Applies To:
BIG-IP LTM
- 11.5.4
Summary:
This release note documents the version 11.5.4 release of BIG-IP Local Traffic Manager and TMOS. You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x.
Contents:
- Platform support
- Configuration utility browser support
- BIG-IQ – BIG-IP compatibility
- User documentation for this release
- New in 11.5.4
- New in 11.5.3
- New in 11.5.2
- New in 11.5.1
- New in 11.5.0
- Installation overview
- Upgrading from earlier versions
- Upgrading earlier configurations
- Fixes in 11.5.4
- Fixes in 11.5.3
- Fixes in 11.5.2
- Fixes in 11.5.1
- Fixes in 11.5.0
- Behavior changes in 11.5.4
- Behavior changes in 11.5.3
- Behavior changes in 11.5.2
- Behavior changes in 11.5.1
- Behavior changes in 11.5.0
- Known issues
- Contacting F5 Networks
- Legal notices
Platform support
This version of the software is supported on the following platforms:
Platform name | Platform ID |
---|---|
BIG-IP 800 (LTM only) | C114 |
BIG-IP 1600 | C102 |
BIG-IP 3600 | C103 |
BIG-IP 3900 | C106 |
BIG-IP 6900 | D104 |
BIG-IP 8900 | D106 |
BIG-IP 8950 | D107 |
BIG-IP 11000 | E101 |
BIG-IP 11050 | E102 |
BIG-IP 2000s, BIG-IP 2200s | C112 |
BIG-IP 4000s, BIG-IP 4200v | C113 |
BIG-IP 5000s, 5050s, 5200v, 5250v | C109 |
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110 |
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS (requires 11.5.4 HF1) | D112 |
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113 |
VIPRION B2100 Blade | A109 |
VIPRION B2150 Blade | A113 |
VIPRION B2250 Blade | A112 |
VIPRION B4200, B4200N Blade | A107, A111 |
VIPRION B4300, B4340N Blade | A108, A110 |
VIPRION C2200 Chassis | D114 |
VIPRION C2400 Chassis | F100 |
VIPRION C4400, C4400N Chassis | J100, J101 |
VIPRION C4480, C4480N Chassis | J102, J103 |
VIPRION C4800, C4800N Chassis | S100, S101 |
Virtual Edition (VE) | Z100 |
vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:
- vCMP supported platforms
  - VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
  - BIG-IP 5200v, 7200v, 10200v
- PEM and CGNAT supported platforms
  - VIPRION B2100, B2150, B2250, B4300, B4340N
  - BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
  - BIG-IP Virtual Edition (VE) (not including the Amazon Web Services Virtual Edition) (3 GB and 10 GB production models and combination lab models)
  - PEM and CGNAT may be provisioned on the VIPRION B4200, and PEM may be provisioned on the VIPRION B2100, but only for evaluation, not for production. Use the B4300 or B4340N instead.
- BIG-IP 800 platform support
  - The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.
Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
- In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
- ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16 - 3) x (2/4) = 6.5 GB.
- BIG-IP LTM standalone only
- BIG-IP GTM standalone only
- BIG-IP LTM and GTM combination only
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 8.x, 11.x
- Mozilla Firefox 27.x
- Google Chrome 32.x
BIG-IQ – BIG-IP compatibility
SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 11.5.4 Documentation page.
New in 11.5.3
7055/7255 Series and 10055/10255 Series platforms with Dual SSD support
This release provides support for the 7055/7255 Series and 10055/10255 Series platforms with Dual SSD support. For more information, see Platform Guide: 7000 Series and Platform Guide: 10000 Series.
New in 11.5.0
Security
ECC and DSA support for multiple client cert/key assignment in SSL client profiles
The BIG-IP system now includes support for Elliptic Curve Cryptography (ECC) and Digital Signature Algorithm (DSA) certificates, in addition to the existing RSA server certificate support, in the client SSL profile. This supports new CA offerings where RSA, ECC, and DSA server certificates are all available. Configuration options in the client SSL profile enable assignment of multiple certificate/key pairs, so the system can present the certificate type a given client can use.
AES-GCM support for TLS version 1.2 for RSA and ECC Ciphers
The BIG-IP system now includes support for Advanced Encryption Standard-Galois Counter Mode (AES-GCM) on RSA and Elliptic Curve Cryptography (ECC) cipher suites for Transport Layer Security (TLS) version 1.2 protocol implementations. This level of support brings the BIG-IP system into compliance with IETF RFCs 5288 and 5289.
STARTTLS support for SMTP traffic
Using the new SMTPS profile type, you can activate support for the industry-standard STARTTLS extension to the SMTP protocol. When you create an SMTPS profile, you instruct the BIG-IP system to either allow, disallow, or require STARTTLS activation for SMTP traffic. The STARTTLS extension effectively upgrades a plain-text connection to an encrypted connection on the same port, instead of using a separate port for encrypted communication.
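The following is an added illustration, not F5 code, of what the three STARTTLS modes mean on the wire: a minimal server-side SMTP state machine that applies an allow, disallow, or require policy to a client's command sequence. The mode names, the hostname, and the client transcript are assumed for the example; the reply codes follow RFC 5321 and RFC 3207, and the TLS handshake itself is represented by a flag.

```python
# Added example (not F5 code): a minimal SMTP server-side state machine that
# applies the STARTTLS policies the SMTPS profile offers: allow, disallow and
# require.  Mode names and hostname are assumed; reply codes follow RFC 5321
# and RFC 3207.  The TLS handshake is simulated by a flag.

from dataclasses import dataclass

HOSTNAME = "mx.example.test"          # constructed hostname
MODES = ("allow", "disallow", "require")


@dataclass
class SmtpPolicySession:
    mode: str
    tls_active: bool = False
    greeted: bool = False

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown STARTTLS mode {self.mode!r}")

    def handle(self, line: str) -> str:
        """Return the SMTP reply for one client command line."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            # Advertise STARTTLS only while it is permitted and not yet in use.
            if verb == "EHLO" and self.mode != "disallow" and not self.tls_active:
                return f"250-{HOSTNAME}\r\n250 STARTTLS"
            return f"250 {HOSTNAME}"
        if verb == "STARTTLS":
            if self.mode == "disallow":
                return "502 5.5.1 STARTTLS not available"
            if self.tls_active:
                return "503 5.5.1 TLS already active"
            if not self.greeted:
                return "503 5.5.1 EHLO first"
            # A real server runs the TLS handshake after this reply and
            # discards everything it learned in the clear (RFC 3207 s.4.2),
            # so the client must EHLO again inside the tunnel.
            self.tls_active = True
            self.greeted = False
            return "220 2.0.0 Ready to start TLS"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb == "NOOP":
            return "250 2.0.0 OK"
        if verb in ("MAIL", "RCPT", "DATA", "AUTH"):
            # "require" refuses any mail transaction until the tunnel is up.
            if self.mode == "require" and not self.tls_active:
                return "530 5.7.0 Must issue a STARTTLS command first"
            if not self.greeted:
                return "503 5.5.1 EHLO first"
            return "354 End data with <CR><LF>.<CR><LF>" if verb == "DATA" else "250 2.1.0 OK"
        return "502 5.5.2 Command not recognized"


def run_session(mode: str, client_lines: list) -> list:
    """Drive a whole session; returns (client line, server reply) pairs."""
    session = SmtpPolicySession(mode)
    return [(line, session.handle(line)) for line in client_lines]


if __name__ == "__main__":
    # Constructed transcript: a client that first tries to send in the clear,
    # then upgrades the connection and retries.
    attempt = ["EHLO client.example.test", "MAIL FROM:<a@example.test>",
               "STARTTLS", "EHLO client.example.test",
               "MAIL FROM:<a@example.test>", "QUIT"]
    for mode in MODES:
        print(f"--- mode={mode}")
        for client, reply in run_session(mode, attempt):
            print(f"C: {client}\nS: {reply}")
```

Running the three modes against the same transcript shows the difference that matters operationally: only require blocks the clear-text MAIL FROM with a 530. In allow mode the decision is left to the client, so an on-path attacker who strips the 250 STARTTLS capability line from the EHLO response downgrades an opportunistic client to plain text without the server noticing; require is the setting that closes that gap on the BIG-IP side.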
Enable/Disable SSL Forward Proxy based on Data Group Entries
A new iRule command lets you conditionally turn off SSL forward proxy for a connection, for example based on whether the destination matches a data group entry. A new iRule shipped on-box supports the command.
iControl Support for the PKCS#12 Password-Protected Container Format
This release supports PKCS#12 via iControl. PKCS#12 is a password-protected container format that bundles a certificate (with its chain) together with the corresponding private key; the private key material in the container is encrypted under the supplied password.
Improved PKCS#11 Interface Performance
This release contains performance enhancement to PKCS#11 Integration.
SafeNet Luna SA HSM integration with BIG-IP system
SafeNet Luna SA is an external HSM that is now available for use with BIG-IP systems. Because it is a network-based appliance, rather than an internal card-based solution, you can use the SafeNet Luna SA solution with the majority of BIG-IP appliances that run 11.5.0, including the BIG-IP Virtual Editions (VE).
Enhanced security for environments with stateless network traffic
VLANs on the BIG-IP system now include an optional configuration setting that causes the system to load balance traffic, using a round robin algorithm, across TMM instances. When enabled, this feature ensures that the system distributes packets evenly across TMM instances. By load balancing packets in this way, the system can prevent events such as certain types of DDoS attacks designed to send all packets to a subset of TMM instances as a way to overload the system.
BIG-IP 7200v HSM and SSL
This release features support for the new BIG-IP 7200v-FIPS Hardware Security Module (HSM) and Turbo SSL models within the BIG-IP 7000 series appliances. The 7200v-FIPS HSM model includes a FIPS 140-2 Level 2 certified internal HSM card that offloads SSL/TLS processing with industry leading bulk crypto throughput and protection of private keys. The 7200v-SSL model delivers the highest SSL performance in its class enabling organizations to maximize SSL offloading from overburdened servers and provide in depth protection for web applications. For more information, see Platform Guide: 7000 Series and the BIG-IP System HARDWARE DATASHEET.
VIPRION 2200
This release provides support for the new VIPRION 2200 platform, a two-blade chassis that supports B2000 Series blades. You must install BIG-IP version 11.5.0 or greater on all blades used in this chassis. For more information, see Platform Guide: VIPRION 2200.
Application Fluency
TCP Enhancements
This release includes several user-configurable TCP enhancements to optimize traffic for mobile users, including multi-path TCP (MPTCP) support, additional congestion control algorithms (Woodside, Illinois, Hamilton), and rate pacing per TCP connection to prevent bursty packet transmission. Two pre-configured TCP mobile optimized profiles target service providers and enterprise environments.
Proxy Mode for HTTP profiles
This release introduces a new Proxy Mode setting for HTTP profiles. In previous releases, when the BIG-IP system functioned as a forward proxy or transparent proxy server, and the system detected malformed or unknown HTTP traffic, the default behavior was to deny the traffic and drop the connection. With the Proxy Mode feature, you can configure the BIG-IP system to manage responses from multiple servers, allow and deny connection requests from browser traffic, and forward invalid HTTP traffic to a specific server instead of dropping the connections. This feature is particularly useful for service providers who require more flexibility in the way that the BIG-IP system manages invalid or unknown HTTP traffic.
SOCKS Profile
You can now use the BIG-IP Local Traffic Manager SOCKS profile to configure the BIG-IP system to handle proxy requests and function as a gateway. By configuring browser traffic to use the proxy, you can control whether to allow or deny a requested connection.
BER/DER encoding and decoding
This release provides BER/DER encoding/decoding iRule primitives for building traffic management solutions for protocols such as LDAP and SNMP.
Microsoft SQL Server Proxy
There is now a profile for MSSQL database environments that natively parses the TDS protocol, proxies basic authentication, and routes connections based on SQL command or user. You can layer on additional traffic management functions such as priority pool activation, the MS SQL monitor, client-side SSL, and OneConnect.
FIX Protocol Profile
The BIG-IP system provides a FIX profile for Financial Information eXchange (FIX) tag substitution and load balancing based on tags, for example, SenderCompID. When a client's tags and an institution's tags are not equivalent, tag substitution can be performed. Because the BIG-IP system natively parses and validates the FIX protocol, the BIG-IP system can provide context-aware routing of connections. If a FIX message passes syntax and checksum verification, the BIG-IP system allows transmission, triggers the FIX_MESSAGE iRule event, and optionally logs the message. If a FIX message is invalid, the BIG-IP system logs the error, and either disallows transmission or drops the connection, as configured by the profile.
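As an added example, not F5 code, the following shows the kind of validation the paragraph describes: parsing a FIX tag=value message, checking BodyLength (tag 9) and CheckSum (tag 10), and extracting SenderCompID (tag 49) for a routing decision. The sample message is constructed in the block; repeating groups are not handled, and the helper names are this example's own.

```python
# Added example (not F5 code): parse and validate a FIX message, checking
# BodyLength (tag 9) and CheckSum (tag 10) before trusting any tag for
# routing.  Sample messages are constructed here; repeating groups are not
# handled.

SOH = b"\x01"   # FIX field delimiter


class FixError(ValueError):
    """Raised for any framing, length or checksum failure."""


def fix_checksum(data: bytes) -> str:
    # CheckSum is the byte sum mod 256 of everything before the 10= field,
    # rendered as exactly three decimal digits.
    return f"{sum(data) % 256:03d}"


def build_fix(begin_string: str, body: list) -> bytes:
    """Assemble a well-formed message from (tag, value) body fields."""
    body_bytes = b"".join(f"{t}={v}".encode() + SOH for t, v in body)
    head = f"8={begin_string}".encode() + SOH + f"9={len(body_bytes)}".encode() + SOH
    msg = head + body_bytes
    return msg + b"10=" + fix_checksum(msg).encode() + SOH


def parse_fix(raw: bytes) -> dict:
    """Validate framing, BodyLength and CheckSum; return {tag: value}."""
    if not raw.endswith(SOH):
        raise FixError("message must end with SOH")
    parts = raw[:-1].split(SOH)
    fields = []
    for part in parts:
        tag, sep, value = part.partition(b"=")
        if not sep or not tag.isdigit() or value == b"":
            raise FixError(f"malformed field {part!r}")
        fields.append((int(tag), value.decode("ascii")))
    if [t for t, _ in fields[:2]] != [8, 9] or fields[-1][0] != 10:
        raise FixError("tags 8 and 9 must lead and tag 10 must trail")
    if not fields[1][1].isdigit():
        raise FixError("BodyLength must be numeric")
    # BodyLength counts the bytes after the 9= field up to, but excluding, 10=.
    head_len = len(parts[0]) + 1 + len(parts[1]) + 1
    trailer_len = len(parts[-1]) + 1
    body_len = len(raw) - head_len - trailer_len
    if body_len != int(fields[1][1]):
        raise FixError(f"BodyLength {fields[1][1]} != actual {body_len}")
    expected = fix_checksum(raw[: len(raw) - trailer_len])
    if fields[-1][1] != expected:
        raise FixError(f"CheckSum {fields[-1][1]} != computed {expected}")
    return dict(fields)


def is_valid(raw: bytes) -> bool:
    """True when the message would be allowed through, False when it would be logged and refused."""
    try:
        parse_fix(raw)
        return True
    except FixError:
        return False


def route_key(fields: dict) -> str:
    """SenderCompID (49) is the tag the text names for routing decisions."""
    return fields[49]


if __name__ == "__main__":
    # Constructed new-order-single from CLIENT1 to BANK.
    msg = build_fix("FIX.4.2", [(35, "D"), (49, "CLIENT1"), (56, "BANK"), (34, "1"),
                                (11, "ORD1"), (55, "MSFT"), (54, "1"), (38, "100")])
    print(msg)
    print("route to:", route_key(parse_fix(msg)))
    # Flip a single digit of OrderQty without recomputing the checksum.
    print("tampered valid?", is_valid(msg.replace(b"38=100", b"38=900")))
```

The checksum is an integrity check against corruption, not an authentication mechanism: anyone who can alter the message can recompute tag 10, so routing on SenderCompID is only as trustworthy as the transport (for example, TLS terminated on the virtual server) that delivers it.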
ePVA support UDP Transport
ePVA now supports offload of UDP traffic when using FastL4 Profile.
Pre-Defined groupings for Analytics
In this release, administrators can create groups of IP addresses; both IPv4 and IPv6 addresses are supported in a grouping. The subnet groupings are global per device and are not configurable per application, to avoid subnet name conflicts. Subnet groupings cannot be used together with geolocations; a user can view either subnets or geography.
Infrastructure
iControl REST
This release introduces iControl REST, a REST interface through which you can remotely execute tmsh commands. iControl REST APIs are available for all BIG-IP product modules. tmsh versioning was added to provide script compatibility between versions of BIG-IP.
Network Virtualization Tunnels
This release introduces Layer 3 gateway functionality and support for the VXLAN (Unicast), NVGRE, and Transparent Ethernet Bridging tunnel types used in deploying virtualized networks.
IPsec Tunnel Interface
This new tunnel interface framework enables an IPsec tunnel to be used like any BIG-IP VLAN. Using this feature gives you more flexibility in associating IPsec with other objects in the BIG-IP system, such as static routes and virtual servers.
HA group failover for traffic groups
Prior to this release, the HA group feature of the BIG-IP system calculated a single HA health score for per device, and if the score fell below a configured threshold, the system initiated the failover of all traffic groups on the device. With this release, you can configure a separate, unique HA group for each traffic group instance on a device, causing the BIG-IP software to calculate a separate health score for each traffic group instance on a device. The result is that the system can initiate failover for a specific traffic group according to the needs of the application traffic associated with that traffic group. For example, if you create traffic-group-2 containing the virtual IP address 192.168.20.10, and you create an HA group based on trunk health and assign it to the instance of traffic-group-2 on device Bigip_A, then that instance of traffic-group-2, if active for Bigip_A, fails over to another device in the device group whenever the number of links falls below the specified threshold.
New utility for DSC configuration
For BIG-IP users who need to expediently set up device service clustering (DSC) on an existing system, this release includes a separate Run Config Sync/HA Utility wizard, available within the BIG-IP Configuration utility on the About tab of the navigation pane. This wizard is similar to the Setup utility but focuses on DSC-related tasks only, such as setting up device trust and device groups, as well as configuring config sync, failover, and connection mirroring.
Appliance mode for vCMP guests
On a vCMP system, you can now enable or disable Appliance mode for each guest individually, with no need to include Appliance mode in the BIG-IP system license. Enabling appliance mode for a guest adds an additional layer of security by ensuring that administrators for the guest use the BIG-IP Configuration utility and the Traffic Management Shell (tmsh) only, with no access to the root account and the Bash shell.
Software update availability check
This release provides the ability to check the F5 Networks downloads server for software updates for your system. By default, the system automatically checks the downloads server weekly. When there are no updates for your server, the system indicates that, and when there are, you can click a link to go to the downloads server to retrieve the most recent release/hotfix, EUD, EPSEC, and geo location version. You can find Update Check on the Software Management submenu.
DAG Round Robin disaggregation
The new DAG Round Robin feature for VLANs prevents stateless traffic from overloading a few TMM instances, instead load balancing the traffic among TMMs evenly rather than using a static hash. Stateless traffic in this case includes non-IP Layer 2 traffic, ICMP, some UDP protocols, and others. DAG Round Robin is particularly useful for firewall and Domain Name System (DNS) traffic, and can help prevent certain types of DDoS attacks, such as an ICMP DDoS attack that can overload the system by sending the same packets repeatedly to a specific subset of TMMs.
ZebOS Updates
This release provides an update to ZebOS 7.10.2, as well as additional OSPFv3 enhancements (OSPFv3 NSSA support, OSPFv3 Multiple Address Family support (RFC 5838), BFD support for OSPFv3)
CGNAT
CGNAT :: PPTP ALG Profile
This release provides a Point-to-Point Tunneling Protocol (PPTP) profile that enables you to configure the BIG-IP system to pass PPTP virtual private network (VPN) tunnels through CGNAT, forwarding the PPTP control connection together with its associated GRE data connections. You configure a PPTP profile and then assign it to a virtual server.
CGNAT :: BIG-IP Deterministic NAT utility
This release provides improvements to the BIG-IP Deterministic NAT utility (dnatutil), which can now interpret logs from version 11.4 and later. The dnatutil performs forward and reverse mapping of a subscriber's possible endpoints. The dnatutil is now packaged to install and run on CentOS or Debian based Linux systems using archived logs, and is not tied to a specific version or platform of BIG-IP, allowing you to store and process logs from any supported DNAT log destination, including LTM, remote syslog, and Splunk.
CGNAT :: 6rd Support
The 6rd (rapid deployment) feature is a solution to the IPv6 address transition. It provides a stateless protocol mechanism for tunneling IPv6 traffic from the IPv6 Internet over a service provider's (SP's) IPv4 network to the customer's IPv6 networks.
PCP
This release of BIG-IP software supports the Port Control Protocol (PCP). Client-side devices (such as BitTorrent and Xbox) can use PCP to control Network Address Translation (NAT) mappings for themselves. See RFC 6887 for an exact specification of PCP. A PCP client can request an address mapping (such as 192.168.25.10 to 172.14.2.34) for itself or on behalf of another client machine, and PCP servers on NAT and Carrier-Grade NAT (CGNAT) devices support that mapping. The PCP client can then advertise its public-side address to fellow clients from the same vendor. The BIG-IP system is a CGNAT device that supports PCP mappings.
IPFIX for CGNAT
This release of BIG-IP software supports IPFIX and NetFlow V9 logging. IPFIX is a set of IETF standards. This version of BIG-IP software supports logging of CGNAT translation events and AFM events over the IPFIX protocol. This implementation conforms to the IPFIX protocol specified in RFC 5101, and the information model described in RFC 5102.
Documentation
BIG-IP Systems: Upgrade
This release introduces the BIG-IP Systems: Upgrading 11.x Software guide, which provides information for upgrading from earlier BIG-IP 11.x software to the current software version. This guide adds to the existing upgrade documentation, BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, which describes upgrading from BIG-IP 10.x software to the current 11.x software version.
Good, Better, Best
Maximized Enterprise Application Delivery Value
To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.
- Good: Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
- Better: Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
- Best: Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
Installation overview
- Upgrade from 11.x configurations: BIG-IP Systems: Upgrading 11.x Software
- Upgrade from 10.x Active-Standby configurations: BIG-IP Systems: Upgrading Active-Standby Systems
- Upgrade from 10.x Active-Active configurations: BIG-IP Systems: Upgrading Active-Active Systems
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727 - License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
Installation method | Command |
---|---|
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
Post-installation tasks
- Upgrade from 11.x configurations: BIG-IP Systems: Upgrading 11.x Software
- Upgrade from 10.x Active-Standby configurations: BIG-IP Systems: Upgrading Active-Standby Systems
- Upgrade from 10.x Active-Active configurations: BIG-IP Systems: Upgrading Active-Active Systems
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Upgrading from earlier versions
Your upgrade process differs depending on the version of software you are currently running.
Upgrading from version 10.1.0 (or later) or 11.x
When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.
Upgrading from versions earlier than 10.1.0
You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must first be running version 10.1.0 or later. For details about upgrading to those versions, see the release notes for the associated release.
Upgrading to 4th element versions from versions earlier than 11.5.0
You cannot directly update from pre-11.5.0 versions (e.g., v11.4.x, v11.2.x, etc.) to any 4th element version (e.g., v12.1.3.1, v13.1.0.1, etc.). Direct upgrade to 4th element versions is supported only from v11.5.0 and later. For pre-11.5.0 versions, you must first upgrade to v11.5.0 or later. The recommended upgrade path is from v11.4.1 to v12.1.3, and then to v12.1.3.1. For details about upgrading to those versions, see the release notes for the associated release.
Automatic firmware upgrades
If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.
Upgrading earlier configurations
When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.
ID Number | Description |
---|---|
ID 223704 | When you import a single configuration file (SCF file) that contain VLANs of the same name that exist in different administrative partitions, the operation fails with a unknown operation error. Upgrading configurations with VLANs of the same name in different administrative partitions. Upgrade operation fails with a unknown operation error. Workaround: Before installing an SCF file, run the tmsh load sys config default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected. |
ID 398067 | As of version 11.0 a check is performed to ensure a failover unicast address actually exists. In configurations using the management port for failover, the management IP and unicast failover IP must be identical for failover to function properly. They must also be identical before upgrading. Releases preceding and including 11.3.0 do not automatically modify the unicast failover IP when the management IP is changed or vice-versa. This can cause failures when loading the config after an upgrade. This is an example error: 0107146f:3: Self-device unicast source address cannot reference the non-existent Self IP (a failover IP); Create it in the /Common folder first. Before upgrading, ensure that the management IP and unicast failover IP are identical. |
ID 401828 | The following configurations are invalid for a SIP virtual server: a) TCP virtual server with a UDP profile and a SIP profile. b) UDP virtual server with a TCP profile and a SIP profile. TCP virtual server with a UDP profile and a SIP profile, or a UDP virtual server with a TCP profile and a SIP profile. If such a configuration exists in previous versions, it loads in 11.3.x but may cause a core. Workaround: "Fix the configuration manually, as follows: a) A SIP TCP virtual server must have TCP as one of its profile type. b) A SIP UDP virtual server must have UDP as one of its profile type." |
ID 415961 | Unused HTTP Class profiles are not rolled forward during upgrade or UCS restore. If you have defined HTTP Class profiles but have not assigned them to virtual servers, the system does not bring forward those profiles into the new configuration when you upgrade. No Policy is created from the HTTP Class profile and the profile does not appear in the new configuration. This occurs when upgrading a pre-v11.4.0 configuration with a HTTP Class profile not attached to a virtual server. You might lose unused HTTP Class profiles in the configuration. Workaround: Attach all HTTP Class profiles to a virtual server before upgrade or save of a UCS. |
ID 434364 | "When upgrading from 10.x or installing a 10.x originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions which had been generated from files in the 10.x install. If the filename being upgraded to file-object starts with a '.', then on initial load, bigpipe will give an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (external_monitor_file_object_key | show | list | help) for 'external monitor file object'" The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.' The UCS will not install properly, and/or the configuration on initial boot will not load. Workaround: Edit the name of the file-object in question which would be found in /config/bigpipe/bigip.conf to remove the leading '.' character from the object name, and make any references to the file-object match that change. |
ID 435332 | If there are users defined on a version 10.2.1 BIG-IP system to have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x. "Here is a sample user config from 10.2.1: user v-abban { password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/' description 'v-abban' group 500 home '/home/v-abban' shell '/bin/false' role administrator in Common }" Upgrade or load UCS fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit the bigip_sys.conf to have the role line as follows: ... role administrator in [All] } |
ID 435482 | In versions prior to 11.4.0, the UCS does not save files containing spaces in the names. That means that any files that had spaces in the name would not be written to the UCS file and the UCS save would appear to succeed. When a UCS file which was saved in this manner is subsequently applied to 11.4.0 or greater, the configuration load will fail because the referenced file(s) (with spaces in their names) are not present in the UCS. "1. The UCS being applied was saved in a release prior to 11.4.0. 2. The configuration contained config objects with spaces in their names. 3. The UCS is being applied to 11.4.0 or greater." After upgrading into the newer release, the initial config load will fail. Alternatively, manually loading any UCS saved in this manner will result in a similar configuration load failure. Workaround: Boot back to the previous version and rename all the files in question so they don't have spaces in their names. Save the UCS again, and upgrade. |
ID 436075 | Using syslog include field when the command 'syslog-ng -s' does not succeed before the upgrade. Using syslog include field. It is possible to roll forward an include field with invalid syntax. This will cause the configuration to fail to load. Workaround: When using the syslog include field, ensure that the command 'syslog-ng -s' succeeds before the upgrade. |
ID 436212 | If a copper SFP module is installed and a configuration is loaded which sets that module's speed and duplex, this configuration might fail to load. The /var/log/ltm file shows an error similar to the following and the config fails to load: 01070318:3: The requested media for interface 1.1 is invalid. The system being upgraded needs to have a copper SFP module installed in order to encounter this issue. There are two ways to arrive at this state: when upgrading and at runtime. The runtime error and its workaround are covered in SOL14556, available at http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14556.html. When applying a UCS from a previous version of TMOS, this condition can also be triggered. The upgrade fails after booting into TMOS for the first time. Workaround: To work around this issue, edit /config/bigip_base.conf so that the lines specifying the 'media-sfp' setting are set to 'auto', similar to the following example. Once all interfaces using a non-auto setting are changed, the configuration should load. net interface 1.1 { media-sfp auto } |
ID 436825 | Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. All of these conditions must be true: - A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1. Upgrading to 11.0 or 11.1 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0. - It has a partition that has its default route domain set to a nonzero route domain. - That partition contains nodes with no route domain set (so the default is used). - That partition contains other nodes in route domain 0. Those objects may no longer be addressable or able to connect. Workaround: Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane. |
ID 448409 | The command 'load sys config verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect. This affects the ConfigSync communication channel if configured. The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted. Workaround: You can avoid this issue by using the 'load sys config verify' command 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the command: tmsh load sys config partitions all. |
ID 449617 | If a configuration file includes a passphrase for an ssl-key file object, the object may fail to validate when loading the configuration. This occurs when a passphrase is present in an ssl-key file object. The configuration fails to load. Workaround: Remove the passphrase line from the file object. |
ID 450050 | Following upgrade from 10.x to 11.x, the config file fails to load. An error similar to the following is logged: load_config_files: "/usr/libexec/bigpipe load" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line xxxx): 012e0020:3: The requested item (respondasm {) is invalid (<profile arg> | show | list | edit | delete | stats reset) for 'profile'. This occurs when upgrading from 10.x to 11.x and respondclass configuration directives were introduced into the customer's /config/bigip.conf: profile respondclass XXXX { ... } Configuration fails to load. Workaround: It is safe in version 11.0 onwards to manually delete a "profile respondclass XXXX {" block. |
ID 489015 | An LTM request-log profile that references a non-existent pool can pass validation in 11.1, but fails on 11.2 and later with an error similar to "The requested Pool (/Common/poolname) was not found." This can cause a load failure when rolling forward the configuration. The condition is an invalid request-log profile referencing a non-existent pool when upgrading from 11.1; the result is a failure to load the config post-upgrade. Workaround: Correct the request-log profile in the config either prior to upgrade or by editing the config afterward. |
ID 490139 | Loading iRules from the iRules file deletes last few comment lines immediately preceding the closing bracket. This occurs when loading an iRule file from versions prior to 11.5.1. Although the comments are removed, this does not affect iRule functionality. Workaround: Put comments in places other than immediately above the closing bracket. |
ID 496663 | iRule object in non-Common partition referenced from another partition results in upgrade/configuration load failure in 11.x. This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software. The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'. Workaround: None. |
ID 513239 | The configuration might fail to load upon upgrade from 10.x to 11.x if the configured SSL profile cache-size value exceeds the maximum supported value on 11.x. This occurs when an SSL profile exists with a cache-size greater than 262144 (if upgrading to version 11.0.0 through version 11.4.1) or greater than 4194304 (if upgrading to version 11.5.0 and later). The upgrade from version 10.x to version 11.x fails. The system posts a version-specific error: -- If upgrading to version 11.0.0 through version 11.4.1: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 262144. -- If upgrading to version 11.5.0 and later: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 4194304. Workaround: Prior to upgrade, change the version 10.x cache-size to a value that is supported on the upgraded version. On versions 11.0.0 through 11.4.1, the supported range is from 0 to 262144; on version 11.5.0 and later, the supported range is from 0 to 4194304. |
ID 513501 | When upgrading from a version prior to 11.5 to 11.5 or newer, the configuration may fail to load with an error similar to: "LSN pool is configured with a prefix address that overlaps with a prefix address on another LSN pool" if the configuration contains an overlapping DNAT and NAPT LSN pool. On versions prior to 11.5, tmsh allowed users to configure overlapping DNAT and NAPT pools despite this configuration being invalid and non-functional. Fixes to the validation were added in 11.5. However, when upgrading from previous versions, a configuration containing overlapping DNAT and NAPT pools fails to load on versions 11.5 and newer. The configuration fails to load on upgrade. Workaround: Edit bigip.conf and find the overlapping LSN pools. Either remove one of the pools or change the mode on the DNAT pool to NAPT. |
ID 523797 | The upgrade script failed to update the file path name for snmp.process_name, causing a validation error. Workaround: Edit the process name path to reflect the location. |
ID 528881 | When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load. The BIG-IP system must be configured with NATs that have spaces in their names. The configuration does not load on the upgraded system. Workaround: Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ). |
ID 530011 | After upgrading from 10.2.x to 11.x, an iRule causes an error when the iRule event is triggered: CLIENT_ACCEPTED - Illegal argument. TCP::option get on profile without tcp option setting (line 1) invoked from within 'TCP::option get 8'. This occurs when rules.tcpoption.settings is used to specify the TCP option to collect. iRules that use TCP::option and depend on rules.tcpoption.settings do not work as expected when upgrading from 10.2.x to 11.x. Workaround: After the upgrade, configure a TCP profile that collects the appropriate TCP option for the iRule: create ltm profile tcp profile_name tcp-options "{8 last}". |
ID 532559 | If the client-ssl profile is /Common/clientssl, its parent profile is itself, but the configuration uses 'defaults-from none'. This occurs when 'defaults-from none' is added under the client-ssl profile '/Common/clientssl'. The upgrade fails. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile. Workaround: None. |
Fixes in 11.5.4
The fixes from 11.5.3 HF1 and HF2 are merged into 11.5.4.
ID Number | Description |
---|---|
226043 | This release adds support for multiple destination addresses for audit-forwarder. There is one new db variable added for audit_forwarder: 'config.auditing.forward.multiple'. There are three options: 'broadcast', 'failover' and 'none'. The default is 'none'. When set to 'none', the behavior is the same as in previous releases. When db variable 'config.auditing.forward.multiple' is set to 'broadcast' or 'failover', db variable 'config.auditing.forward.destination' can be set to multiple IP addresses, separated by commas ( , ), such as '192.0.2.1,198.51.100.53,www.example.com'. This provides more than one destination IP address to the BIG-IP system audit_forwarder. Note that a single IP address works as well. When 'config.auditing.forward.multiple' is set to 'broadcast', the audit message is sent to all destinations. When it is set to 'failover', audit_forwarder sends the message to the first destination. If that fails, audit_forwarder tries the next destination until it finds a successful destination, or fails on all destinations. Note that 'failover' mode is not supported for a RADIUS server since it is UDP and there is no notion of failing to connect. For a RADIUS server, if 'config.auditing.forward.multiple' is set to 'failover', audit_forwarder treats it as 'none'. When there is a failure to send the audit message, the system logs errors in '/var/log/ltm'. |
348000 | HTTP response status 408 request timeout no longer results in error being logged. |
364994 | TMM no longer restarts when a OneConnect profile is applied to a virtual server and OneConnect reuse is disabled on the server side by an iRule. |
365219 | Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment. |
375246 | When set_member_session_enabled_state sets a pool member to disabled, current connections are maintained, but no more connections are allowed. When set_member_monitor_state sets a pool member to disabled, all connections are killed immediately and no more connections are allowed. |
413708 | A problem of SNMP IPv6 UDP response from the BIG-IP system with an ephemeral source port has been solved. |
418890 | All SSL keys from version 10.x can be loaded correctly using the UCS file. |
429011 | External link down time on network failover is now supported on BIG-IP 2000 series and 4000 series platforms. You can find the Link Down Time on Failover option in the GUI under Device Management :: Device Groups :: [device_group_name] :: Failover. |
430799 | Resolved CVE-2010-5107. See AskF5 solution article SOL14741: OpenSSH vulnerability CVE-2010-5107, available here https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14741.html. |
433466 | Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces. |
434096 | The BIG-IP system now allows up to an 8 KB log message size. |
439013 | Validation now allows IPv6 link-local address with %vlan notation. |
439299 | iApp creation by non-admin users previously could fail with this error: Error parsing template:Tcl_Init failed: (invalid command name "file" while executing "file join $i init.tcl" (procedure "tclInit" line 21) invoked from within "tclInit" line:46) This no longer occurs. |
441058 | The system now loads the virtual IP addresses and associated SSL Certs/Keys in batches, so that TMM config load no longer exceeds its allowed CPU time. |
441638 | The cache information is now kept in sync with packet data. |
442869 | The primary blade formerly sent a message to all secondaries every second telling them to change the primary selection time. (The actual timestamp is correct and is the same every second.) Over time, this might fill up the audit log. This no longer occurs, and the message is now sent only when the primary actually changes. |
446755 | Connections no longer stall on virtual servers with ramcache and clientssl profile allowing non-SSL traffic. |
446830 | On a virtual server with an HTTP filter, Current Sessions stat now increments/decrements correctly if either side closes the connection after the HTTP request has been forwarded to the server but before the server has sent its response. |
447043 | LTM policies now allow rules to have multiple conditions on the same operand and same match type, so that "user-agent contains 'Android' AND 'Mobile'" can now be expressed by specifying: conditions { 0 { http-header name User-Agent contains values { Android } } 1 { http-header name User-Agent contains values { Mobile } } } |
451059 | clientssl profile (SSL server) now checks the Change Cipher Spec payload received from the SSL client, and ensures that the Change Cipher Spec payload is a single byte of value '1'. |
452246 | When the original ClientHello and resuming ClientHello contain different ciphers, if the original cipher is in the resuming ClientHello it will be chosen and the session resumed, otherwise a full handshake will be used. |
453720 | The system now presents an error message when attempting to create a client-ssl profile without a cert-key-chain name and a cert/key, so the upgrade failure cannot occur. |
455651 | The parsing of regex and glob patterns has been improved for consistent behavior across MCP and TMM. |
455980 | On password change by an admin user for a user, the home directory of the user is left intact. |
456766 | SSL Session resumption now works in all expected cases. |
458104 | Trunk config member interfaces are no longer merged during load. Only the trunk member interfaces defined in the config are present after a load. |
458822 | Changes are now immediately reflected on secondary blades when the cluster status is changed on the primary blade. |
459100 | TMM now handles one way UDP traffic offloading correctly. |
460165 | Accessing Template and Cluster pages now load correctly. |
462187 | Non-admin users can now use the GUI to access the tunnel list page or properties for a configured tunnel without error. |
463468 | Failed tmsh command no longer generates double logs. |
464225 | Non-admin users can now successfully run the commands 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing'. |
464651 | Resolved a failure when the customer installs another self-signed certificate with same subject/issuer before a self-signed certificate expires. |
465142 | LocalLB::ProfileClientSSL::create and create_v2 methods now work correctly when used in partitions other than /Common. |
467551 | TCP syncookie and Selective NACK (profile option) now works correctly. |
468473 | Monitors with domain username now save/load correctly. |
470756 | The snmpd daemon now periodically logs warning messages regarding slow query responses from mcpd. snmpd also attempts to maintain heart-beat communication with sod under these conditions. |
470788 | Static ARP entries that fall outside of configured self IP addresses can now be loaded. However, this invalid configuration is now avoided by requiring static ARP entries in a self IP subnet to be removed before a self IP can be removed. |
471059 | Cookie values containing space character are parsed properly. |
472585 | The tmrouted functions normally when multiple route domains with multiple routing protocols, with heartbeat enabled, are created and deleted repeatedly. |
472748 | The system now releases the default SNAT from the virtual server if there is a SNAT configuration directly associated with the virtual server. |
473037 | BIG-IP 2000/4000 platforms now support RSS with L4 data on SCTP. |
473163 | RAID disk failure and alert.conf log message now match, so appropriate SNMP traps are now issued when a disk is failing. |
475125 | HTTP::retry no longer causes TMM to crash. |
475649 | HTTP::respond no longer asserts and HTTP::collect now works as expected when used from HTTP_REQUEST in explicit proxy scenarios. |
476288 | Repeated creation and deletion of route domains and routing protocols led to a race condition between the start timer of the routing protocols and inconsistent memory state of the deleted routing protocols. This fix resolves the race condition. |
476708 | Correctly update the ECMP route paths on update. |
477064 | The TMM exit and restart that occurred in certain circumstances when processing SSL traffic has been fixed. |
479543 | The pool-member reference check for the node was moved to a later stage of validation, allowing the pool and pool members to be updated/deleted. This ensures that when the delete code for the node checks for references from a pool, there will be none. |
480119 | The log level of the ERR_BOUNDS error has changed from ERR to DEBUG, which is correct behavior. |
481089 | After performing a full sync, BIG-IP systems remain in sync as expected, even when active mcpd connections are deleted before the sync completes. |
481162 | The vs-index is now the same on each blade in a chassis on a multi-blade VIPRION and on multi-blade vCMP guests. |
481677 | TMM no longer produces a core file when the TCP::close iRule command is executed during an SSL handshake. |
483104 | vCMP guests now report bigipVcmpGuest as platform type. |
483699 | Accessing iFile object in Local Traffic :: iRules : iFile list now works correctly and no longer produces No Access error. |
483719 | Single-member vlan-groups no longer leak memory. |
484534 | Spanning Tree Protocol (STP) now checks for the disabled state of the port before adding it as an STP member. |
484861 | Ensure that the preferred system goes active after auto failback, even if its traffic group score is lower than that of its peers. |
485702 | The default community string 'public' is no longer added to the SNMP configuration on upgrade if it had been deleted in the previous software configuration. |
485917 | The fix is based on verifying the validity of the TCP sequence number of the TCP packet embedded inside the PATH MTU discovery ICMP packet. If the TCP sequence number is valid for the targeted TCP connection, the ICMP packet is considered a legitimate PATH MTU Discovery packet sent by a router on the connection PATH and therefore the MTU value it carries is adopted as the new PATH MTU. If the TCP sequence number is not valid for the target connection, the ICMP packet is ignored. |
486758 | Resolved installation error in a pre-release build of 11.2.1 HF14 that caused the system to fail to correctly initialize the management port. The officially released 11.2.1 HF14 does not have this problem. |
486762 | With the fix in place, clients may open the full number of allowable connections. |
489113 | PVA status and statistics are displayed correctly for VIPRION B2250 blades. |
489451 | The system now checks for OpenSSL failures during SSL handshake generation, so TMM no longer panics. |
490429 | The dynamic routes for the default route are no longer flushed during operations on non-default route domains. |
490740 | HTTP will no longer crash if HTTP is disabled while it is parked on the client side. |
490893 | HSL-logged deterministic NAT state information can be used to correctly forward and reverse map. |
491556 | tmsh show sys connection output is correct for users that do not have access to all partitions. |
492163 | Instances in which the pool monitor is incompatible with the pool member are now validated correctly. |
493117 | Now, an advertised route remains advertised after its netmask is changed. |
493140 | Using cookie hash persistence and invoking cookie hash persistence from within an iRule now works as expected. |
493246 | The software that generates the F5 BIG-IP MIBs has been updated to allow a slot 0 return value. |
494122 | Deterministic NAT state information from HSL is now usable on VIPRION B4300 blades. |
494743 | TMM translations after blade failure or startup can be properly reverse-mapped by dnatutil. |
495588 | Before v11.5.0, Clientssl profile only supports one key/cert pair, no name associated with the key/cert pair. In v11.5.0, multiple key/cert pairs are associated with one clientssl, so each key/cert pair has a name. |
495862 | Virtual status now stays red if all the pool members are down. |
495865 | Users can now remove a monitor from a pool / set it to 'none' through tmsh or a GUI iApp transaction. |
497304 | Ensure the sFlow data source is removed from an HTTP profile when it is deleted. |
498334 | TMM will correctly send a response message back when processing a zone notify message from a remote name server. |
500424 | DNATUtil will continue on even if it encounters an error. It will report the error but not exit. |
501437 | The rsync daemon is now shut down properly when the configsync-ip is set to none, and no longer listens on configsync-ip. |
502747 | The BIG-IP system will no longer generate an ACK to incoming SYNs which match an existing connection that cannot be recycled. |
503257 | Persistence, connection limits and HTTP::respond or HTTP::redirect no longer result in RST. |
503343 | Prevent TMM crash due to cloned packet incorrectly marked for TSO. |
503560 | The validation logic has been changed to allow a Statistics profile and an HTTP transparent profile to be attached to the same virtual server simultaneously. |
503600 | TMM no longer crashes and coredumps while logging to remote logging server. |
504494 | Upgrading to 11.5.0 and later no longer associates a disabled HA group to traffic groups. This is correct behavior. |
504508 | IPsec Tunnel between the BIG-IP system and CISCO devices with older Dead Peer Detection (DPD) are no longer brought down because of mismatched Cookie Field in the DPD messages. |
504803 | Pools with a name that contains _mam are now showing up in the Pools list in the GUI. |
504827 | The system now verifies that existing server-side flows are actual relay flows before reusing them. |
505705 | Both the local and mirrored owner persistence records are properly removed. |
506041 | Only folders and partitions in the device group will get synced. However, since multiple device groups can still share the same partition, there is still a chance that the route domain on the partition could get overridden if the two device groups use different route domains. |
507109 | The certificate, key, and chain certificate settings in a Client SSL profile no longer change after an upgrade. |
507602 | IPsec lifebyte functions properly and leaves no inconsistent state on the BIG-IP device after rekey. |
507853 | Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed. |
510164 | DNS Express zone RR type-count statistics are correctly set after restarting zxfrd. |
510393 | Resolved occasional TMM restarts when stopping vCMP guests on 12050 and 10350N appliances. |
510425 | DNS Express zone RR type-count statistics now display correctly. |
510921 | Database monitors now support monitoring IPv6 nodes. |
511057 | Monitor modification and deletion can now happen in the same transaction. |
511145 | The IPsec Policy Link on the Network :: IPsec :: Traffic Selectors :: List page now functions as expected. |
511517 | The system now supports simultaneously configuring both a Request Logging profile and an HTTP transparent profile on a single virtual server. |
511559 | Virtual address status is updated after load, so no unavailable virtual address is advertised. |
512148 | A self IP now can be deleted even when its VLAN is associated with a static route, as long as at least one self IP exists on that VLAN. If the static route is IPv4, then an IPv6 self IP does not meet the requirement, and vice versa. |
512490 | Disable Nagle algorithm on TCP/HA profile to improve performance. |
512618 | This change allows a user to retrieve SAs based on specific addresses using the racoonctl utility. |
513151 | Added new SNMP OID for VIPRION B2150 blades with SSD. |
513243 | If certain crypto commands return an error, but memory is allocated successfully, the system now completes the operation as expected. |
513319 | TMM no longer leaks memory when the sideband destination is unreachable. |
514108 | TCP Segmentation Offload (TSO) packet is now cleared correctly with no packet-locked message. |
514246 | Fixed a NULL pointer dereference in connflow_precise_check_begin. |
514724 | Allowed the crypto device to be restored and not keep the crypto-failsafe HA status in the fail state. |
514726 | Individual DSR tunnels are removed after the corresponding client's user flows expire. |
514844 | The system now displays the correct number of health monitors for pool members for configurations containing administrative partitions and route domains. |
515345 | This release contains the fixes from NTP-4.2.8p2 Security Vulnerability Announcement. See Security Notice, available here http://support.ntp.org/bin/view/Main/SecurityNotice. |
515482 | When receiving ABORT commands, TCP catches cases where the connection is already closed. |
515646 | TMM no longer cores when multiple PPTP calls arrive from the same client. |
516184 | IKEv1 can re-establish its IKE SAs after the VLAN with IKEv1 traffic changes its cmp-hash setting (currently available options are "default", "src-ip", and "dst-ip"). |
516320 | Match across persistence no longer causes CPU spike. |
516322 | Modifying a persistence profile while updating partition /Common during a merge config no longer disassociates the iApp from the virtual server. |
516432 | DTLS no longer sends corrupted records when DB variable tmm.ssl.dtlsmaxcrs is not default value 1. |
516598 | The system now prevents starting multiple TCP keepalive timers for the same FastL4 flow. |
516995 | NAT traffic group inheritance now syncs across devices using incremental sync. |
517124 | The HTTP::retry command no longer corrupts input that isn't in the UTF8 format. |
517388 | All relative distinguished names (RDNs) are now parsed as expected. Previously, the system correctly parsed RDNs for division name, state name, locality name, organization name, country name, and common name. Now, the system correctly parses all RDNs. |
517510 | The HTTP monitor has been fixed to avoid adding additional CR/LF pairs, except for the case where only headers are supplied and there are insufficient CR/LF supplied to terminate the headers. |
517590 | The pool member's status updates when the pool's monitor is removed. |
517790 | The passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode. |
518020 | This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend. |
519081 | The server configuration of :* members now loads without error using tmsh. |
519510 | Change in L4 packet header offset, resulting from VLAN header insertion, is being accounted for to verify checksum. |
520380 | Enabled auto-sync and save-on-auto-sync no longer causes out-of-memory condition. |
520405 | A max-concurrent-queries configuration setting significantly above default no longer leads to a situation that causes tmm to restart in certain traffic loads. |
520413 | Woodside congestion control along with multiple profile options enabled and certain traffic no longer causes an issue where tmm may core. |
521144 | Network failover packets on the management interface now have the correct source IP when the device service clustering (DSC)/high availability (HA) device group members have management ports on different IP networks, so that a management route is necessary for them to communicate. |
522837 | Ensured that connections are not deleted twice when shutting down, so mcpd no longer cores. |
522871 | Nested wildcard deletion now deletes matched objects only. |
523434 | mcpd on secondary blades may restart and log an sflow_http_virtual_data_source error after a change in the cluster's primary blade. |
523513 | Compression is now disabled after an HTTP response with empty payload for iRule-based enabling. |
523527 | Routing protocols are now correctly configured on Route Domain 0 (zero) (RD0) after upgrade to version 11.2.0 or later. |
523642 | Power Supply status is now reported correctly after LBH reset. |
523854 | RTSP interleaved traffic passes reliably, even over an unreliable connection experiencing packet retransmission. |
523922 | Session table entries now consistently get their timeout values touched in all scenarios. |
524300 | A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 that is booted from MOS now retains its connection to the serial console. |
524490 | tmsh show sys running-config shows minimal default configuration. |
525958 | TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop. |
526974 | Data-group member records no longer map empty strings to 'none'. |
527011 | Correctly set the inter-packet gap. |
527024 | Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records. |
527027 | Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records. |
528007 | The server name extension no longer leaks during renegotiation. |
528276 | The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query. |
528407 | TMM no longer cores with an invalid lasthop pool configuration. |
528739 | The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section. |
528881 | NAT names with spaces in them now upgrade properly. |
529524 | BIG-IP systems and VIPRION platforms now successfully establish IPsec IKEv1 tunnels and secure and pass the intended traffic. |
529920 | Connection mirroring on a OneConnect virtual server now successfully recovers from a TMM crash during connection establishment, so no mirrored connection flows are lost. |
529977 | The OSPF LSA database correctly reflects the state of redistributed routes after rapid updates. |
530505 | When packet filtering is enabled and an IP fragment is received on the non-owning TMM, TMM forwards the IP fragment without issue. |
530761 | Corrected system to properly handle the above combination of conditions. |
530903 | HA pair in a typical Active/Standby configuration now remain Active/Standby after a software upgrade. |
531986 | The problem with default tmm route breaking Hourly licenses has been resolved with the fix. The default tmm route no longer affects the Hourly license. |
532107 | Maximum RTT value for nameserver cache is now deleted when the nameserver cache is deleted, which is correct behavior. |
532559 | Upgrade no longer fails if 'defaults-from none' is under profile '/Common/clientssl'. |
532799 | The BIG-IP system now correctly uses ARP to determine the destination MAC of a host routed via a /32 vlan route. |
533388 | tmm no longer crashes with the assert "resume on different script". |
533562 | Fixed CGNAT memory leak that occurred when configured for hairpin mode or when inbound connection handling is set to automatic. |
533826 | The snmpd image no longer increases in size on a VIPRION system processor. |
533966 | There is no longer a TMM crash due to an extra loopback nexthop release. |
534052 | Memory is no longer leaked when VLAN failsafe is active and sending ICMP probes. |
534458 | The SIP monitor now correctly processes monitor responses when the use of whitespace in header fields differs. |
534582 | HA configuration no longer fails over when a standby system has only the base configuration loaded. |
534804 | TMM no longer cores in certain conditions with rate limiting and service-down-action reselect on pool members. |
536939 | Services no longer restart on a secondary blade when deleting configuration elements via tmsh using a * wildcard. |
537553 | Changes to SSL profile configurations now complete successfully. |
537964 | All relevant monitor instances are now deleted when a pool's monitor is replaced. |
538133 | The system now shows the list of sensors (from the sensor_limit_table or from the system_check utility), along with the actions taken when sensor data exceeds its defined limit. |
538255 | The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption. |
538603 | TMM no longer produces a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down. |
539822 | tmm no longer leaks connflows and memory on vCMP guests when only one tmm is provisioned. |
540473 | When the peer/clientside/serverside iRule contains parking commands, tmm no longer cores upon connection reuse. |
540484 | Fixed crash from incorrectly matching PPTP ALG traffic in forwarding fastl4 virtual server. |
540846 | Resolved CVE-2015-5722. See AskF5 solution article SOL17181: BIND vulnerability CVE-2015-5722, available here https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17181.html. |
540849 | Resolved CVE-2015-5986. See AskF5 Solution Article SOL17227: BIND vulnerability CVE-2015-5986, available here https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17227.html. |
542314 | Rare HSB lockup on a 3900, 6900, 8900, 8950, 11000, 11050, PB100 or PB200 platform no longer occurs. |
542860 | Running a tmsh command or the racoonctl utility to delete IPsec SAs during an HA Active-to-Standby (or Standby-to-Active) event no longer results in a TMM crash, and the IPsec SAs are deleted as requested. |
543220 | Global traffic statistics now include the correct PVA statistics in the GUI and in tmsh. |
544028 | This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow. |
544481 | Excessive DPD message exchange no longer causes the IPsec tunnel to fail. |
544913 | Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server. |
544980 | BIG-IP Virtual Edition now ends up with sufficient disk space for the /var software partition when deploying from OVA for the Better or Best license bundle. |
545704 | TMM no longer cores when using HTTP iRule commands on the server-side of the HTTP_REQUEST_SEND event. |
545745 | The cosmetic messages containing 'err' and 'best err' are no longer posted on initial tmm startup when tmm.verbose logging is enabled on hardware-accelerated devices. |
546260 | Fixed root cause of TMM core. |
547815 | Freed a temporary data structure leaked by a premature return in DNSSEC-on-miss patch. |
550694 | Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances. |
552532 | Oracle monitor functions now as expected with UTC and other time zones. |
553311 | The tmm crash caused by the route pool configuration is fixed. |
555686 | The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs. |
556284 | GTM/LC sync now completes successfully even when the configuration being synced contains a custom GTM/LC monitor definition. |
Fixes in 11.5.3
The contents of 11.5.2 HF1 are merged into 11.5.3.
ID Number | Description |
---|---|
ID 384451 | Improved memory management when there are duplicated keys or certs. |
ID 394236 | Changed ordering of shutdown operations to avoid this error. |
ID 420204 | The BIG-IP system now posts an error if the user tries to manually delete a particular FIPS key by-handle while its corresponding key object exists in BIG-IP configuration, regardless of the length of the key name. IMPORTANT: FIPS key deletion by-handle should still be executed with caution because the FIPS handle might belong to keys in different boot locations of the BIG-IP configuration. Deleting those FIPS keys does not throw an error, but will make FIPS keys in the other boot locations invalid and unusable. |
ID 428163 | Deleting a cache resolver no longer results in outstanding packet issues. |
ID 430323 | VXLAN daemon does not restart when 8000 VXLAN tunnels are configured. |
ID 435044 | The following error is no longer logged erroneously on BIG-IP platforms that do not contain a FIPS hardware device: date_and_time hostname err iControlPortal.cgi[30667]: Checking for FIPS card.. FIPS open failed. |
ID 435335 | The tmm.proxyssl.cachesize and tmm.proxyssl.bucketcount settings are now respected when set and TMM has been restarted after the new values have been set. |
ID 436468 | DNS cache resolver TCP current connection stats are now decremented properly. |
ID 437637 | The 7000 Series platform no longer reports a false positive sensor out-of-range error when the Host is powered off using the AOM. |
ID 438674 | The BIG-IP system no longer sends tamd log messages to the configured remote log destinations. |
ID 438792 | The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur. |
ID 439343 | LDAP client certificate SSL authentication now sends the correct bind password to the LDAP server. |
ID 441642 | Monitor log rotation functionality has been restored, so that emails with error statements sent to the postmaster every 30 minutes have been stopped. |
ID 442647 | iRules now use a 64-bit object. |
ID 444710 | Out-of-order segments received before 3WHS is completed are no longer dropped. |
ID 447272 | If mcpd audit logging is enabled on a chassis, updates to device group state were in past versions recorded on every configuration change, even if CMI was not configured or no synchronizable object was modified. This no longer happens, and these log messages are now only generated if the state actually changes. |
ID 447483 | Resolved CVE-2014-3959. |
ID 451224 | The tm.pathmtudontfragoverride DB variable has been introduced. If its value is changed from 'disable' (the default) to 'enable', the DF bit is not set in IP fragments generated by TMM. |
ID 451433 | If a device goes to standby due to a failsafe operation, the HA Group Scores on that device are forced to zero, so that the traffic groups can become active on an active device. This is the correct behavior. |
ID 453489 | The system no longer posts extraneous warning messages caused by ssh connections from peers on the 127.0.0.0/8 subnet. |
ID 455006 | Invalid UDP datagrams that interfered with SIP processing are now dropped. |
ID 456413 | Persistence records are maintained when the connection and persistence timeouts are within 33 seconds of each other. |
ID 456573 | Power supply sensor values are successfully read without errors on BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances with DC power supplies. |
ID 456853 | For DTLS, the ChangeCipherSpec (CCS) record is held until all other handshake messages except Finished have been handled. When pcm is set to request, the client may or may not send a CertificateVerify (CertVfy) message; in that case (expcertvfy=TRUE and pcm=request) BIG-IP holds the CCS at most DTLS_MAX_NUM_HOLD_CCS_WAIT_CERTVFY times. When pcm=request and the client sends a client Certificate message to BIG-IP (client-ssl profile), there are two cases for DTLS. 1. The client never sends a CertVfy message: when BIG-IP receives the CCS message, it should process the CCS and not hold it. 2. The client sends a CertVfy message but in the wrong order (CCS, then CertVfy): BIG-IP should hold the CCS and wait for the CertVfy message, and after it receives CertVfy, process CertVfy and then CCS. After BIG-IP receives the CCS message it does not know whether a CertVfy message will follow, so it holds the CCS for three (DTLS_MAX_NUM_HOLD_CCS_WAIT_CERTVFY) retransmissions of the message before concluding that the client will not send CertVfy. hs->num_hold_ccs_wait_certvfy is the counter for this; it only increases, and once it reaches 3, BIG-IP starts to process the CCS message. |
ID 461587 | Serverside connections established due to LB::reselect will now correctly get closed after the 3-way handshake completes if the corresponding clientside connection has already been closed. |
ID 462827 | The system now checks the full header name, rather than only the X-F5 prefix, to determine whether a header is the X-F5-REST-Coordination-Id header. |
ID 463380 | URIs with space characters now work properly in ODATA query. |
ID 464116 | HTTP responses modified by response-adapt are cached. |
ID 466266 | In this release, the system ensures that upgrade from 11.x can never result in an Active/Active state. |
ID 467196 | The max log size setting is now greater than 1024, which allows large systems (multiple blades, high-availability) to store messages for more than 24 hours. |
ID 468235 | The worldwide City database (City2) now includes Digital Element's proxy information. |
ID 471535 | FTP filter now accepts NL-only line-ending when rewriting EPSV command. |
ID 471625 | After deleting external data-group, importing a new or editing existing external data-group now works as expected. |
ID 471860 | When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED. |
ID 472092 | The complete request payload is now sent to the ICAP server, even in the presence of a long-running iRule in ICAP_REQUEST. |
ID 472202 | The false-positive report of an RX HSB DMA lockup no longer occurs as long as the ring is moving. |
ID 474388 | The race condition that occurred has been fixed, so no APM-profile-related actions complete after the HTTP-profile closes the connection. |
ID 474974 | ssl_sni_profile_hash_add() and ssl_proxy_profile_hash_add() increase the nref counter, so ssl_sni_profile_hash_drop_all() and ssl_proxy_profile_hash_drop_all() now decrease the nref counter accordingly. |
ID 475460 | tmm no longer crashes if a client-ssl profile is in use without a certificate revocation list (CRL) configured. |
ID 477218 | TMSH command now automatically issues the absolute path by using the context for the current connection to MCPd, so there are no MCPd restarts in this case. |
ID 477789 | The system now correctly converts the '&' (ampersand) character in the Certificate and ensures that the Peer Device process is still operating. |
ID 480370 | The internal listeners that are created to forward the connections between TMM processes are now deleted when no longer needed, so new connections are not created, which prevents a memory leak. |
ID 481216 | A fallback response is no longer inappropriately generated after an error after an Early Server Response. |
ID 481844 | When adding and deleting multiple client-ssl profiles configured with differing certificate revocation lists (CRLs), tmm no longer crashes and/or uses the wrong CRL. |
ID 483539 | The correct MSS value is now used when SYN has options without MSS specified, so TMM no longer cores. |
ID 484305 | TMM no longer crashes when an iRule executes a parking command inside a 'clientside' or 'serverside' context-switching command. |
ID 484706 | Incremental sync of the deletion of an iApp instance now completes successfully. |
ID 485472 | Resolved issue where TMM might crash with assert: 'Must be syncookie' when the iRule 'virtual' command leads to a protocol mismatch. |
ID 486450 | iApp redeployment now works correctly, and no longer causes mcpd on secondaries to restart. |
ID 487660 | This release resolves CGNAT translation failures in persistence mode when there is an SPDAG and a small port range. |
ID 488374 | The racoon daemon no longer crashes due to mismatched IPsec policy configuration. |
ID 489750 | The system now handles the case in which deleting FIPS key by-handle using tmsh when the key name is different from the FIPS-label of the key. |
ID 490713 | FTP port selection uses a round robin method to avoid quick-reuse as much as possible. |
ID 491454 | SSL handshake now completes successfully when a SPDY profile is attached when Next Protocol Negotiation (NPN) is detected on a BIG-IP system with a Cavium Nitrox accelerator. |
ID 491518 | SSL [session id] persistence no longer prematurely terminates TCP connections. |
ID 491791 | Performing a GET on nonexistent pool members using iControl REST now shows an error. |
ID 492368 | Resolved CVE-2014-8602. |
ID 492422 | The response code is now reported only in HTTP response logs. |
ID 493558 | TMM now handles a lost-packet/retransmitted-packet value mismatch and no longer cores because of it. |
ID 493673 | Fields that must not be compressed, e.g., the NAPTR Replacement field, are now correctly left uncompressed. |
ID 493807 | Using PPTP with profile logging now works correctly and no longer causes TMM to crash. |
ID 494322 | TMM no longer crashes under load when the HTTP_REQUEST iRule handler is used with the explicit proxy. HTTP state-changing commands used within HTTP_REQUEST on the explicit proxy now work correctly. |
ID 494367 | HSB lockups no longer occur after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms. |
ID 495253 | TMM no longer cores in low-memory situations during SSL egress handling. |
ID 495526 | TMM no longer cores if users choose to modify the tunnel interface attributes, such as MTU value, before traffic passes through an IPsec tunnel interface. |
ID 495574 | Fixed an issue in which DB monitor functionality might cause memory issues. |
ID 497619 | The intermittent performance impact no longer occurs when a pool member goes up and down while source_addr persistence is in use. |
ID 497719 | Resolved CVE-2014-9295, CVE-2014-9293, CVE-2014-9294, and CVE-2014-9296. |
ID 497742 | All TCP re-transmits have the proper source MAC address. |
ID 499150 | Connections are now reused even in a VIP-on-VIP configuration. |
ID 499430 | Standby unit no longer bridges network ingress packets when bridge_in_standby is disabled. This is correct behavior. |
ID 499946 | Internally, the fragment buffers are copied into a contiguous buffer before processing by the Nitrox crypto hardware. |
ID 499947 | The Virtual Address state change code was improved in multiple areas: 1. GTM is checked for provisioning. 2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast. 3. Virtual Address changes caused by Virtual Server, Pool, or Virtual Address changes are processed at a higher priority. 4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3. 5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations. |
ID 500234 | Fixed a race condition that might have caused IPSec components to access previously freed memory. |
ID 500365 | This release fixes a memory leak that occurred when using SIP in TCP/ClientSSL configurations, when the clientside flow was torn down in response to the SSL handshake not completing. The system now frees the SIP handler upon receiving the notification of a failed SSL handshake, so that the connection is rejected, the system performs the proper cleanup of the SIP handler, and no memory leak occurs. |
ID 501690 | TMM no longer crashes due to the behavior of the LTM listener with an iRule that has a RESOLV::lookup command when parsing its return values. |
ID 501953 | The fix correctly removes the next-active setting for a device when it is in standby mode and an HA failsafe triggers. This causes a new device to be picked as next active if one is in standby mode and capable of running the traffic group. |
ID 502149 | iControl now stores the mode info and sets a default value for it. |
ID 502443 | When a VIPRION blade comes on-line, the bigd process on the blade no longer starts health monitors prematurely, which could have caused some monitored objects to be marked down incorrectly. |
ID 502683 | Traffic is now handled correctly in syncookie mode when hardware syncookie is on. |
ID 502770 | Parking commands can run inside clientside and serverside. The client-side connection must exist when the clientside command runs, and the server-side connection must exist when the serverside command runs; otherwise the clientside and serverside commands fail. |
ID 503604 | Fixed an issue in which tmm cored when switching from an interface tunnel to a policy-based tunnel. |
ID 503620 | BIG-IP SSL now works correctly with the ECDHE_ECDSA or DHE_DSS ciphers when the OpenSSL client version is 1.0.1k or later. |
ID 503676 | SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior. |
ID 503741 | The system now silently discards all of the invalid records and preserves the association. This is correct behavior. |
ID 503979 | CPU usage is no longer overwhelmed when the cache resolver sends large numbers of DNS queries to slow back-end name servers. |
ID 504306 | https monitors now properly perform SSL session re-use. |
ID 504396 | When a virtual server's ARP or ICMP is disabled, the correct mac address is now used. |
ID 504572 | PVA-accelerated 3WHS packets are now egressed on the correct hardware COS queue. |
ID 504633 | The system now updates the 'expected next sequence number' only when the record is good. |
ID 505056 | Packet priority passthrough mode is now working properly. |
ID 505222 | Previously, DTLS sent CN requests one at a time: it sent one request, waited for the response, and then sent the next. With this fix, DTLS sends multiple requests to CN concurrently. |
ID 505964 | A crash in the HTTP profile implementation of cookie handling has been fixed. |
ID 506282 | DNSSEC key generation is now synchronized upon key creation. |
ID 506290 | MPI-redirected traffic is now sent to HSB ring1 instead. |
ID 506304 | UDP connections no longer stall if initialization fails. |
ID 507143 | The Diameter filter now queues HUDCTL_ABORT events to prevent them from leapfrogging previously queued events. |
ID 507461 | The system no longer resets active net cos settings during device/group HA configuration sync operations. |
ID 507487 | Added validation for virtual server iRule pools. |
ID 507842 | Resolved CVE-2015-1349. |
ID 508716 | The DNS cache resolver no longer drops chunked TCP responses. |
ID 509063 | Creating or loading a guest config on a clustered BIG-IP with an empty slot 1 no longer results in an error, and the default cores-per-slot value is correctly used for the guests. |
ID 509276 | VXLAN tunnels with floating local addresses no longer generate incorrect gratuitous ARPs on the standby device. |
ID 511130 | Memory is now validated before handling a CMP acknowledgement. |
ID 512485 | In this release, the system does no L2 forwarding of encapsulated frames received from one endpoint and destined to another within the same overlay (VXLAN VNI/Tunnel), so no extra hop is added. |
ID 513034 | TMM no longer crashes if FastL4 virtual servers receive fragmented packets. |
ID 514450 | This version of software more consistently handles the condition of a remote MAC address being moved from one endpoint to another. |
Fixes in 11.5.2
The contents of 11.5.1 HF1 through 11.5.1 HF6 (inclusive) are merged into 11.5.2.
ID Number | Description |
---|---|
ID 356658 | The system no longer logs an alert-level message when remotely authenticated users who do not have a local account log in. The notice-level error is written to /var/log/secure, as expected. |
ID 400945 | Errors reported when vdisk volume is corrupted/unmountable have been clarified. |
ID 416292 | Ensured that the active CMI connection is destroyed when mcpd is shutting down. |
ID 417068 | FIPS key labels longer than 32 characters are now truncated to 32 characters. For keys whose first 32 characters are the same, the system truncates the label and appends an underscore and a number so that the total length is 32 characters; for example, fipssamplekeylabelof32characte_1, fipssamplekeylabelof32characte_2, and so on. BIG-IP uses the FIPS handles when querying the FIPS cards for keys, so the fact that the FIPS key labels differ from the BIG-IP key names does not matter and does not affect traffic. |
ID 419664 | Performing a mibwalk of SNMP-sysIfxStat now returns expected stats. |
ID 424143 | The SNMP configuration is now being saved to the correct file. |
ID 426328 | Updating an iRule that uses sideband connections no longer causes TMM to core. |
ID 427357 | The icmp-echo property is now set correctly for virtual addresses with network prefixes. |
ID 427832 | The timestamp for the bounded lifetime of the syncookie tables of secrets is now maintained correctly. As a result, software syncookies are resolved consistently. |
ID 428072 | If an iRule refers to a pool by leaf name (without the full path), the virtual server status now reflects the pool's status. |
ID 432720 | The BIG-IP system no longer sends GARPs for a virtual address when ARP has been disabled for that virtual address. |
ID 434400 | The connection is terminated, and the tmm core no longer occurs. |
ID 434730 | Automatic incremental synchronization succeeds even after a large number of synchronization operations in rapid succession. |
ID 437627 | Improved handling of a fragmented packet that could cause a crash if using a fastL4 profile. |
ID 437773 | All LACP trunk members remain present after rebooting primary blade. |
ID 437875 | This spurious error message may previously have been displayed when the local user database feature was configured: 01071704:3: Not running command (/usr/libexec/localdb_mysql_restore.sh) because the request came from an untrusted connection. The message has always been harmless, and it is no longer displayed. |
ID 438877 | The SASP monitor ignores up to 5 consecutive unexpected send-weight messages and keeps looking for the registration reply from the GWM. If it does not get the reply within 5 attempts, the monitor restarts. |
ID 439363 | When the local traffic policy name that is auto-generated from multiple HTTP Class profile names is longer than the maximum supported length of 255 characters, the system now truncates the name, so that config load and upgrade occur successfully. |
ID 441985 | The key/cert/chain/passphrase (outside ckc) now matches the RSA pair inside ckc. |
ID 442020 | Router information is now preserved correctly by proxy ARP/NDP code for VLAN groups. |
ID 442191 | The policy condition now converts properly from an HTTP class to an LTM policy and the ultimate behavior is identical to that of the previous release. |
ID 442336 | TMM no longer crashes when there is a FastL4 virtual server, syncookie is enabled, PVA is accelerated, and a configured SERVER_CONNECTED rule fails. |
ID 442391 | Duplicate address detection and unsolicited neighbor advertisement now work as expected. |
ID 442618 | Improved memory handling in TMM prevents some TMM crashes in low-memory situations. |
ID 442993 | Only the default management-route is used to configure the gateway; if it is unconfigured, no gateway is set. |
ID 444178 | The policy now properly replaces the specified HTTP headers. |
ID 445911 | tmm fast forwarded flows are no longer offloaded to ePVA, which is correct behavior. |
ID 447080 | VLAN tagged/untagged configuration change occurs immediately, and no longer requires tmm restart. |
ID 447874 | HTTP pipelined requests no longer cause the TCP window to stay at 0 when those requests use the GET method. |
ID 448476 | Updated media code to recognize XFP media in PB100 blades. |
ID 448533 | The endpoint is chosen based on the client's source port. This leads to better port selection behavior. |
ID 448787 | Connection tracking is now correctly disabled in non-default route domains. |
ID 449891 | The fallback source persistence record is now used, and the second SSL request is load balanced to the same pool member as the first. |
ID 449896 | Deterministic NAT (DNAT) does not pick a colliding port for the second connection, so connections complete successfully. |
ID 449989 | A UCS can now be saved when using iControl REST. |
ID 451035 | Configuring BIG-IP with hundreds of FIPS keys no longer causes TMM to reset. |
ID 451319 | The system now honors the Content-Length header when the server responds to a CONNECT request with a 4xx response that has a body. |
ID 451534 | TMM SIGSEGV and crash no longer occurs with SSL forward proxy in PassThrough Mode. |
ID 452293 | Monitors now work on the Standby devices in an HA configuration. |
ID 452315 | A connection rate limit configured on a virtual server with no default pool now works. |
ID 452454 | RST packets are now forwarded for an IP forwarding virtual server that has a fastL4 profile with loose initialization configured and an idle timeout that is less than the server idle timeout. |
ID 452482 | Cookie persistence records are ignored when the connection limit of the persisted pool member has been reached. This results in incoming connections being offloaded to another pool member (if available). |
ID 452643 | A member's lb_value is updated upon transitioning from the disabled to the enabled state when using one of the following load balancing methods: Least Connections, Fastest, or Least Sessions. |
ID 452689 | Tunnels such as IPIP and GRE constructed over the IPsec tunnel interface now pass traffic as expected. |
ID 453171 | The system now correctly handles a large number of cookies when using Application Policy Manager (APM). |
ID 454475 | The padding values used in the TLS 1.0 or greater handshake are now validated, and invalid values cause an alert to be sent. |
ID 454954 | Packets dropped using DIAMETER::drop within DIAMETER_INGRESS event will no longer be retransmitted. |
ID 455376 | Parked Diameter response messages are no longer dropped, nor are the requests retransmitted. |
ID 456461 | The TMM no longer core dumps when a vlan-group is configured after an sflow receiver. |
ID 456467 | This release fixes the intermittent/infrequent case in which the CPU usage of restjavad (as reported by the top command) exceeds 20% for 15 seconds. |
ID 457934 | SSL Persistence Profile now operates correctly, and does not cause high CPU usage. |
ID 458480 | TCP Segmentation Offload (TSO) no longer causes the Traffic Management Microkernel (TMM) to restart during high memory usage. |
ID 458957 | TMM no longer leaks memory on repeated plugin client initialization messages. |
ID 459096 | Setting Allow All to Allow Default now works without error. |
ID 459929 | Policy rules are now evaluated in the expected order. |
ID 460020 | If there are multiple set cookie rewrites to an HTTP response header, tmm no longer cores due to referencing incorrect locations into the buffer. |
ID 460178 | oamd shutdown function has been updated and does not crash attempting double delete. |
ID 460730 | Increased MCP's throughput by limiting the amount of data sent in a given chunk. |
ID 460945 | Memory no longer leaks when changing a policy that is in use by a virtual server. |
ID 461350 | Fixed an issue in which standby device memory kept growing when connection mirroring and retransmission were turned on. |
ID 461578 | This release provides improved handling of large objects in the session database. |
ID 462025 | SQL monitors now handle route domains so that they behave as expected. |
ID 462351 | Stats for policies can now be reset from the Statistics :: Module Statistics : Local Traffic :: Policies page without error. |
ID 463470 | The Active Translation Mappings now count only translation mappings that are actively in use. |
ID 463652 | Client SSL profile retains its own Certificate/Key/Chain entries, when they differ from the parent profile. |
ID 463715 | syscalld's timeout mechanism no longer emits an OPERATION_TIMEOUT message, unless the message appropriately reflects the condition of the system. |
ID 464132 | Server-side SSL can now be disabled by an iRule or CPM policy. |
ID 464148 | The deterministic NAT (DNAT) utility (dnatutil) now reports correct reverse mappings for platforms with Intel Hyper-Threading (HT) Technology split-plane (htsplit) CPUs, which include VIPRION and BIG-IP 4000-, 7000-, 8000-, and 10000-series platforms. |
ID 464499 | A client-ssl profile configured on a partition other than /Common now retains its cert-key-chain setting. |
ID 464683 | Upgrade from 11.2.1 to 11.5.0 and later now works correctly. |
ID 465052 | The system now checks that all required arguments are present in an HTTP::cookie command before attempting to use them. |
ID 465133 | SIP-ALG now keeps track of the second INVITE and its sequence number and recognizes the 200 OK. |
ID 465607 | The system now provides checks to mitigate the race condition on close of FastHTTP to avoid the core. |
ID 465803 | OpenSSL is updated to fix CVE-2014-0221 and CVE-2014-0195. |
ID 466281 | A value stored in the session DB from an iRule on the parent VS can be accessed from the internal virtual server, and vice-versa. |
ID 467022 | The platform capabilities file which was causing this issue has been modified to allow the system to go active normally. |
ID 467646 | IDE DMA timeouts no longer cause the system to become unresponsive on VIPRION B4100/B4100N (A100) and B4200/B4200N (A107) blades, or on Virtual Edition (VE) configurations deployed with IDE storage drivers (Xen, Hyper-V). |
ID 467706 | Forward and reverse mappings are now in agreement for VIPRION C4800/C4800N (S100, S101). |
ID 467868 | Previously, mcpd might leak memory when returning an error message that contained the reason for a monitor failure. The message now reports the reason without leaking memory. |
ID 468175 | The system now works correctly, without stopping traffic going through an IPsec tunnel from BIG-IP systems to Cisco systems. |
ID 468388 | Connection flows do not leak and TMM does not core when service provider DAG is configured and/or under-provisioned LSN pools are configured on the BIG-IP systems. |
ID 468514 | The system now ensures that only one sync for a given commit transaction is sent to the remote peer. |
ID 468517 | This mcpd error message no longer occurs on the secondary blades: err mcpd[6528]: 010717b5:3: HA group (HA) cannot be removed. It is used by traffic group (/Common/traffic-group-1 ) |
ID 468837 | SNAT translation traffic group inheritance now syncs across devices using incremental sync. |
ID 469139 | The virtual server statistics detail page now displays values for max PVA assist, current PVA assist, and total PVA assist from the virtual server stats table and the pva struct. |
ID 469739 | The ConfigSync operation completes successfully if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile. |
ID 470191 | FastL4 component now validates existence of connection peer upon reception of TCP FIN. |
ID 471644 | 'Total' is removed from Throughput(bits) and Throughput(pkts) charts (both in GUI and tmsh) |
ID 471821 | Setting compression.strategy to "SIZE" previously caused compression to be performed in software. |
ID 472148 | The Nitrox driver was updated to properly handle highly fragmented SSL records. |
ID 472157 | The browser now succeeds uploading large files. |
ID 472571 | Multiple client SSL profiles attached to a virtual server will no longer cause memory to be leaked. |
ID 472944 | SMTP commands received after STARTTLS will be correctly buffered by SMTPS profile until the SMTP server is ready to receive them. |
ID 473105 | FastL4 connections are now handled correctly with pva-acceleration set to guaranteed, and are no longer reset. |
ID 473200 | Manually editing the system configuration and renaming a virtual server with an empty pool no longer causes an unexpected error when reloading the configuration. |
ID 474069 | If the IVS connection is closed while ICAP is processing an iRule that completes asynchronously, and if on resumption of processing the ICAP response an abort occurs, the closing is not processed after the abort, and no crash occurs. |
ID 474226 | LB_FAILED event is correctly triggered when persistence pool member is not available or offline. |
ID 474584 | The igbvf driver no longer leaks xfrags when a partial jumbo frame is received. |
ID 474771 | In this release, the system includes the PVA statistics when calculating the BIG-IP system global throughput statistics values. |
ID 475791 | Removed ramcache race condition, so that connection teardown messages are processed in the correct order. |
ID 476564 | The system now sends RST in guaranteed mode for an ePVA flow when the packet is received in software. |
ID 476567 | The system now updates accelerated status after the flow has been successfully inserted into the ePVA, so the correct state is reported. |
ID 476886 | In this release, if BIG-IP system receives the complete ICAP response from the ICAP server before it has completed sending the ICAP request, and a OneConnect profile is on the IVS, the TCP connection to the ICAP server is terminated and that connection is not reused. |
ID 477111 | The main routing table now has a single entry for the management network. |
ID 477232 | Only the translation address persists when the persistence mode is address. |
ID 477375 | SASP monitor no longer cores when configured in push mode. |
ID 477394 | Passive FTP using FTP range iRule no longer causes out-of-ports reset. |
ID 477859 | ZebOS config now loads correctly when the password begins with a number. |
ID 478195 | FIPS exported keys can now be correctly installed on other FIPS platforms that belong to the same FIPS security domain. |
ID 479171 | tmm no longer attempts to transmit DSACKs after reassembly queue has been purged, so no tmm crash occurs. |
ID 480113 | FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure. |
ID 480509 | HTTP bodies containing a Content-Type header of 'application/javascript' or 'text/javascript' will be recorded under the 'Javascript' compression statistic. |
ID 480686 | Internal vlangroup loop no longer occurs when the Translucent/Transparent vlangroup setting exists with a duplicate IP address. |
ID 480699 | Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of tmms, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure. |
ID 480888 | A response from the server is no longer truncated in some situations when the serverssl profile is combined with the use of the HTTP::collect iRule command. |
ID 481082 | The auto update settings no longer reset during a sync operation. |
ID 481410 | The Automated Phone Home update check time is now randomized to prevent the intermittent problem that occurred when all machines accessed the service at once. |
ID 481647 | OSPF daemon no longer asserts when receiving a Link Status (LS) Update Packet with an LSA header whose length is greater than 255 bytes. |
ID 481648 | The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface. |
ID 481880 | SASP monitor no longer core dumps during a state change in push mode. |
ID 483157 | The BIG-IP system no longer uses 0 (zero) as the TCP source port for server-side flows, so TCP ports are not reused too quickly. |
ID 483328 | SSL virtual servers now successfully negotiate SSL handshake, so the device no longer logs the following message: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate. |
ID 484453 | Reduced the log level for registering with the LOP (lights out processor) to the debug level. |
ID 485189 | TMM now verifies that a persistence cookie was successfully found before extracting it from HTTP responses. |
ID 485833 | All user directory file descriptors are now closed. |
ID 486137 | Activation function has been modified to eliminate dependency on the MCPD. |
ID 486712 | Improved the statistics for updating the number of PVA connections when using fastL4. |
ID 487554 | In this release, reuse of TCP source ports is sequential, which eliminates the issue of TCP source ports being used too quickly on the server side. |
ID 487696 | Channel splitting/division is now disabled when the number of TMMs is odd. Physical platforms guarantee even counts, but vCMP (for one) allows configurations that result in an odd number of TMMs, which violates the channel splitting assumptions. |
ID 488180 | An issue has been resolved which could cause mcpd to continuously restart after a chassis blade replacement. |
ID 490480 | UCS load now completes successfully if the saved configuration includes FIPS keys with names containing dot ( . ). |
ID 490577 | An issue has been corrected which could result in the TMM process crashing and leaving a core during process shutdown. |
ID 490817 | Clear codec alert after propagation so SSL filter doesn't keep reporting alerts indefinitely. |
ID 491030 | The Nitrox crypto accelerator will no longer hang with certain SSL records. |
ID 492367 | CVE-2014-8500 |
ID 494029 | Console messages about a missing ebtables command no longer appear during BIG-IP system startup. |
ID 494078 | Automated Phone Home update check contains strengthened certificate validation, including hostname verification. |
ID 494280 | The new flow/tunnel is now dropped and allowed to clean up. |
ID 497579 | An issue has been corrected which can prevent a vCMP guest from processing SSL and compression traffic. |
ID 503237 | CVE-2015-0235 |
Fixes in 11.5.1
ID Number | Description |
---|---|
ID 439054 | Running 'qkview' from the Primary blade on a chassis based system with more than one blade installed now produces Secondary blades files. |
ID 447267 | Erroneous "Unsupported power supply" messages have been stopped by a new method of verifying PSU model numbers. |
ID 446540 | TMM will no longer core/restart with this backtrace due to large DNS sub-cache sizes. Please note that it is still advised to restrict cache size to 10x the defaults to avoid TMM memory starvation issues. |
ID 446901 | The UI now appropriately handles the value range for the Message Cache Size field. |
ID 448846 | A crash bug related to HSM and memory exhaustion has been fixed. |
ID 446402 | Deterministic NAT state information will be logged from one TMM when configuration changes. |
ID 448299 | The emulated IDE storage driver has been replaced with PV (para-virtualized) SCSI storage driver. PV SCSI driver gracefully handles disk I/O timeouts and recovers from them. |
ID 449330 | NAT information from the previous version is now extracted based on a static file. |
ID 449402 | The correct ha-group failover type is now correctly associated with the traffic-group. |
ID 449769 | L4 mirrored connections are no longer aborted on the first failover to a Big-IP. |
ID 449852 | A statsd memory leak related to vCMP has been fixed. |
ID 450156 | Prevent install failure by always using target installation to get kernel version information. |
ID 442034 | SSL persistence allows clientside to complete before closing. |
ID 450174 | A reference counting problem related to CMP flows on a chassis has been corrected. |
ID 450839 | The 11000 and 11050 platforms now boot correctly with updated hotfixes. You can check the associated hotfix notes to ensure the fix is incorporated. |
ID 450665 | If an unexpected connflow is matched, that connflow is abandoned with an error message similar to: Clientside flow (10.10.10.211:34827 -> 10.10.20.7:34827) found, but is not of PPTP GRE proxy type. Creating new flow. Then a new, correct connflow is created and used. |
Fixes in 11.5.0
ID Number | Description |
---|---|
ID 223684 | Toggling between Advanced/Basic mode now correctly shows and hides RADIUS and Diameter profile settings. |
ID 242715 | We now flush L2 forwarding tables on failover for vlans in vlangroups. |
ID 248216 | The SOAP monitor now allows configuring the SOAPAction HTTP header. This allows specifying the intent of a SOAP request in the form of a URI, as documented at [1]. The default value is the empty string (the header is still sent, but with no content). |
ID 273195 | A new command has been created to enable or disable logging. The attribute is applied to the node or pool member, is not saved to the configuration, and does not sync. Logging is continuous, and the files are rotated and compressed regularly. The logs are stored in /var/log/monitors, while the old logs (such as bigdlog and monitor debug) remain consistent in behavior and location. To configure in TMSH: tmsh modify ltm node <name> logging enabled; tmsh list ltm node <name>; tmsh modify ltm pool <name> members modify { <name> { logging enabled } }; tmsh list ltm pool <name>. In the GUI: nodes >> node >> Logging; pool >> members >> member >> Logging. In iControl: bigip.LocalLB.NodeAddressV2.set_monitor_logging_state(nodes=['/Common/172.27.92.215'], states=['STATE_ENABLED']); bigip.LocalLB.NodeAddressV2.get_monitor_logging_state(nodes=['/Common/172.27.92.215']); bigip.LocalLB.Pool.set_member_monitor_logging_state(pool_names=['/Common/p1'], members=[[{'address':'1.1.1.1', 'port':'80'}]], states=['STATE_ENABLED']); bigip.LocalLB.Pool.get_member_monitor_logging_state(pool_names=['/Common/p1']). |
ID 352848 | HTTP::payload command now includes the proper data, and no additional data. |
ID 353101 | The system now handles NULL, and SQL monitors no longer hang. No workaround is necessary. |
ID 353853 | Retries have been added for the floating cluster member management address set request until it succeeds, or the primary switches. |
ID 357536 | HTTP::respond, HTTP::close and HTTP::disable now will work within an early server response. HTTP::collect and HTTP::retry still are non-functional. |
ID 362984 | When running the command 'tmsh modify sys global-settings mgmt-dhcp enabled', the system now posts the message 01071662:3: DHCP is not supported on this platform |
ID 364814 | Improvements in strict ipv6 compatibility and standards compliance. |
ID 365472 | IPv6 traffic from the Linux kernel now uses the correct source address, because the routing decision in the kernel has been disabled and only TMM does the routing. |
ID 370561 | In tmsh, setting /ltm/profile/one-connect/<one connect profile>/share-pools to enabled from the default of disabled allows sharing of node pools among virtual servers with the specified OneConnect profile. |
ID 370941 | Subject Alternative Name now accepts email addresses, URIs, IP addresses, and DNS names as valid input. |
ID 372597 | The merged process no longer consumes most of the CPU. |
ID 383767 | SSL handshakes referencing SSL certificate/key pairs on the Thales HSM no longer fail, and now operate correctly. |
ID 384111 | The iRule 'nexthop' command now updates only 'nexthop' for the connection, and no longer overwrites the selected remote node's address. |
ID 385612 | The HTTP::host iRule command has been improved so that 'HTTP::host www.example.com' will set the host header to www.example.com |
ID 385615 | The HTTP::query iRule command has been improved so that 'HTTP::query example_query=value' will set the query in the uri to 'example_query=value' |
ID 389180 | Prior to 11.5, one could not configure the DSCP bits in the IP header. To configure the new attribute in TMSH: tmsh create ltm monitor http ht1 ip-dscp <value>. In the GUI: monitors >> monitor >> IP DSCP. In iControl: a new monitor parameter type, 'STYPE_DSCP', can be used with LocalLB.Monitor.set_template_string_property and LocalLB.Monitor.get_template_string_property. |
ID 389325 | This release adds four BigDB variables to control the behavior of the HTTP filter when it encounters invalid HTTP traffic. These new options are disabled by default. Important: The last three of these should be used only in a transparent proxy configuration. No checking is done once the HTTP filter switches to pass-through mode, and arbitrary traffic could proceed down the now open tunnel. Tmm.HTTP.passthru.truncated_redirect: for invalid HTTP redirects with missing trailing carriage returns, forwards the redirects to the client instead of dropping them. Tmm.HTTP.passthru.invalid_header: for traffic with invalid HTTP headers, passes through the traffic instead of dropping it. Tmm.HTTP.passthru.unknown_method: treats unknown HTTP extension methods as 'invalid'. You can combine this flag with the previous flag to cause unknown HTTP extension methods to be passed through. Tmm.HTTP.passthru.pipeline: upon receipt of pipelined data, the HTTP filter switches to pass-through mode. This is useful when non-compliant HTTP traffic breaks the request-response idiom, for example, by sending binary data after a GET and expecting that the data is sent to the server before that server responds to the earlier GET request. |
ID 391165 | The last sync type field now differentiates properly between incremental and full load synchronizations. |
ID 392368 | Enterprise Manager now supports statistics collection for managed BIG-IP pool members that have the any port designated. |
ID 396489 | Policies can set an internal virtual server and enable adaptation, and adaptation now occurs correctly. |
ID 396915 | The error message will still be displayed when the malformed packet is sent, but it will no longer crash the utility. |
ID 400007 | MCP validation has been added to prevent user from modifying the netmask. Kernel does not lose the IPv6 self IP address. |
ID 402412 | FastL4 no longer switches to idle timeout before data is received, so the 5-second tcp handshake timeout holds until the first data arrives, at which time it switches to idle timeout. |
ID 403569 | Can now create an internal virtual server in a different partition than the wildcard virtual. |
ID 403758 | BFD protocol configured for IS-IS over IPv6 addresses is able to establish a session with its neighbors. |
ID 404134 | In this release, modifications to the base profile will sync to peers. |
ID 405053 | Reduced error rate reading LOP CPLD sensors. |
ID 406159 | In addition to reporting to the UIs which monitor produced the down result, the system now reports the last error encountered by the monitor, when it occurred, and the time since the last state change. In TMSH: tmsh show ltm monitor <monitor type> <monitor name>. In the GUI: pool >> pool members >> member >> Availability; nodes >> node >> Availability. |
ID 408761 | Faulted message no longer occurs when a PSU is removed or the power cable is removed. |
ID 408950 | VIPRION P8 chassis firmware update now completes successfully when using serial port redirection. |
ID 409219 | IPv6 packet reassembly now succeeds. |
ID 410285 | Optimizations made to tmsh significantly reduce the time required to save a huge configuration. |
ID 411886 | Replacement operations on the allow-service field of self IP addresses now function properly. |
ID 412642 | When the configuration of the floating management address is handled internally, all other management IP addresses are removed and the floating IP is reprogrammed as primary. |
ID 413236 | We now successfully resume SSL sessions with SSL profile names >=32 bytes. |
ID 413354 | Some excessively quick port reuse conditions are now fixed. |
ID 414245 | TMSH 'edit /ltm virtual' command now populates editor with appropriate content. |
ID 414967 | dnatutil will now properly warn when doing reverse lookup on address outside of one-to-one mapping range. |
ID 415072 | The spurious Latched Event log entry that indicates a power system fault no longer occurs. |
ID 415714 | DNS Cache now correctly truncates responses (for non-EDNS0 queries) to 512 bytes. |
ID 415823 | This race condition no longer exists. The BIG-IP system always uses an encrypted connection from the configsync-ip. |
ID 415991 | Active FTP works when there is no route back to the client. |
ID 415995 | Asymmetric profiles (one side UDP and the other TCP) were not working if the server-side profile was UDP. This has been corrected. |
ID 416693 | Beginning with software version 11.4.1, the ACPI _SDD operation fails silently, which is the correct behavior. The original diagnostic that produced the message was incorrect, and has been corrected with new, correct diagnostics. |
ID 416803 | The connection service now ignores excessive concurrent connection requests to the same address. |
ID 416991 | DEFAULT cipher string in SSL profiles will not include any SSLv3 cipher suites. |
ID 417357 | dnatutil can now use Syslog, Splunk log, and LTM logged deterministic NAT configurations for reverse mapping. |
ID 417956 | BIG-IP CGNAT will now translate the internet host IPv4 address into an IPv6 address using the IPv6 prefix from the virtual server. |
ID 418495 | The validation logic in bigip has been changed to skip files with names matching the pattern *.sw[pno]. For files with names not matching this pattern the workaround is still required. |
ID 418552 | Erroneous sensor fault log messages no longer occur on system boot. |
ID 418781 | TMM now delays linking child route-domains until all the route domains are loaded. |
ID 419036 | HTTP iApps now correctly configures Slow Ramp Time when it is set to a non-default value in advanced configuration mode. Affected iApps are f5.http, f5.bea_weblogic, f5.microsoft_iis, f5.microsoft_sharepoint_2010, f5.oracle_as_10g, f5.oracle_ebs, f5.peoplesoft_9, f5.sap_enterprise_portal, and f5.sap_erp. |
ID 419082 | Voltage out of range warnings are no longer logged inappropriately for DC power supplies in BIG-IP 2400 chassis. |
ID 419297 | CGNAT now works correctly when total of the addresses in the virtual server source prefix and the translation prefix is greater than 8 million. |
ID 419730 | A defect in the handling of FTP traffic that led to TMM panics has been corrected. |
ID 419969 | BIG-IP no longer uses different source IP addresses for the Passive FTP data and control connections for virtual servers with an FTP profile and SNAT pool configured. Specific members of a snatpool can also now be selected in an iRule. |
ID 420131 | Fixed a TMM core that could occur while processing certain connection teardown scenarios for virtual servers with a DNS profile. The following log message could indicate that this was encountered: 'Assertion 'valid pcb' failed'. |
ID 420157 | The system now checks for a NULL destination when creating a sideband connection variable in an iRule, and TMM no longer cores. |
ID 420188 | This release corrects the issue in which mcpd failed to synchronize a device group and logged the message indicating that the sync for the device group was already in progress to a different device. In this release, the system does not block a load when another load is already in progress. |
ID 420200 | More types of DNS messages are now passed through the BIGIP. |
ID 420283 | When a VXLAN tunnel is created, the two db variables are enabled automatically. |
ID 420330 | Fixed an issue on TMM SSL traffic handling to avoid crashing when TMM memory is exhausted. |
ID 420475 | Static routes created via tmsh or the web UI are now correctly propagated to ZebOS. |
ID 420498 | If a query that does not have the RD bit set is answered by a virtual server with transparent cache enabled, a subsequent query for the same query name with RD bit set will get a correct answer. |
ID 420573 | FIPS exported (.exp) keys containing colons in the keyname can now be successfully imported into the FIPS card using tmsh. |
ID 420585 | An occasional TMM crash when using a DNS cache resolver or validating resolver has been corrected. |
ID 420723 | In this version of software, the cluster synchronized configuration files have version control, so that a new blade or guest slot's configuration cannot overwrite the higher version of any existing configuration on any potential cluster primary member. |
ID 420789 | The standby system no longer crashes in a configuration containing a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled. |
ID 420941 | A potential TMM crash in low-resource situations with persistence cookies no longer occurs. |
ID 421066 | Syncs previously would fail if another sync was already in progress; this has been fixed. |
ID 421117 | Handling SSL traffic with a SAML Access profile on a BIG-IP 2000-series or 4000-series platform no longer causes TMM to core. |
ID 421124 | Role change is now updated in EM/BIG-IP system SSO setup |
ID 421145 | Systems with many hundreds of active server-side flows on the affected thread no longer result in port exhaustion. |
ID 421171 | SNMP OID now shows the correct treadstone variant for FIPS and SSL. |
ID 421181 | An issue is now fixed where newly created subfolders may fail to sync after an upgrade. |
ID 421270 | The shutdown-timeout parameter is now configurable. The default value is 5 seconds; see tmsh list ltm profile mblb all-properties. |
ID 421289 | Properly warn users when an invalid ceiling is configured in a parent rate class. |
ID 421349 | Using Enterprise Manager to manage HA pairs with FIPS no longer causes key handle mismatches. |
ID 421528 | ICMP messages are no longer reassembled when going through vlan group and original fragmentation is preserved. |
ID 421567 | The UI.logaccess DB variables used to control role-based access to the System Logs in the GUI now persist after reboot. |
ID 421571 | HTTP::respond with a zero-length body now works correctly with SPDY. |
ID 421614 | Handling of qnames in DNS requests has been made more robust. |
ID 421648 | Documentation now contains correct values for the 'Machine Info' agent. |
ID 421670 | TMM no longer crashes when plugins are in use and traffic exercises them. |
ID 421721 | With this fix, we ensure that SDN license is required in order to use VXLAN. |
ID 421868 | Firewall policy objects are now manageable through XConfig interface. |
ID 421882 | ospf6d no longer crashes while attempting to remove redistributed routes during failover. |
ID 421886 | MCPD will no longer crash when completing a file_sync operation. Steps were taken to ensure that the references to deleted information were removed. |
ID 422082 | tmrouted will no longer core |
ID 422105 | Transparent DNS Cache no longer inserts a truncated response into the cache. |
ID 422330 | A flaw has been fixed that would cause tmm to crash with compression enable under a particular corner case involving an aborted or dying flow. |
ID 422359 | The TMM no longer crashes when stalled SPDY streams are aborted. |
ID 422471 | alertd was missing requisite configuration and error map files. Those mappings are now populated and the traps should work. |
ID 422630 | The VXLAN profile now uses the default port suggested by the RFC. |
ID 422731 | The management IP address now persists across reboots when configured via front panel LCD. |
ID 422808 | The connection to a down port specific virtual server is no longer answered by the next less specific port. |
ID 422897 | FTP now works when port translation is needed. |
ID 423067 | DSLite hairpinned connections now allow traffic to flow through. |
ID 423115 | mcpd no longer cores when virtual servers in a traffic group have non-floating ip address. |
ID 423215 | DH-anon (ADH) key exchange is now supported in NATIVE cipher suites instead of COMPAT. |
ID 423306 | CGNAT in deterministic mode translation will no longer fail and use the backup pool. |
ID 423487 | tmsh will no longer display an incorrect warning when validating an iRule that uses the recv command. |
ID 423818 | ICMP packet now gets reassembled only when 'reassemble-fragments' is enabled. |
ID 423834 | tmsh list with the one-line option now displays on one line for all objects as expected. |
ID 423876 | HTTP iApps now correctly configure Priority Group Activation (PGA) when it is selected. Affected iApps are f5.http, f5.bea_weblogic, f5.microsoft_iis, f5.microsoft_sharepoint_2010, f5.oracle_as_10g, f5.oracle_ebs, f5.peoplesoft_9, f5.sap_enterprise_portal, and f5.sap_erp. |
ID 424031 | An issue was fixed where CGNAT in Deterministic NAT translations were not using all the translation addresses and ports configured. |
ID 424035 | Pool member and node ratios greater than 100 are now allowed. With this fix, ratio values between 1 and 65535 are supported. |
ID 424060 | SPDY no longer causes a core in certain low-memory situations. |
ID 424173 | Network device configuration no longer causes some of the directories under /sys/class/net to become unreadable. |
ID 424248 | Virtual servers with the same ip address and port but different vlan assignment now successfully bind to tmm and process traffic as expected. |
ID 424322 | Re-designated an empty SFP port as capable of all media the MAC knows how to support until a PHY is installed. Trunks may now contain empty SFP ports on 2x00/4x00 platforms. |
ID 424345 | An issue has been resolved with the command 'tmsh load sys config verify' where the system may reboot into vCMP mode if the configuration being verified has a different vCMP provisioning level than the current running configuration. |
ID 424379 | Configuring BIG-IP with many FIPS keys no longer causes TMM to constantly reset. |
ID 424561 | Virtual server configured with preserve_port_strict now functions correctly with CMP. |
ID 424728 | BGP address-family IPv6 configuration is correctly saved. |
ID 424822 | OSPFv3 now retains non-default metric/metric-types for redistributed protocols when a unit transitions from active to standby. |
ID 424842 | The UI now escapes the ampersand in certificate fields to prevent improper interpretation of the symbol. |
ID 424901 | Introduced improvements in strict ipv6 compatibility and standards compliance. |
ID 424972 | All requested hardware devices are now assigned to the vCMP guest. |
ID 425028 | The BIGIP configuration will have correct failover traffic group assignment for the '/', '/Common' and other non-default system folders. |
ID 425033 | Validation will now prevent LSN pools with overlapping prefixes from being configured. |
ID 425182 | Improvements have been made to the way the system handles memory pressure, so the system does not slow down or become unstable. |
ID 425250 | TMM no longer crashes when using iRule parking commands with Datagram Load Balancing. This version silently drops any datagrams received after the first response datagram is egressed to the client. |
ID 425333 | Fixed an issue on ProxySSL with Stratos and VE platform during SSL renegotiation. |
ID 425382 | Improvements in strict ipv6 compatibility and standards compliance. |
ID 425495 | Private tmsh aliases no longer cause sync failures. |
ID 425525 | The system now correctly performs a slow-start when serving from cache, which results in correct buffering and traffic handling. |
ID 425580 | By setting the confg.allow.rfc3927 database variable to 'enable,' addresses in the 169.254.0.0/16 range can be configured on a BIG-IP. |
ID 425589 | Improvements in strict ipv6 compatibility and standards compliance |
ID 425594 | Added an option (generic-alert) to the client-ssl and server-ssl profiles. When generic-alert is set to TRUE, the BIG-IP system keeps the current implementation and sends all Alert messages as 'handshake failure' with fatal level. Otherwise, it sends the correct Alert message. The default is TRUE. |
ID 425597 | If (NATIVE+COMPAT) has overlap, SSL will now use NATIVE, not COMPAT. |
ID 425670 | You are now able to delete a wide IP in the LC web interface. |
ID 425878 | Loading a configuration with vcmp guests no longer causes incorrect guest settings. |
ID 425953 | The commit ID is now synchronized to secondary blades of a chassis; a sync will not be required if a different blade becomes primary. |
ID 425974 | HTTP::respond and HTTP::redirect respect the max_requests limit, closing the connection to the server when it is reached. |
ID 426197 | The maximum number of entries in the session cache is now configurable via the BigDB variable tmm.ssl.cachesize. Note that after changing this variable the TMMs must be restarted for the new value to take effect. The per-profile limit is now per TMM so if the limit is set to 32K entries, each TMM will be allowed to have 32K entries. |
ID 426332 | Rules and objects now appear correctly in the new partition. |
ID 426341 | BIND has been updated to address CVE-2013-4854. |
ID 426373 | OSPFv3 external (type 5) LSAs originated by TMOS contain a route tag only when a route tag is configured. |
ID 426508 | 'default-information originate' in OSPFv3 now correctly detects the addition and deletion of a default route. |
ID 426570 | tmm no longer leaks 'source address' memory. |
ID 426625 | The system no longer returns an error when a user tries to update a Data Group of type 'string' or 'integer' that has records containing a String but not a Value. |
ID 426704 | vCMP guest no longer gets stuck in waiting-install when all resources are in use. |
ID 426802 | Improvements in strict ipv6 compatibility and standards compliance |
ID 426992 | When more than one self IP is configured, those self IPs now correctly listen on default ports. |
ID 427002 | If a self-ip has the 'default' list included in the allow-services, then the system will validate all the other entries against the 'default' list. The tmm is now protected from an incorrect configuration with duplicated entries. |
ID 427026 | tmm no longer crashes with an assertion failure when flow_remove is called twice in software after an error was encountered during traffic processing. |
ID 427071 | Resolved issue preventing GUI from displaying traffic selector list. |
ID 427077 | An option has been added to the TMSH config installation command that can be used to reset keys and certs associated with the trust domain. The option name is 'reset-trust' and it can be specified on the command line when manually loading a UCS file in TMOS. This command can be used to mitigate the problem of a UCS file not loading because of missing or incorrectly formed trust certs or device keys. To regenerate the trust-related certs and keys while loading an affected UCS, run the following command: tmsh load sys ucs <UCS File> reset-trust. Important: running this command on a device that is part of a trust domain requires the device to rejoin that trust domain. |
ID 427085 | BIG-IP sets the correct protocol version in Alert message when it receives a ClientHello with an unsupported protocol version. |
ID 427092 | BIG-IP now sends an Alert message with fatal level when it receives an unsupported certificate type. |
ID 427107 | Deterministic NAT configuration snippets logged by LTM no longer truncate needed information when the LSN pool name is longer than 20 characters. |
ID 427112 | For SSLv3, a no_certificate alert message is now sent in response to a certificate request if no appropriate certificate is available. |
ID 427118 | BIG-IP now sends correct TLS alert messages in handshake failure modes. |
ID 427201 | The http-set-cookie action in an ltm policy now correctly uses the domain and path parameters when generating a Set-Cookie header. It is no longer possible to use the http-set-cookie action without supplying a value. |
ID 427239 | The default node monitor now syncs even when full-load-on-sync is false on the failover device group. |
ID 427342 | If you filter by the Status column under Local Traffic > DNS Express Zones > DNS Express Zone List, the page now correctly renders without error. |
ID 427357 | The icmp-echo property is now set correctly for virtual addresses with network prefixes. |
ID 427423 | HTTP now recognizes that 'generic' iRule commands can be executed on both the request and the response. Instead of failing when the http_data structure ownership status is mismatched, HTTP executes the iRule command. The remaining 'non-generic' HTTP commands that still fail are: HTTP::version, HTTP::collect, HTTP::release, HTTP::redirect, HTTP::respond, HTTP::retry, HTTP::close, and HTTP::header insert_modssl_fields. The commands that must be invoked in a request are: HTTP::method, HTTP::uri, HTTP::path, and HTTP::query. The commands that must be invoked in a response are: HTTP::status and HTTP::is_redirect. This means that HTTP commands can now be executed in many more events (those raised by other filters). |
ID 427448 | The memory leak no longer occurs in the MCPd process, so the memory exhaustion that previously resulted no longer occurs. |
ID 427475 | CGNAT: TMM no longer cores when running low on translation addresses and ports. |
ID 427607 | The polling behavior of the quickassist driver has been modified to handle hardware compression requests more efficiently. |
ID 427687 | Policy action 'server-ssl disable' now works correctly. |
ID 427736 | Occasional possibility of a TMM crash during sFlow sampling of HTTP traffic no longer occurs. |
ID 427791 | During rekey, there are no longer leftover invalid security associations for an IPsec tunnel between BIG-IP and a Fortigate firewall, and traffic no longer stalls for a prolonged period of time. |
ID 427840 | HSL log entries for deterministic NAT now contain Unix time, which dnatutil can use without timezone conversion. |
ID 427886 | You can now set a rule on a virtual server using iControl/REST. |
ID 427928 | If the default LTM Policy '_sys_CEC_video_policy' was modified using the GUI, the changes were not persisted (saved to /config/bigip.conf) and were lost if 'load sys config' was executed or during an upgrade. If the modification was done with TMSH, the changes were persisted. It is good practice to clone the default configurations, make modifications on the clone, and assign the cloned configuration to the virtual server instead of the default configuration. TMSH can be used to force persistence. For example, the TMSH command 'modify ltm policy _sys_CEC_video_policy strategy first-match' (or any modification, even one that does not change the configuration value) followed by 'save sys config' causes the setting to be saved in bigip.conf. |
ID 427952 | Memory during load operations is properly re-claimed. |
ID 427956 | The system now properly reclaims the memory during load operations. |
ID 428066 | IPv6 router advertisement now works in vlan group. |
ID 428153 | TMUI: Gateway Failsafe is now properly rendered in IE. |
ID 428161 | It is now possible to add a non-CA device to a trust domain. |
ID 428405 | Fixed a slow memory leak with client and server ssl profiles in mcpd. |
ID 428494 | A loss of high configuration data after loading bigip_base.conf has been largely corrected. Some scenarios still exist, however. |
ID 428631 | DWR now uses the rewrite attributes configured in the Diameter profile (for example, origin-host-to-client, origin-host-to-server, origin-realm-to-client, and origin-realm-to-server). |
ID 428642 | A tmm crash bug has been resolved. |
ID 428706 | False positive messages warning of 100% CPU use have been corrected. |
ID 428735 | A TACACS+ system auth and file descriptors leak has been corrected. |
ID 428750 | Changing the translation-port-range of an LSN pool in deterministic mode now correctly triggers logging of deterministic NAT state information. |
ID 428884 | The MBLB proxy now correctly detects the iRule running state. |
ID 428895 | The return value of the iRule 'active_members' command now matches the length of the list returned by the 'active_members -list' command, whether or not priority groups with minimum active members are configured on the pool. |
ID 429114 | Monitors now send traffic using the correct source address for the egress interface and do not falsely mark available pool members as down. |
ID 429122 | Even when there is corruption, istatsd no longer uses an excessive amount of CPU. |
ID 429124 | This release adds support for accelerating connections that do not always use autolasthop but instead use a lasthop pool with a single member. The process now allows accelerating traffic from vlangroup members as long as those members are vlans. |
ID 429393 | 11.4 now handles L7 policies created in 10.x that are stored in partitions that refer to pools with no partition. |
ID 429396 | HTTP Class profiles from previous versions may have URL formats that are now invalid, for example URLs that do not start with http://, https://, or /. Loading a configuration with such profiles now provides a descriptive error message and omits the profile. |
ID 429429 | Disabling plugins programmatically is now supported, and TMM memory use does not increase with traffic that would otherwise involve those plugins. |
ID 429699 | For translucent VLAN groups, the standby stratos in an HA pair is now allowed to use the local VLAN FDB entry for bridging traffic between two interfaces on a child VLAN in the given VLAN group. |
ID 429770 | The pool now goes unavailable and comes back available. |
ID 429827 | The recv command now checks the timeout after checking the received data, so good data received just before the timeout is not discarded. |
ID 429832 | vCMP guest tmms will no longer report errors about missing external interfaces on trunks passed in from the hypervisor. |
ID 429952 | tmm no longer loops with plugin errors. |
ID 429960 | When a lookup fails or is aborted, the system now reports that the lookup failed, instead of assuming that a lookup always succeeds. |
ID 429975 | The OCSP Responder Timeout value is now configurable to meet the timeout values required at a site, for example: tmsh modify sys httpd ssl-ocsp-responder-timeout 500. As an alternative, you can use: tmsh modify sys httpd ssl-include 'SSLOCSPResponderTimeout 500'. |
ID 430090 | In OSPFv3, the standby unit no longer advertises the default route when 'default-information originate' is configured. |
ID 430091 | An adapt profile without an internal virtual selected will be treated as if it is disabled. This is correct behavior. |
ID 430104 | iControl no longer reports an error when called from localhost. |
ID 430108 | Connection limits are now managed correctly on the standby device so that connection limits are not exceeded erroneously. |
ID 430114 | The lsndb delete command has been updated to work correctly on chassis based systems. |
ID 430728 | Resolved an issue that would cause TMM to crash if a TCP iRule is suspended with an error while the peer sends a packet. |
ID 430768 | The system now detects changes in a parent profile (the one specified in 'defaults-from') and runs validation to ensure the new inherited values are acceptable on the child profile. |
ID 430905 | Policy sync now works with more than two devices. |
ID 431141 | This race window has been fixed properly; customers need to install the recent patch. |
ID 431251 | The IPsec GUI now supports the phase 1 encryption algorithms aes192 and aes256. |
ID 431305 | Fixed TMM crash that could occur in rare instances of iSession use. |
ID 431503 | TMM no longer crashes on neighbor messages during the initial tunnel config load process. |
ID 431618 | Fixed a relatively rare coring condition where the SIP filter would access memory that was already freed. |
ID 431635 | SIP connections with MBLB+OneConnect are no longer being terminated upon failure to send/connect to the client. |
ID 431667 | Fixed the show cm device-group option that would intermittently specify incorrect options. |
ID 431990 | The TCL 'table' command now works correctly with SPDY. |
ID 432208 | The websecurity profile must be attached to a Virtual Server before you can attach an LTM policy that controls ASM. If you attach and detach LTM policies controlling ASM in the GUI that attach/detach will be done automatically for you. If you remove the policy with TMSH, the websecurity profile will remain attached. In the next release, the GUI will detect an existing websecurity profile and not attempt to add it again to avoid the validation error. |
ID 432285 | Configurations from releases prior to 11.3.0 that have routes named by their IP address now load on upgrade. |
ID 432492 | The BIG-IP system transmits IPv6 BFD for single-hop sessions with a hop limit value of 255. |
ID 432567 | You can now set up sync between devices in two different time zones. |
ID 432723 | External Datagroup: TMM no longer cores on rapid creation/deletion cycle. |
ID 432735 | The RST of the two ALG clients no longer happens. |
ID 432826 | Passive LACP trunks now work upon reboot. |
ID 432939 | A memory leak in the SASP monitor has been corrected. |
ID 433460 | Client browser activity no longer causes serverside connection abort. Previously, this could result in pool members being marked down. |
ID 433567 | INVITEs with c= headers only in the media portion of the SDP message body now correctly set up media flows. |
ID 434397 | Resets no longer continue to occur while there is still capacity in a low-priority pool member. |
ID 434515 | The system no longer returns a truncated response when both ASM Policy and DOS Profile are assigned to the virtual server. |
ID 434533 | vCMP guests will now be upgraded into the same vCMP state as the currently running system. |
ID 434907 | When a call from clientA is hairpinned by the BIG-IP and a re-INVITE is sent from clientB, the media flows are now properly set up. |
ID 435217 | Single hyper-thread vCMP guests are now manageable under maximum data-plane utilization. |
ID 435296 | A reset of statistics for a TCP virtual server will no longer cause the counters for the number of open connections, close_wait, fin_wait, time_wait or accepts to remain high. |
ID 435407 | SSL persistence no longer corrupts application data. |
ID 435598 | The condition which could cause memory corruption in tmm related to the http-set-cookie action in an ltm policy has been fixed. |
ID 435855 | When a packet was cloned, the original packet flags were preserved; if the original packet was locked, this flag was propagated to the cloned packet. The fix clears this flag in the cloned packet when it is created. |
ID 435879 | Improvements in strict IPv6 compatibility and standards compliance. |
ID 435959 | The system now correctly handles packets output on members of vlangroups where the packets are cached replies for the same vlan on which the request arrived. |
ID 435993 | Establishment of CMP-redirected flows no longer erroneously expires/replaces NOEXPIRE flows, so this probably no longer occurs. |
ID 436634 | tmm no longer crashes if a profile changes and the virtual server is then deleted. |
ID 437006 | The tmm now correctly processes large URIs when evaluating conditions of type http-uri in an ltm policy. |
ID 437739 | TMOS now monitors all tmms for looping/locked on a Centaur/Victoria2 BIGIP. |
ID 437866 | In this release, the system correctly decrements the active jobs counter when this error is detected. CPU no longer runs high, and jobs are assigned to the correct compression queue. |
ID 438081 | A bug in zxfrd has been fixed so that it continues processing large responses. |
ID 438149 | The innocuous message 'interface module id schema mismatch (3 != 0)' is no longer written to /var/log/ltm. |
ID 438222 | The system now will correctly identify the changed configuration components during the modify operation on a built-in policy. The system will save and load correctly now after these modifications. |
ID 438622 | SFP insertion and removal events are detected automatically on BIG-IP 800 appliances. |
ID 438685 | SHA256 and SHA384 are now supported as sign/verify hashes. |
ID 439048 | TCP connections no longer stall when tcpdump is started on the BIG-IP system and tcp segmentation offload is enabled. |
ID 439364 | Extraneous DNAT log entries are no longer being generated. |
ID 440877 | Stateless virtual server now properly processes fragmented packets in this case. |
Behavior changes in 11.5.4
ID Number | Description |
---|---|
226043 | There is one new db variable for audit_forwarder: 'config.auditing.forward.multiple'. It has three options: 'broadcast', 'failover', and 'none'. The default is 'none'. When set to 'none', the behavior is the same as in previous releases. When 'config.auditing.forward.multiple' is set to 'broadcast' or 'failover', the db variable 'config.auditing.forward.destination' can be set to multiple IP addresses separated by commas ( , ), such as '192.0.2.1,198.51.100.53,www.example.com'. This provides more than one destination address to the BIG-IP system audit_forwarder. Note that a single IP address works as well. When 'config.auditing.forward.multiple' is set to 'broadcast', the audit message is sent to all destinations. When it is set to 'failover', audit_forwarder sends the message to the first destination; if that fails, audit_forwarder tries the next destination until it finds one that succeeds or all destinations have failed. Note that 'failover' mode is not supported for a RADIUS server, since RADIUS uses UDP and there is no notion of failing to connect. For a RADIUS server, if 'config.auditing.forward.multiple' is set to 'failover', audit_forwarder treats it as 'none'. When there is a failure to send the audit message, the system logs errors in '/var/log/ltm'. |
439013 | It is no longer possible to use %vlan notation with a non-link-local IPv6 address as an object name. |
479147 | You can now create multicast VXLAN tunnels with the same local-address and different multicast addresses. |
539130 | bigd now logs child process exit messages in /var/log/bigdlog (so bigd.debug must be enabled) rather than in /var/log/ltm. This allows the logging to be controlled. Successful command exits are also logged for completeness, since these log messages only appear when debugging is enabled. |
Behavior changes in 11.5.3
ID Number | Description |
---|---|
ID 487552 | You are now allowed to provision any number of combinations of modules on platforms with 5.5 GiB of memory or more so long as there are resources available. Previously, 3 or more modules were not allowed to be provisioned on platforms with 6 GiB or less. |
Behavior changes in 11.5.2
ID Number | Description |
---|---|
ID 487552 | You are now allowed to provision any number of modules on platforms with 5.5 GiB of memory or more. Previously, 3 or more modules were not allowed to be provisioned on platforms with 6 GiB or less. |
Behavior changes in 11.5.1
ID Number | Description |
---|---|
Selective control of ICMP Echo responses | You can now configure the BIG-IP system to selectively enable or disable ICMP Echo responses for a virtual address based on the virtual server state that you configure for advertising a route to that virtual address. For example, if you configure the system to advertise a route to the virtual address when any virtual server for that virtual address is available, the BIG-IP system sends a response to an ICMP Echo request only if one or more virtual servers associated with the virtual address is in an Up or Unknown state. |
325234 | ZebOS is able to obfuscate all password values for the BGP, OSPFv2, and IS-IS protocols when displaying or storing configuration via the IMI shell commands 'show running-config' or 'write', respectively. The password obfuscation feature can be turned on by enabling 'service password-encryption' in IMI shell config-mode, and turned off via the config-mode command 'no service password-encryption'. However, it is important to note that password values that have already been encoded remain encoded even after disabling the password-encryption service. Only passwords configured after disabling this service appear in clear text, and only as long as the password-encryption service remains disabled. |
Behavior changes in 11.5.0
ID Number | Description |
---|---|
ID 247958 | This is a behavior change that affects SSL profile configuration on both clientssl and serverssl. The certificates configured in 'Trusted CA certificates' are not included in the certificate chain that the BIG-IP system sends to the other end, if the SSL profile is configured to request/require a remote certificate. You can configure the certificates in the 'Chain' field instead of 'Trusted CA Certificates' field to include those certificates in this case. |
ID 284369 | LTM monitor passwords and secrets phrases are now encrypted in the configuration file. |
ID 291315 | The following sys db variables are no longer supported: platform.blade.main1.temperature.threshold, platform.blade.main2.temperature.threshold, platform.blade.main.internal.temperature.threshold, platform.blade.mezz.dag.temperature.threshold, platform.blade.mezz.hsb.temperature.threshold, platform.blade.mezz.internal.temperature.threshold, platform.chassis.temperature.threshold, platform.chassis1.temperature.threshold, and platform.chassis2.temperature.threshold. If you try to get the value, the system returns a message similar to the following: 01020036:3: The requested BIGdb variable (platform.chassis.temperature.threshold) was not found. |
ID 416991 | DEFAULT cipher string in SSL profiles will not include any SSLv3 cipher suites. |
ID 427154 | In software versions earlier than 11.5.0, a device group could be configured so that changes to it were automatically synced to all devices in the group. By design, this synchronization defaulted to not perform a save on the sync target. The /cm trust-domain 'save-on-auto-sync' attribute governed the behavior. Setting the attribute to true instructed the system to perform a save operation on the sync target. Beginning in version 11.5.0, this option is no longer configured as part of the trust-domain, but is part of the configuration of a device group. |
ID 427579 | HA-Group score no longer includes active-bonus in data returned from command 'tmsh show sys ha-group'. Active bonus is only relevant for the active device of a traffic group. |
ID 449402 | In 11.5.0, ha-group failover settings are configured per traffic-group. In previous 11.x releases, ha-group settings were per device. When upgrading to 11.5.0, existing HA Group setting might need to be associated with traffic-groups manually. Without setting the traffic-group failover method, the ha-group score and failover cannot function. You can set the ha-group reference manually in the GUI or via tmsh. |
Known issues
ID Number | Description |
---|---|
221963 | When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again. Workaround: None. |
221973 | The BIG-IP system ignores a pool member's response and marks the pool member down after the configured timeout. This issue occurs when all of the following conditions are met: -- An ECV health monitor such as TCP or HTTP has been assigned to a pool or pool member (Note: HTTPS ECV monitors are implemented differently than HTTP and TCP monitors and are not affected by this issue.) -- A pool member responds after the assigned health monitor has sent three probes to it. The pool member will not be available to serve the clients' requests. For example, if the HTTP monitor is configured with an interval of 5 seconds and a timeout of 31 seconds, and the BIG-IP system receives the pool member's response after the third HTTP monitor probe has been sent, the BIG-IP system ignores the pool member's response and marks the pool member down after the timeout of 31 seconds. Workaround: To work around this issue, you can set the monitor interval to a value greater than the affected pool member's response time under the expected production load. For more information, see SOL9104: The BIG-IP system may ignore a pool member's response to health monitor probes, available here: https://support.f5.com/kb/en-us/solutions/public/9000/100/sol9104.html. |
222034 | If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated. This issue occurs when all of the following conditions are met: -- HTTP::respond is used in the LB_FAILED event to return a large response. -- No other TCP data has been sent to the client. The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points. Workaround: To work around this issue, modify the iRule. For example, instead of directly using HTTP::respond inside of an LB_FAILED event, perform a 302 Redirect to another URI, which can then be handled by an unaffected event. For more information, see SOL9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9456.html. |
222184 | When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. Workaround: Select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state. |
222221 | The BIG-IP system may fail to complete an SSL handshake. This issue occurs when all of the following conditions are met: -- The affected virtual server is processing the client SSL connection with an iRule. -- The iRule uses the TCP::close command in the CLIENTSSL_HANDSHAKE event. The TCP::close command can be used in the CLIENTSSL_HANDSHAKE event to close the client connection. For example, the iRule closes the client connection if the hostname requested by the client does not match the common name in the SSL cert. As a result of this issue, you may encounter the following symptoms: -- The client SSL connection stalls until the TCP connection is timed out by the BIG-IP system. -- The client SSL connection fails at the Change Cipher Spec Protocol during the SSL handshake. Workaround: To work around this issue, you can insert a delay with the after command before the TCP::close command. Impact of workaround: Depending on the type and volume of the connections, the after command may introduce noticeable latency. F5 recommends that you test any such changes in an appropriate environment. For more information, see SOL14037: The BIG-IP system may fail to complete an SSL handshake, available here: http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14037.html |
222287 | On multi-core platforms running in CMP mode, rates configured in a rate class are internally divided between the active TMM instances. This occurs on multi-core platforms running in CMP mode. As a result, each flow is restricted to bandwidth equal to the configured rate divided by the number of active TMM instances. Workaround: In order to achieve the actual rate set on the rate class, the system must be processing at least one flow on each active TMM instance. For more information, see SOL10858: Rate classes on CMP systems are divided among active TMM instances, available here: http://support.f5.com/kb/en-us/solutions/public/10000/800/sol10858. |
222344 | If a route learned via any dynamic routing protocol exactly matches a management static route, traffic from the Linux host will follow the dynamic route. NOTE: Regarding affected modules, the problem affects any module provisioned in TMOS as the root cause is in the core functionality shared by all modules. Dynamic routes might override static management routes. Workaround: There is no workaround. |
222862 | Using tmsh to configure network mirroring (also referred to as connection mirroring), the BIG-IP system erroneously allows configuration of identical primary and alternate mirroring addresses. Using tmsh to configure the BIG-IP system to use identical IP addresses for the primary and alternate mirror address settings. The BIG-IP system interleaves the two inbound data streams, processing them as if they were one. As a result, the mirroring messages become garbled, and the mirrored connection table on the standby system is not updated, as expected. If a failover occurs when the redundant system's connection table is not synchronized with the primary, connections that do not match the connection table on the standby system are dropped once it becomes active. Workaround: In 11.x, configure the primary and secondary mirror addresses to use different IP addresses. In 10.x, configure the self and peer alternate mirroring address settings to use different IP addresses than the configured primary mirroring address settings. In 9.x, configure the self and peer alternate mirroring address settings to use different IP addresses than the configured primary mirroring address settings. Note: F5 also recommends configuring the alternate mirror address on a separate VLAN whenever possible, to maximize the protection offered by the network mirroring feature. |
223031 | If you run the tcpdump utility from a B4100 blade on a VIPRION chassis containing a mix of B4100 and B4200 blades, the process does not show packets from the B4200 blades. This happens on a VIPRION chassis with a mix of B4100 and B4200 blades. tcpdump does not report packets from the B4200 blades. Workaround: To work around this issue, run the tcpdump operation from the B4200 blade. |
223412 | When configuring a ConfigSync peer IP address, the IP address must reside in the default route domain. The default route domain has an implicit value of zero (0). For example, with a peer address of 192.168.20.100%10, the system returns an error message similar to the following: Checking configuration on local system and peer system... Peer's IP address: 192.168.20.100%10 Caught SOAP exception: Error calling getaddrinfo for 192.168.20.100%10 (Temporary failure in name resolution) Error: There is a problem accessing the peer system. BIGpipe parsing error: 01110034:3: The configuration for running config-sync is incorrect. On BIG-IP 11.x, the system returns an error message that appears similar to the following example: err mcpd[5766]: 01071430:3: Cannot create CMI listener socket on address 192.168.20.100%10, port 6699, Cannot assign requested address. ConfigSync operations will fail if you configure a peer address that contains an explicit route domain ID. Workaround: Do not use route domains for ConfigSync operations. For more information, see SOL12089: ConfigSync operations fail when you configure a ConfigSync peer address with an explicit route domain ID, available here: http://support.f5.com/kb/en-us/solutions/public/12000/000/sol12089.html. |
223421 | If a disk is removed from an array, the serial number of the disk persists in the system until the drive is manually removed. This occurs on multi-disk systems. The serial number of the disk persists even after the disk is removed from the array. Workaround: There is no workaround for this issue. The serial number of the disk persists in the system until the drive is manually removed. |
223426 | If you apply to a virtual server a TCP profile with the MD5 signature setting enabled, the virtual server incorrectly accepts connections regardless of whether the peer presents the MD5 option. This affects both client-side and server-side connections. Note that the problem does not affect TCP connections established from the BIG-IP host (for example, BGP connections). Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. However, when the MD5 signature setting is enabled, and an MD5 signature is present, the MD5 signature is validated. The MD5-configured virtual server incorrectly accepts connections regardless of whether the peer presents the MD5 option. Workaround: None. For more information, see SOL12241: A virtual server with the MD5 signature setting enabled in its TCP profile does not reject or ignore non-MD5 optioned connections, available here: http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12241.html. |
223542 | You must delete and recreate a trunk to change its speed. You cannot change the speed of an existing interface in a trunk. Workaround: Either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it. |
223634 | The Traffic Management Shell (tmsh) may not display dynamic Address Resolution Protocol (ARP) entries as expected. In BIG-IP 11.x, the show net arp Traffic Management Shell (tmsh) command displays dynamic ARP entries for all route domains. Additionally, you can display dynamic ARP entries for specific route domains by using the show arp any %route domain id command; however, you cannot specify the default route domain 0. In BIG-IP 10.x, the show net arp Traffic Management Shell (tmsh) command displays ARP entries for only the default domain. This issue occurs when you have a BIG-IP system with more than one route domain configured, and you view dynamic ARP entries using tmsh. ARP entries appear to be missing for route domains other than the default (BIG-IP 10.x). The system is unable to display only those dynamic ARP entries specific to the default route domain 0 (BIG-IP 11.x). Workaround: If you are in the tmsh utility (in 10.x or 11.x), you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run until bigpipe arp args... at the tmsh command line. For more information, see SOL12623: The Traffic Management Shell may not display dynamic ARP entries as expected, available here: http://support.f5.com/kb/en-us/solutions/public/12000/600/sol12623.html. |
223651 | An SSH File Transfer Protocol (SFTP) client might emit an error message containing 'Received message too long' when the user is unprivileged and may not use SFTP. This occurs when a user with insufficient privileges uses SFTP. This is a known issue with SSH. For more information, see 2.9 - sftp/scp fails at connection, but ssh is OK, available here: http://www.openssh.com/faq.html#2.9. Workaround: The user must be authorized to use SFTP/SCP. |
223796 | When an SFP is not inserted in a VIPRION interface socket, the interface status should show 'MS' (missing); instead, the interface status might show 'DN' (down). This occurs on a VIPRION chassis where there is no SFP in the interface socket. The interface status might show 'DN' (down). Workaround: None. |
223885 | If you apply a hash persistence profile to a FastL4 virtual server, the virtual server stops processing traffic. Note: The hash persist profile was extended in 10.0.0 with new options, but is no longer supported in combination with FastL4 virtual servers. In addition, when the hash persistence profile is initially applied and during each subsequent configuration load, the BIG-IP system logs messages to the /var/log/tmm file: notice hudfilter_init: 'HASH' is not a bottom-level filter. ... mcp error: 1031000 in mcpmsg_to_database. This occurs when using hash persistence profile with FastL4 virtual servers. FastL4 virtual servers stop processing traffic after a hash persistence profile is applied. Workaround: The workaround is to use universal persist instead. You can also use the TCP or UDP profile instead of FastL4. If a hash persistence profile was applied to a FastL4 virtual server, you can restore traffic by deleting and recreating the virtual server with a different virtual server name. For more information, see SOL12078: FastL4 virtual servers stop processing traffic after a hash persistence profile is applied, available here: https://support.f5.com/kb/en-us/solutions/public/12000/000/sol12078.html. |
224073 | Pinging the floating self-IP from the command line of the same system results in no response to the ping. This lack of a reply does not indicate that the floating self-IP is not working; it still responds to normal ping operations. This occurs when you ping the floating self-IP from the BIG-IP system command line. The ping receives no response. Workaround: To work around this, issue the ping from another host in the network. |
224142 | There is a pause negotiation mismatch in a trunk containing a mix of fiber and copper interfaces. This occurs in a trunk containing a mix of fiber and copper. A pause negotiation mismatch occurs. Workaround: To work around this issue, do not mix fiber and copper in the same trunk. |
224294 | SASP monitor validates timeout and interval although these values are not used by the monitor. This occurs when using SASP monitor timeout and interval. This causes certain SASP monitor configurations not to load. Workaround: None. |
224372 | When you are connected using the serial console to a multi-drive platform, you might see messages similar to the following: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged in the /var/log/kern.log file. This occurs when you are directly connected by serial console to a multi-drive system. These messages appear during the time a drive is rebuilding. Note that the messages appear only when you are directly connected by serial console. They do not appear when you are logged in using SSH. Workaround: These messages are benign, and you can safely ignore them. |
224402 | When you specify a custom configsync user (that is, an account other than admin), if you have specified a maximum number of password failures, the configsync account is subject to the password lockout after the specified number of failures. This occurs for configsync users when maximum password failure is set. The configsync account is subject to the password lockout after the specified number of failures. Workaround: To work around this issue, use the admin account as the ConfigSync user, or reset the non-standard account that is locked out. |
224406 | The dashboard cannot handle numbers that exceed 32 bits. If a statistic goes above that number, dashboard values will be incorrect. This occurs when dashboard statistics exceed 32 bits. When this occurs, the dashboard displays incorrect values. Workaround: There is no workaround. |
224520 | The bcm56xxd service's small form-factor pluggable (SFP) plug_check mechanism (for example, bs_i2c_sfp_plug_check()) looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) because the check does not look at pluggable media type changes. This occurs when changing pluggable media. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module. Workaround: None. |
224665 | The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group. This occurs when using VLAN groups and proxy exclusion. It results in issues for the VLAN group. Workaround: None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions, available here: http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html. |
224881 | On AOM-equipped platforms, changing the management IP via the front-panel LCD multiple times might result in fields on the LCD being displayed with a value of 0.0.0.0. This occurs when repeatedly changing the management IP using the front panel. Fields on the LCD are displayed with a value of 0.0.0.0. Workaround: The correct values will be displayed after a system restart. |
225358 | Both units probe both gateway fail-safe pools regardless of their unit IDs. This occurs in HA configurations. Members of a redundant configuration continue to probe both gateway fail-safe pools. Workaround: Reload config via "tmsh load sys config". |
225431 | Disabling the LCD System Menu does not persist across restarts. This is for diagnostic purposes. This occurs when you disable the LCD display and restart the system. The LCD display setting is not saved. Workaround: To prevent access or configuration changes from the LCD System Menu, you can re-enable and then disable the LCD System Menu after each system restart. For more information, see SOL11363: Disabling the LCD System Menu does not persist across restarts, available here: http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11363.html. |
225588 | Error conditions such as unreachable IP addresses, and unavailable TACACS+/RADIUS services, are not logged to /var/log/ltm for the TACACS+ RADIUS audit forwarding accounting feature. This occurs when you configure the feature using a non-existent IP or a good IP that is not running TACACS+ or RADIUS, and run some tmsh commands. Entries are logged in /var/log/audit, and no error messages are logged in /var/log/ltm. Workaround: None. |
226113 | "ACPI: Unable to locate RSDP ACPI Error: A valid RSDP was not found (20090903/tbxfroot-219)" Limited to 6900, 8900, 8950, 11050, and PB200 platforms. These messages are benign and indicate that an ACPI capable kernel is booted on a system without ACPI support. Workaround: None. |
226964 | A node marked down by a monitor that is waiting for a manual resume mistakenly displays the Enabled state when it is actually down. After a health monitor configured for manual resume has marked a node down, the Configuration utility incorrectly reports the node as Enabled instead of Forced Offline. This issue only affects nodes. The issue does not affect pools or pool members. The node remains disabled, but the GUI reports Enabled. Workaround: You can work around this issue by clicking the Enabled (All traffic allowed) option and clicking Update. For more information, see SOL11828: After a health monitor configured for manual resume has marked a node as down, the Configuration utility incorrectly reports that the node is still enabled, available here: http://support.f5.com/kb/en-us/solutions/public/11000/800/sol11828.html. |
227272 | If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status. This occurs when replacing copper SFPs with fiber SFPs. The link does not work. You might see the following messages: 'Failed to recover link status' and 'temporarily removed from linkscan.' Workaround: To work around this, remove and reseat the fiber SFP module. |
227281 | When a full-proxy HTTP virtual server configured with RAM Cache, a fallback host, and deferred accept executes a reject command in a CLIENT_ACCEPTED event, TMM restarts. This occurs when the virtual server is configured with all of the following elements: - HTTP profile configured with Cache Setting and a fallback host. - iRule that uses the CLIENT_ACCEPTED iRule event, along with a reject statement. - The TCP profile Deferred Accept setting is enabled. If a virtual server that is configured with the previous settings receives a connection that triggers the reject iRule statement, the TMM process may restart and temporarily fail to process traffic. Workaround: To work around this, remove the fallback host statement in the HTTP profile that is used by the virtual server. |
227369 | Generating a SIGINT or SIGQUIT on the serial console during login causes all services to halt and restart. Further, SIGQUIT may cause chmand to get caught in a loop of failed restarts, requiring a host reboot. This occurs when, at any point while the password prompt is displayed, a signal is generated, for example: -- For SIGINT, press Ctrl-C. -- For SIGQUIT, press Ctrl-4, Ctrl-\, or (in some cases) SysReq. All services halt and restart. Further, SIGQUIT may cause chmand to get caught in a loop of failed restarts, requiring a host reboot. Workaround: None. But the problem no longer occurs after the first successful login from the console. |
246726 | A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address. When a virtual address is disabled in LTM, TMM still processes traffic for the virtual servers on that virtual address. For example, if you define virtual servers of 10.10.10.2:80 and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers. Traffic is still processed. Workaround: Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/kb/en-us/solutions/public/8000/900/sol8940.html. |
246871 | When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. This occurs after reactivating a license on the license summary general properties screen, and then refreshing the browser. The system prompts you to log on again. Workaround: Do not refresh the browser. |
246962 | The system counts route domain health check traffic as part of IPv6 traffic statistic totals. This occurs with configurations that have a monitor on a pool in a route domain. With this configuration, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). Workaround: None. |
246983 | A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. This might occur in some Internet Explorer or Firefox browsers after changing a password. Although the user can manipulate the controls and select different settings, the system does not accept the change. Workaround: None; however, this is a browser issue. Internet Explorer and Firefox might allow users to see the contents of change-select controls after the form has been submitted. The controls are disabled, even though it might appear that they are functional. |
247012 | If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server. This occurs when using non-CA-signed certificates on SIP or HTTPS monitors that communicate with servers that require CA-signed certificates. Authentication fails. Workaround: Use CA-signed certificates. |
247062 | Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands. Workaround: |
247094 | If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system posts messages until all systems are running the same version of the software. tmm tmm[1917]: 01340001:3: HA Connection with peer 10.60.10.3:1028 established. This occurs when upgrading redundant system configurations and the versions are not yet the same. The system posts messages until the software versions are the same. Workaround: There is no workaround for this condition. All units in a redundant system must be running the same version of the software. |
247099 | After an import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. To activate the imported configuration, reboot the primary blade. Workaround: None. |
247135 | Linux represents long VLAN names using the first 13 characters and an appended ~1. If you use the Linux system command ifconfig to retrieve the interface configuration of a VLAN with a name longer than 9 characters, the operation truncates the name to 8 or 9 characters. Workaround: To work around this issue, use the ip addr show command to retrieve the VLAN using the IP address. |
247200 | When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. This occurs when changing the user role while that user is logged on. When that user logs back on, the system writes to the catalina.out file error messages such as com.f5.mcp.io.McpIOException: java.io.EOFException: Error while reading message at. Workaround: None, however, these messages are benign, and you can safely ignore them. |
247216 | The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. This occurs when viewing formula definitions on the Performance statistics screen. The right side of the text is cropped, and there is no horizontal scroll bar. Workaround: Click the Launch button to view the full text. |
247241 | Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) This occurs when you mount a USB thumb drive and attempt to copy large files between drives. When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file: -- Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms) Workaround: Create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production, to prevent the potential failure from affecting live traffic. |
247300 | You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher, as it can result in a handshake failure. This occurs when you use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher. This results in a handshake failure. Workaround: None. |
247310 | There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record. This occurs when the high-availability mirroring connection fails and recovers in the time between checks of the persistence entries. Workaround: None, but the possibility of encountering the issue is very rare. |
247709 | When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example: err httpd[6246]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0 err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket) warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!? warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq/mcpq" started (pid 6377) err httpd[6379]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0 warning httpd[3064]: [warn] long lost child came home! (pid 6239) These messages occur primarily as a result of the process restart, and you can safely ignore them. Workaround: None. |
247727 | When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, the properties might produce unexpected behavior. This occurs when creating or editing profiles using the all-properties option. All properties become custom; that is, profile properties no longer inherit parent settings. Workaround: Use the tmsh utility create and modify commands operations. When you do so, the system preserves the profile's properties inheritance. |
247894 | The iRule substr function cannot use a string with a number in it as a terminating string. This occurs when using iRules. The iRule converts that string to integer and incorrectly uses it as a substring length. Workaround: None. |
247981 | Controlling PMTU and route metrics is a global setting. However, different traffic profiles for FastL4 versus full proxy might need different settings, which is not supported. This occurs when setting different traffic profiles for FastL4 versus full proxy; specifically, setting the db variable tm.enforcepathmtu to disabled, and configuring an L7 virtual server containing a remote pool member with an intermediate MTU smaller than the client-side MTU. Some traffic flows might use sub-optimal PMTU settings. Connections might fail after the maximum number of retransmissions of the segment that is too large. Workaround: None. |
248489 | If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. This occurs when rolling forward the UCS fails. Remote users and administrators cannot log on to the system. Workaround: To work around the situation, log on to the system as the root user or as the admin local user. |
284910 | The BIG-IP system may continue to generate server-side TCP connections to pool members after the associated virtual server configuration is deleted. To improve connection speeds for Performance HTTP virtual servers, the BIG-IP system primes connections to the pool members. When a client makes a connection to the virtual server, if an existing server-side flow to the pool member is idle, the BIG-IP LTM system marks the connection as non-idle and sends the client request over it. This issue occurs when all of the following conditions are met: -- The configuration contains a Performance HTTP virtual server that references the base FastHTTP profile. -- The Performance HTTP virtual server processes at least one connection before being deleted. -- The Performance HTTP virtual server configuration is removed. As a result of this issue, you may encounter the following symptoms: -- Packet traces show the BIG-IP system connecting to pool members from its non-floating self IP address. -- The BIG-IP connection table includes an entry showing the recurring connections. In the following example, the any6.any connection table entry represents the client-side IP address, and 10.11.16.221 is the BIG-IP self IP address: 'any6.any any6.any 10.11.16.221:44321 10.11.16.253:80 tcp 9 (tmm: 0)' Workaround: To work around this, you can delete the pool and restart TMM. For more information, see SOL13850: The BIG-IP system may continue to create server-side TCP connections to pool members after the associated virtual server configuration is deleted , available here http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13850.html. |
291327 | Configuring a virtual server for multicast communications inside a route domain does not work. This occurs when configuring a virtual server for multicast communications inside a route domain. The resulting configuration does not work. Do not configure a virtual server for multicast communications inside a route domain. Workaround: None, but this appears to be a rare condition. |
291541 | If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. This occurs when performing a config sync or loading a configuration containing static ARP entries targeted to the management network. When this occurs, the configuration may fail to load. An error message is logged to the /var/log/ltm file similar to the following example: '01070712:3: Caught configuration exception (0), Netlink reply from kernel has error: -101 - routing.cpp, line 883' Workaround: To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation. |
291689 | When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. This occurs with Weighted Least Connections (Node) and connection limits. If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error. Workaround: In this release, you must use the following process to accomplish this: 1. Create a pool that uses the Weighted Least Connections (Node) load balancing method. 2. Explicitly create the node entries for the pool members on the Local Traffic Nodes Node List (create) screen. 3. For each node, specify a value other than 0 (zero) in the Connection Limit box. 4. Return to the pool configuration screen by clicking its link in the Local Traffic Pools Pool List. 5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step. |
291704 | If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. This occurs when you replace a copper SFP with a fiber SFP. When this occurs, the link might remain down. Workaround: The workaround is to issue the 'bigstart restart bcm56xxd' command from the command line. |
291719 | When the Configuration utility restarts, the system writes benign messages to catalina.out. This occurs when the Configuration utility restarts. The system writes messages to catalina.out: 'log4j:ERROR A 'org.apache.log4j.ConsoleAppender' object is not assignable to a 'org.apache.log4j.Appender' variable,' 'log4j:ERROR The class 'org.apache.log4j.Appender' was loaded by log4j:ERROR,' '[org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type,' and 'log4j:ERROR'org.apache.log4j.ConsoleAppender' was loaded by [WebappClassLoader.' Workaround: None, but these messages are benign, and you can safely ignore them. |
291723 | At system startup, you might see messages about unrecognized md component devices. This occurs because datastor volumes are not intended to be combined into a redundant array. The disk management subsystem unintentionally tries to join them into an array, but fails. The system posts messages similar to the following: -- mdadm: Unrecognized md component device - /dev/mapper/vg--db--sda-mdm.app.wom.dat.datastor. -- mdadm: Unrecognized md component device - /dev/mapper/vg--db--sdb-mdm.app.wom.dat.datastor. Workaround: None, but no adverse result occurs, and you can safely ignore these messages. |
291742 | In the ltm.log file, you might see mcpd warning messages similar to the following: warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually. Messages in ltm.log show issues with removing files that do not exist. When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them. Workaround: None. |
291756 | On a multi-drive system, when you remove a drive, LED status might not reflect status correctly. This occurs when removing a drive on multi-drive systems. If the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. Workaround: None, but this is a cosmetic issue only, and has no effect on functionality. |
291761 | When you complete a new installation, the Firefox browser may not recognize the SSL certificate. This occurs only on a new installation when using the Firefox browser. When this occurs, the Configuration utility posts the message 'Please wait while this BIG-IP device reboots, shutting down device.' This spins forever and never returns. This behavior is Firefox-browser specific, so when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. Workaround: None, but the issue happens only when doing a fresh install using the Firefox browser. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft Internet Explorer browser posts an accept-certificate dialog box when you restart the system. |
291784 | If you set the import save value to 1 (one) and import a single configuration file (SCF), the import operation stops. This occurs when setting the import save value to 1. After initiating the SCF import, the import operation halts and does not resume. Workaround: To work around this issue, set the import save value to 2 or more. Note that the default value is 2. |
291786 | When you use the domaintool utility to delete a domain when you are configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it as the designated default. This occurs when you add a domain using domaintool, which sets it as the default, and then remove the domain using domaintool. This removes the domain but leaves it as the default. The deleted domain is still defined as the default in krb5.conf. Workaround: To work around this issue, change the default to a different domain before the delete operation. |
336885 | There is a memory leak that affects Firefox 3.6 but not Internet Explorer 8. The leak occurs because of an interaction between the dashboard and the web browser. The workaround is to use Internet Explorer to view the dashboard. This occurs in Firefox 3.6 and involves the dashboard interaction with the web browser. When this occurs, there is a memory leak. Workaround: If running the dashboard for a long time, use Internet Explorer instead of Firefox. |
336986 | If a hard drive is in the process of replicating and an install to a non-existent volume set is started, the array status for the replicating drive will transition to 'failed' while the volume sets are created. They are created at the very beginning of the installation, so this failed status should last no more than 1 minute. After the volume set is created, the status will go back to 'replicating', as expected. This occurs when installing to a control plane that doesn't exist yet, for example, in the middle of replication. The array status shows 'failed'. Workaround: None. |
337934 | In remoterole configurations, an attribute whose name ends in 'role' will have that attribute truncated. This could also happen with an attribute that ends in 'deny' and has a deny directive. This occurs with remoterole attributes ending in 'role', and may also happen with attributes ending in 'deny'. Parsing truncates the attributes. Workaround: None. |
338426 | Clusterd can core on shutdown under certain circumstances. This occurs with vCMP, and only happens when clusterd is shutting down. When this occurs, clusterd can assert. Workaround: None, but clusterd has already completed all notifications to other system components by that point, so the core can be safely ignored. |
342319 | When you add a Domain Name System (DNS) server to the BIND forwarder server list from the Configuration utility, the recursion option is set to no and the forward option is not set. The parameters 'recursion yes' and 'forward only' are not being updated in named.conf when creating entries in the BIND Forwarder Server List from the GUI. This issue may cause some DNS queries that are sent to the BIG-IP system to fail. Workaround: You can work around this issue by setting the recursion and forward options. For more information, see SOL12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file, available here: http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12224.html. |
342325 | If username and password have not been configured for a RADIUS accounting monitor, it will try to connect with a NULL username-password. This occurs when the username and password have not been configured for a RADIUS accounting monitor. The system attempts to connect with a NULL username-password. Workaround: Configure the username and password for the RADIUS accounting monitor before attempting a connection. |
342423 | The statsd process computes the value for system-wide CPU usage using a formula: process 'A' CPU usage divided by the number of CPUs on the chassis. Assuming a chassis is fully populated with PUMA I blades, the average is divided by 16. If a blade drops out, the number of CPUs is now 12, so while that blade is out of circulation, the data is divided by 12. However, for the 5-second window in which the blade drops out, it is possible that the average might be calculated incorrectly. This occurs when calculating average system-wide CPU usage when a blade drops out. For example: -- From time1 to time4, there are 16 CPUs on the box, and processA is using 96% of its CPU. -- At time5, one of the blades drops out. -- The calculation to compute CPU and system usage happens at this time. -- Before the blade dropped out, the system-wide average was 96/16 = 6. When the blade drops out, the system-wide average is 96/12 = 8. Workaround: None. However, this is a small difference. Although blades going down should not happen often, when it does happen, only the first 5-second system-wide average is affected. The next average will be correct. |
344226 | Trying to create a CRLDP server using a name that already exists fails. The resulting error message does not indicate the problem. This occurs when creating a CRLDP server using a name that already exists. The operation fails with the message 'An error has occurred while trying to process your request.' A more accurate message is 'The requested CRLDP server ('crldp_server_name') already exists in 'partition_name'.' Workaround: None. |
345092 | When a RAID system is booting, the system posts the message: "Press 'CTRL-I' to enter Configuration Utility..." This occurs on RAID systems during boot. Pressing Ctrl+I has no effect; it is not possible to enter the Configuration utility this way. This is a hardware constraint. Workaround: Configure RAID parameters through TMOS instead. |
347174 | When starting BIG-IP VE on a Hyper-V platform, the BIG-IP VE system posts multiple Advanced Configuration and Power Interface (ACPI) messages. This occurs when starting BIG-IP VE on a Hyper-V platform. The system posts ACPI messages such as: 'ACPI: LAPIC (acpi_id[0x3f] lapic_id[0x3e] disabled)'. Workaround: None, but these messages are expected and you can ignore them. |
348431 | If you cancel a qkview while it is being generated via the GUI, a zero-byte qkview is created. Subsequent attempts still generate a zero-byte qkview (even after deleting the previous qkview). Canceling qkview generation via the GUI does not stop the qkview process; until it finishes or is killed, qkviews will have size zero. This occurs when you cancel a qkview while it is being generated via the GUI and then immediately regenerate a qkview via the GUI. The result is confusion and an inability to generate a qkview. Workaround: Wait until the qkview process has finished, or kill the process, and then regenerate. Removing the lock file (# rm /shared/tmp/.qkview_lock) also allows it to work, but having two processes overwriting each other's temp files is not recommended. |
348502 | Deleting or renaming a vdisk from the file system (for example, using bash) will not be detected by vcmpd and can lead to unexpected behavior if the system later attempts to use that vdisk. This occurs when deleting or renaming a vdisk using the file system rather than TMSH/iControl. The system, by design, does not support the detection and handling of direct (for example, using bash) vdisk delete or rename. Workaround: Deleting or renaming the vdisk files directly is not supported. Only use tmsh commands, the UI, or iControl to delete or rename vdisks. |
349242 | The load balancing method 'Ratio Least Connections (node)' does not perform correctly with 'Performance (Layer 4)' virtual servers. This occurs when using the Ratio Least Connections load balancing method with 'Performance (Layer 4)' virtual servers. Workaround: None. |
349629 | Changes to VLAN, trunk, or port configuration may cause a UCS load to fail. The error is usually similar to: 01070257:3: Requested VLAN member (1/2.1) is currently a trunk member Unexpected Error: Loading configuration process failed. The configuration fails to load. Workaround: None. |
351934 | Booting with SSD installed, you will be able to see the SSD sled activity light blinking while the other spinning media sleds do not. This happens when booting with SSDs installed. SSD tray is only tray to blink activity while booting. Workaround: None, but this is normal behavior. |
352560 | Proxy SSL is incompatible with persistence profiles. This occurs when a persistence profile and Proxy SSL are configured on the same virtual server; the combination does not work. Workaround: None, but persistence profiles and Proxy SSL should not exist on the same virtual server. |
352840 | When using partition default route domains, an attempt to load a previously saved configuration which had a different default route domain on a VIPRION may result in the secondary daemons restarting. Load a configuration with a different default route domain to the previously saved one on a VIPRION. Secondary daemons restarting. Workaround: To work around this, load the default configuration before loading a config that has a different default route domain on any partition. |
352957 | Established flows via virtual servers with iRules using the 'node addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail (due to mis-routing of packets) after a route table change, even if the change does not affect any of the addresses used in the flow. Existing flows might not recognize valid routes after being set with iRules using the 'node addr' command if the next hop is set to an address other than the gateway returned in the route lookup or transparent flows to a pool member. New flows established before route table changes might not work as expected. New flows established after the route table change work as expected. Workaround: None. |
353249 | LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected on PVA platforms, when using FastL4 profile with PVA in 'Assisted' mode. This occurs when using the FastL4 profile with PVA in 'Assisted' mode. LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected. Workaround: None. |
353621 | You can get an error from tmsh when adding a device to the trust-domain that says the device cannot be found. This occurs in TMSH, if the 'name' option is omitted. This only occurs in TMSH. Adding devices in the GUI does not result in an error. The system posts the error: 'The requested device (10.10.20.30) was not found.' Workaround: This error actually indicates the "name" parameter was not specified in the command. The message does not indicate that there is a connectivity issue to the device being added to the domain. |
354467 | When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. This occurs with VLAN groups created before the associated route domain. In this case, opaque mode does not work. Workaround: To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart tmm. |
354972 | In some cases, TMSH does not properly recognize hostnames as an item reference for commands. This occurs in tmsh commands. Hostnames are not recognized when referenced in tmsh commands. Workaround: Use IP addresses instead of hostnames when creating addresses with tmsh in this release. Or use the GUI. |
355299 | PVA acceleration can be configured on a platform without a physical Packet Velocity ASIC present. This occurs when configuring PVA acceleration on a platform without PVA present. No acceleration can occur, because the platform does not support it. Workaround: None, but the setting has no actual effect and is harmless. |
355564 | The Error message 'The requested unknown (/Common/traffic-group-1/Common/bigip1) was not found.' might appear in the log during startup. This message does not indicate a problem, and can be ignored in this situation. Configuration is new or has been set to defaults. The error message will appear in the log during the device name change. There is no impact, as the message appears due to the device name changing. Workaround: None. |
355616 | LTM virtual-address objects are only shown in tmsh list output when specifically requested, as in 'list ltm virtual-address', not in commands such as 'list ltm'. This occurs when running the command: tmsh ltm. Virtual-address objects are not shown. This is expected behavior. Workaround: Use the command: list ltm virtual-address. |
356611 | You can invoke imish (the shell for configuring dynamic routing) from tmsh. When you subsequently press Ctrl + Z, sshd and imishd start consuming CPU until the imish shell times out. This occurs when tmsh is not the login shell and you invoke imish from tmsh and press Ctrl + Z. If the system is already in this state, run the fg command, and then exit imish. Workaround: None, but suspending tmsh is not recommended. |
356705 | After completing the setup wizard in the Configuration utility, the user is redirected to the Welcome screen. After completing the setup wizard in the Configuration utility and returning to the Welcome screen. The menu at left should also change from the restricted setup menu to the full menu, but occasionally it does not. Workaround: In this case, the workaround is to log out/in or refresh the browser. |
357132 | For disk usage modules capable of using a datastor, deploy all additional disks and provision them as type "datastor" prior to provisioning the module. Workaround: See KI Text |
357656 | When you use bigstart restart to restart all daemons on a guest on VIPRION platforms, the system logs a benign ltm log message. This occurs when restarting all daemons on a guest on VIPRION platforms. The system logs the message: notice chmand[7975]: 012a0005:5: Chmand cleanup: Slot:Led:Color (1:3:0) not succeed: virtual void Hal::NullAnnunSvc::ledSet(Hal::LedFunction&, Hal::LedColor&, uint32_t&, uint32_t&, uint32_t&). Workaround: None, but this is a benign message and you can safely ignore it. |
357822 | A user can use "delete cm trust-domain all" to recreate or fix the trust domain when loading a blank or inconsistent SCF. Workaround: None. |
358063 | If you issue the command 'restart sys service all' from the tmsh shell, the next command you issue results in the error message: 'The connection to mcpd has been lost, try again.' This occurs when restarting services. The connection to mcpd is lost when mcpd is stopped and restarted. A message indicating the lost connection is expected behavior. Workaround: Try the command again. |
358099 | If two devices have different provisioned modules, then the application with those modules configured in one device might not be able to sync to the other device. This occurs when syncing two devices that have different provisioned modules. The two devices are out of sync and cannot recover in this situation. Workaround: For sync to occur correctly, both devices must have the same provisioning. |
358191 | If the user resets device trust and changes the host name of the device, the other devices in the trust domain still show the unchanged, former host name and show the device as still attached. This occurs in a trust configuration. Resetting a device name has no effect on other devices in the trust configuration. Workaround: None. |
358575 | The traditional ConfigSync mechanism has been replaced with a more robust MCP-to-MCP communication mechanism. As a result, UCS files now load the full configuration in all cases, and no longer have the concept or ability to only load the 'shared' portion. This occurs when attempting to load a UCS file that was created on a different device. Cannot load UCS files created on a different device. Workaround: None. |
358615 | Because there is no 'add' option for unicast-address, if you have two existing unicast addresses, the command to add another replaces both addresses with a single address. For example, given a device with two existing unicast addresses, this command replaces both addresses with a single address: modify cm device centmgmt1.f5net.com unicast-address { { ip 10.10.10.1 } } The result is that the device unicast has only the mgmt address, and has lost the internal IP address. Workaround: When modifying failover unicast addresses using tmsh, you must specify all addresses, even if the intention is to remove or add a single address. |
358655 | The system posts an error message 'No such file or directory' during kernel installation. This occurs during kernel installation. The system reports an error such as the following: info: RPM: ls: /etc/modprobe.d/*.conf: No such file or directory. Workaround: None, but it does not negatively impact the installation itself. |
359393 | To comply with the FIPS 140 standard, keys cannot be exported from a FIPS card in plain text; they can only be exported encrypted with the master key on the FIPS card. This occurs when the master key on the FIPS card has changed since the keys were exported. In this case, it is not possible to import the keys back into the card. Workaround: None. |
359395 | Invalid or empty SSL certificates, keys, or CRLs will not be rolled forward on upgrade to v11.0.0. Empty or invalid certificates under /config/ssl/ssl.crt, /config/ssl/ssl.key, /config/ssl/ssl.crl. Roll-forward fails when invalid or empty certificates, keys, or CRL are found. Workaround: None. |
359491 | When a system's hostname is set by the user via the tmsh setting 'modify sys global-settings hostname new-hostname.example.com' only the local copy of the self device is set. Remote copies of the hostname are not updated accordingly. Thus, running the command 'list cm device name-of-device hostname' would have the hostname 'new-hostname.example.com' on the local machine and 'old-hostname.example.com' on other machines in the trust domain. Update or set the hostname using tmsh. Login to another host in the trust domain and check the first hostname. Hostname returned for a remote host in a trust domain does not match the host name defined on that host locally if set using tmsh. Workaround: The 'cm device hostname' property of devices is purely cosmetic, so this is harmless. Setting the hostname via the tmsh command 'modify cm device name-of-self-device hostname new-hostname.example.com' does function correctly, and keeps all devices' views of the hostname correct. (Note that it is invalid to set the hostname of a different device with this command; it is only valid to set the self device's hostname.) |
359873 | LTM-initiated SSL renegotiation is not attempted when secure renegotiation is configured as required and the peer is unpatched (does not support SSL secure renegotiation). This applies both to configuration-based (e.g., renegotiate-period), as well as iRules-based attempts to renegotiate. This occurs when secure renegotiation is required and the peer is unpatched. LTM-initiated SSL renegotiation is not attempted. Workaround: None except to ensure that all peers are patched. |
360122 | The iControl method System.Statistics.reset_all_statistics() does not reset iStats. This occurs when running the iControl method System.Statistics.reset_all_statistics(). Does not reset iStats. Workaround: To work around this, do the following: 1. bigstart stop. 2. Remove all files (not directories) in /var/tmstat2. 3. bigstart start. |
360134 | 6400, 6800, 8400, and 8800 platforms with Cavium NITROX Federal Information Processing Standards (FIPS) cards do not support secure SSL renegotiation with RC4 ciphers. Initial SSL handshakes are unaffected, but attempts to perform mid-connection rehandshakes fail when SSL secure renegotiation is negotiated. This occurs on the 6400, 6800, 8400, and 8800 platforms with FIPS cards using secure SSL renegotiation with RC4 ciphers. Initial SSL handshakes are unaffected, but attempts to perform mid-connection rehandshakes fail. Workaround: You can work around this by disabling SSL renegotiation or RC4 ciphers. Platforms with Cavium NITROX-PX FIPS cards are unaffected. |
360485 | Node statistics, especially after a statistics reset, may be too high for a node whose address is in a lasthop pool. Lasthop pool configured. Inaccurate node stats. Workaround: None. |
360530 | If a lasthop pool is in use for mirrored traffic, connections mirrored to the standby will not be processed if the lasthop pool's IP address is unresolved by ARP/NDP. This occurs with connection mirroring and a lasthop pool (auto lasthop disabled). Affected flows will not resume on the standby after failover. Workaround: Add a monitor to the lasthop pool so its IP address is resolved before connections arrive. |
360675 | Creating a configuration object with a FIPS 140 key will always create a key in the FIPS 140 device even when the configuration objects are not saved. FIPS 140 key handling. Configuration objects that are not saved will require the user to delete FIPS 140 keys manually from the device. Workaround: Manually delete keys using the following command: tmsh delete sys crypto fips by-handle. List key handles using the following command: tmsh show sys crypto fips. |
360974 | After a cold boot, for the first few minutes a user may experience problems while changing IP settings with the Chassis LCD panel. Workaround: After the default screen appears wait an additional 5+ minutes to make any changes to the settings via the LCD panel. |
361181 | You can run the command 'fipsutil -f init' to force re-initializing the FIPS card or 'fipsutil reset' to reset the FIPS card. Both these operations delete all the keys in the card. However, issuing the command does not delete the BIG-IP configuration objects representing those keys. It also does not modify SSL profiles utilizing those keys. When there are BIG-IP configuration objects referencing such FIPS keys, these operations will result in the failure to load configuration on reboot. This occurs when running the command 'fipsutil reset' or 'fipsutil -f init' and when BIG-IP has configuration objects referencing keys on the FIPS card. The system posts messages similar to the following: 'notice mcpd[5816]: 01390002:5: The size of the configuration DB has been extended by 2097152 bytes, now using a total of 10485760 bytes', 'err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(e1:fb:55...ef:89:b3), FIPS:ERR_HSM_NOT_INITIALIZED. ', 'err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: fips_insert_masked_object error on import, ERR_HSM_NOT_INITIALIZED. ', 'err mcpd[5816]: 01070712:3: Caught configuration exception (0), unable to import FIPS 140 key (/Common/fipspartition) from key file.) - sys/validation/FileObject.cpp, line 4714. ', 'err tmsh[6948]: 01420006:3: Loading configuration process failed. ' Workaround: To avoid this situation, delete the FIPS keys and remove their usage from profiles before resetting or re-initializing the FIPS device. If the system gets into the failure condition, you can recover by completing this procedure: 1. Edit the bigip.conf file where the FIPS key is referenced. Delete all occurrences of the key. 2. Delete the key from /config/ssl/ssl.cavfips. 3. Find and delete the key from filestore/files_d/partition-name/certificate_key_d/. 4. Run 'tmsh load sys config partitions all' to make sure the config loads. After this point, the config should load without issue after a reboot. |
361315 | If you go to the System : Preferences screen and simply click the Update button without editing any values, the system incorrectly posts a Changes Pending notice (that is, a recommendation for synchronization). Many values on this screen are not even synchronized across BIG-IP devices. This occurs when you click the Update button on the System : Preferences screen. The system incorrectly recommends a sync, even though it is not needed. Workaround: None. |
361470 | An error message is posted when a virtual server's destination address is entered into tmsh with invalid IPv4 or IPv6 numbering or a hostname. This occurs when entering invalid IPv4 or IPv6 numbering or a hostname in tmsh. The system posts an error message similar to the following 'The requested virtual address (/PATH/ADDRESS) was not found.' Workaround: None. |
362225 | Disabling connection queuing via "tmsh edit" while connections are queued causes the queued connections to become stuck. This occurs when using tmsh edit while connections are queued. Queued connections become stuck. Workaround: The workaround is to use tmsh modify command instead of edit. |
362405 | If a vdisk migration occurs, the original copy is left unchanged on the source slot. The copy is never synchronized with the new vdisk copy on the destination slot. After vdisk migration is successful, the original vdisk can be safely deleted but can also be kept as a valuable backup. However, note that if the guest is once again allocated to the slot containing the old vdisk, then that old vdisk is used without it first synchronizing with any other vdisk. This might result in unexpected behavior, for example: If that slot is the only one the guest is allocated to, it boots up with the old software, configuration, and license that existed on the guest at the time the guest was migrated to another slot. If, however, the guest is already deployed on other slots, the guest uses the old vdisk on that slot but synchronizes the software, configuration, and license from the guest's primary slot, per normal clustering behavior. Workaround: None. |
362874 | A misleading Upgrading Device Trust banner can appear in the GUI. The banner indicates that the device is waiting for its peer to be contacted. This occurs when a device that is configured to be in a redundant pair is upgraded to version 11.x, but its peer device cannot be contacted. After upgrading, the GUI might post the following message for several hours: 'Upgrading Device Trust Device trust is still being upgraded. Please do not make modifications to Device Management or Traffic Groups pages while this message is displayed.' Workaround: If the peer device is no longer in use, use the following procedure to remove the banner message: * Set the trust.configupdatedone db variable to 'true'. * Set the failover.isredundant db variable to 'false'. * Restart devmgmtd. * Reset trust. |
363216 | A virtual server might indicate 'vlans-disabled', but does not include a list of which ones are disabled if that list is empty. The tmsh list command does not indicate that a VLAN is disabled; this can be seen only in the GUI. This occurs when you add a VLAN to a virtual server. The default setting is disabled. For example, the following means that the virtual server is disabled for no VLAN entries, which is the default setting: ltm virtual sample_vs { destination any:any profiles { fastL4 { } } vlans-disabled } The VLAN added to a virtual server is silently disabled. Workaround: Running the command 'list ltm virtual all-properties' indicates whether the VLAN is enabled or disabled. |
363541 | You can create an 'and' rule for the default node monitor that includes the monitor '/Common/none'. This occurs with the none monitor. When this occurs, the state of the node is not reported correctly. Workaround: None. |
363756 | Simultaneous blade-to-blade migrations of guests might occur. In rare instances, multiple migration tasks take longer than the allocated interval, and could time out. If this happens three times, the guest is placed in the "failed" state. This occurs with simultaneous blade-to-blade migrations of multiple guests on vCMP configurations. If multiple guests must migrate before power on, it is likely that the first two guests will migrate, while all others will fail due to timeout values. Workaround: To recover a guest from this condition, wait until all guest migration tasks complete successfully or fail after three timed-out attempts. Then on any blade with a guest in the 'failed' state, execute the 'vretry' command. This will cause any guests in the failed state on that blade to retry the failed action. Executing 'vretry' one blade at a time and waiting until all migration tasks on that blade are complete will avoid these failsafe timeouts. If a guest's retry attempts also fail, re-provisioning the guest might resolve the issue. To do this, change the guest's state to 'configured' and then subsequently back to 'provisioned' or 'deployed', as preferred. Note that this might cause the guest to be allocated to a different blade. |
363912 | In rare occasions, when there are no monitors assigned as the default node monitor, an entry 'none' may appear in the Active select box on the 'Default Monitor' page in the Configuration utility. This still represents the fact that no monitors are selected as the default node monitor and the BIG-IP system operates as such. This occurs because tmsh allows /Common/none for the default-node-monitor. GUI displays correctly, but 'none' is not in GUI by default. Workaround: None. This is a cosmetic issue that has no impact on system functionality. |
364407 | When vCMP is provisioned and guests are created, and vCMP is later deprovisioned, attempts to delete or modify the VLANs those guests used cannot succeed. Even after vCMP is deprovisioned, VLAN deletion or modification incurs a verification check that prevents the VLAN from being deleted or modified. You cannot remove VLANs that a provisioned, deployed, or configured vCMP guest made use of. Workaround: To work around this, reprovision vCMP, delete or modify the guest, delete or modify the VLANs, and then deprovision vCMP (reboot required). |
364522 | A user with the app_editor role can create an app service; however, because app_editor users cannot create objects (they can only update and enable/disable them), app_editor users actually cannot create an app service. This occurs with users with the app_editor role. app_editor users cannot add pool members unless the nodes already exist. Workaround: There are two workarounds: 1. Use the new add_member_v2 method, which does not have this constraint (the add_member command is deprecated). 2. Have a user with the appropriate role create/manage the node address prior to using add_member. |
364588 | Running the show cmd from /Common to display pool in another partition does not show all of the information. This occurs when you run the show command from /Common partition to display the details of a pool in another partition. The monitor instance line is missing. Workaround: To work around this, navigate to the partition first. Then the show command presents the expected results. |
364717 | There is an issue when using the node-port option with the delete command for persistence persist-records. This occurs when using the delete command to delete persistence records on a nonexistent port. The system deletes all the persist table entries irrespective of the port specified. In addition, the show command with nonexistent port displays all the entries irrespective of the port specified. Workaround: None, except to ensure that the port exists before deleting the persist table entries. |
365006 | Installing a 10.x UCS on a "clean" 11.0 will cause daemons on secondary blades to restart. Workaround: None. |
365555 | The DES ciphers have been deprecated for TLS v1.2, but TMM still includes them. These ciphers are supported on earlier versions of SSL/TLS, such as SSLv3 and TLS v1.0, which are widely used. TLS v1.2 deprecates them in favor of stronger ciphers. Workaround: None. F5 recommends that you do not use these ciphers. |
365756 | During the load of a bad SCF file, once an error occurs, the user is left in the partition folder where the error occurred. If the user attempts a second load, they get an error: 'Data Input Error: 01070734:3: Configuration error: Invalid mcpd context, folder not found'. This occurs when loading a bad SCF file. The system changes the cli location to folder that has the error. Workaround: Fix the SCF file, change directory/context back to /Common and attempt to reload. |
365757 | Mixed mode is presented as an option for extra disks. When trying to change the mode for logical disks, the system presents all options in the GUI and tmsh, even those that are not valid. When applied, this configuration option presents an error message: '01071372:3: Cannot change the mode for logical disk (HD2) from (NONE) to (MIXED). Disks cannot be changed to MIXED or CONTROL modes.' Workaround: Only None and Datastor are functional modes for extra disks. |
365767 | The verify option during a load .scf file operation from tmsh on the VIPRION system causes mcpd to restart. To work around this issue, do not use the verify option on VIPRION. Load .scf file using tmsh on a VIPRION platform. mcpd restart. Workaround: None. |
365836 | Changing provisioning using two commands in sequence (for example, LTM=none and VCMP=dedicated) in TMSH results in a fatal TMM error. This happens when typing the two TMSH provisioning commands LTM=none and VCMP=dedicated in succession. This results in a fatal TMM error, and, if the config was not saved after entering the provisioning commands, the primary reboots, which results in no provisioned modules or the previous provisioning settings. Workaround: Use the GUI or iControl to adjust the system provisioning level. Or, issue a provisioning transaction for vCMP with a custom command at the root. The following example shows how to set LTM=none and VCMP=dedicated: echo "create cli transaction;modify sys provision ltm level none;modify sys provision vcmp level dedicated;submit cli transaction;quit"|/usr/bin/tmsh When you run this transaction, secondary blades will likely reboot automatically. The primary might reboot automatically as well. If the primary does not reboot and the status is REBOOT_REQUIRED, wait two full minutes before rebooting the primary blade. Waiting ensures that provisioning completes, the secondaries have rebooted, vcmpd starts, and the system enters a quiescent state. |
366060 | There is an issue that is rarely encountered in FTP mirroring. FTP mirroring occasionally fails when connections come from tmm0. When it does fail, the idle timer on the standby is not updated and the connection is reaped in the 30-50 second range. Workaround: None. |
367072 | Running the command 'tmsh show sys hardware' on an appliance-based system shows a Registration Key field with a -- value, even on licensed systems. This field is designed only for chassis-based systems, so you can ignore the value. This occurs on appliance-based systems when running the command. The Registration Key field contains a -- value. Workaround: There is no workaround, but this field is designed only for chassis-based systems, so you can ignore the value. |
367198 | Running 'tmsh show sys hardware' on appliances shows a blank Registration Key field. This occurs when running this command on hardware other than VIPRION chassis. Blank Registration Key field. Workaround: This is by design; this field is intended for VIPRION chassis only. |
367714 | When accessing the serial console on some BIG-IP platforms, if the baud rate is changed repeatedly on the serial client, the serial console port may cease functioning. In this case, a reboot of the BIG-IP system is required to restore serial console functionality. This problem is known to occur on BIG-IP 6900 appliances, and may also occur on BIG-IP 1600, 3600, 3900, 8900, 8950, 11000 and 11050 appliances. This problem has been observed to occur more frequently when connecting to the BIG-IP serial console from a client using a USB-to-Serial adapter. Different makes and models of USB-to-Serial adapters do not perform identically. The serial console interface to the affected BIG-IP system is lost. A reboot of the BIG-IP system is required to restore serial console functionality. Workaround: The BIG-IP system can be accessed via the management IP address, or by the AOM management IP address if so configured. For more information, see SOL13331: The BIG-IP serial console port may lock up when the terminal emulator is configured with a mismatched baud rate, available at http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13331.html. |
367996 | Chunked HTTP responses might not be unchunked before they are compressed and forwarded to the client. This issue occurs when the following conditions are met: - The NTLM and OneConnect profiles are applied to a virtual server. - HTTP compression is enabled on the virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server. Client connections might fail. Workaround: To work around this issue, you can either modify the type of response chunking or disable compression. For more information, see SOL14030: The BIG-IP system may fail to unchunk server response when compression is enabled, available here: https://support.f5.com/kb/en-us/solutions/public/14000/000/sol14030.html. |
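The issue above concerns the ordering of two transformations a proxy applies to a server response: the chunked transfer coding must be removed before the body is compressed, otherwise the chunk-size lines and CRLF framing end up inside the compressed payload and the client cannot parse what it receives. The decoder below is an added example of that unchunking step written for this note; it is not BIG-IP or TMM code, and the sample body and trailer name are constructed for the demonstration. It rejects malformed or truncated input rather than forwarding a partial body.

```python
"""Decode an HTTP/1.1 chunked transfer-coded body (RFC 7230 section 4.1).

Added example, not BIG-IP code: shows the 'unchunking' a proxy must do
before compressing and forwarding a server response. The sample body
below is constructed for the demonstration.
"""
import gzip
from typing import Dict, Tuple

HEX_DIGITS = b"0123456789abcdefABCDEF"


def decode_chunked(body: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Return (payload, trailer_headers) for a chunked body.

    Raises ValueError on a bad chunk-size line, a chunk shorter than
    advertised, or missing CRLF framing, so truncated or tampered
    input is refused instead of being passed on partially decoded.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing CRLF after chunk-size")
        # chunk-size may be followed by ';' chunk extensions, which are ignored
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError(f"bad chunk-size line {body[pos:eol]!r}")
        size = int(size_field.decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailers (if any) follow
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk-data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk-data")
        pos += 2

    # Optional trailer section, terminated by an empty line.
    trailers: Dict[str, str] = {}
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing CRLF terminating trailer section")
        line = body[pos:eol]
        pos = eol + 2
        if not line:
            break
        name, _, value = line.partition(b":")
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return bytes(out), trailers


def unchunk_then_gzip(body: bytes) -> bytes:
    """Correct order for a compressing proxy: remove the chunked coding
    first, then compress the reassembled payload."""
    payload, _ = decode_chunked(body)
    return gzip.compress(payload)


# Constructed sample response body: two chunks (one with a chunk
# extension), a last-chunk, and a single constructed trailer header.
SAMPLE_BODY = (
    b"5\r\nHello\r\n"
    b"8;ext=1\r\n, world!\r\n"
    b"0\r\n"
    b"X-Example-Trailer: abc\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    payload, trailers = decode_chunked(SAMPLE_BODY)
    print(payload, trailers)
    print(len(unchunk_then_gzip(SAMPLE_BODY)), "bytes of gzip output")
```

Decoding the constructed sample yields the 13-byte payload "Hello, world!" and one trailer; feeding the decoder a body cut off mid-stream raises ValueError, which is the behavior a forwarding path needs so that framing errors surface as a rejected response rather than as a corrupted compressed body.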
368888 | The system allows you to create a virtual server (which creates the virtual address) in traffic-group 2 and a SNAT translation IP in traffic-group 1, and then to assign the SNAT IP to the virtual IP address, even though doing so could cause asymmetric routes if these traffic-groups were not active on the same unit. This occurs with multiple traffic groups and SNAT translation tables. This configuration might cause asymmetric routes. Workaround: To work around this, only perform this type of configuration when the two traffic groups are active on the same unit. |
369352 | When logged in as a resource administrator, 'load sys config default', which restores the configuration to factory defaults, does not prompt for verification as it should. If you execute the command from a normal administrator role, you do get a prompt. Log in as a resource administrator and run 'load sys config default': the restore begins without a verification prompt. System restore is initiated without a prompt when run as a resource administrator. Workaround: None. |
371164 | Because traffic groups are not bound to any specific VLAN, Neighbor Discovery (ND) for link-local addresses goes out on all VLANs. This occurs because traffic groups are not bound to any particular VLAN or interface. Since the MAC is bound to the traffic group, it is not bound to a particular VLAN either. Using MAC masquerade addresses on VLANs: TMM creates a new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs. For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning. Configuration: net self 10.10.10.10%1 { address 10.10.10.10%1/23 allow-service { default } floating enabled traffic-group traffic-group-1 unit 1 vlan Internal }. Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build up forwarding tables per VLAN, some switches might not do so correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4. Workaround: Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID, and is guaranteed to be unique per VLAN. |
371647 | When using the F5 Advanced Client Authentication (ACA) module's Kerberos delegation, users must manually add the iRule _sys_auth_krbdelegate to their profile. Using Kerberos authentication in ACA. When using ACA Kerberos delegation, users must manually add the iRule _sys_auth_krbdelegate to their profile. Note: This does not apply to APM authentication. Workaround: Manually add the iRule _sys_auth_krbdelegate. |
372209 | When the certificate used to verify a signed iRule expires, the iRule verification status still remains 'Verified' as long as the certificate exists on the device. This occurs when an expired certificate that was used to sign an iRule still exists on the system. The iRule status remains 'Verified', even though the certificate is expired. Workaround: To avoid the misleading status, the signature for iRules signed with an expired certificate should be modified to have the 'ignore verification' property set to true, or edited to remove the signature (edit the rule and remove the 'definition-signature' line). |
374109 | The radvd config is not migrated to tmsh syntax during a UCS restore. Performing a UCS restore. radvd config is not migrated to tmsh syntax. Workaround: Create the config manually with tmsh. |
374333 | When the rate of new connections (CPS) is extremely low, observed/predictive load balancing can perform uneven connection distribution across pool members. Configure a pool using predictive or observed load balancing methods. Uneven connection distribution across pool. Workaround: None. |
375207 | On rare occasions, tmsh writes an innocuous error message to /var/log/ltm based on a query to mcpd. Here is one case that issues the message: In tmsh, type the command 'generate sys icall event', and then press the tab key. The following error is posted: 01070734:3: Configuration error: Invalid wildcard query, invalid or missing class ID. Workaround: None, but this message is innocuous and can be safely ignored. |
375434 | An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades. The system posts error messages similar to the following: -- 'Device error: hsb interface 3 soft resetting due to transmitter failure'. -- 'Interface 0.3: link is down'. -- 'hsb interface 2 disable tx ring 0 timed out'. Workaround: None. |
376166 | QSFP+ module ports do not allow a media capability setting of 1 GbE. This occurs when setting the media capability of the 10 GbE port to 1 GbE. This action fails to turn the 'link-up' LED to amber; the LED remains green. Workaround: None. This action is not supported on this port. |
376447 | If a VLAN group member is used in the configuration of another object, an error may result. It should not be possible to add that VLAN directly to a route domain, since it is part of a group; however, if you create a new route domain, the VLAN appears in the list, and attempting to add that VLAN results in the error. This occurs when using tmsh or iControl and the VLAN group feature. The system posts an error similar to the following: 01070712:3: Caught configuration exception (0), Cannot create vlan 'vlanx' in rd0 - ioctl failed: File exists - net/validation/routing.cpp, line 395. Workaround: To avoid the problem, when using tmsh and the VLAN group feature, only use the VLAN groups, never their members, when configuring other objects. Furthermore, it is not necessary to work with the VLAN group member (that is, in this case, the group is already in the route domain, so adding the VLAN itself is not even necessary). |
377231 | VIPRION B4300 blades only support 9600 and 19200 baud, even though other baud rates are accepted. This occurs when using baud other than 9600 or 19200 on VIPRION systems. You can select other baud rates, but they do not work. Workaround: None. VIPRION B4300 blades only support 9600 and 19200 baud. |
378055 | The serial console on the B2100 blade in a VIPRION C2400 chassis cannot be set to 38400 using the tmsh command 'tmsh mod sys console baud-rate 38400', but can be set using the AOM Command Menu. After setting to 38400 via the AOM Command Menu, you can use the tmsh command to see that the baud rate has been set to 38400. This occurs on the B2100 blade on a VIPRION 2400. Cannot use tmsh to set baud rate to 38400. Workaround: Use AOM to set baud rate to 38400. |
378967 | Users in partitions attached to sync-only device groups do not sync to other devices in that device group. There are users whose active partitions are attached to a sync-only device group. This affects sync-only device groups only, not the failover device group. Workaround: None. |
379002 | MSRDP persistence fails when pool members are in route domains, causing the pool's load-balancing mechanism to be used instead. A configuration with route domains and MSRDP persistence. Connections will be load-balanced in perpetuity. Workaround: Do not use route domains if possible. |
380047 | Listing objects that exist in partitions other than /Common shows no results. This occurs when you are in the /Common partition and you attempt to list objects that exist in another partition, for example, running the command 'list ltm profile ntlm my_subfolder/my_ntlm_profile' when /Common is the active partition. Listing certain objects in subfolders of the current folder (e.g. 'list ltm profile ntlm my_subfolder/my_ntlm_profile') may not show any output. Workaround: As a workaround, you can change into the partition ('cd my_partition') and then list the object: 'list ltm profile ntlm my_ntlm_profile'. |
380415 | TMM CPU utilization statistics reported by sFlow or by running 'tmsh show sys tmm-info' are less than actual TMM CPU utilization. This occurs when using sFlow or by running 'tmsh show sys tmm-info' to report TMM CPU utilization statistics. The values reported are less than actual TMM CPU utilization. Workaround: TMM CPU utilization stats can be found by running 'tmsh show sys proc-info tmm'. |
381123 | Enabling more than 10 sFlow receivers may impact the performance of the BIG-IP system and, therefore, is not recommended. This occurs when using more than 10 sFlow receivers. Slower system performance. Workaround: None. This configuration is not recommended. |
381710 | The test-monitor and test-pool-monitor commands require the monitor or pool argument to include its partition; e.g. /Common/pool1. This occurs when using these commands inside a partition. Tab completion from inside a partition causes the partition name to be omitted. Workaround: To work around this, run these commands from the root partition, or manually type the full pool or monitor argument including the partition. |
382040 | Config sync fails after changing the IP address of a pool member with a node name, where the IP address change is achieved by deleting the pool member and node, then recreating the pool member/node. This issue occurs when the following steps are followed: 1. Delete an existing pool member that has a node name set. 2. Recreate the pool member with a different IP address using the same node name before syncing the config. 3. Sync the configuration. Starting configuration: ltm pool ip_mod_pl { members { ip_mod2_nd:http { address 10.168.1.4 } ip_mod_nd:http { address 10.168.1.1 } } } ltm node ip_mod2_nd { address 10.168.1.4 }. Commands: tmsh modify ltm pool ip_mod_pl members delete { ip_mod2_nd:http }; tmsh delete ltm node ip_mod2_nd; tmsh modify ltm pool ip_mod_pl members add { ip_mod2_nd:http { address 10.168.1.5 } }; tmsh run cm config-sync to-group S48-S49. On versions 11.4.0 and later, the issue happens only if a full load is performed. Note that full loads may still complete successfully on occasion, even if full-load-on-sync is false for the device group. Config sync fails. Workaround: Delete the pool member and node on the peer, then sync the configuration. The issue does not affect pool members/nodes with no name associated with the node. |
382252 | If TMM cores, the High Speed Bridge (HSB) driver clears its transmit and receive ring buffers as part of its shutdown routine. This causes the loss of HSB ring buffer data and state information that might be useful in diagnosing the cause of certain TMM cores resulting from invalid buffer data. - BIG-IP platforms containing a High Speed Bridge (HSB) FPGA device. - A TMM core occurs. HSB ring buffer data and state information, that might be useful in diagnosing the cause of the TMM core, is not preserved in the resulting TMM core. Workaround: None. |
382363 | The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool. A pool's min-up-members is 0 when gateway-failsafe-device is set. Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash. Workaround: Set min-up-members greater than 0 when using gateway-failsafe-device. |
382613 | On VIPRION 4400 chassis containing B4100 blades, the Speed LED stays solid yellow when at 10 MB. VIPRION 4400 chassis containing B4100 blades. The Speed LED stays solid yellow. Workaround: This is not an indication of a problem with the system, even though the Platform Guide: VIPRION 4400 Series indicates that the Speed LED should blink yellow. |
383128 | While upgrading or booting between versions on the VIPRION B2400, B4200, and B4300 Blade Series, it should be expected that firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. This occurs when upgrading or booting between versions on VIPRION blades. Firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. Workaround: None. |
383442 | If a packet is split into multiple fragments and the matching part of the tcpdump filter is in a later fragment, it does not match. This occurs on multi-fragment packets. The tcpdump packets do not match. Workaround: None. |
384717 | While viewing 'watch-trafficgroup-device', if devices in the device group change, 'watch-trafficgroup-device' can sometimes become non-responsive. This occurs while viewing 'watch-trafficgroup-device' if devices in the device group change. The 'watch-trafficgroup-device' can sometimes become non-responsive. Workaround: Killing the tool and restarting it after the device group membership stops changing keeps 'watch-trafficgroup-device' running stably. |
385825 | The CMI watch-* scripts (such as watch-devicegroup-device, watch-sys-device, watch-trafficgroup-device) should not be allowed to run indefinitely, as they may adversely affect performance of the unit after a few hours. Run a CMI watch script for an extended period, for example: 'tmsh run cm watch-devicegroup-device'. Might cause processes to fail, or a unit to fail over or unexpectedly reboot when non-tmm memory is exhausted. Workaround: Do not allow CMI watch-* scripts (such as watch-devicegroup-device) to run indefinitely. Problems typically occur after a few hours, so the issue might not occur if you keep the run to less than an hour. |
385915 | When using the tmsh command 'list net interface all lldp-tlvmap' to display the lldp-tlvmap values, you might see values that deviate from the default of 130943 (for example, 114552). This issue occurs when Link Layer Discovery Protocol (LLDP) is enabled and you use the BIG-IP Configuration utility to manually update the properties of a BIG-IP interface. This issue occurs when unused bits in the Type, Length, Value (TLV) bitmask are incorrectly set. None. This issue is purely cosmetic. Workaround: Manually modify the value as needed. |
386778 | IPsec in HA deployment cannot use anonymous ike-peer. This occurs when using IPsec in an HA configuration. The tunnel is not created. Workaround: - Create a new ike-peer with the required remote IP field holding the remote peer's IP address. - If using RSA (the default) uncheck the verify certificate field (not required when using PSK). - Change the presented ID and verified ID fields to 'address'. |
387106 | Ramcache statistics are associated with only one virtual server per profile. The statistics for all of the virtual servers that use this profile are reflected in the ramcache statistics for that virtual server. This occurs in reporting ramcache statistics. System reports statistics for only one virtual server per profile. Workaround: The workaround is to create a copy of the profile for each virtual server if the individual statistics are desired. However, this adds complexity to the configuration and should only be done when necessary. |
387448 | Monitoring device group status from a device from outside the group might return an incorrect status. When monitoring device group status from a device that does not belong to that group, the config sync status reported could be inconsistent with the device-level status. For example, the sync status for device A is 'Changes Pending,' but the device-group to which device A belongs shows a status of 'In sync.' Workaround: View the sync status from a device in the device group. |
388098 | Running dmesg can report hda cable detect errors. This occurs when running dmesg. dmesg might display a message similar to the following: 'localhost warning kernel: hda: host side 80-wire cable detection failed, limiting max speed to UDMA33'. Workaround: None. This is expected and does not indicate any problem with the hardware or software. |
388273 | On a VIPRION, the failover daemon does not communicate correctly with the peer chassis unless the management port is configured on each blade. This occurs on a VIPRION when the failover daemon attempts communication with the peer chassis. Communication does not occur correctly, and both chassis can become active for an interval of time. Workaround: Configure the management port on each blade. Specifically, assign a network address and subnet to the management port for each blade. |
389397 | On 12050/12250 (D111) and 10350N (D112) platforms, setting the db variable platform.powersupplymonitor to disable might not stop power supply error messages on power supplies that are connected but not turned on. This occurs on BIG-IP 12050/12250 (D111), 10350N (D112), and 10000s/10050s/10200v/10250v (D113) platforms on which platform.powersupplymonitor is set to disable. The power supplies in the system that are not turned on might log error messages until power is removed. Workaround: Remove power on disabled power supplies. |
390089 | Multiple MSSQL monitors on a single node might cause state flapping. Multiple, different SQL monitors on the same pool member/node. May cause node flapping, potentially indicating that a server is down when the server is actually up. Workaround: Use a single monitor. Adjusting the interval might help if there are only two or three SQL monitors on a node, but if there are more, adjusting the interval likely has no effect. |
390195 | The tmsh 'list auth partition' command shows partitions the user has no access to. This occurs for a user with tmsh access and limited partition access. The user can see a list of all partitions on the system, which may cause confusion about which ones they have access to. Workaround: None. |
390764 | A BFD session might not show the correct session 'Up Time' value in the BFD session information returned using the IMI shell command 'show bfd session detail'. This occurs when any BFD session parameter is modified through imish. The BFD session 'Up-time' is reset when the BFD configuration is modified. There is no functional impact, only diagnostic. The BFD session appears to have reset when it has not. Workaround: None. |
392085 | On a standalone BIG-IP system, on the properties screen for Device Management, the Force to Standby button might become available. Since this is a standalone unit and there is no active-standby configuration, this button is not valid and it should not be clicked. This occurs on a standalone BIG-IP system. The Force to Standby button might become available, even though it is not valid. Workaround: None. |
395148 | When setting the baud rate for the front panel serial management port using the AOM command menu, the LCD display does not reflect the baud rate change until fpdd is restarted. This occurs when changing the baud rate using the AOM command menu. The incorrect baud rate might be shown. Workaround: Restart fpdd using the command 'bigstart restart fpdd'. |
395269 | Reapplying a template to reconfigure an Application Service Object deletes any firewall rules that have been created through the Security screen. This occurs when reconfiguring an iApp. Firewall rules are deleted. Workaround: To retain a set of firewall rules, include creation of the desired firewall rules in the template itself. |
395720 | On the BIG-IP 4000 platform, sometimes on boot, Ethernet devices do not get renamed. For example, eth6 should be renamed to pf1-7. This occurs on the BIG-IP 4000. Ethernet devices do not get renamed. Workaround: To work around this issue, reboot the device. |
396122 | In a non-homogeneous cluster, validation on a secondary blade may fail if the module is not allowed or resources are not available. A module is provisioned and validated on a primary blade, but the validation for this module is not completed on a secondary blade. Daemons may restart when an invalid module is provisioned on the secondary blade. Workaround: Make sure the primary member of a cluster is the blade with the least available resources (Puma1). |
396273 | When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update. This can occur when 'lspci -vvv' is executed. This is a benign message, and you can safely ignore it. Workaround: There is no workaround, but this is not a functional issue. |
396278 | If you set MGMT IP address using the LCD module, the ltm log contains a message stating the management route was not found. This is the message: Aug 31 12:01:20 localhost err tmsh[9771]: 01420006:3: 01020036:3: The requested management route (/Common/default) was not found. This is a benign logging message that is reporting a non-existent error condition. This occurs when you set MGMT IP address using the LCD module on 1600, 2000, 3600, 3900, 4000, 5000, 6900, 7000, 8900, 10000, and 11000 platforms. The system writes this message to the ltm log: Aug 31 12:01:20 localhost err tmsh[9771]: 01420006:3: 01020036:3: The requested management route (/Common/default) was not found. Workaround: There is no workaround, but this is a benign logging message that is reporting a non-existent error condition. |
396293 | SNAT bounceback does not work when the non-default CMP hash is used on a VLAN carrying that kind of traffic. This occurs with SNAT bounceback using non-default CMP hash. SNAT bounceback does not work. Workaround: None. |
396831 | Provisioning Virtual Clustered Multiprocessing (vCMP) on 2000/4000 series platforms can cause a kernel panic. vCMP is not supported on these platforms. This can occur on the 2000/4000 series platforms. A kernel panic can occur. Workaround: The release notes contain information about which platforms support vCMP. You can also check the AskF5 Knowledgebase. If a vmdisks application-volume was created on a platform that does not support vCMP, it should be removed. |
398947 | It is possible that the text 'serial8250: too much work for irq4' may be seen on the host serial console. These messages are extremely rare. The cause of the message is a temporary overload of the serial port. However, once the serial port has recovered from the overload, it continues to operate normally. The text 'serial8250: too much work for irq4' might be seen on the host serial console. Workaround: None. No character loss on the console has been observed when this condition is encountered. |
399073 | You might encounter the error 'err ntpd[5766]: Frequency format error in /var/lib/ntp/drift' in /var/log/daemon.log once after boot. This occurs after boot. The system posts the error: err ntpd[5766]: Frequency format error in /var/lib/ntp/drift. Workaround: None. This message indicates an innocuous condition. |
399470 | Switch based platforms incorrectly identify Fiber Channel SFP modules. This occurs on switch based platforms. The platform incorrectly identifies the Fiber Channel SFP. Workaround: None. Switch based platforms do not support Fiber Channel SFP modules. |
399726 | TMM restarted during license or config loading. A new TMM core file is in /shared/core. Message 'HA daemon_heartbeat tmm fails action is go offline down links and restart.' from the sod daemon appears in the /var/log/ltm file. This occurs on Virtual Edition (VE) configurations when TMM takes more than 10 seconds to mmap in the GeoIP files as part of the license loading process because of high disk latency. It might trigger failover. Workaround: None. |
400078 | When removing a pluggable module from some specific ports on 4300/4340N blades or on the 10000 and 12000 series platforms, it is possible for the adjoining ports to lose link briefly. For example, this might occur when removing a pluggable module from the 4300 blade's ports 1.1 or 1.5. When this occurs, it may cause the established link on ports 1.2 or 1.6, respectively, to drop briefly. Workaround: None. |
400584 | An lsn-pool object can be created without any member prefix; however, it will not function for translation until prefixes are added. This occurs with an lsn-pool without any member prefix. An lsn-pool without any member prefix will not perform translation. Workaround: Add prefixes to the lsn-pool. |
400778 | On a VIPRION system during failover in which a blade is transitioning from secondary to primary, log messages make it appear that chmand is looking to delete logical disks on CF1 and HD1. This occurs on VIPRION systems. The ltm log displays messages: -- 'err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete'. -- 'err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete'. Workaround: None. These messages are benign and you can safely ignore them. |
401917 | When disk space is available on the primary blade of a chassis, but not available on one or more of the secondary blades, mcpd validation will fail on the secondary blade(s) and cause mcpd to restart. Workaround: Use the GUI or tmsh to remove any unused application volumes from secondary blades. |
402455 | Before attempting synchronization using the GUI setup wizard, clocks of the BIG-IP devices must be synchronized. It is recommended to use an NTP server for completing this operation. This occurs when using the setup wizard. Establishing device trust group fails. Workaround: To facilitate this, synchronize the clocks of the BIG-IP devices, preferably using an NTP server. |
402469 | The system presents a provisioning error when you try to provision LTM+GTM+ASM on B2100 (A109) and PB200N (A111) blades, even though the combination is supported starting in version 11.2.0. Workaround: To work around this, you can provision LTM+GTM+ASM+AVR instead. |
402811 | On hypervisor systems that host a BIG-IP Virtual Edition (VE) system, large memory pages might impact vADC performance when the hypervisor is under load. This occurs on VE. Large memory pages may hurt vADC performance when the hypervisor is under load and must page in and out those large pages. Workaround: Configure memory reservation as 100% of the VE memory allocation. |
402855 | Removal of Route-Domains from configuration might cause load failures. Load of the updated config fails. Workaround: Clear the current config by loading defaults before loading the UCS using the following command sequence: -- tmsh load sys config default. -- tmsh load sys ucs ucs_name. |
403613 | The drop counters for the 1.x interfaces on the 2000s / 2200s and 4200v platforms currently do not work in LTM mode due to a hardware issue. This occurs on 2000s / 2200s and 4200v platforms drop counters for 1.x interfaces. Drop counters do not work in LTM mode. Workaround: There is no workaround. |
403688 | Hardware syncookies currently require both client side and server side profile context to have hardware syncookies enabled in order to function. This occurs with hardware syncookies. Hardware syncookies do not function. Workaround: Enable client side and server side profiles for hardware syncookies. |
403764 | If a log message is not matched by any filter, then the log will be processed by the syslog-ng daemon. Workaround: To disable log processing by the syslog-ng daemon, create a filter with source equal to "all" and level equal to "debug" then route as desired. |
404398 | Using tmsh merge to update route-domains does not work. This occurs when attempting to merge configuration information that contains differing route domain information. The operation fails with a message similar to the following: 01070979:3: The specified vlan (/Common/external) for route domain (/Common/0) is in use by a self IP. Unexpected Error: Loading configuration process failed. Workaround: A workaround is to manually merge the changes to /config/bigip_base.conf (or /config/partitions/partition_name/bigip_base.conf) before performing the load operation. |
404588 | LSN iRules persistence-entry get/set and inbound-entry get/set might not work properly for RTSP when the iRule gets suspended (for example if the 'after' command is used). This occurs when an iRule on the RTSP_RESPONSE event gets suspended (for example when using the 'after' command). LSN iRules persistence-entry get/set and inbound-entry get/set might not work properly for RTSP. Workaround: None. |
405255 | Issuing a 'reset-stats net interface' command in tmsh does not clear the stats for an interface with status 'disabled'. This occurs when resetting stats on a disabled interface. Stats do not reset. Workaround: Enabling the interface with 'modify net interface x.y enabled' before resetting stats causes the stats to correctly clear. The interface can be disabled again afterwards if needed. |
405898 | If the maximum transmission unit (MTU) for a network running OSPF differs between ZebOS and the neighbor router's configured interface MTU, OSPF adjacencies may not form, or some datagrams may be rejected. TMM has cached a reduced path MTU for a network that is smaller than the configured MTU of the interface, and OSPF is running on that interface. OSPF adjacencies never fully form and routes are not exchanged. Workaround: Restarting TMM clears the cached maximum transmission unit (MTU), and allowing all interface MTUs to function with default values should prevent a mismatch. |
406238 | FTP active mode data connection does not work from the BIG-IP system command line, if the connection is exiting through an interface with SP DAG. cmp-hash = src-ip or dst-ip. ftp initiated from the BIG-IP system. The data connection cannot be established with active mode. Workaround: Use FTP passive mode for data transfer. |
408599 | The iRule node command does not function properly when invoked from the LB_SELECTED event. Using an iRule in which the 'node' command in the LB_SELECTED event modifies the node and port. Although logs from the iRule may indicate the node and/or port was modified, the changes are not applied, as a subsequent tcpdump confirms. Workaround: Use node under other events. |
408810 | A BIG-IP system with a Vyatta neighbor on a single link may appear to be stuck in ExStart/Exchange state because Vyatta incorrectly drops a database description packet containing a 24-byte router-LSA (zero link LSA). This occurs when the OSPFv2 or OSPFv3 neighbor is a Vyatta router. The OSPF session will not come up. Workaround: None. |
409059 | Hairpin connections are not supported for NAT64. This occurs with the following configuration: -- lsnpool with NAT64. -- Hairpinning enabled. Hairpinned connections do not work. Workaround: Hairpin via an upstream router. |
410036 | If a client and server attempt to resume a TLS connection using TLS session tickets through a BIG-IP virtual server configured for Proxy SSL, the BIG-IP system resets the connection. If Reset Cause Logging is enabled (refer to SOL13223), the reset cause is 'SSL Session Not Cached.' Resumed handshakes do not succeed, which might result in traffic disruption for the affected clients through the virtual server. Workaround: Disable TLS session tickets on either the pool members or the client systems. |
410114 | When the OSPF protocol running on BIG-IP system sends a 24-byte router LSA, Vyatta discards this LSA. This might cause the OSPF protocol to become stuck in ExStart/Exchange and never reach FULL state. This occurs intermittently. OSPF v2 protocol configured between BIG-IP system and a Vyatta neighbor. OSPFv2 protocol does not synchronize without manual intervention. Workaround: In imi shell, run the command 'clear ip ospf process'. You might need to run the command multiple times. |
410223 | For a virtual server with a SIP profile configured as an ALG using the TCP transport, TCP FIN and RST packets are unnecessarily sent by the BIG-IP system to multiple peer clients/servers when one of the clients/servers issues a FIN or RST packet. This occurs with a SIP ALG TCP virtual server configuration when one of the clients/servers sends a FIN or RST packet to the virtual server. Unless the SIP clients/servers are configured to automatically reconnect when they receive an unexpected FIN or RST, the in-progress sessions/calls that are using the connection being closed will fail. Workaround: Configure the mblb (message based load balancing) profile to isolate the clients and servers from RST and FIN packets generated by the other clients and servers. Add the following mblb profile to the SIP virtual server: ltm profile mblb /Common/test { defaults-from /Common/mblb isolate-abort enabled isolate-client enabled isolate-expire enabled isolate-server enabled } |
411875 | The persist command intermittently logs a spurious error when resuming after a server-side shutdown. This occurs when the persist command parks (suspends the iRule) and the flow is closed before it resumes. Any portion of the iRule following the park does not run, and the connection logs a spurious error. Workaround: Wrap the persist add command in a catch. |
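The following iRule shows the catch workaround for ID 411875 in context. It is an added example, not code from this release note or from F5; the cookie name, the universal (uie) persistence mode, the timeout, and the inserted header are assumptions for illustration, and the virtual server is assumed to carry an HTTP profile and a universal persistence profile.

```tcl
when HTTP_REQUEST {
    # Assumed for illustration: key universal persistence on a session cookie.
    set key [HTTP::cookie value "JSESSIONID"]
    if { $key eq "" } {
        return
    }

    # persist add can park (suspend) the iRule while the persistence table
    # is consulted. If the flow is closed before the iRule resumes, the
    # command raises a spurious error and, without catch, everything after
    # this point would be skipped. catch turns that error into a return
    # code and lets the remainder of the event run.
    if { [catch { persist add uie $key 1800 } err] } {
        log local0.debug "persist add for [IP::client_addr] key $key failed: $err"
    }

    # Code after the parking command still runs whether or not persist add failed.
    # The header name is an assumption for this example.
    HTTP::header insert "X-Persist-Key" $key
}
```

The catch deliberately logs at debug level only: the error is spurious, so treating it as a failure would be misleading in production logs.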
412458 | It is possible to misconfigure a SIP ALG virtual server by adding a transport protocol profile that does not match the ip-protocol of the virtual server. This invalid configuration results in a core. If a UDP profile is applied, the ip-protocol type should be udp; if a TCP profile is applied, the ip-protocol type should be tcp. This occurs when a TCP transport protocol profile is added to a virtual server and a UDP profile is then applied to the same configuration. A misconfigured SIP ALG virtual server allows packets for other protocols to reach the tcp/udp/sctp filters. Workaround: None. |
414018 | Hairpin connections between different subscriber hosts fail. The subscriber network(s) and the internet are in different route domains. Applications on different subscriber hosts cannot establish connections. Workaround: Use the same route domain for the subscriber networks and the internet. |
414160 | Configuring the VLAN used for inter-device mirroring with an IP-based cmp-hash mode may cause errors when establishing the mirroring connection between devices. This occurs when the VLAN used for inter-device mirroring is also configured with an IP-based cmp-hash mode. Errors are generated when establishing mirroring connections between devices. Workaround: Configure the VLANs used for the mirroring connection with the default cmp-hash mode, not an IP-based cmp-hash mode. |
415483 | A license activated on 11.2.1 or later is not backward compatible with software versions 11.2.0 or earlier. An issue occurs after performing a software downgrade from version 11.2.1 or later to version 11.2.0 or earlier: the license becomes non-operational. Workaround: You must acquire a new license key, or request an 'allow move' from F5 after the downgrade. |
415608 | When TM.MaxICMPRate is reached, TMM drops ICMP requests. There is no visibility in the logs when that happens. This occurs with excessive ICMP traffic. There is no functional impact, but the condition is harder to troubleshoot. Workaround: Use the TMM counters. |
415961 | Unused HTTP Class profiles are not rolled forward during upgrade or UCS restore. If you have defined HTTP Class profiles but have not assigned them to virtual servers, the system does not bring those profiles forward into the new configuration when you upgrade. No policy is created from the HTTP Class profile, and the profile does not appear in the new configuration. This occurs when upgrading a pre-v11.4.0 configuration with an HTTP Class profile not attached to a virtual server. You might lose unused HTTP Class profiles in the configuration. Workaround: Attach all HTTP Class profiles to a virtual server before upgrading or saving a UCS. |
417045 | Upon shutdown, the system posts the message 'err chmand[8873]: Error sending MCP system_information (err:1020003)' to the ltm log. This might occur intermittently when shutting down the system. This message is benign, and the system should power up correctly. Workaround: None. |
417526 | The system logs a message sequence that includes a hardware sensor critical alarm in log /var/log/ltm when a power cable is disconnected and then re-connected. This might occur when a power cable is disconnected, then re-connected to an AC power supply. When that happens, system status might switch from Good to Bad, and then back to Good within seconds. As a result, the system posts a message sequence similar to the following: -- notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good. -- crit chmand[9322]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV04G): Bad. -- notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good. This is expected behavior, in that the system is actually reflecting the state in real time: when the cable is connected, the status is Good; when the cable is disconnected, the status is Bad; when the cable is re-connected, the status is Good. This message sequence does not indicate a problem in the BIG-IP system. It simply means that it might take a few seconds for the fan in the power supply to come up to speed. Workaround: None. |
417720 | If a power supply fan unit becomes jammed or experiences a failure that prevents the minimum RPM threshold from being met, the LTM log erroneously indicates that the power supply has been turned off. For example: -- localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(73-610-125): Bad -- localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power supply #2 fan-1: Bad -- localhost warning chmand[8482]: 012a0018:4: Chassis power module 2 turned off. This occurs with any kind of power supply fan failure that prevents the unit from reaching the minimum specified RPM. The result is a misleading log message. Workaround: None. |
418509 | It is not possible to match a literal ( (open parenthesis) in the stream filter. This occurs when the stream filter is enabled and the stream expression includes a ( that is not intended as the opening of a regex group. You are unable to directly match an expression that contains a literal (. Workaround: Use octal character encoding to resolve stream filter conflicts, as shown in this example: ( = \050 and ) = \051, so instead of the expression function\(param1\), use the expression function\050param1\051. |
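An iRule applying the octal-escape workaround for ID 418509, added here as an example (it is not code from this release note or from F5). It builds the match side of a STREAM::expression from a literal string so that every parenthesis becomes \050 or \051. The match and replacement strings, the Content-Type test, and the requirement that the virtual server carry both an HTTP profile and a stream profile are assumptions for illustration.

```tcl
when RULE_INIT {
    # The stream filter treats ( and ) as regex grouping and cannot match
    # them when escaped as \( and \). Map each literal parenthesis to its
    # three-digit octal escape instead:  ( -> \050   ) -> \051
    # [list ...] is used so that the Tcl string "\\050" becomes the four
    # characters \050 in the map, rather than a double backslash.
    set static::octal_parens [list "(" "\\050" ")" "\\051"]

    # Illustrative strings (assumed for this example). The match side is
    # escaped; the replacement side is a plain string, not a regex.
    set static::find    [string map $static::octal_parens "function(param1)"]
    set static::replace "function_v2"
}

when HTTP_REQUEST {
    # Rewrite only server responses, never client request bodies.
    STREAM::disable
}

when HTTP_RESPONSE {
    if { [HTTP::header value "Content-Type"] starts_with "text/" } {
        # Resulting expression: @function\050param1\051@function_v2@
        STREAM::expression "@$static::find@$static::replace@"
        STREAM::enable
    }
}
```

Because the escaping is done once in RULE_INIT with string map, the same pattern can be reused for any literal that contains parentheses; only the match side of the expression needs the octal form.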
418709 | The LCD module might report the error 'Low fan speed'. However, it does not specify which fan component on the unit is low: the CPU fan, the chassis fan, or a specific PSU fan. This occurs on the 2000 series, 4000 series, 5000 series, 7000 series, and 10000 series platforms. There is an indication that a component is failing, but no indicator of which specific component is failing. Workaround: Use the console to determine which fan is low either by viewing console messages/warnings as they show up or by running 'tmsh show sys hardware' or viewing the /var/log/ltm file. |
418924 | Secondary blades in a cluster go into swap when there are too many iso images in /shared/images. Too many iso images in /shared/images. Secondary blades are slow. Workaround: Use tmsh or the GUI to delete as many iso images from /shared/images as feasible. |
419345 | Changing Master Key on the standby of an HA configuration on a chassis might cause secondaries to restart processes. This occurs when you modify the master key on standby chassis. Users might not be able to access the cluster. The secondary blades of that chassis might experience continuous restarts of mcpd and other daemons, accompanied by 'decrypt failure' messages in the ltm log. Workaround: Run the command bigstart restart on secondaries to return system functionality. In general, you should change master keys on the primary in the cluster. |
419621 | After a blade failover, an existing inbound session may not have its delete event logged when it completes. This occurs with an LSN pool with NAPT, inbound session logging enabled, and an HA configuration, after failover. The add event for the inbound session may not have a matching delete event. Workaround: None. |
419733 | BIG-IP systems configured with additional non-default management routes via static, OSPF, or other protocols might post error messages. The problem occurs when multiple management interfaces are defined. The system might post route_mgmt_entry count errors during operation of the /usr/bin/config script. Workaround: Use an alternative method to configure the management address and default route: the GUI, iControl, tmsh, or a configuration file load. |
419741 | Rare TMM crash with vip-targeting-vip. Core analysis is typically necessary to determine whether this issue is the cause. Triggering it is difficult and seems to require vip-targeting-vip (for example, use of the 'virtual' command in an iRule) and more than one blade. In rare situations, TMM crashes. Workaround: None. This occurs rarely, and the system recovers automatically. Although this has not been verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B. |
420053 | Although the IPFIX Logging Destination accepts transport protocol profile configuration, it does not use parameters from the profile. An IPFIX Logging destination can be configured with non-default protocol profiles, such as a custom TCP profile with specific values for Idle Timeout or Keep Alive interval, but the selections are not used. This occurs when customizing parameters within the configured protocol profile. Parameters specified within the configured protocol profile are not utilized, and default values are used instead. Workaround: None. |
420184 | A transaction fails when you create a new folder and then create an object in that new folder in a batched set of command-line commands. This occurs when the folder does not yet exist and you try to create both the folder and the object in the same batch. The transaction fails with an error similar to the following: 01070734:3: Configuration error: Invalid mcpd context, folder not found (/AAA). Workaround: Create the folder before using batch commands to create objects in it. |
420344 | When BFD is configured between the HA pair neighbor and the HA pair units, BFD fails to establish a session because the IS-IS routing module uses floating self IP address for establishing adjacency rather than non-floating self IP address. BFD is used with IS-IS in HA pair configuration. BFD cannot be used with IS-IS in HA pair configuration. Workaround: None. |
420689 | A single configuration file (SCF), as generated by the command save sys config file 'name', does not contain information describing which configuration objects have synchronized between the device and other devices. This occurs with an SCF generated using the command save sys config file 'name'. Loading the SCF can cause the system to lose track of this information. Workaround: From one device, run the following command: modify cm device-group device_group_name devices modify { device_name { set-sync-leader } } |
421012 | scriptd might indicate that it is running on a secondary blade, even when the process is running on a primary blade or an appliance. The error condition generates this log message: 014f000f:7: Becoming secondary cluster member The conditions under which this occurs are not well understood, but it is a rare occurrence. Perpetual iCall handlers do not run, so scripts running under the control of a daemon do not run. Workaround: Issue the command 'bigstart restart scriptd' on an affected blade or device. |
421092 | The maximum number of named variables in an iRule is 4,194,304. This occurs when using iRules. System drops core file and posts message: Assertion 'maximum pages' failed. No more than 4,194,304 named variables can exist in an iRule. Although the maximum pages limitation has always existed, beginning with 11.3.0, the assert occurs very early when this is detected. Workaround: None. |
421640 | Entries that mention yourtheme.css appear in the httpd error logs. Using the GUI for iApps triggers this condition. Entries appear in httpd_errors referencing yourtheme.css. There is no impact, visual or otherwise, to the GUI or the rest of the BIG-IP system. Workaround: None. |
421702 | The BIG-IP system publishes the management MAC addresses using offsets of the chassis base MAC address, instead of the MAC addresses from the kernel (as ifconfig and dmesg report). This occurs on BIG-IP systems. The MAC address is inconsistent between ifconfig and 'tmsh show sys mac'. Workaround: None. |
421851 | When iRules are saved into bigip.conf, the first line is automatically indented with four spaces. Usually these spaces are removed when the configuration is loaded, but when an iRule starts with commented lines, the whitespace is not removed, and every subsequent save/load operation adds another four spaces. When a user adds a checksum to the iRule, loading fails with a checksum verification error. This occurs when both conditions are true: 1. Line 1 begins with a # character and whitespace. 2. The checksum operation is performed on the iRule. The result is a load failure. Workaround: Remove the whitespace at the beginning of the iRule. |
422259 | An IPFIX logging destination is configured with a pool of nodes to identify the collectors to which IPFIX messages should be sent. The health of the nodes and the overall pool can be monitored by the BIG-IP system using a health monitor. However, if network or other issues cause the ICMP monitors to mark a node as Offline, the BIG-IP system continues to try to establish connections and send data to that node, instead of deferring such attempts until the node is declared Online again by the health monitor. This occurs with network or other issues that cause ICMP requests to a pool member to fail. The impact is minimal, other than extra processing load: under normal circumstances, if ICMP traffic to a pool member is not successful, the BIG-IP system cannot establish a connection to that member, and IPFIX messages might be transmitted to other available nodes in the pool. When the blocking condition (for example, an iptables filter) is removed, it takes approximately five seconds for traffic to resume. This is expected behavior. Workaround: None. |
422315 | When trying to remove certain interfaces from list, the user can encounter an error in the UI. For example, if more than two interfaces exist in the Interface list on a trunk object, you receive an error if you attempt to remove one of the interfaces that appear between the first and last interfaces listed. More than two interfaces exist in Interface list on trunk object. Customer tries to remove a 'middle' interface and Update. Customers cannot remove all interfaces from Trunk using UI. Workaround: Use tmsh. |
422709 | Intermittently, if a secondary blade is being disabled, it may miss the command and stay enabled. Unknown. Secondary blade will still pass traffic as if it is active. It will not be considered inactive for counting of min-up-members. Workaround: As this only happens rarely, you can re-enable the blade and re-disable the blade. |
423304 | Synchronized configuration objects may contain invalid parameters after you delete an object and create a different object type with the same name. This issue occurs when all of the following conditions are met: -- The BIG-IP systems are configured as part of a Device Group. -- You delete a configuration object of one type and then create a different type of object that uses the same name. -- The new object's configuration is synchronized to the other systems of the Device Group. The result is an invalid configuration on the system that is synced to, with no obvious warning signs. Workaround: Use either of the following methods: -- Synchronize the configuration after you delete the original object and before you create the new object. -- Use a different name for the new configuration object. |
423392 | In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'. This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'. iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform. Workaround: To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see SOL14544: The tcl_platform iRules variable is not in the static:: namespace, available here: http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14544.html. |
424228 | If a virtual server is created without an assigned pool (i.e. the pool is assigned in the iRule) and the iRule parks, the iRule may not return from suspension and the packet will be dropped. A virtual server is created and an iRule is assigned that parks, and the virtual server has no assigned default pool. Packets are dropped. Workaround: Either use the CLIENT_ACCEPTED event for UDP data or assign a default pool. |
424649 | Blades continually fail over with a large enough translation address space in an lsn-pool in DNAT mode. An example of a translation prefix large enough to cause this problem would be /8, or several translation prefixes summing to a large number of translation addresses. An lsn-pool in deterministic mode, assigned to a virtual server, with a /8 prefix (or similar number of addresses.) System is rendered unusable until DNAT mode is disabled. Workaround: Change to NAPT mode, or use a smaller translation prefix range. There is no other workaround. |
424797 | Some parts of the UI become non-functional. The Tomcat log (/var/log/tomcat/catalina.out) shows java.lang.OutOfMemoryError: PermGen space error(s). Other parts of the UI continue to function, particularly ones that the user has used most recently. The issue has been seen over extended use with LTM, AAM, and AVR all provisioned, and is possible with other combinations. Other BIG-IP functionality is not affected. Workaround: On the command line, as root, run the following command: bigstart restart tomcat |
425017 | For Thales HSM clients, the tmm and pkcs11d daemons must be restarted for changes to take effect to the key protect mechanism. This occurs for Thales HSM clients when support is added for module keys and token keys, or for softcard features, or when these are enabled or disabled. Changes do not take effect. Workaround: None. The tmm and pkcs11d daemons must be restarted for the changes to take effect. |
425018 | Loading an SCF after modifying a self IP may cause a route in the Linux kernel to be dropped, so Linux host applications may not be able to connect when expected. This occurs when you create a configuration with a self IP on a VLAN and a default gateway route on that VLAN, save an SCF file, modify the self IP in that SCF file, and then load the SCF. The Linux kernel default gateway route is dropped, and host applications that depend on the route may not be able to connect. Workaround: Reset the configuration to default before loading the modified SCF: 1. tmsh load sys default. 2. tmsh load sys scf SCF_filename. For more information, see SOL14572: Routes configured in a single configuration file may be missing from the Linux kernel route table after loading the single configuration file, available here: http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14572. |
425209 | mcpd on secondary blades may restart with an error message about an sflow_vlan_data_source object of the form: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1760). A duplicate value was received for a non-primary key unique index field. DB exception text (Can't save/checkpoint DB object, class:sflow_vlan_data_source status:13). The exact conditions under which this occurs are not well understood. The immediately triggering event is a restart of the clusterd daemon on an individual secondary blade in a VIPRION chassis, performed while all other blades are restarting their TMOS software. All services on an affected blade will restart. Workaround: None at this time. |
425826 | A unit in an HA configuration constantly cored until the system was rebooted. An intermittent error appears: notice panic: ../kern/xbuf.c:2273: Assertion 'valid xfrag' failed. It is unclear whether this is a high-speed bridge (HSB) issue or a driver issue. The return buffer is provided by the driver and used by the HSB to return packets; either the provided buffer is corrupt or the HSB somehow corrupts it. This issue is rare and has been seen across several platforms and HSB bitfiles. It results in a kernel panic, and you might see invalid return buffer and invalid xfrag messages. Workaround: This is typically cleared on reboot. The issue might also be cleared with a bitfile upgrade. |
425965 | On the BIG-IP 2000 and 4000 family of platforms, rapid changes to port speed and duplex mode on the fixed RJ-45 ports may cause a TMM restart. Ports may be listed as down in the UI while the CLI lists the port as up. Messages about tmm processes restarting may appear in /var/log/ltm. Ports are down because tmm is restarting. Workaround: Change both sides of the interface to auto-negotiation, then switch to the desired speed/duplex. |
426128 | If the passphrase for a pkcs12 file being installed is longer than 49 characters, installation can fail with the error 'Key management library returned bad status: -28, Bad password'. This occurs with pkcs12 files whose passphrases are longer than 49 characters. Workaround: Use passphrases of fewer than 50 characters for pkcs12 files. |
426129 | CGNAT translation logs sent to ArcSight HSL destinations are not in a format that ArcSight can parse. This occurs when LSN pools are configured for a virtual server and a log profile configured to use an ArcSight destination is attached to the LSN pool. CGNAT log messages are not processed correctly by ArcSight. Workaround: Modify ArcSight for custom parsing, or use a different log server. |
426350 | When the BIG-IP system is passing a heavy traffic load on an L7 virtual server, running tcpdump might cause a tmm restart. This occurs when running tcpdump under heavy L7 traffic load. Traffic might be interrupted and the BIG-IP system might fail over to the standby. Workaround: None. |
427223 | VIPRION C4800-series chassis contain two Annunciator cards which perform chassis-level hardware-management functionality. Each card is located in a numbered slot accessible via the chassis front panel after removing the LCD display. BIG-IP utilities (such as the 'bladectl' utility or the 'tmsh show sys hardware' command) label the annunciator cards numerically opposite from the chassis front-panel slot labels: -- The annunciator card located in physical slot 2 is identified as 'Annunciator'. -- The annunciator card located in physical slot 1 is identified as 'Annunciator 2'. This occurs on VIPRION C4800-series chassis running affected versions of BIG-IP. The inconsistency between logical and physical numbering of the chassis annunciator cards can cause confusion when one of the annunciator cards requires replacement or other service. Workaround: Remember that the numerical identification of chassis annunciator cards in the TMOS UI is reversed from the physical annunciator slot numbering. |
427260 | PPTP-ALG stats: tmsh show sys pptp may show duplicate flows with some stats in each direction. CGNAT and PPTP-ALG with default DAG. Running the command 'tmsh show sys pptp' shows identical flow with different stats incremented. Although this is a cosmetic issue, it might be confusing. Workaround: Grep and aggregate the stats for a unified view. |
427924 | When inserting a new blade in a VIPRION C2400 chassis, with UDP or TCP hash set to 'ipport', the new blade uses the 'port' hash instead. Rebooting the blade or restarting bcm56xxd and tmm causes the correct DAG (Disaggregator) hash to be used. UDP or TCP hash algorithm changed from default (e.g. changed from 'port' to 'ipport'). -- UDP or TCP virtual servers configured. -- New blade inserted into chassis. New blade includes external interface to which traffic will arrive. Prevents adequate distribution of traffic within a chassis, which may disrupt traffic flows or reduce the traffic throughput of the BIG-IP system. Workaround: Reboot the new blade after it has been configured. Issue the 'bigstart restart' command (to restart the bcm56xxd and tmm modules and program the DAG with the correct hash type). |
428752 | Occasionally, on shutdown/reboot of a platform, diskmonitor might be started while the system is shutting down. This occurs when the system is shutting down, halting or rebooting. After a shutdown, halt, or reboot is initiated, the system console may display this message: 011d0002: Can not access the database because mcpd is not running. The ltm log file shows the same database warning along with a date and system entry: warning diskmonitor: 011d0002: Can not access the database because mcpd is not running. Workaround: The warning is innocuous on shutdown and may be ignored. The diskmonitor script automatically runs when the system is booted next and detects disk space issues at that time. |
428976 | If a self IP is configured for advertisement in OSPF and is moved to a different VLAN, the LSA may be removed from the database and not readded. OSPF enabled, self IP moved between VLANs. Missing prefix from OSPF. Workaround: Remove and readd connected route redistribution, delete and readd the self IP, or clear the OSPF process ("clear ip ospf process" in imish). |
429013 | Log file permissions for one specific log file were incorrectly set. This has been fixed to address an issue with CCE-26812-8, CCE-26821-9, and CCE-27190-8 (syslog-ng configuration/permissions). Since only Administrators can have advanced shell access, they are the only ones who could see the log files; this change simply sets the file permissions the same as the rest. Very little impact. Workaround: None. |
429096 | Various tools, including the Dashboard, display the SSL TPS limit provided in the base license, ignoring any additional licensing modules that might increase the TPS limit. This occurs when the system is using licensing modules that increase the base SSL TPS. An incorrect SSL TPS limit is reported. Workaround: None. This is a display issue only; the correct SSL TPS limit is actually used. |
429213 | A race condition may occur in which a monitor instance is killed abruptly if another copy of the same monitor attempts to check the health of the same node IP:port in a different route domain. The killed monitor then contributes to a monitoring timeout and can mark the node as down. This occurs because the PID file created to prevent duplicate monitoring of the same pool member is not sufficiently unique to distinguish between route domains. For example, a SIP monitor named "sip_london" applied to pool members 1.2.3.4%100 and 1.2.3.4%200 would share the same PID file: /var/run/SIP__Common_sip_london.::ffff:1.2.3.40..5060.pid. This affects health monitor types that execute outside the bigd process when a monitor profile is assigned to two different nodes that have the same IP:port in different route domains. The affected monitor types are: Diameter, IMAP, LDAP, NNTP, POP3, RADIUS, RADIUS Accounting, RPC, Scripted, SIP, SMB, SMTP, and WAP. Pool members may flap down/up. Workaround: 1. Create a duplicate copy of the monitor profile, adding the route domain to the name of the monitor profile. For example: ltm monitor radius /Common/radius_seattle_rd43 { defaults-from /Common/radius_seattle } 2. For nodes or pool members in that route domain, replace the old monitor profile with the new duplicate monitor profile. |
429613 | TACACS+ accounting packets are only sent to the authentication server. This occurs with TACACS+ accounting packets. These packets are only sent to the authentication server. Workaround: You can use syslog to send the messages (but not TACACS+ accounting codes) to multiple destinations simultaneously. |
430354 | When an alarm light is present on the primary blade and the USB LCD dongle is then attached, all of the blades go from green/pri or green/sec to amber status, and the alarm light is erased. A few moments later once the LCD screen is up, the blades go back to their original green pri/sec assignment but the alarm light never returns. Although the alarm message is present on the LCD after it comes up, the alarm light should stay on until the alarm has been cleared. Inserting or removing USB LCD module. The alarm message is present on the LCD after it comes up. This is a cosmetic issue, and does not indicate a system issue. Workaround: Run system_check manually. |
430915 | When a power supply or fan tray FRU is inserted into a running BIG-IP system, a critical alarm may be raised indicating low power and/or fan speeds. This is due to the amount of time it takes for the power and/or fan speed levels to reach their steady state levels relative to when the sensors are monitoring them. Insertion of power supply or fan tray FRU. Critical alarm raised for temporary, non-serious issue. Workaround: None. |
431936 | The SASP monitor does not mark pool members down when the GWM server cannot be reached. The GWM server does not send a RST packet to terminate its connection to the SASP monitor in case of a network failure. The pool members are not marked down for a SASP monitor in case of a GWM/network failure. They are marked down when the TCP connection to the GWM terminates on a connection timeout which was observed around 10 minutes. This is the correct behavior. Workaround: Use the ICMP monitor in conjunction with the SASP monitor. The ICMP monitor should use the GWM server as its destination. This monitor should be associated with each of the nodes that are present in the pool using the SASP monitor. The pool members will be marked down when the GWM server cannot be reached. |
432407 | The GUI becomes inaccessible after the system logs become large and the user navigates to the log lists under System :: Logs. This is most likely to occur when the logging options are configured to show the most output, for example Enabled, Verbose, or Debug. The issue is most easily seen when Audit logging is enabled, particularly for MCP, which sends numerous messages to /var/log/audit; that log becomes large and, over time, might render the GUI inaccessible when the user attempts to view the log files through the GUI. Workaround: Configure the logging options to show only the most severe output (Emergency, Error, and so on), available under System :: Logs. If the system is already in this unresponsive state, issue the command 'bigstart restart tomcat'. |
433235 | When using certain iRules in congested traffic situations, it is possible for TMM to crash. There are several conditions resulting from iRules that require queuing; meeting all internal conditions generally requires high concurrency and rare sequences of internal events. Examples include: -- Using 'discard' in a 'when CLIENT_DATA' clause with aborts or half-closes queued by the peer. -- Using 'release' after a connection is closed. TMM cores. Workaround: Modify the iRules to handle these additional conditions. |
433572 | DTLS does not work with the rfcdtls cipher on the B2250 blade. This occurs as a result of hardware acceleration offload on the B2250 blade when using DTLS on vCMP. Workaround: None. |
434356 | When an internal or external data group is modified, the change is not reflected in a client SSL profile that references it. This occurs when modifying a data group configuration. Workaround: Restart tmm or re-apply the data group to the SSL profile each time the data group is modified. |
434364 | "When upgrading from 10.x or installing a 10.x originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions which had been generated from files in the 10.x install. If the filename being upgraded to file-object starts with a '.', then on initial load, bigpipe will give an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (external_monitor_file_object_key \| show \| list \| help) for 'external monitor file object'" The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.' The UCS will not install properly, and/or the configuration on initial boot will not load. Workaround: Edit the name of the file-object in question, which is found in /config/bigpipe/bigip.conf, to remove the leading '.' character from the object name, and make any references to the file-object match that change. |
434517 | If an HTTP_RESPONSE event fires due to the server sending an early response (i.e. a response before the entire request has been sent), then HTTP::retry does not work correctly. Client begins sending a request. The server responds before that request is completely sent. An HTTP::retry is called in the HTTP_RESPONSE event. Typically, early server responses are error conditions. Workaround: HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request. |
435332 | If there are users defined on a version 10.2.1 BIG-IP system to have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x. "Here is a sample user config from 10.2.1: user v-abban { password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/' description 'v-abban' group 500 home '/home/v-abban' shell '/bin/false' role administrator in Common }" Upgrade or load UCS fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit the bigip_sys.conf to have the role line as follows: ... role administrator in [All] } |
435385 | Unable to access the GUI. This occurs with frequent add/delete of vCMP guests. The speed at which the add/delete operations occur might also be relevant. TMUI becomes unresponsive. Workaround: To work around this, perform add/delete operations at a greater interval. To recover, run the command: bigstart restart. |
435488 | Cannot configure route domain for centralized management infrastructure (CMI) device unicast-address. (CMI is also referred to as device service clustering (DSC).) Try to configure non-default route-domain for CMI device unicast-address. Cannot configure route domain. This is not a supported configuration. If you use a route-domain address, the configuration does not work, and the system posts a number of log errors indicating that. Workaround: Do not configure non-default route-domain for CMI device unicast-address. |
435494 | DTLS handshake may fail when UDP messages are distributed round-robin among TMMs. "DTLS configuration. Round Robin DAG enabled for DTLS UDP packets." DTLS handshake could fail. Workaround: Disable Round Robin DAG for DTLS packets. |
435646 | lsn-pool inbound setting does not work when not associated with a virtual server. "lsn-pool with inbound or hairpinning enabled. That lsn-pool is not associated with a virtual server but is assigned by an iRule." Inbound and hairpinning are not enabled for subscribers using that lsn-pool when assigned via an iRule. Workaround: Create a virtual server for each lsn-pool. |
435814 | CGNAT connections for a single client might exceed connection limits. This occurs when the persistence-timeout value is fewer than 30 seconds on lsn-pools with connection limits. Connection limits are not enforced. Workaround: Set persistence timeout to a value greater than 30 seconds. |
436170 | When FIPS fails to attach, tmm crashes when attaching an SSL profile. This transient issue occurs because of a timing issue during software initialization, in which SSL initialization is occasionally called before FIPS attaches. TMM crashes during bootup. This is typically a transient issue, and not an indication of actual FIPS hardware failure. Workaround: Run the EUD test. If FIPS passes the test, a TMM restart resolves the issue. |
436813 | Messages for sync statuses differ when there is a sync config in memory that is newer than the one in the binary database, and the system is restarted. This occurs when you run set-sync-leader and then issue a bigstart restart before saving the config. On one system, the message posted is 'Not All Devices Synced', and on another, 'Changes Pending'. This issue is cosmetic only. The actual sync statuses will be correct. Workaround: Save the configuration on a device before rebooting it. |
436825 | Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. "All of these conditions must be true: - A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1. Upgrading to 11.0 or 11.1 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0. - It has a partition that has its default route domain set to a nonzero route domain - That partition contains nodes with no route domain set (so the default is used) - That partition contains other nodes in route domain 0" Those objects may no longer be addressable or able to connect. Workaround: "Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane." |
437226 | The SERVER_CLOSED execution counter is incremented by 2 for every 1 run when the flow is parked in CLIENT_CLOSE. This occurs in the stats for SERVER_CLOSED when the flow is parked in CLIENT_CLOSE. The stats for SERVER_CLOSED become inaccurate due to parking. Workaround: None. This is a cosmetic issue. TMM does not core. |
437768 | Do not use 'bigip1' as a device name. The BIG-IP system uses it as the factory default device name. This occurs when using 'bigip1' as the device name. You might see an error similar to the following: 01070710:3: Can't save/checkpoint DB object, class:devicegroup_device status:13 - EdbCfgObj.cpp, line 127. Unexpected Error: Loading configuration process failed. Workaround: Treat 'bigip1' as a reserved word, and do not use it for device names. |
437905 | "HTTP compression for certain image files may fail on the BIG-IP 2000s/2200s and 4000s/4200v platforms. As a result of this issue, you may encounter one or more of the following symptoms: - BIG-IP iHealth lists Heuristic H450131 on the Diagnostics : Identified : Low\|Medium screen. - The BIG-IP system resets the client connection. - You observe error messages in the following files with the same time stamp: /var/log/ltm :: -- crit tmm[19290]: 01010025:2: Device error: (null) Cave Creek compression error, err = -11. -- crit tmm[19290]: 01010025:2: Device error: (null) qa_dc_ctx_done: hw_comp Error. /var/log/tmm :: -- notice dcCompression_ProcessCallback() - : Recoverable error: stateful compression overflow. You may need to increase the size of your destination buffer and resubmit this request." "HTTP compression may fail on some BIG-IP 2000s/2200s and 4000s/4200v platforms. This issue occurs when all of the following conditions are met: The BIG-IP system is configured to use hardware HTTP compression. Note: This behavior is by default for BIG-IP platforms equipped with hardware compression. You can modify this behavior using the compression.strategy database variable. However, F5 recommends that you keep this database variable set to its default value because changing it may impact system resources. For more information, refer to the Profiles for Managing HTTP Traffic chapter in the BIG-IP Local Traffic Manager: Concepts guide. The BIG-IP system is compressing a Portable Network Graphic (PNG) image file." The client browser receives an incomplete image file and experiences a connection reset. Workaround: "To work around this issue, you must obtain an engineering hotfix for this issue and install it on the affected BIG-IP system. The engineering hotfix introduces a new quickassist.compression.buffsize_multiplier database variable whose value you must set to 300. To obtain an engineering hotfix for this issue, contact F5 Support. To modify the quickassist.compression.buffsize_multiplier database variable, perform the following procedure: Impact of workaround: Performing the following procedure should not have a negative impact on your system. 1. Log in to the Traffic Management Shell (tmsh) by typing the following command: tmsh. 2. Modify the value of the quickassist.compression.buffsize_multiplier database variable to 300 by typing the following command: modify /sys db quickassist.compression.buffsize_multiplier value 300. 3. Save the change by typing the following command: save /sys config." |
438177 | RSA key/cert pair must be configured as a default in the clientssl profile even when only DSA/ECDSA ciphers are used. This occurs when the cipher list contains only DSA/ECDSA ciphers. The connection cannot be established if no RSA key/cert is configured on the clientssl profile. Workaround: The clientssl profile must have an RSA key/cert configured. |
438324 | Virtual servers configured with Fast HTTP profiles can fail if TCP uses ipport hash on B2150/B2100 blades. The B2150/B2100 DAG (Disaggregator) hash cannot use both IP address and TCP port in selecting tmm in ipport mode. This occurs when TCP is configured to use ipport hash on B2150/B2100 blades and the virtual servers use Fast HTTP profiles. TCP-based virtual servers configured with the Fast HTTP profile can fail. Workaround: To work around this, you can either use port hash or use profiles other than Fast HTTP for TCP-based virtual servers. |
438666 | iControl/REST relies on automatic parsing of tmsh output in order to reply to requests. The structure of 'show sys raid array' does not provide that support, so the array-members statistics are dropped and not returned in the output. This happens for any 'stats' query on a BIG-IP system that has RAID. Clients cannot get array-members statistics using iControl/REST. Workaround: Use tmsh or other UI (iControl/SOAP). |
439507 | Running the qkview utility might take a very long time, up to 30 minutes, possibly longer if there are thousands of tunnels or virtual IPs created. This occurs when there are 500 virtual network interfaces or more in a configuration. qkviews are slow to generate. Workaround: Wait for qkview to finish, which might take up to 30 minutes. |
439628 | Updating the Dynamic Ratio of a node or pool member using TMSH or iControl, instead of a built-in dynamic ratio monitor such as SNMP, results in a 'configuration sync needed' status, or an automatic sync if auto sync is enabled. This occurs when the following conditions are met. - Multiple devices in a device group. - Updating dynamic ratio via TMSH or iControl. - For automatic sync, auto sync is enabled on the sync-failover group. The sync status might unexpectedly transition to 'Changes Pending'. If automatic sync is enabled, the device group performs a ConfigSync immediately. If automatic sync is enabled, and the dynamic ratio is updated frequently (such as by an External monitor or an iControl script), the following additional impacts may occur: - An administrator's pending changes to the configuration may unexpectedly roll back on a receiving device. - A sync conflict may potentially occur. Workaround: "The following 'guishell' command syntax can be used to update the dynamic ratio as an alternative to using TMSH: guishell -c "update pool_member set dynamic_ratio=dynamic_ratio_number where pool_name='/path/pool_name' and node_name='/path/node_name' and port='port#'". The node name is the full folder path to the object name, which might be the node address with the pool folder prepended. In external monitor scripts, the node name is available in the NODE_NAME environment variable. Example: guishell -c "update pool_member set dynamic_ratio=123 where pool_name='/Common/SMTP_Servers' and node_name='/Common/10.50.5.251' and port='25'"." |
439860 | When a user enables or disables a virtual server, no SNMP traps are sent. However, when a virtual server changes up/down state due to pool member monitoring, the traps are sent. Workaround: None. |
440199 | Using the LCD buttons to change the console baud rate to anything other than 9600 or 19200 may cause the rate to default to 19200. This occurs when using the LCD to change the baud rate. Console input/output may not be usable after the changes. Workaround: Use tmsh to change the console baud rate for rates higher than 19200 baud. |
440365 | At upgrade or UCS installation time, one or more files which share the same name may not be copied to a staging location, eventually leading to an error message at configuration load time, of the form, 'File object by name (filename) is missing.' In a 10.x system it's possible that files of different types (e.g. certificates, keys, external monitors, etc.) which are to be upgraded to file-objects in an 11.x system may have identical filenames though they reside in different directories on the BIG-IP system. For instance, a certificate located in /config/ssl/ssl.crt/example and a key in /config/ssl/ssl.key/example, on a 10.x system which is to be upgraded, could cause this condition. Error at first boot of a newly upgraded partition, or UCS load time. Workaround: Rename the files that share a name, and update any references to them in the configuration, before upgrade. |
440431 | Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands. "This issue occurs when the following condition is met: A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command. The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging." The system logs invalid information. As a result of this issue, you may encounter the following symptom: -- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen. If $HTTP_STATUS is used within the Response Logging template, the output will be blank. Workaround: To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required. |
440959 | SNMP DCA monitor rejects delayed responses with an ICMP unreachable result. Within the threshold of the configured timeout and retry, in the event of an ICMP unreachable, the monitor sets the weight to the default (1). Configure a pool member with the SNMP_DCA monitor. Delay the SNMP server's response. Delayed SNMP responses are rejected by the monitor. Workaround: "Write an external monitor script, using the snmpget utility. For example: ------------ # values provided by bigd: $1 is the node address (strip the IPv4-mapped prefix) node_ip=`echo $1 | sed 's/::ffff://'` # example: use snmpget with 3 retries and a 5-second timeout; the address must be double-quoted so the shell expands it command=$(snmpget -v 2c -c private "$node_ip" -r 3 -t 5 .1.3.6.1.4.1.2021.4.5.0 .1.3.6.1.4.1.2021.4.6.0 .1.3.6.1.4.1.2021.11.50.0 .1.3.6.1.4.1.2021.11.51.0 .1.3.6.1.4.1.2021.11.52.0 .1.3.6.1.4.1.2021.11.53.0 .1.3.6.1.4.1.2021.9.1.2 .1.3.6.1.4.1.2021.9.1.9) To configure an external monitor: --------------------------------- -- tmsh create sys file external-monitor my_snmp_exec source-path file:/config/monitors/my_snmp2.sh -- tmsh create ltm monitor external my_snmp run my_snmp_exec -- tmsh create ltm node nodeA address 1.1.1.1 monitor my_snmp" |
441146 | Flooding on forwarding ports for some HSB equipped platforms are being delayed. The delays are due to the absence of an event-driven flushing of HSB L2 entries, when interfaces changes to a STP blocked state. This occurs with the BIG-IP 3900, 6900, 8900, 8950 platforms. This is seen with multiple parallel interfaces on the same VLAN between the BIG-IP system and a remote switch, with STP enabled. Delays are observed with the BIG-IP system again reverting to use the STP selected forwarding port, after the original forwarding port was disabled and re-enabled. Workaround: None. |
441719 | The CRYPTO command might trigger a core when using invalid algorithms (for example, using a symmetric key (hmac-sha256) instead of an asymmetric key (SHA algorithm)). This is a negative test that only helps to verify iRule completeness. This occurs when the CRYPTO:: commands use invalid algorithms. The system drops a core. Workaround: Only use the same type of algorithms (asymmetric or symmetric alone). |
441789 | If provisioning is changed too quickly, some processes are not allowed to properly finish. This can lead to core files. Changing provisioning levels before module daemons are fully up. Core file generation. Workaround: Wait several seconds between provisioning operations to ensure the daemons are running before re-provisioning. |
441796 | "When you run hsb_snapshot or qkview from the command line, this may cause a watchdog reboot. One or more messages similar to this appear in the log: info kernel: Program hsb_snapshot tried to access /dev/mem between 164e6b000 and 164e6c000." Running qkview or hsb_snapshot from the command line. System reboot. Workaround: Do not run qkview, or follow the workaround procedure in SOL10052. |
442227 | When using tmsh, a user can set the start time or end time for the database download schedule as 24:01. The supported time range is between 00:00 and 23:59. The user could set the download schedule to more than 24 hours in start time or end time using tmsh. The download schedule might behave randomly. Workaround: To prevent any problem with the schedule, set the time range between 00:00 and 23:59 or use the GUI to set the time. |
442409 | "Packet sizes greater than 6144 might cause panic and reboot on BIG-IP 3600 and BIG-IP 1600 platforms. The panic results in log messages in ltm log: - notice bge_fast_ifoutput: packet_data_compact failed to reduce pkt size below 4. - notice panic: ifoutput: packet_data_compact failed to reduce pkt size below 4." This occurs on certain types of gigabit Ethernet interfaces, and only on BIG-IP 3600 and BIG-IP 1600 platforms. Typically, this is an indicator that something upstream is sending an invalid list of xfrags. BIG-IP system operation is interrupted while the system reboots. Note that this error should never happen, but if it does, it indicates an underlying issue that needs investigation. Workaround: Set MTU below 4000. |
442489 | Licensed SSL and compression limits totals are not shown. Any multi-core system with SSL and/or compression licensed. Might result in confusion or assumption of different limits than actually exist. This is a cosmetic issue and does not affect system functionality. Workaround: None. |
442569 | Some benign SELinux errors that can occur in this release when installing a hotfix: -- /usr/sbin/load_policy: Can't load policy: No such file or directory. -- semodule: Failed! This occurs when installing a hotfix on the BIG-IP 5000, 7000, and 10000 platforms (with SSDs). The system presents messages that appear severe, but are actually benign: Can't load policy: No such file or directory and semodule: Failed! Workaround: None, but these errors are benign and SELinux corrects itself after reboot. |
442613 | After the user modifies tag map data group content, the tag replacement function may still use the old tag mapping data. After the user assigns a data group to a FIX profile's sender tag map attributes, the user modifies the content of the data group. The replaced tag may still be the data defined in the old data group, which causes the FIX message receiver to not recognize the tag and reject the message. Workaround: After modifying the data group, the user must remove the data group map from the FIX profile, update the profile, re-add it, and update the profile again. |
445430 | Although the Nominal and Minimum provisioning levels are not supported in this release of software, the system does not prevent them from being configured. When doing so, the system automatically provisions the vCMP module to dedicated. If the system has already provisioned vCMP to the dedicated level, then any running guests will be restarted. vCMP is provisioned as Dedicated and provisioning is changed to the unsupported Nominal and Minimum levels. vCMP guests will be restarted, which might result in potential traffic lost. Workaround: If vCMP is already provisioned, do not attempt to adjust the provisioning levels to Nominal, Minimum, or Dedicated. |
446712 | When FTP is used with LSN pools, the data connections do not count towards the LSN client connection limit count. FTP is configured with an LSN pool whose client connection limit value is greater than zero. Data connections (active/passive mode) are not counted. This might result in a subscriber being able to create more connections than specified by the LSN pool client connection limit. Workaround: None. |
446713 | First boot to v11.5.0 causes daemon restarts and error messages on B4300/B4300N blades. This happens on each blade except blade1 (which is the Primary). When this occurs, the system posts various error messages and the daemon restarts. Workaround: None. |
446717 | When running 'tmsh show sys hardware' on the Primary blade, the 'Blade Temperature Status' reports a blade other than the Primary. In addition, all other slots under this category are not reported. This occurs when running the command 'tmsh show sys hardware' on the Primary blade. tmsh reports the wrong slot under 'Blade Temperature Status' on the Primary blade. Workaround: To find out the temperature status of the Primary blade, use the EUD sensor test. |
446963 | When messages are queued after processing of the HUDCTL_ABORT, processing those messages might cause a crash. After processing ABORT, no other messages should be processed. But in the case in which HUDCTL_SHUTDOWN is queued (by the SIP filter), HUDCTL_ABORT is processed and then HUDCTL_SHUTDOWN, causing the crash. TMM crashes and the system creates a core file. Workaround: None. |
448409 | The command 'load sys config verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect. This affects the ConfigSync communication channel if configured. The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted. Workaround: You can avoid this issue by using the 'load sys config verify' command 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the command: tmsh load sys config partitions all. |
448477 | devmgmtd (also known as devmgmtd++ on older versions) may crash during some provisioning operations. This happens during some provisioning operations. A core dump will be left on the device, but no further ill effects. Workaround: None. |
449158 | iRule: nexthop to 'vlan:mac address' does not forward the packet. HTTP request to a vs:80 with a default pool and an iRule that specifies nexthop to a MAC address on the internal VLAN. Packet forwarding does not occur. Workaround: None. |
449502 | Diameter monitor script doesn't allow custom grouped AVPs that contain only a single element. Capabilities Exchange Answer (CEA) with a custom grouped AVP containing only a single attribute. Duplicating the attribute in the Diameter monitor script doesn't work either. The monitor will fail. Workaround: Use multiple attributes, or use non-custom grouped-AVP. |
449747 | All of the self links and reference links in iControl REST responses will contain localhost instead of an IP address or a hostname or an FQDN. This occurs when using iControl. iControl REST clients will need to substitute 'localhost' with the correct server name (or IP address or FQDN) when navigating links returned in responses. This is by design. Workaround: iControl REST clients will need to substitute 'localhost' with the correct server name (or IP address or FQDN) when navigating links returned in responses. |
450671 | "A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms: -- Client applications may not respond or appear to hang. -- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system." This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable. In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back the ICMP message with type 13 ('administratively filtered'). Workaround: None. |
453232 | The double-tagging packet stats counters are only supported on the VIPRION blades: B2250, B4300, B4340, and B4350, and on BIG-IP platforms: 10000, 10050, 10050N, 10200, 10250, 12050. Double-tagging packet counters are not supported on the B2100/B2150 VIPRION blades or the BIG-IP platforms 5000 series and 7000 series. The system is configured for and passing double-tagged traffic and showing zero values for the Double Tagged Packets stats in the GUI, TMSH, or via the iControl APIs. When running the command 'tmsh show net interface all-properties' on the unsupported platforms, 'DoubleTag Pkts In' and 'DoubleTag Pkts Out' always show a value of 0 (zero). Workaround: None. |
453362 | SSL forward proxy does not work with OneConnect when there are multiple connections from the same client to the same server. This occurs with virtual servers configured with OneConnect. SSL forward proxy does not work. Workaround: Multiple connections worked fine without OneConnect. |
454209 | TMM crash on UDP DNS virtual without datagram-load-balancing enabled. DNS virtual server without datagram lb mode. TMM crash with a backtrace including dns_dev_pool coring at line 360. Failover and potential traffic interruption. Workaround: Enable datagram-lb-mode in the UDP profile used by the DNS virtual server, or turn off DNS queuing via the db variable dns.queuing. |
454640 | Secondary blades' mcpd instances might restart on boot. This might occur intermittently on VIPRION bladed systems or VCMP guests. This might be the result of a race condition that occurs when /config is synced between the blades and when the mcpd process starts. The mcpd process restarts on secondary blades. The process eventually returns to normal, and the system finishes booting. The system posts messages similar to the following: 01071038:5: Secondaries couldn't load master key from the database. 01070734:3: Configuration error: Configuration from primary failed validation: 01071029:5: Master Key not present. Workaround: This issue has no workaround at this time. |
454671 | When SIP is used with LSN pools, the media connections do not count towards the LSN client connection limit count. SIP ALG is configured with an LSN pool whose client connection limit value is greater than zero. Media connections are not counted. This might result in a subscriber being able to create more connections than specified by the LSN pool client connection limit. Workaround: None. |
454672 | When RTSP is used with LSN pool, the media connections do not count towards the LSN client connection limit. RTSP is configured with LSN pool whose client connection limit value is greater than zero. Media connections are not counted toward the LSN pool client connection limit. This might result in a subscriber being able to create more connections than specified. Workaround: None. |
455090 | The hashtag character '#' is a Tcl comment command that causes the Tcl parser to ignore the rest of the line. When user inserts a '#' character to a command that has an open curly brace ({) at the end of line, there is a mismatch of open and close braces. However, the user can save the iRule script through the web interface and TMSH. "1. '#' at the start of a line that ends with '{'. 2. The ending '{' perfectly matches a '}' in the script." When the iRule script runs at traffic time, system fails. Workaround: Comment out or delete the matching closing '}' brace character. |
455467 | QinQ VLAN functionality requires supported versions of software running on the guest and host. "QinQ VLAN configurations fail to load on vCMP guests The host or guest has a QinQ configuration object and is not running QinQ supported software" "This only applies to QinQ VLANs in a vCMP environment. This does not impact legacy vCMP VLAN functionality (non QinQ VLANs configured per guest on the host)" Workaround: None. |
455525 | "If for some special reasons the role and partition information are not present, there are two cases where this might occur: When the user's role and partition information is not provided, by default, the no-access role and all partitions are assumed. If the user's role and partition are explicitly deleted, this is also allowed with no further error message. This is potentially useful in cases where you want to preserve the user data, such as the password, for later re-activation of the user. In both cases, the user cannot login successfully due to the lack of the necessary role-partition information." User's role and partition information is missing or removed. The user with missing role and partition information is prohibited from login. Workaround: None. |
456024 | When vCMP is not provisioned, and you load vCMP guest objects, the guest state changes to CONFIGURED to avoid failing to load the entire configuration. This occurs when you save a UCS file from a vCMP-provisioned host with guests in the PROVISIONED or DEPLOYED state. After loading the UCS, the BIG-IP system successfully reboots into vCMP mode, but the guests cannot automatically deploy. Workaround: You must manually change the state of desired guests to PROVISIONED or DEPLOYED. |
456378 | When using the ipother profile, if there is an iRule that fires on CLIENT_ACCEPTED that contains a discard or reject action, TMM fails over. Virtual server with ipother profile and an iRule firing on CLIENT_ACCEPTED with discard or reject action. TMM cores. Workaround: Use CLIENT_DATA as the firing event for the iRule. This has the same expected result when discarding the connection. |
456508 | Deleting persistence entries using iRules in Port block allocation (PBA) mode does not completely remove persistence. This occurs because having a PBA block implies that some persistence exists. This occurs when the following conditions are met: -- LSN mode equals PBA. -- iRules use LSN::persistence-entry to create and delete address persistence entries. Using lsndb to view persistence entries may cause confusion as the deleted persistence entries might still be present. These persistence entries go away when they time out. Workaround: None. |
458527 | When running spanning tree, a BIG-IP device sends TCN BPDUs after receiving a topology change notification on its root port. A BIG-IP device is connected to another switch running spanning tree and the BIG-IP device is not the root switch of the tree. No observable network impact from the TCN flag being sent in the BPDU. Workaround: None. |
458529 | When a BIG-IP system is running spanning tree protocol and receives BPDUs from another device containing a worse root path cost, it may not honor the hold timer value on the BPDUs received, and consequently it will send BPDUs at a faster rate than requested. Spanning tree is running and has a better root path cost than an adjacent switch that has a lower transmit hold count than what is configured on the BIG-IP system. Spanning tree BPDUs are sent out more frequently than they should be. Workaround: Set the transmit hold count on the BIG-IP system to be the same as on all other devices on the network that are participating in spanning tree. |
459471 | ssl-ocsp and ssl-cc-ldap auth profiles can contain the same name leading to issues when trying to delete them. ssl-ocsp and ssl-cc-ldap objects have the same name. Cannot delete both of these auth profile objects. Workaround: Do not create the two auth profiles with the same name. |
459671 | iRules source different procs from different partitions and execute the incorrect proc. Multiple iRule procs defined in multiple administrative partitions. The iRules "proc" lookup algorithm is not deterministic, or virtual servers are improperly caching and sharing the lookup results. Workaround: To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique. |
460500 | Cannot load config containing iRules signed with Global comments. This occurs when using iRules with Global comments (outside any WHEN block) before the first block or after the last block. Global comments between WHEN blocks do not cause any issue. The config file cannot be loaded, and the system posts the following error: 01071485:3: iRule (/Common/irule2) content does not match the signature. Unexpected Error: Loading configuration process failed. Workaround: You can use either of these workarounds: -- Delete the Global comments (outside WHEN blocks) that lie either at the beginning or at the end of the iRule (before the first or after the last WHEN block). -- Delete the signing entries (definition-signature and signing-key) from the config file before loading it. |
461140 | You cannot configure High Availability (HA) using IPv6 IP address formatting. This occurs when using IPv6-formatted IP addresses. When adding a peer device using an IPv6 address in the web interface, the system posts the following error message: 'java.io.IOException: Could not read response from server: ParseError at [row,col]:[1,150] Message: The reference to entity 'destaddr' must end with the ';' delimiter.' The system posts a similar error message when performing the same operation using TMSH: 'Unexpected Error: Could not add ca-device (error from devmgmtd): [evConnection.cpp:162 tryConnect] evConnect(m_ev, fd, (void *) &destaddr, sizeof(destaddr), &::evOutgoingConnection, this, &m_connId): Network is unreachable.' Workaround: Set up an IPv4 self IP in an HA VLAN (a VLAN on which each device can communicate with the other). Then add that self IP to the device. To do so, in TMSH, run a command similar to the following: 'modify cm trust-domain Root ca-devices add { 10.10.3.102 } username admin password admin name 8950-3.example.com'. Running that command retrieves the already-set-up IPv6 addresses (the management-ip, config-sync IP addresses, and network failover IP addresses that already exist on the peer device) and syncs them, so that HA device trust can work correctly. |
461199 | Memory increases when using certain iRule methods related to Diameter (for example, AVP::insert, AVP::replace, AVP::codes). Inside the underlying function dime_method_optional_args_parse, a call to the function Tcl_GetIndexFromObj was not decrementing the refcount of an object. This issue occurs when all of the following conditions are met: -- You have configured a virtual server to process Diameter messages. -- The virtual server references an iRule that uses Diameter-based commands, for example, AVP::insert, AVP::replace, AVP::codes. As a result of this issue, you may encounter one or more of the following symptoms: -- The BIG-IP system fails to process traffic for a brief period of time. -- The BIG-IP system fails over to another host in the device group. -- TMM generates a core file in the /var/core directory. Workaround: None. |
461375 | The dhcp-enabled property was removed because it cannot be modified and its presence can lead to misunderstanding the configuration. This occurs in version 11.6.0. Can cause misunderstanding of the configuration data. Workaround: None. |
461524 | Unable to install ISO software images or hotfixes using iControl REST. Using iControl REST to install software images or hotfixes. The system posts an error: Operation is not supported on component /sys/software/image, and the operation fails. Workaround: Use the GUI or TMSH to install software images or hotfixes. |
461776 | Setting the DB variable 'qinq.cos' to 'outer' has no effect on the VLAN priority of packets arriving at customer-tagged interfaces and does not correctly affect the egress Class-of-Service (CoS) mapping. Q-in-Q VLANs on customer-tagged interfaces. Using the outer tag to affect VLAN CoS is not supported. Workaround: None. |
462043 | On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', a packet's inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged. On 5000 and C2400 platforms. Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0. Workaround: None. |
462507 | If CGNAT Port Block Allocation (PBA) is configured for block lifetimes, when the lifetime expires, the system terminates any flows still associated with that port block. However, SIP media flows cannot be terminated, so the block cannot be released until the media flows terminate. This occurs when the following conditions are met: -- Using CGNAT PBA mode. -- Block lifetime set. -- Using SIP-ALG. -- Media flows outlive block lifetime. Blocks cannot be released as expected until media flows terminate. Workaround: None. |
462524 | When a User-Agent identifies a browser which has known compression limitations, the 'browser workarounds' disable compression. Browsers requiring these workarounds include: -- Microsoft Internet Explorer 6.0 -- Netscape Navigator 4.1 -- Netscape Navigator 5.0. Unfortunately, the functionality will falsely identify many modern browsers as needing compression workarounds, disabling compression. Enable HTTP compression browser workarounds. HTTP compression will not compress responses for modern browsers. Workaround: Disable browser workarounds. If legacy clients require compression workarounds, use an iRule that selectively disables compression depending on the User-Agent. |
462754 | The system does not support SSL mirroring with L7 mirroring. When an SSL connection is mirrored, after a few failovers the connection is reset or the response is delayed for up to several minutes. This occurs when SSL connections are mirrored. The connection is reset or the response is delayed for up to several minutes. The BIG-IP system does not forward requests to the server. In addition, you cannot use L7 features like iRules on mirrored SSL virtual servers. Workaround: None. SSL mirroring is not supported with L7 mirroring. |
462881 | tmsh allows configuration of a virtual server with mismatched ip-protocol and transport-layer profile. For example, ip-protocol tcp with a UDP profile or ip-protocol udp with a TCP profile. Configure a virtual server with mismatched ip-protocol and transport-layer profiles (e.g. ip-protocol udp, profiles { tcp }). Traffic reaching a misconfigured virtual server can crash tmm, resulting in an outage. Workaround: Configure virtual server with matching ip-protocol and transport-layer profile. |
463970 | When using 'LB::reselect pool current_pool' in an iRule, the pool stats do not get increased/updated (although virtual server stats do get increased as expected). This occurs when using an iRule containing the LB::reselect pool pool2 command in LB_SELECTED. The pool stats don't get increased (tmsh show ltm pool), resulting in misleading stats reporting, and possibly incorrect traffic-based load balancing. Workaround: Add extra logic in the iRule to ensure the redundant call to LB::reselect pool SAME_POOL is not performed. To do so, you can use an iRule similar to the following: if {[LB::server pool] ne "/Common/pool_name"} { LB::reselect pool "/Common/pool_name" } |
464437 | TMM crashes while loading an external data group that has already been loaded. External data group is already loaded, and is then re-loaded. TMM crashes. Workaround: To avoid this issue, wait a few seconds between loading and reloading the same external data group. |
464923 | Trying to use a netHSM key without the HSM license causes the SSL handshake to fail with a general error in sign server key exchange. This issue might occur when using netHSM without HSM licensing. The system posts potentially confusing errors similar to the following (with SSL debug logs turned on): -- debug tmm3[28399]: 01260009:7: Connection error: ssl_hs_vfy_sign_srvkeyxchg:8309: sign_srvkeyxchg (80) -- info tmm3[28399]: 01260013:6: SSL Handshake failed for TCP 10.10.10.13:47804 -> 10.10.10.23:443 Workaround: License HSM. To determine whether this is the issue related to these messages, you can turn on tmm.verbose. Then, if netHSM is not licensed, you can see the following message in /var/log/tmm: notice No license for external HSM. |
466016 | When the primary blade is rebooted, the system may flush the routing table before the secondary blade becomes active, and that can cause traffic outages. Traffic flow may be impacted. Workaround: Force a blade failover first, before rebooting the blade. With failover, the new blade will become primary and pick up routing functions before the routing daemons are killed. |
466285 | When certain users switch partitions, their displayed role shows Unknown. After a few seconds, the appropriate role displays for the active partition. A user with access only to specific partitions switches partitions. This occurs only with the Chrome browser. Unknown is shown as their role in the top bar in the GUI. This issue is only cosmetic; the user's actual role changes immediately. Any activity in the intervening time period is performed as the user's true role in that partition. Workaround: Use the Firefox or Internet Explorer browser. |
466837 | Using the GUI to modify a virtual server with multiple profiles results in multiple audit logs. This occurs with multiple profiles on a virtual server. The system writes multiple audit logs for a single user transaction. This is intended functionality. Workaround: This issue has no workaround at this time. |
467043 | Modifying banner and banner-text while the sshd service is disabled results in an error. This occurs when modifying banner and banner-text while the sshd service is disabled. The system posts an error. Workaround: Change the configuration order to enable login before the banner change, or perform the operations in separate commands: -- tmsh modify sys sshd login enabled banner disabled banner-text none -- tmsh modify sys sshd login enabled -- tmsh modify sys sshd banner disabled banner-text none |
467089 | When performing a policy-sync, the GUI disconnects from the BIG-IP system, and the Administrator will not be able to access the platform. This most often occurs when a large number of devices are within the device group being synced to. The exact number of devices that will cause this issue depends upon the specifications of the platform you are using (less powerful machines might be affected while syncing to smaller numbers of devices) and the size of the policy being synced. If the policy is large or contains hosted content files, you are more likely to experience this issue. Once disconnected, the GUI does not always reconnect to the server, which means you must connect via SSH and then run the command: bigstart restart tomcat. This restarts the GUI. Once back up, the GUI should be usable. Workaround: Run the command: bigstart restart tomcat. This restarts the GUI. Once back up, the GUI should be usable. |
468505 | tmsh crypto commands fail when executed in tmsh batch mode. tmsh batch mode and 'sys crypto' commands. tmsh crypto commands fail when executed in tmsh batch mode. Workaround: Run the tmsh 'sys crypto' commands outside of a 'cli transaction', i.e., not in batch mode. |
469035 | If the configuration includes encrypted items (for example, an LDAP bind password) that are empty strings, a SecureVault rekey operation fails. Empty string as an encrypted configuration item. This might occur when using the tmsh command 'modify /sys crypto master-key', or during the introduction of a device into a Trust Domain. The rekey operation fails, and the system posts an error similar to the following: 01071029:5: master_decrypt failed during rekey. This might result in a ConfigSync failure. Workaround: Do not use empty strings as passwords. Alternately, remove the problematic configuration object (which may require changing system authentication to a different source), perform the rekey operation, and then recreate the configuration. |
469366 | A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems. On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g., /Common/serverssl) has been modified, and is present in /config/bigip.conf. An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.' Workaround: One of the following: 1. Manually replicate the changes on the base profile to the system that is sourcing the config sync. 2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation. 3. Perform a sync in the other direction. Important: Performing a sync in this direction overrides any unsynced changes on the other system. |
469549 | Upon reviewing the log file in /var/log/ltm, a user may see the following error: err mcpd[8105]: 01070820:3: User Modification Denied: User (root) may not change the role of system account (admin). This only happens during the first reboot after a software install. If the error is seen again, the audit log should be checked. There is no known impact at this time. Workaround: None. |
470203 | Setting a remote syslog destination to a localhost address results in recursive log messages. Using 127.0.0.1 or a hostname resolving to it as a host for syslog's remote-server. Using a localhost address as a remote syslog destination results in continual log entries until the BIG-IP system runs out of disk space. Workaround: Use a non-local remote host for syslog's remote-server. |
470807 | When an iRule specifies a data group that is not in Common, or that does not have an explicit path to it, no error results when the iRule is saved or at runtime. User saves an iRule with a data group that is not in Common or that lacks an explicit path to it. When such an iRule is saved, it can cause all traffic to fail. Workaround: None. |
471492 | When running the IP reputation database on small (less than or equal to 4 GB) vCMP or VE instances, or on older platforms with less than or equal to 4 GB of memory, iprepd can use enough memory to make the system wait for disk I/O. This can make the system sluggish when disk operations are taking place. This typically exists on HDD-equipped systems only; SSD systems are typically not affected. Extensive disk I/O, such as logging to disk, rotating logs, or installing software, might result in a system that does not respond to user interaction as expected. Swap usage might increase as well. Workaround: Provision 'large control plane' in the GUI provisioning page. Alternatively, add 100 to the existing value of the db variable provision.extramb (which is zero by default). |
471835 | After changing the configuration while port blocks are active, the 'Active zombie port block' statistic may become invalid. More than one lsn-pool with overlapping address spaces, and virtual servers using these lsn-pools. Zombie timeout must be enabled on the pool and there must be active zombie port blocks. The PBA zombie statistics for the lsn-pool may be invalid. Workaround: None. |
472187 | When an internal virtual server is created for ICAP use without specifying a pool or source IP address, the resulting virtual server status is a gray-colored box. When the internal virtual server is modified to reference a pool, the virtual server status changes to a gray-colored circle. When the virtual server is modified from an internal virtual server to a standard virtual server, the virtual server status changes to a green-colored circle. When the virtual server is modified from a standard virtual server to an internal virtual server, the virtual server status remains a green-colored circle. This occurs when creating internal virtual servers for ICAP use without specifying a pool or source IP address. The status indicator might be confusing; however, it does not adversely affect functionality of the device. Workaround: Although this is a cosmetic issue, you can change the virtual server type from internal to standard and back to internal to have the gray status markers display green. |
472412 | When you force-offline a node, the associated pool member State shows 'Disabled (Only persistent or active connections allowed)', not 'Forced Offline (Only active connections allowed)', in the GUI. Force-offline a node, and then view the associated pool member State. Existing persistence records disappear, and connections get load balanced to the available pool members, which is forced-offline behavior. The state of the pool member is gray and 'disabled', not 'forced offline'. Workaround: None. |
472553 | eventd spins at 100% and memory consumption grows over time. If an eventd consumer is deleted while there are events pending, eventd can spin at 100% and its memory consumption will grow. System may be impacted due to eventd cycle usage, and eventually experience increasing memory consumption. Workaround: None. |
472573 | Cannot set a password of 14 characters (the maximum length) for the security officer. Occurs when the following conditions are met: -- NG FIPS security device installed. -- Initialize FIPS security domain. -- Attempt to set password of maximum length (14 characters). Setting a password using more than 14 characters prevents the creation of the security officer password, and causes device initialization to fail. Workaround: Use a password shorter than 14 characters for the security officer. |
472581 | Trying to use 'default' as the FIPS security officer password results in an invalid encryption error from the fips-util. Trying to use 'default' as the FIPS security officer password. You cannot use the word 'default' as the security officer password. Although this is expected behavior, the error message posted does not provide a relevant explanation. The system posts errors similar to the following: -- Invalid encrypted password. -- Failed to set security officer's password: 1073742342. -- Failed to create security domain. -- INITIALIZATION FAILED! -- The FIPS device is NOT operational. In version 11.1.0 and earlier, the error was similar to the following: -- Creating crypto user and crypto officer identities. -- password should not be default. -- Failed to set security officer's password. Workaround: Use a password other than the word 'default'. |
473213 | Failed system fan emergency alert is exhibited as critical alert at LED and LCD screen. A failure of a system fan would cause this issue to appear. Relatively small event causes unnecessary critical alarm instead of just emergency level. This alarm should be treated at an emergency level and not critical. Workaround: None. |
473724 | If a DC PSU hot-swap is performed on BIG-IP 10000-series or 12000-series appliances, but the PSU is left unpowered, the front panel PSU LED is amber, but no other alerts, LCD messages, or LED indications are issued to indicate that the appliance is in a non-redundant PSU state. This occurs on BIG-IP 10000-series or 12000-series appliances if a DC PSU is hot-swapped but external power is not applied. FND850 DC PSUs for BIG-IP 10000-series or 12000-series appliances do not indicate their presence to the BIG-IP system until external power is applied. Thus, the presence of an unpowered DC PSU in this case is not detected, and its status is reported as Not Present. By design, no alerts are issued by BIG-IP for non-present PSUs. Operators may not be aware that the appliance is left in a non-redundant PSU state after a DC PSU hot-swap. This is expected behavior. FND850 DC PSUs for BIG-IP 10000-series or 12000-series appliances do not indicate their presence to the BIG-IP system until external power is applied. Workaround: When hot-swapping DC PSUs on BIG-IP 10000-series or 12000-series appliances, verify the success of the operation as follows: 1. Verify that the front panel PSU LED for the newly inserted PSU is green. 2. Verify that the status of the newly inserted PSU is reported as Good by the 'system_check -d' or 'tmsh show sys hardware' utilities. |
474179 | SOAP monitors configured with a leading colon ':' in the URL path fail. SOAP monitor configured with a leading colon ':' in the URL path. Monitor fails. Enabling monitor debug provides additional clues, indicating 'Error calling getaddrinfo'. Workaround: A leading ':' in a URL path is now allowed by RFC 3986, section 3.3. If the URL path is, in fact, a colon, then a leading slash should work (i.e., /:). No errors occur when embedding a colon in a URL path. If your URL path begins with a colon, you need to either escape the colon or add a leading slash. |
474797 | If malformed SSL packets are sent to the BIG-IP system, the following errors can be logged to /var/log/ltm: Device error: cn9 core general. crypto codec cn-crypto-4 queue is stuck. Malformed SSL packets being sent to the BIG-IP system. Error logs in /var/log/ltm. This is a cosmetic issue only, and the errors can be safely ignored. Workaround: None. |
475346 | The Expire Certificate Response Control setting in the Server SSL profile is not honored. This issue occurs when all of the following conditions are met: A virtual server with an associated Secure Sockets Layer (SSL) pool member is configured with an SSL server profile to request a server certificate. The SSL server is serving data with an expired certificate, and the certificate is not trusted by the BIG-IP system. The SSL server profile specifies that the system should not drop the connection if the certificate is untrusted. The SSL server profile specifies that the system should drop the connection if the certificate has expired. The BIG-IP system fails to drop the connection with the expired SSL certificate. This is expected behavior. Workaround: Although this is expected behavior, you can avoid the issue by not using expired certificates on your SSL server, or by using trusted certificates. |
475896 | tmsh load /sys config from-terminal of an external-monitor does not work. Specifically, running the following command does not work: load sys config from-terminal sys file external-monitor ext_monitor { source-path ... } This occurs when running the command 'tmsh load /sys config from-terminal' for an external-monitor. The system posts the following error: Failed: name (/Common/external_monitor_name) cache path expected to be non empty. This error prevents using cut and paste to configure external monitors. Workaround: None. |
475997 | When performing LAN-speed transfers of large files (hundreds of MB) over SSL, the throughput of the transfer drops significantly if hardware SSL offloading is performed. The performance drop is from ~30% to ~50%, depending on the cipher suite used. This issue occurs when hardware SSL offloading is turned on. The performance degrades by ~30% to ~50%, depending on the cipher suite used. Workaround: Setting the db variable 'scheduler.hsbpollmode.ltm' to 'always' can be used as a workaround for this issue. |
476010 | The inband monitor might not cause pool members/pools to be marked offline after the expected number of failures. A virtual server with an inband monitor. Traffic might be disrupted for a longer-than-expected period of time after a pool member goes offline. The issue might be more readily apparent when there is only one pool member. Workaround: None. |
476136 | On VIPRION B2250 and B4300/B4340N blades, you might encounter log entries of this type: notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE): error 01140012 or notice HA: ha_enabled_put(daemon_heartbeat, tmm, TRUE): error 01140012. This occurs only on VIPRION B2250, B4300, B4340N blades. The system posts the error messages. These messages are benign and can be safely ignored. Workaround: None. |
476398 | The TCP profile options Receive Window and Send Buffer are not used. TCP profile has Multipath TCP (MPTCP), Rate Pacing, or Limited Transmit Recovery enabled, or congestion algorithms illinois, woodside, westwood, cdg, chd, cubic, or vegas are selected. This prevents configuring these settings. Workaround: Modify TCP Auto Tuning by disabling sys db variable using the following command: tmsh modify sys db tm.tcpprogressive.autobuffertuning value disable. |
476544 | mcpd runs out of memory when a connection's send message queue has a lot of messages in it. The connection's m_current_msg_byte_cnt is high, but does not account for the entire 2 GB virtual memory space. mcpd cores and restarts if it runs out of memory. Workaround: None. |
476920 | Any iRule command that references an IP address may not resolve properly without an explicit route domain. This occurs when the route domain is not given as part of the address, in the form ip_address%route_domain_ID. The default route domain ID of the partition is not used with any IP-address-referencing iRule command. Workaround: Explicitly provide the route domain ID with the IP address. |
477705 | The 'untrusted-cert-response-control=drop' setting is not honored. This occurs when the following conditions are met: a virtual server is deployed with an SSL server profile that is configured to request a server certificate and drop the connection if the certificate is untrusted. The SSL handshake is not properly dropped. Workaround: This issue has no workaround at this time. |
477786 | Depending on the release, sending a SYN packet to a self IP address with Port Lockdown set to Allow None might respond to the SYN with a RST packet, or might silently drop the SYN. With Port Lockdown configured to Allow None, the LTM behaves differently upon receiving a SYN packet. In 11.3.0 and 11.4.1, when receiving a SYN packet the LTM replies with RST. In 11.4.0, 11.5.1, and 11.6.0, when receiving a SYN packet the LTM does not reply (sends a REJECT). Inconsistent behavior based on version: sometimes RST in response to SYN on a closed port, and sometimes nothing (REJECT). Because the traffic is not allowed in either case, there is no fundamental impact. This is primarily a behavioral difference between releases. Workaround: None. |
477967 | TMM segfaults when attempting to apply TSO processing to an outbound packet that does not need it. Occurs when applying TSO to packets. TMM crashes and the system fails over. Workaround: None. |
477992 | Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp. Create pool members via an iApp, and attempt to enable logging on the pool member. Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened. Workaround: If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled. |
478497 | Irrelevant alerts for malware and encryption modules were sent when phishing was detected, confusing diagnosis of threat. Workaround: None. |
478986 | When power is removed from the PSU but the PSU remains in the system, 'tmsh show sys hardware' reports the PSU as 'not-present'. This occurs when an installed DC powered PSU loses power, and the user runs the command 'tmsh show sys hardware'. Only the message is incorrect. Although the PSU is present, the system cannot read its data without power, so the system marks the PSU 'not present'. Once power is restored, all information is available. Workaround: Plug the power cable into the PSU. The system can now detect the power supply status and read the PSU info. |
479129 | TCP window scaling is not applied, which can be observed in transmitted packets containing small segments that are about the size of the unscaled window. SYN cookies have been activated. Poor performance / throughput. Workaround: None. |
479262 | The 'readPowerSupplyRegister error' is logged in the LTM log when a DC PSU loses its power. When a DC-powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power. When the system is in this state, you can safely ignore these messages. Workaround: None. You can safely ignore this error message in this case. |
479670 | If a licensing operation happens when the vCMP host and a guest have different blades as primary, then the status might show an incorrect number of downed links. vCMP host and guest have different blades specified as the primary. Although the system might report an incorrect number of downed links, this is a cosmetic issue. The system functions correctly. Workaround: Ensure that the host and guest have the same blades specified as the primary. |
479872 | Virtual servers configured without protocol profiles on both the clientside and serverside do not pass traffic. This occurs on virtual servers configured without protocol profiles on both the clientside and serverside. Attempts to connect to the virtual server might result in RSTs ('no local listener'), or the virtual address might not respond to ARP if there are no other functional virtual servers on the same virtual address. Virtual servers affected by this issue do not pass traffic. Workaround: If a protocol profile with a context (clientside or serverside) is specified when defining a virtual server, ensure that a protocol profile is specified for the peer context. |
480206 | IKE peer configuration objects in a non-Common partition are visible to all users in the GUI. If an IKE peer object is configured in a non-Common partition, users can see it in the GUI even though it does not belong to the Common partition. This causes inconsistent partition behavior for ike-peer objects in BIG-IP, and these objects will not be stored in their respective partition configuration files. Also, users in one partition can see the list of IKE peer objects belonging to other partitions. Workaround: None. |
481001 | Software auto update settings are not synced between two devices in a sync group. Conditions leading to this issue include performing a full sync with systems that have different auto-update settings. This can lead to software auto update settings not being consistent across two devices. Workaround: Adjust the software-update configuration on each device in a configuration synchronization group. |
483694 | If the primary blade of a cluster fails over and a new primary is elected, the new primary might not have up-to-date sync accounting information. If this happens, the sync state might be something other than 'In Sync', usually 'Not All Devices Synced'. Exact conditions are unknown. The system might unexpectedly advise the user to perform a CMI sync. Workaround: It is safe to perform the requested sync. |
483953 | ICMP type 3 code 4 (needsfrag) messages are elicited when TMM transmits packets at the TM.MinPathMTU size if the path MTU is lower than that value. Path MTU discovery results are cached by default. If a client responds to an IP datagram with an ICMP needsfrag message advertising a very small MTU (smaller than the value of the TM.MinPathMTU database variable), the cached path MTU value is set to the TM.MinPathMTU value even though packets of that size still cannot traverse the path. Because the cached result applies to the peer address, this can affect multiple endpoints that share a NAT address when a low MTU is advertised by a misconfigured or malicious endpoint behind that address. TMM may use and enforce a low path MTU for clients capable of handling a higher path MTU, but may use an MTU too high to reach clients whose path MTU is lower than TM.MinPathMTU. This metric lives for 10 minutes by default. Workaround: This issue has no workaround at this time. The route metric lifetime can be lowered using the route.metrics.timeout DB key. |
484542 | tmsh does not validate QinQ tag-mode and allows invalid values to be set. This occurs when a user sets QinQ tag-mode to a value other than 'none' on a platform that does not support it. No functional impact. Workaround: None. |
484683 | After config-sync, the other peer of a high-availability (HA) pair cannot show the summary of a cert-chain with 'tmsh run sys crypto check-cert verbose enabled'. Conditions leading to this issue include: 1.) Set up an HA pair. 2.) Import a certificate chain to one BIG-IP system. 3.) Run config-sync to sync the certificate chain to the peer BIG-IP system. The peer cannot show the summary of the cert-chain with 'tmsh run sys crypto check-cert verbose enabled' after config-sync. Workaround: Copy the cert-chain file to a location such as /shared/tmp/ and update the cert-chain from it, for example: root@(eng-3900A)(cfg-sync In Sync)(Standby)(/Common)(tmos)# modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_58761_1 |
485176 | The RADIUS::avp replace iRule command will core when only two arguments are passed to it. Must be running an iRule that executes a RADIUS::avp replace command with only two arguments. TMM cores, which can result in a failover. Workaround: None. |
485327 | By default the tmsh cli global-settings service value is name, which means that in a user configuration, ports are saved by their names rather than by port numbers. This occurs when upgrading. Loading a UCS configuration that contains port names fails on an upgrade if a port name is not present in /etc/services in the upgrade version. The failure message appears similar to the following: The requested value (*:hosts2-ns }) is invalid (ip_addr | member) for 'dest' in 'monitor'. Workaround: Run the following tmsh command before saving the UCS file: (tmos)# modify cli global-settings service number. The configuration then loads successfully on an upgrade. |
485714 | The bigd process goes into a restart loop, with the following log message in /var/log/ltm: Fatal error: An unexpected failure occurred while performing an OpenSSL cryptography operation. Root error: 10219:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:323: This issue occurs when a monitor has an encrypted password. The bigd process restarts repeatedly. Workaround: Enter the plaintext password in the Monitor UI page. |
486722 | The default config-sync timeout is 300 seconds. This is not sufficient when the configuration includes thousands of FIPS keys; the config-sync operation times out and reports failure. This occurs in a FIPS HA setup with thousands of FIPS keys in the configuration. Config-sync fails. Workaround: Increase the config-sync timeout value. The required value depends on the size of the configuration and the TMOS version. You can increase the timeout using the following commands, in order: tmsh modify /sys httpd fastcgi-timeout timeout-val; tmsh save sys config; bigstart restart httpd. |
486735 | The maximum connections statistic is not accurate when TMM load is unevenly distributed. The statistic reports the sum of the per-TMM maximum connections, not the maximum number of concurrent connections seen by the virtual server as a whole. This occurs when the load disaggregated to the available TMMs is uneven, so the individual TMMs reach their maximums at significantly different times and the sum is higher than the true peak. Workaround: Ensure the configuration matches traffic patterns, so that connections are evenly distributed across all TMMs. |
487660 | LSN Translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN. Persistence is enabled on the LSN pool, and cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN, when the lsn-pool port range is relatively small (under 1000), or a blade is added or removed. Translation mode is NAPT or PBA. Translation failures. The system posts an error similar to the following: debug tmm9[25268]: 01670012:7: [0.9] Translation failed client 200.200.200.101,10096. Workaround: Adequately provision the LSN pool. |
487795 | Front panel Ethernet TX pause is currently disabled on the B4200, B4300, B2100, B2150, B2250, 5000-series, 7000-series, 10000-series, 11000-series, and 12250 platforms. Front panel Ethernet TX pause flow control is non-functional on these platforms. Workaround: None. |
489957 | The RADIUS::avp command fails when AVP contains multiple attributes (VSA) within an AVP. One AVP contains multiple attributes (VSA). RADIUS::avp command fails. Workaround: None. |
490121 | PVA current and maximum stats are incorrectly reported when using a FastL4 profile with a SERVER_CONNECTED iRule event. For each connection that is established, the current connection count is incremented twice and decremented only once when the connection is terminated. This leads to a lingering connection, which skews the stats. A fastL4 virtual with a SERVER_CONNECTED iRule event. The current and maximum PVA stats are incorrectly reported. Workaround: This issue has no workaround at this time. |
491032 | The performance of a single SSL connection to a guest running on a Nitrox PX based platform is about half the speed of running the same operation on a BIG-IP system. This is due to limitations of the virtualization method used for the SSL hardware on these platforms. Run a single SSL connection such as https curl to a guest running on a Nitrox PX based platform. Performance of a single SSL connection is about 50% slower than expected compared to the performance of the same platform running in non-vCMP mode. Workaround: This issue has no workaround at this time. |
491076 | When a blade fails, any non-mirrored connections on that blade are lost. The loss of these connections is not correctly accounted for when determining LSN client connection count limits, so some clients may reach their connection count limit prematurely. This occurs on blade failure on a chassis-based system, and is most likely when the default DAG is configured on LSN VLANs. Client connection count limits are reached prematurely. Workaround: To make the client connection counter accurate again, an affected client must have no active connections and make no new connections for longer than the configured timeout of any of its connections (default 300 seconds). After the client connection counter entry times out, the counter accurately reflects the number of client connections. |
491116 | When BIG-IP systems are in HA with auto-sync enabled and full-sync disabled, and there are changes made to clientSSL profiles that are associated with virtual servers, and the changes are synced manually, 'TMM clock advanced' messages could be seen in the LTM logs. BIG-IP systems in HA with auto-sync enabled, full-sync disabled. Changes made to ClientSSL profiles associated with virtual servers. Manual sync. Generally minor and transient, some potential for partial disruption. Workaround: None. |
491894 | A sync group may go red and log a sync error while a full sync is still in progress. Exact conditions are unknown. The state of the sync group goes red momentarily and a log message is produced; however, the sync eventually succeeds. Workaround: None. |
493060 | If dynamic multicast routing is enabled and a system originates multicast traffic on a VLAN that is a child of a VLAN group, the traffic may not be bridged to the other child VLAN. Dynamic multicast routing enabled, and VLAN group configured. Global multicast traffic does not traverse VLAN groups. Workaround: None. |
493061 | The priority order of Diameter Router Profile static routes is determined by their order in bigip.conf. In the GUI, it appears that the user can assign a priority order to static routes for a Diameter Router Profile, but the order of precedence is actually the order in which the routes appear in the 'routes' list within the Router Profile configuration in bigip.conf: if multiple static routes are attached to a Diameter Router Profile, the first route that appears in that list is the one the system uses. Workaround: To change the priority order of static routes for a Diameter Router Profile, manually edit the bigip.conf configuration file, or use tmsh to order the static routes in the Router Profile. |
493100 | vCMP guests support a db variable tmm.wlite.pinning which will "pin" a guest to a specific nitrox device. This setting is not dynamic and requires a restart of guest or guest tmm. vCMP guest running on a Nitrox PX based platform that uses worker lite Changing the db variable will not automatically affect the running guest until the guest tmm is restarted. Workaround: Redeploy the guest or restart the guest tmm |
493206 | A virtual server that is assigned to a static route is not honored. Specifically, traffic is not filtered to be only on that virtual server. A static route is configured with a virtual server. The traffic continues to be routed to the static route without matching the virtual server. Workaround: None. |
494019 | System matches to previous Diameter Route Application ID after modifying the application ID value. This occurs after modifying the application ID value for a Diameter Route object. The Diameter Route might continue to match Diameter messages against the old application ID until TMM is restarted. Workaround: Always restart TMM after changing the value of application ID in a Diameter Route. |
495242 | The system posts the following message in the mcpd log: Failed to unpublish LOIPC object. This is an intermittent issue that occurs on standby systems in High Availability configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either it has already been removed or it was not created. The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory). This is a benign error that can be safely ignored. Workaround: None. |
496038 | After a chassis fan tray is removed, the system_check utility still shows the stale data from time before the removal. Remove chassis fan tray There is a warning in the ltm log when the chassis fan tray is removed. So, the impact of the system_check inconsistency is small. Workaround: None. |
496137 | No messages are logged to /var/log/boot.log on the following platforms: VIPRION B2100, B2150, B2250 blades; BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances. Affects only those platforms. Missing diagnostic information that would otherwise be logged to /var/log/boot.log. Workaround: None. |
496155 | tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis. When there are multiple slots on a VIPRION chassis, and the command is executed on a secondary from the primary. Results are not reported correctly in tmsh. Results display a fluctuating number of src ip persistence entries. Workaround: Specify the virtual server name in the tmsh command directly, instead of running the command for all virtual servers. |
496788 | MPI failures and a slow failover are observed when B4340N devices, which were attached and used by TMM, become unavailable. Random PCI resets can cause the issue to appear. Momentary loss of traffic passing on the B4340N platform until failover completes Workaround: None. |
497304 | When deleting an HTTP iApp, the system posts errors similar to the following in the LTM log, along with similar sync errors in the GUI: -- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16). -- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16). Conditions: auto-sync must be enabled, and the HTTP iApp must have been reconfigured before deleting it. Sync failure; the iApp cannot be deleted manually after the error occurs. Workaround: Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync. |
500303 | Occasionally, when the virtual server status changes, the virtual address status may not be communicated to the routing services (that is, the tmrouted service). This can result in incorrect routes. Exact conditions are unknown, but it can occur when the virtual server status changes. Virtual addresses may have advertised routes while they are down, or vice versa. Workaround: None. |
500317 | When using FastL4, connections might not be immediately removed from the connection table, taking up to 60 seconds to be removed. This requires a FastL4 profile with loose-init enabled and loose-close disabled. Connections are not immediately removed from the connection table, which consumes additional memory on the unit and can affect traffic. Workaround: Disable loose-init or enable loose-close. |
500648 | LSA update packets are not sent out within the expected time, leading to expiration of the LSA update timer, and SNMP traps are sent as a result. This occurs on BIG-IP systems in a high availability setup with OSPF configured with peer nodes. Can generate false alarms. Workaround: None available. |
501984 | When an iRule fails in LB_SELECTED, it is possible for TMM to crash. The TMM failure is dependent on timing. Using iRules with a rule for when LB_SELECTED on a vip. TMM outage resulting in brief loss of service or HA failover. Workaround: None. |
503037 | Issue when configuring a Self certificate whose name length is greater than or equal to 64. Configure a certificate name with a length greater than or equal to 64 bytes. - If the Name value is longer than 63 characters and the Issuer is set to Self, the system creates the certificate and key, but truncates the object name at 63 characters. There is no warning message in this case. - If the Name field is longer than 6 Workaround: Use fewer than 64 characters for Self certificate names. |
504827 | TMM crash with panic string 'top filter' appearing in the TMM log. Conditions: a DHCP relay virtual server configured so that it conflicts with another virtual server's address/port. A rarely encountered TMM crash, which might result in a network outage. The system posts a message similar to the following: notice panic: ../modules/hudfilter/hudnode.c:310: Assertion 'top filter' failed. Workaround: Avoid configuring virtual servers that share address:port with a DHCP relay virtual server. In releases prior to version 11.6.0, use regular IP forwarding virtual servers if the virtual server is not for relay but only for forwarding. When the virtual server destination is not 255.255.255.255, it is typically for forwarding, not for relay. |
505037 | Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool. Secondary in a restart loop. Workaround: Remove the gateway failsafe device. Re-apply when the blade is up. |
506459 | If multiple IPsec tunnel interfaces are established, some of their IPsec traffic selector stats may not show up on CLI and GUI. When there are multiple IPsec interfaces, running the command 'tmsh show net ipsec ipsec-sa' shows all of the existing traffic selector stats. However, if the command is specified with a traffic selector name, some of the traffic selector stats do not show up. The display does not show the traffic selector stats. The tunnel works correctly; this is a display issue. Workaround: Run the command 'tmsh show net ipsec ipsec-sa' to show SA status for all IPsec |
506543 | Disabled ephemeral pool members continue to be selected for new connections. FQDN parent node is disabled causing its derived ephemeral pool members to be marked disabled. Unexpected traffic load balanced to disabled pool members Workaround: None. |
507140 | Sod daemon stalls while writing to syslog, and is halted repeatedly on startup. DNS failure while multiple syslog connections are being established. Sod daemon does not start successfully. Workaround: There are two workarounds: -- Remove duplicate remote servers in syslog configuration. -- Add 120 seconds delay in sod startup script. |
507206 | Multicast Out stats are always zero for the management interface. Statistics information on the management interface. The Multicast Out stats can help determine whether multicast network failover is working (from looking at a qkview). The missing stat might also delay or confuse other troubleshooting activities unrelated to network failover. Workaround: Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'. |
507566 | GUI fails to successfully make edits to an external datagroup file. A large external datagroup is loaded and edits are attempted via the GUI. The datagroup file is not updated correctly, and the system posts no error messages. iRules/datagroup dependent functions might fail to behave as expected. Workaround: Use TMSH to make edits to external datagroup files. |
508361 | The bcm56xxd daemon keeps restarting and generating core files with signal SIGABRT. This happens when too many VLANs are configured. All switch ports stop working, since bcm56xxd does not function as expected. Workaround: Disabling the bcm56xxd heartbeat may help: # tmsh modify sys daemon-ha bcm56xxd heartbeat disabled. The heartbeat can be re-enabled with: # tmsh modify sys daemon-ha bcm56xxd heartbeat enabled. |
509202 | Scripts may retain a reference to a flow after being aborted in the presence of a periodic after command. Abort a flow while a periodic after command is pending Zombie flows/memory leak Workaround: None. |
509568 | Mirrored DS-Lite connections on a standby device are dropped within 60 seconds. Connections are not carried over in a failover. CGNAT, DS-Lite tunnels on a mirrored traffic group, high-availability active-standby configuration. DS-Lite connections are not mirrored and are therefore lost on failover. Workaround: None. |
510588 | When using a non-default trunk.cluster.distribution mode with a cross-blade trunk, if the only remaining trunk member for a slot is disabled, re-enabling that (non favor-local) trunk member interface results in trunk errors. A re-enabled local trunk member interface of a balanced cross-blade trunk (that is, one using non favor-local members) may not function correctly. Workaround: A restart of the bcm56xxd daemon may be required to re-add all the trunk members of a balanced cross-blade trunk. |
510612 | If a TCP virtual server is configured with loose init and hardware syncookie is also enabled, the flow is not set up when hardware syncookie is triggered. This occurs on a TCP virtual server with loose init and hardware syncookie enabled and