accessed after VPN even if proxy.pac is defined in a way that forwards all web traffic over VPN to corporate proxy server.
566998 Edge client upgrade no longer fails if client was configured in locked mode.
567660 APM RDG feature now works as expected when Auto Last Hop is disabled.
568238 Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.
568410 Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.
568963 User can now launch Internet Explorer or Firefox inside protected workspace.
569284 Completely fixed.
569317 Now logged on credentials are used automatically to connect to VPN
569742 Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.
570242 Enhance Java applet manifest file parsing to support manifests generated by Mozilla NSS Signtool.
570309 BIG-IP now accepts SAML SSO requests from Office365 containing a query in the URL and sent via HTTP-POST binding.
570403 PAC file download and merging issues were considered critical before and Edge Client disconnects the tunnel. This behavior is controlled by a new setting called "Ignore PAC download error" on BIG-IP now.
570563 Import and export of CRL is fully supported.
571003 TMM no longer generates core file and restarts upon upgrade.
571083 An iRule can be attached to the APM virtual server to retrieve and then explicitly set the HSTS header upon URL redirection. DevCentral iRule example:"
571718 Customer will not see the passwords logged. Instead in the log statement , the password will be masked as "******"
572062 When you delete EPSEC packages using the GUI, APM now correctly deletes the corresponding EPSEC ISO file from the filestore (/config/filestore/files_d/Common_d/epsec_package_d/). Before creating archives, administrators are now required to delete non-active EPSEC packages using the GUI to make sure that non-active EPSEC ISO files are not included in the archives. Although this issue has been resolved for newly downloaded EPSEC ISO files, you might still need to perform some cleanup: 1. You must remove previous leftover EPSEC ISO files as follows: a. Delete the EPSEC package from the GUI: Select System > Software Management > Antivirus Check Updates; select an existing EPSEC package from the list and click Delete. b. Go to /config/filestore/files_d/Common_d/epsec_package_d/ and find files for which there is no corresponding entry in /config/bigip.conf. c. Delete those extraneous files manually using the rm command. 2. You cannot import huge previously created UCS archives. Instead, you should delete non-active EPSEC packages prior to creating a UCS. 3. If you want to include only one (active) EPSEC ISO in a UCS archive, you must first delete non-active EPSEC packages using the GUI."
572068 Now VPN can be established from browser even if Network Access configuration is big.
572257 This release handles large single log values.
572563 Internet Explorer can now launch a Protected Workspace session.
572580 The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.
573429 Network Access now correctly manages its memory resources.
574517 Freed the necessary memory so the leak is no longer present.
574781 APM Network Access now correctly manages its memory resources.
575040 When ACCESS::disable is used in an iRule on a virtual server with an Access Profile and Per-Request Policy assigned, BIG-IP APM will not run the Per-Request policy.
575499 No more stale renew_lease timer in vpn_ctx to cause TMM core.
575609 Difficult to compress requests may be dropped.
576165 Fixed.
576294 Blank password is allowed in access-accept RADIUS requests.
576350 Am HTTP_401_RESPONSE page can be placed anywhere in the access policy chain. Any pre-authenticated information for the targeted agent will not be consumed by another agent sitting in front.
576375 Service now reports correct status to service control manager immediately.
577962 DNS Suffixes are now restored properly.
579560 Nitrox hardware acceleration support was fixed
579909 Fixed such that Secondary MCP will not exit but only log the warning message as the partition is successfully deleted.
580059 Fixed DNS relay proxy so it does not go in a state where it starts consuming huge CPU cycles.
580225 The system now passes the expected arguments with the WEBSSO::select command so TMM no longer crashes.
581602 Excessive DNS queries are no longer being sent from the EDGE client if the DNS server is unreachable.


Session ID rotation has been implemented, and starting from 11.2.0, it is on by default. This breaks compatibility with earlier BIG-IP Edge Client and plugin versions. For example, when APM is configured for session ID rotation, an 11.1.0 Edge client is not allowed to log in to Access Policy Manager (APM) version 11.2.x. The expected behavior in this case is for APM to present the login page to the Edge client after each login attempt. To disable session ID rotation per-box, you can use the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable

Behavior changes in 12.1.0

There are no behavioral changes in this release.

Known issues

This release contains the following known issues.

Upgrade issues

ID number Description
417711 After the upgrade, if the previous configuration used NTLM front end authentication, the functionality is not restored. NTLM configured and UCS file is saved prior to restoring a dive to factory defaults. tmsh load sys config default is run to restore the system to the default state. NTLM auth will not work, and this error will appear in /var/log/apm: "err nlad[6921]: 01620000:3: >0x55b5db90> nlclnt[3c80a0a0a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC" After the upgrade, manually delete the existing NTLM machine account configurations and then recreate them.
421456 Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0, because in 11.4.0 the password is saved in encrypted form while the password in 11.3.0 is saved as clear text. Kerberos SSO password is saved as clear text in 11.3.0. Cannot access Kerberos server. Re-enter Kerberos SSO password after upgrade.

Admin issues

ID number Description
360141 Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin GUI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration.
362200 When customizing messages, you cannot use special characters, such as ', ", &, <. Special characters in the Description field or message field of a portal policy The special characters will be escaped To work around this problem, do not use such characters, manually fix customization XMLs (not advised).
362351 Branch names cannot start with the word fallback in the visual policy editor. Do not start branch names with the word fallback. The terminal name must begin with an alphabetic character (for example, a or A). The remainder of the name can contain only alphanumeric characters (numbers and letters), spaces, and these symbols ( + - _ ( ) [ ] ). The terminal name cannot begin with the text fallback. Please rename the terminal.
363188 Using a space in an alias for a virtual server can cause unexpected results when you use tmsh to add or update a connectivity profile. No spaces are allowed in aliases for virtual server.
384479 When you configure a virtual server for Oracle Access Manager integration (by selecting the OAM Support option), the option to select a specific AccessGate does not apply to OAM 10g environments.
398361 Not all configuration objects validate and reject an object name that contains the space character. As a best practice, when you create a configuration object do not include a space in the object name.
403722 If you initiate an access policy sync from the Standby node, an admin must resolve any conflicts on the Active partner. Ideally, an access policy created on the Standby node would be synced to the Active node automatically without admin intervention. To work around this problem, avoid syncing an access policy from a Standby node. Otherwise, you must resolve conflicts, if any, on the Active node.
404936 Files named core.xxxx, where xxxx is a number, are created in advanced customization directories during the build process when the customization build cores because of invalid characters in the default customization file. These core files are listed in the user interface.
405352 If you enter a bad FQDN for domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN. NTLM auth configured in APM Invalid domain controller specified, or the domain controller goes down. NTLM auth will stop working. To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: bigstart restart nlad. Note: To avoid future problems due to misconfigurations, you can configure your DNS server to return a negative response.
414411 When you use visual policy editor from the Chrome browser, images do not preload and as a result, the navigation bar flickers. To work around the problem, use Firefox or Internet Explorer.
419748 After a hosted content file is referenced by a Portal Access resource, the file cannot be deleted, even if the link-type of the resource is not "hosted-content". This problem occurs in this sequence of steps. Use the GUI. Create a resource such as portal-access or webtop. Set the link-type to "hosted-content" and select a sandbox file. Now change the link-type to 'uri'. Try to delete the sandbox file. It will not be deleted, even if it is not in use. Users cannot delete some unused sandbox files. To work around the problem, use tmsh to clear the sandbox file reference in the resource. Example: tmsh modify apm resource portal-access <NAME> sandbox-file none Now the sandbox file can be deleted.
419754 When using a local user database instance for authentication on APM, if a user that is flagged to change password leaves the password field empty, the user is prompted again to change password. Whether the user types a new password or leaves the password field empty again, the user is prompted again to change password. This occurs under all of the following conditions: 1. Local user database is used for authentication. 2. User is administratively flagged for password change. 3. User attempts to change his or her password. 4. User uses an empty password as the new password. After the empty password is entered the first time, the user will continue to be prompted for a password. The next password entered will be rejected regardless of whether it is empty or not. APM handles a subsequently entered non-empty password correctly.
419836 When you switch from editing one file to editing another file in advanced customization without saving the first file, changes to the first file are lost. This is not user friendly as a user may spend a lot of time on editing the file. When clicking another file, the user does not know that changes will be lost and are not recoverable. A user can only modify the file again after the change is lost.
419996 When you import users to a local user database, any first or last name with a space in it is truncated to the first space.
420506 When using the Local Database agent with a write action, the list of properties available includes groups; however, this property is read-only and any attempt to write to it fails. This issue arises when using the APM general purpose Local Database agent with an action that includes writing to the groups property. There is no workaround. You cannot write to the groups property. Its appearance in this list is an error. It should show up only in the properties list for a read action.
423137 The compression setting pull-down is available on the Network Access resource page. If an end-user sets this to GZIP when compression is not licensed, the system posts a TMM error explaining that compression license limit has been exceeded for the day. Set compression to 'GZIP compression' using a box that does not have compression licensed. Run traffic. GZIP compression appears available when it is not. Set compression to none.
582673 It takes long or completely impossible to display huge policies (more than 4000 elements). VPE returns server timeout error or simple stucks. Huge Access Policy 4000 or more elements. Unable to edit policy because VPE is time-outed.

Application access issues

ID number Description
223712 During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the logon request fails.
339865 Microsoft SharePoint 2007 with Office Integration does not work in LTM+APM mode when Windows Protected Workspace is used in an access policy. When you try to open a Microsoft Office document, an alert about a wrong URL is displayed.
340549 The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. (However, forwarding HTTP requests through the HTTP proxy does work correctly.) Portal application configured to use a proxy and https Clients cannot connect to the web application. To work around the problem, create a layered virtual server to catch HTTPS traffic leaving APM and forward it to a HTTPS proxy server using CONNECT. Proxy authentication is not implemented and if the response status from HTTPS proxy server is not 200, then use an iRule to close the connection.
362325 Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using the Save as action. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010.
389881 The Portal Access feature in APM does not support Flex Runtime Shared Libraries using ActionScript3. Access Portal enabled Applications contain flash content that were created with Flex. Flex applet does not work through Portal. None.
404899 Webpage errors occur when opening a chat window in IBM Lotus iNotes 8.5 with Sametime through a Portal Access webtop. This happens only when using Internet Explorer 9. To work around this problem, add a Portal Access item with the path "/sametime/stlinks/*" to the Portal Access resource and disable Home Tab for this item.
406745 Office for Mac 2011 gets login page html instead of document when "open in Office" used SharePoint. Cannot open Office document using SharePoint. Not able to view the document from Portal Access. N/A
416759 Microsoft Dynamics CRM might not work correctly through reverse proxy in some cases. SAML can be used to accomplish SSO.
421063 JavaScript code that deletes 'call' or 'apply' methods from Function.prototype does not work through Portal Access. Errors can occur. Some web-applications might stop working or work with errors. This issue has no workaround at this time.
422525 Portal Access resources with proxy host configured and no DNS record available to BIG-IP will be blocked by APM ACL. All requests to these resources will result in APM DNS error page. Some resources accessible only via proxy cannot be configured to work through APM Portal Access. Use intranet DNS server for BIG-IP, or add resources behind proxy server to a DNS server configuration.
430976 Some of Portal Access wrappers for client-side JavaScript code could use slow version of HTML rewriting code. In old versions of Internet Explorer, it could take more than a minute to process assignment of 2.5Mb of HTML code in JavaScript. User could notice it when browser window freezes for several seconds. Pages accessed through Portal Access might not be responsive for several seconds. This issue has no workaround at this time.
431337 The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11.
434464 If a JavaScript function contains an Internet Explorer conditional compilation directive and a 'try ... catch' block inside this directive, it becomes inaccessible before declaration after re-writing. Invocation of JavaScript function with conditional compilation and try...catch block inside can't be used before declaration. JavaScript code stops the execution if forward reference to such function exists. To work around the problem, if possible, move the function definition prior to all references to this function. Custom iRule can be used to implement it. No general iRule exists.
439887 Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM Portal Access from the Chrome v.31.x browser. Navigation and message copy/move operations can be done using the keyboard only; mouse operations might not work. There is no workaround.
443629 Microsoft Dynamics CRM might not work correctly through reverse proxy in some cases. SAML can be used to accomplish SSO.
444767 Access to Office365 Outlook Web Access services using Portal Access is broken for HTML5-supported browsers. The user is redirected to the APM Logout page after successfully logging in to Office365. User cannot get access to Mailbox in Office365 Outlook Web Access through Portal Access using HTML5-supported browsers. This example iRule disables OWA offline-caching support: when HTTP_REQUEST { if { [string tolower [HTTP::uri]] contains "/owa/manifests/appcachemanifesthandler.ashx" } { HTTP::respond 404 } }
453166 Rewrite writes many recovery logs. Rewrite plugin recovery procedure sometimes resets the plugin to an unstable state. Portal Access is not available.
454306 When HTML style attributes with HTML entities are rewritten, it results in direct or incorrect links to resources. This occurs when using HTML style attributes with HTML entities. It results in broken styles in web application. There is no general workaround, but custom iRules can be used.
480283 Some backend servers cannot be accessed using BIG-IP Edge Portal for iOS over mobile networks. Authentication fails; (a cookie related to authentication goes missing). It also happens when connected using WiFi but much less often (possibly due to timing). Web-application fails to update cookie when running Edge Portal on mobile networks. The issue is intermittent and hard to reproduce. The impact of this issue is that web-application logic can be broken. This issue has no workaround at this time.
494135 If 'eval' JavaScript call is redefined in HTML page, event handlers may not work correctly. There may be many ways to re-define 'eval'. For example: <form> <button name=eval onclick="someFunction();">Button</button> </form> In this case 'onclick' event handler will not work through Portal Access. Web application may not work correctly. In the worst case scenario, the browser (Internet Explorer 9 or later) may crash. There is no workaround at this time.
521822 Referer header received by backend contains in the path component(s) 'f5-w-doubledot'. There were doubledot components in referer URL (for example: '../../test.html'). Backend can be confused after receiving referer header with different value. Custom iRule can be used to fix referer header value; no general iRule exists.
572698 HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show error on this page. HTML page with document.write() calls inside event handlers or another scripts executed after document loading. Strings passed to document.write() function contain HTML tags with URL or another re-writable content in attributes. HTML page is not shown at all or works incorrectly in Internet Explorer. No workaround known
576325 Access to some field names of classes inherited from flash.utils.Proxy is broken. Presence of flash.utils.Proxy descendants. Customer application malfunction. None.
591588 Applications that use appendChild() or similar functions to build UI might experience slow performance in Microsoft Internet Explorer browser. Intense usage of methods such as: appendChild(), insertBefore(), and so on. Very low web application performance when using Microsoft Internet Explorer. None.
595477 HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show error on this page. HTML page with document.write() calls inside event handlers or another scripts executed after document loading. Strings passed to document.write() function contain HTML tags with URL or another re-writable content in attributes. HTML page is not shown at all or works incorrectly in Internet Explorer. No workaround known

Authentication and SSO-related issues

ID number Description
355490 TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. Sometimes, when the reply from the TACACS+ server is processed, "Invalid reply error message" is logged on APM. However, this message does not indicate any failure in sending the accounting STOP message to the TACACS+ server. This error message can be ignored because the accounting functionality works.
355981 APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported.
399696 Selecting an SSO configuration with WEBSSO::select does not work for form-based client-initiated and SAML SSO configurations. iRule utilizing WEBSSO::select "iRule validation error that might look like the following: 01070151:3: Rule [/Common/test_sso] error: Unable to find sso_config (test) referenced at line 4: [WEBSSO::select test]" To work around the problem, use a variable to assign the configuration object name: set sso_config /Common/SAML-config WEBSSO::select $sso_config unset sso_config
433242 SAML Single Logout (SLO) does not work when all of the following are true: The BIG-IP system is acting as a SAML Identity Provider (IdP) or SAML Service Provier (SP); The other party configuration has SLO configured; The SP connector or IdP connector on the BIG-IP system is missing a SAML SLO Request URL or SAML SLO Response URL. If SAML SLO is configured with SAML other party and other party does not have both SLO Request URL and SLO Response URL. SAML SLO does not work. To work around the problem, configure both SAML SLO Request URL and SAML SLO Response URL for SP and IdP connectors.
435719 When AD Query is configured in an Access Policy, and the password expiration warning is enabled, or the user password is expired and the user types the wrong original password, then password change fails. However, the BIG-IP system continues to prompt for new credentials until reaching the value specified for Max Password Reset Attempts Allowed and all attempts fail because the original password is incorrect. This issue occurs when all of the following conditions are met: - The BIG-IP APM access policy is configured to execute an AD query. - The session.logon.last.password session variable value, when hitting the AD query agent, does not contain the correct user AD password (either because it was wrongly typed on the Logon Page or because it contains the password for another authentication method) - user AD password is expired or the user authentication password expiration warning is enabled on the AD Query. Users are unable to complete an update of their AD password. You can work around the problem in one of these ways. 1. Close the tab or browser and open the logon page in a new tab or new browser window or 2. In the same browser, remove everything after FQDN/ and click Enter. That will initiate a new session. 3. The following configuration change can be performed: On the VPE, create a Macro and move between Start to the AD Query (included) in the Macro. On the AD Query inside the Macro, set the "Max Password Reset Attempts Allowed" to 1. Set the "Maximum Macro Loop Count" of the Macro to 3. Call the created Macro right after the Start in the VPE. This will prevent looping on the change password
436138 If you use Kerberos authentication with the Request Based Auth option set to Enabled and you use Secure Web Gateway explicit forward proxy, access to web sites fails. To work around the problem, set the Request Based Auth option to Disabled.
438344 APM WebSSO (SSOv1) incorrectly handles POST request to Start URI. WebSSO appends SSO parameters to the payload from a POST request without adding the ampersand (&) delimiter. WebSSO does not update Content-Length on sending to backend server. This issue has no workaround at this time.
440395 If you have an HA pair and try to reset AD cache (group cache or PSO cache), the standby node logs this misleading message: Cannot cleanup cache if other options were changed for AAA AD Server. HA is configured, AD module is configured to use caches (password warning option is enabled AND/OR fetch nested groups option is enabled AND/OR fetch primary group is enabled AND/OR password complexity check option is enabled) admin is trying to reset any of caches at active node. The message can be skipped. There is no functional impact.
441537 In APM form-based SSO, some special characters are incorrectly URL-encoded for certain fields, such as hidden parameters. (This does not apply to form-based client-initiated SSO.) This occurs when using form-based client-initiated SSO with a hidden parameter that contains a special character, such as dash ( - ), underscore ( _ ), period ( . ), exclamation mark ( ! ), tilde ( ~ ), asterisk ( * ), left round bracket ( ( ), right round bracket ( ) ), and backslash ( \ ). Form might not work as expected. To work around the problem, use form-based client-initiated SSO if possible. Form-based client-initiated SSO has the correct URL encoding implementation. Alternatively, use an iRule to change the special ASCII characters back to the correct character.
574435 BIG-IP as a SAML Service Provider fails to resolve Artifact for Assertion when using a default route domain other than 0 in administrative partitions other than "Common". - SAML Service Provider objects 'apm aaa saml' and 'apm aaa saml-idp-connector' are created in an administrative partition other than 'Common' - Default route domain other than 0 is used for a partition where objects are created. - BIG-IP used as a SAML BIG-IP can fail to resolve Artifact for an Assertion, which subsequently will fail SAML SSO. Configure SAML Service Provider to use HTTP-POST binding instead of Artifact binding.
588172 Client certification revocation check will fail. Two conditions will trigger this problem: 1. A CRLDP agent is configured in the access policy without server hostname and port, which is needed for DirName type processing. AND 2. At least one DirName type CRLDP is present in the client certification and it is the first in the list. Users may fail access policy evaluation when client certification is used. Configure an LDAP server for the CRLDP object. It need not return a valid CRL.
590670 After end-user successfully performs SP initiated SAML SSO with a original request URI other then "/", SP will redirect user back to '/' as landing URI. BIG-IP is used as SAML SP and no relay state is configured on either SP or IdP User is not redirected to original request URI. Workaround provided below works when first client request to BIG-IP as SP is 'GET'. This workaround is not applicable when first client request is 'POST'. SP object can be configured with relay state pointing to the landing URI: %{session.server.landinguri} After successful authentication, end-user will be redirected to the landing URI (reflected back by IdP in the relay-state).

Client issues

ID number Description
223583 Inside Protected Workspace (PWS) on Microsoft Windows Vista, a user can create folders only in some locations using the context menu; that is, only a Folder item appears on the New menu. However, a user can create standard type files using the context menu directly on the desktop and in the user's home folder. Files can be created on the Desktop and then moved to the desired location.
369772 Renaming or moving files smaller than 16 bytes might corrupt its contents. Renaming of small files inside PWS. File content might get corrupted. Do not rename or move small files inside PWS.
376615 Username and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a result logon fails. The problem happens for these clients: iOS, Android, Windows Mobile, and Linux CLI. To work around the problem, put the Logon page agent before the On-Demand Cert Agent in the access policy.
393043 During an APM remote connection, the progress bar might not render correctly on a Linux system when using the Chrome browser.
399552 CD/DVD burning through SPTI inside PWS works even though the policy disallows it. 1. Policy is set to disallow CD/DVD burning. 2. User uses SPTI based CD/DVD burning tool. Despite policy being set to disallow it, user is able to burn CD/DVD.
404890 This is a rare issue that happens for Internet Explorer when pop-up screens are set to be blocked by browser. When you launch a Java app-tunnel for the first time in Internet Explorer, the message "Allow pop-ups for this site?" is displayed. In rare cases, when you click Allow once, the Java app-tunnel freezes in the Initializing state and cannot be used. To work around the problem, add a virtual server to the allowed sites for pop-ups from Tools > Internet options in Internet Explorer.
409233 VMware View Client becomes unresponsive for about one minute after associated APM session is terminated by the administrator. APM session associated with VMware View Client connection is terminated by the administrator. VMware View Client becomes unresponsive for about one minute.
428904 Printer redirection and keyboard redirection ('special keyboard commands') in non-fullscreen mode do not work on Microsoft Windows version 7 or 8. This happens when the client OS is Windows version 7 or 8. User is not able to use local printers remotely as well as 'special keyboard commands' (for example, ALT+TAB) in non-fullscreen mode. To work around the problem, use fullscreen mode to use local printers remotely as well as 'special keyboard commands' in Windows version 7 or 8.
432020 By default, Internet Explorer 11 starts with Enhanced Protected Mode enabled and the browser process runs inside AppContainer. Enhanced Protected Mode (AppContainer technology) in Internet Explorer 11 prevents the interception of connection requests. As a result APM App tunnels cannot redirect traffic to a proxy running on the loopback address. You can work around the problem in one of these ways: 1. Disable Enhanced Protected Mode in Internet Explorer 11. 2. Add the backend server to the Trusted Sites or the Intranet Sites list.
432515 The external logon page does not post the Action required pop-up dialog box of BIG-IP Edge Client. This occurs when APM uses the external logon page. The impact is that the user does not know that there are required actions to perform. To workaround this issue, you must inject the following JavaScript code into the External Logon page: <body onload="OnLoad()"> ... <script language="javascript"> function OnLoad() { try{ if ( "undefined" != typeof(window.external) && "unknown" != typeof(window.external) && "undefined" != typeof(window.external.WebLogonNotifyUser) && "unknown" != typeof(window.external.WebLogonNotifyUser) ){ window.external.WebLogonNotifyUser(); } }catch(e){alert(e)}; } </script>
434831 When the client connects to APM (with Safari) and launches the Application Tunnel, the tunnel is created, but the application configured to launch does not. This happens after upgrading OS X to version 10.9 (Mavericks), connecting to APM with Safari, and launching a Java Application Tunnel configured to launch an application upon startup. As a result, you can not auto-start an application upon Application Tunnel start. You must open the application manually. There is no error; the only indication is that the application is not started by the Application Tunnel. The problem comes from a constraint of Sandbox/Safe mode of Safari, and has no programmatic solution from the applet (java code). To work around the problem, you can either use Firefox, or Disable Safe mode for the required host: 2. Select Safari preferences :: Security Tab :: Manage Website Settings. 3. In the left panel, choose Java. 3. For the required host, choose Run in Unsafe mode.
440375 Under the Built-in Administrator account inside Protected Workspace, a VPN connection cannot be established if VPN components are not installed already. This occurs when a user is using Built-in Administrator account on Windows 8 or 8.1 and tries to connect through VPN inside Protected Workspace and VPN components are not installed yet. User cannot connect using VPN if above conditions are met. To work around the problem, install VPN components before Protected Workspace on an account other than Built-in Administrator.
440504 If compatibility view settings are disabled in Internet Explorer 10 and Internet Explorer 11, protected workspace feature of BIG-IP Edge Client won't work. User unchecks default compatibility view settings in Internet Explorer 10 and Internet Explorer 11. Access policy is configured to launch protected workspace. Protected workspace won't be launched. Keep default compatibility view setting in Internet Explorer 10 and Internet Explorer 11.
454509 The on screen keyboard doesn't work inside Windows Protected Workspace for Windows 8 tablets. Windows 8 tablet is used to connect to APM and Protected Workspace is configured on the server. On screen keyboard cannot be used. There is no workaround.
472382 The VMware View Logon page for RADIUS does not display a challenge message when challenge occurs on the RADIUS server. RADIUS authentication is used for View Client. The user will see a generic message that a challenge event occurs. The next tokencode challenge process consists of three steps, each with a different challenge message, but the user sees one standard message on all three steps. To work around the problem, use RSA SecurID authentication.
514143 When using Windows firewall check, the policy check is failing. Policy with firewall check when using Windows firewall. BIG-IP Edge Client is not allowed to access BIG-IP system.
529503 BIG-IP Edge Client continues to connect to a previously resolved IP address even when the DNS server points to a different server for that name. Edge Client has made successful connection to old address. User disconnects and and connects again. Client will connect to old IP address. Quit and restart Edge Client. This issue is caused by Windows caching of the resolved IP address.
532713 VPN establishment fails and client goes in retry loop without notifying user of any error. Network access configuration has remote PAC file configured. Client fails to download this PAC file during VPN connection establishment. BIG-IP Edge Client goes in reconnect loop without notifying user of any error. User can check Edge Client logs to see whether VPN connection failed due to failure to download PAC file.
589708 Adding a new login account onto citrix receiver could enumerate the applications and desktop. But after logging off and trying to reconnect to the same account will start failing. Citrix storefront integration mode with APM and using same FQDN for both accessing Storefront as well as APM virtual Customer has to use different FQDNs for internal (Storefront) and external access (APM virtual) No workaround other than using different FQDNs
592948 When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session. -- BIG-IP APM configured as PCoIP proxy for Horizon 7. -- APM webtop in which the HTML5 client is used to launch a remote desktop. Cannot use HTML5 client. Only native client (Horizon View client) is available. when HTTP_REQUEST { if { [HTTP::header "Origin"] ne "" } { HTTP::header remove "Origin" } if { [ HTTP::method ] == "POST" && [ HTTP::uri ] == "/broker/xml" } { set BROKER_REQUEST 1 HTTP::collect [HTTP::header Content-Length] } } when HTTP_REQUEST_DATA { if { [ info exists BROKER_REQUEST ] && [ regexp {<have-authentication-types[ \t\r\n]*>[ \t\r\n]*<name[ \t\r\n]*>[ \t\r\n]*saml[ \t\r\n]*</name>[ \t\r\n]*</have-authentication-types>} [HTTP::payload] ] } { HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8"?><broker version="11.0"><set-locale><result>ok</result></set-locale><configuration><result>ok</result><broker-guid>1</broker-guid><authentication><screen><name>saml</name><params></params></screen></authentication></configuration></broker>} Content-Type text/xml } } when HTTP_RESPONSE { if { ! [ IP::addr [ IP::remote_addr ] equals ] } { return } set BROKER_RESPONSE 1 set content_length 0 if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } # Check if $content_length is not set to 0 if { $content_length > 0} { HTTP::collect $content_length } } when HTTP_RESPONSE_DATA { if { ! [ info exists BROKER_REQUEST ] || ! [ info exists BROKER_RESPONSE ] } { return } regsub "<broker version=\"9.0\">" [HTTP::payload] "<broker version=\"11.0\">" payload HTTP::payload replace 0 [HTTP::payload length] $payload HTTP::release }"
For some Network Access configurations, a VPN cannot be established with Mac using F5 Edge client or Browser helper apps. The following conditions must be true:
1- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
2- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)

As a workaround, do the following.
1- Navigate to the Network Access resource.
2- Modify the Network Access resource Allow Local Subnet checkbox setting to Enabled.
3- Save the setting and apply the Access Policy.

Network access issues

ID number Description
342035 A SIP client cannot communicate with a SIP server when connecting over a Network Access tunnel. SIP protocol uses fixed UDP ports, and communication fails because Network Access tunnel translates the source port of the connection. To work around the problem, configure a layered virtual server using the SIP UDP port and set the Source Port option to Preserve Strict.
351360 Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol. - Both source and destination IP addresses are the same - IP protocol is the same (i.e. ICMP, TCP, or UDP), - For TCP/UDP both source and destination ports are the same, - For ICMP the message type and ID are the same, - Connection.VlanKeyed option is enabled (which is default), - Both clients use the same connectivity profile. Client connection can be directed to the wrong network. To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles.
356766 Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot.
373889 You can configure a Network Access tunnel to update a session (that is, to extend expiration time) based on a traffic threshold and a window of time. Traffic measurements are taken every 5 seconds, but they are not divided by 5 before being used in the calculation. As a result, instead of bytes per second, bytes per 5 seconds is calculated, which is incorrect. Network Access tunnels, with Inactivity Timeout configured with an activity threshold The inactivity timeout counter is not getting reset like it should, and client connections could be dropped due to inactivity even though their activity is above the Session Update Threshold. To work around this problem, select the Network Access resource you want to update, then select Network Settings and Advanced from General Settings. Proceed as follows: 1. Set Session Update Threshold to 5 times the desired bytes/second rate. 2. Set Session Update Window to 2 or higher. Note: The session life management might not be exact.
383607 After a Network Access client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4 to 7 minutes.
398339 When you use the Fedora operating system with SELinux enabled and use the Firefox web browser to connect to APM for network access, you might get SELinux blocking notifications. To work around the problem, perform these steps: A. Execute the following commands on a terminal as root user (not sudo): 1. "setsebool -P mozilla_plugin_enable_homedirs on" 2. "setsebool -P unconfined_mozilla_plugin_transition 0" B. Restart Firefox and try connecting to the APM server again.
403082 Networks Access cannot perform routing table clean-up if a user closes browser windows without logging out from the webtop, or if a user closes a browser window without waiting for the logout process to complete. To work around the problem, add the APM virtual server address to the Trusted Sites list.
423161 When a Network Access session and an APM session are closed simultaneously, one of these logs is written: apm logs: "VPN Cleanup: failed to release IPv4 ERR_ARG" tmm logs: "address <p> in leasepool <lease pool> is unassigned - can't release" This happens when a Network Access resource and a Network Access webtop are assigned using the Advanced Resource Assign action, and the Network Access session is closed. These are notice level logs and not errors.
438056 The APM Network Access client for Windows systems can fail to establish a VPN connection if the client SSL profile is configured with the options no-tls or sslv3 and the BIG-IP system selects an AES cipher. Windows Schannel API does not consider AES as a valid cipher for an SSLv3-only connection and can reject the connection to the BIG-IP system. Explicitly disable TLS in client-ssl profile and enable SSLv3. An unlikely configuration in real customer deployments. Only affects deployments in which the default configuration has been modified to disable TLS and enable SSLv3, an unlikely scenario. If you restrict client SSL to SSLv3-only, you might need to exclude AES ciphers (defined in RFC3268) by adding ':!AES' to the 'ciphers' option in the client-ssl profile to work around compatibility issues with Windows clients: for example ltm profile client-ssl clientssl_ssl3_only { ... ciphers SSLv3:!AES ... }
444110 An IPv6 only Network Access configuration is not supported. Either IPv4 or IPv4&IPv6 are the supported IP versions.
469852 Users lose connectivity to resources through VPN when standard or forwarding virtual servers are disabled. This occurs when standard or forwarding virtual servers are disabled and the connectivity profile is enabled. User loses connectivity to resources through VPN. Network Access connectivity works if all the standard and forwarding virtual servers are enabled or deleted completely.
476279 Network Access with snatpool establish fails with access policy having route domain and snat agent with snatpool selected. Route domain and SNAT agent with snatpool selected. Network access establish fails. To work around this issue, set automap setting in route domain and SNAT agent.
528424 Tooltips/Toast notification are not displayed when Network Access changes state (Connect, Disconnect, Reconnect, etc). Beginning with Microsoft Windows 8, tooltips are replaced by Toast Notifications; Windows does not convert tooltips to toast notification for F5 WebComponent in Windows 10. The problem occurs under these conditions: Internet Explorer 11. Windows 10. Networks Access changes state. User is not notified about state change. To enable tooltips, in Group Policy change this setting: "User Configuration \ Administrative Templates \ Start Menu and Taskbar \ Disable showing balloon notifications as toasts" to Enable.
541261 The failure happens when we get the redirect to /vdesk/webtop.eui. This is in the whitelist as a portal protected URI, and when it doesn't have a valid sid, the action is to create a new session. Because this is clientless mode, there aren't any cookies, so it thinks it needs to create a new session. Then the old session is deleted, causing the logs to report a logout due to user request. Windows 8.1 + APM 11.5.3. Logon page -> irule agent -> Advanced resource assign (NA+NA webtop) -> Allow (no auth for logon page, everything should lead to allow) Try to log on with the Windows inbox VPN client. VPN connection Failed; stating error invalid credentials. Logs show session deleted due to user logout request. None.
594422 OpenSSL library modified to keep it compatible with RFC 6347 complaint DTLS server renegotiation sequence number implementation. The old OpenSSL library is not compatible with RFC6347, the new OpenSSL library is modified to be compatible with RFC6347. The current APM client is compatible with old OpenSSL code, not the new OpenSSL code. The current APM client is not compatible with new OpenSSL libary.

Portal access issues

ID number Description
384405 With Access Policy Manager Portal Access, if you add a web-acceleration profile to the Local Traffic virtual server, it does not take effect until the you go to the command line and type "bigstart restart tmm". The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content. Virtual Server configured with Access profile, and a web-accelerator profile is added to it Web acceleration is not enabled on the virtual server, which negatively impacts performance of APM on that virtual. At the command line, type bigstart restart tmm.
386517 When configuring multidomain SSO, a pool must be assigned to the virtual, even if one is not being used. A typical symptom of not assigning the pool is that after logon, the user will be redirected back to another logon page. Any use case of multidomain SSO where there is no pool configured on the virtual servers, and there is not a webtop assigned. There are two known use cases where this is commonly encountered. 1) LTM + Secure Connectivity virtuals do not usually have a default pool configured. 2) The pool is being configured through an iRule. When configuring multidomain SSO, always assign a default pool to the virtual server.
406040 The general pattern is that there is a request to the main resource, and also a request for some other resource, like an image file. The request to the main resource will create a session, and the BIG-IP system will set a cookie. But if the request to the other file comes before the cookie is set, then a second session will be created. One example of this occurred with an iPad using SAML Auth. Other clients were okay, but the iPad would send requests for "/" as well as a PNG file, which would lead to multiple sessions and sometimes this confusion would lead to SAML assertion failures. Another example is the fetching of favicons. If an application uses a non-standard location for favicons (as permitted by the LINK meta tag), the client might make requests to both "/" and the favicon, leading to multiple sessions. Different clients behaved differently. Internet Explorer 10 seems to create multiple sessions. Google Chrome 25 and above seems to create the second session and then close the first session. Related change in Google Chrome: BIG-IP APM access policy is configured with Portal Access or LTM + APM mode. The client sends a request to the main resource, and then does not send the MRHSession cookie with the request for the secondary resource. If the session threshold is exceeded, access sessions will be refused. An iRule can be used to disable the ACCESS filter on these secondary resources. This is an example disabling ACCESS for favicons: when HTTP_REQUEST { if { [string tolower [HTTP::path]] ends_with "favicon.ico" and [HTTP::cookie "MRHSession"] eq "" } { ACCESS::disable } }
426963 When the client sends an HTTP POST with an expect 100-continue, APM will fail to forward it to the backend server. The client will wait about 3 seconds to timeout before sending the actual data of the POST request. This occurs when the Access profile is enabled. The client will not receive a 100-continue. Usually, it waits for about 3 seconds and then forwards the data anyway. The following iRule appears to resolve the issue. when HTTP_REQUEST { if {([HTTP::method] eq "POST") && [HTTP::header exists "Expect"] } { HTTP::header remove "Expect" SSL::respond "HTTP/1.1 100 Continue\r\n\r\n" } }
439965 BIG-IP APM currently cannot handle multiple browser tabs trying to create sessions at the same time. The most common example is saving multiple homepages in a web browser. When the web browser opens, requests from these tabs are sent within milliseconds. This can cause very unpredictable behavior where sometimes it will function correctly, and other times there will be connection resets or the user will see error pages. This applies any time a user is attempting to create a new session. Once a session exists, multiple tabs are supported. This can cause very unpredictable behavior: sometimes it will work, other times there will be connection resets, and other times the user will see error pages. Affects All APM products, except SWG. If the user is already authenticated and has a session, then multiple tabs can be opened. However, there is no workaround for session creation.
455975 Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description. Using SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns. Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description. This issue has no workaround at this time.
468130 When Kerberos authentication is used with request-based authentication (RBA) enabled, the first POST request sent to the BIG-IP system could be replaced by a dummy POST and authentication then fails. This can occur when the BIG-IP system is configured as a SAML Identity Provider (IdP) and the http-post SSO binding is used. The problem occurs under these conditions: 1. RBA is enabled. 2. Kerberos Auth is used. 3. The first request to the BIG-IP system before session has been established is a POST request. Some functionality may not behave properly; for example, when the BIG-IP system is configured as a SAML IdP and an http-post SSO binding is used, AuthnRequest can get lost and authentication will fail. To work around the problem, edit the access policy and, in the properties for the Kerberos Auth item, set Request Based Auth to Disabled.
470389 Garbled characters (or control characters) are seen in the /var/log/apm log file. This issue occurs under the following conditions: username/password are not provided when accessing the virtual; Network Access resource is launched and VPN is established; and when accessed from another browser, the first session is killed and sometimes garbled characters appear. Unnecessary garbled characters occur in log messages. There is no workaround at this time.

Secure Web Gateway issues

ID number Description
505264 There is a delay before F5DCAgent updates the IF-MAP server with workstation's new IP address when it is changed due to DHCP lease expired, or when the user changes it manually. This occurs when the following conditions are met: - TGT and TGS tickets do not have client's IP addresses. - IP addresses are not enforced in TGT and TGS tickets. Users might be denied access to resources. To work around the problem, use a password to lock and then unlock the workstation.
594860 When certain end user interface pages (e.g. 401 response) are served by the APM, these include a unique parameter in the URL. This results in the leak of objects representing caches for these pages leaking since the unique parameter causes the caching to be ineffective. Use of SWG in Transparent mode. One of the following: - Use of a logon page agent, an external logon page agent or a 401 agent in the access policy. - Triggering an access policy evaluation when one is already in progress or accessing a page that requires an established session when an access policy evaluation is in progress. A memory leak in the TMM. None (when the triggering conditions are encountered).

Other issues

ID number Description
238556 AAA types for SecurID and RADIUS in APM will not source packets from the floating IP address for the traffic group, as customers would expect. Because RSA authentication server is sensitive to the incoming IP address of the authentication packets, an extra virtual server is required to SNAT the authentication requests to the correct (floating) address so that the same source IP will be used in both members of an HA pair. You see this when you use RADIUS AAA or RSA AAA in an APM access policy. Authentication will fail because RSA expects the source IP address to be specific, and will not tolerate changes for HA failover.
294032 When you access an older version of APM software using the Windows system client and a pre-logon antivirus check is configured, the OPSWAT AV control gets loaded into your browser. The control does not unload successfully and, as a result, the antivirus check fails. You cannot log on until the control is unloaded. Reboot the client system.
360889 For ACLs that are generated from a Portal Access resource, port 0 (zero) matches against port 80 (when the scheme is HTTP) and against port 443 (when the scheme is HTTPS). For ACLs otherwise, port 0 matches against any port.
383464 In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian.
383511 The Device EPSEC Status screen should reflect the recent status of all devices in the device group. When a request to see the device status of a device group is made, the Changes pending link displays. After sync, the link should disappear and the status should be displayed. To work around the problem, perform Sync from group by clicking the Changes pending link. Then go to the Device EPSEC Status screen. The status displays.
415262 If you use tmsh to create a connectivity profile and set another connectivity profile as the parent, the profile that you create does not inherit the settings for Windows/Mac Edge Client, Server List, Location DNS list, and all mobile client settings. This happens only in CLI. User may not see some attributes because they are not inherited from parent profile. To work around the problem, if you create the profile in GUI, all the information is inherited.
447051 Access Policy import fails if the policy has at least one customization image file associated with it. Policy contains at least one customization image file. Users are unable to import the exported policy. Use the following steps to work around the issue: 1. cd /shared/tmp/impor. 2. Open the import-abcd-abcd.conf file. 3. Delete the duplicate occurrence of config entry for the file corresponding to the error, such as the following: ' apm policy image-file /Common/swapnil-img_0_HQ_1.jpg { local-path /shared/tmp/import/imp-140131-213953-995/res/5_Common_img_0_HQ.jpg }'. 4. Run the command: tmsh load sys conf merge file <filename.conf>.
452059 When the storage partition for MySQL is full and the system is under a heavy load, logd can go into a busy wait looping state. Only when disk partition of MySQL is full. This is an error case; the MySQL shall rotate, also logd produces chatty logs only during stress tests. Daemons that depend on logd might also get into a state waiting for logd services. To work around the problem, clean up the disk partition of MySQL.
481659 Recurring check fails during connection. The problem occurs when APM BIG-IP virtual server DNS record has been updated or DNS load balancing is used. Mac or Linux client is used. Recurring check fails. Network Access clients fail to connect, and report internal error. The client log shows "wrong response HTTP code, 504".
503359 Policy sync fails with error status "Created failed on target" on target devices. 1. Create a connectivity or rewrite profile from the default one. 2. Create another child profile using the one created above as parent. 3. Create a virtual server, with the child connectivity and/or rewrite profile, and an access policy. 4. Initiate a policy sync for the access profile. Policy sync function fails. To work around the problem, create connectivity or rewrite profile, only use the default profile as parent; or, have the non-default parent profile sync first to target devices.
518153 Policy Sync fails for an access policy that was generated from an iApp. Use iApp template to create an application which includes access policy. Initiate a policy sync on the access policy. Policy sync function does not work for policy created by iApp. Use Config Sync at least initially to sync the iApp template, the application. and even all the objects in the application to the target device. Afterwards, you can use policy sync to sync the policy.
543794 AVG AV Free Edition 2015 not detected by APM endpoint inspection antivirus check. AVG AV Free Edition 2015, APM endpoint inspection antivirus check. Antivirus check will fail for AVG AV Free edition 2015 AV.
545527 BIG-IP Edge Client endpoint checking component cannot detect real-time protection state of ESET Endpoint Security software version 6.2.2021.0 on Microsoft Windows. ESET Endpoint Security software version 6.2.2021.0 is installed on user's machine and real-time protection is enabled. Access policy requires presence of this software with real-time protection enabled. Endpoint check fails, resulting in denied session. No workaround.
564890 Endpoint checking reports incorrect 'last scan time' for Windows Defender v4.8.10240.16384 on Windows 10 User is connecting to APM on Windows 10. Access policy has an endpoint check configured. Access decision is made based on last scan time. Client system has Windows Defender v4.8.10240.16384 installed on it. Access policy will be evaluated incorrectly. In some cases, access policy evaluation might fail. Don't use 'last scan time' in access policy. As an alternative, you can provide read-only access to the folder that OPSWAT needs to access: C:\ProgramData\Microsoft\Windows Defender. This requires an Administrator to set read-only folder access for the Windows system that is being accessed. This is not a BIG-IP system-specific workaround, and depends completely on your internal networking configuration and permissions settings.
581449 State of antivirus software ESET NOD32 Antivirus 9 is not detected correctly by F5 endpoint checking module. APM has access policy configured to check antivirus software on user's machine User uses ESET NOD32 Antivirus 9 for protection against viruses Access policy may fail
595285 When configuring the same url in a second category we receive the following error message: May 19 16:13:44 bigip12 err mcpd[8992]: 010717f3:3: Custom category (/Common/category_allow_group2) has invalid URL (*). Reason: You cannot have the same URL in two or more custom categories. URL used in category (/Common/category_allow_group1). Configuring the same URL in multiple custom categories. Customer cannot have the same URL in multiple custom categories this blocks the use case when using custom categories to create custom black lists, or white lists for dedicated population of users, we can expect a specific url to be present in multiple categories (url A allowed for group A, but disallowed for group B). None

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to from the email address you are using to subscribe. Unsubscribe by sending a blank email to

Legal notices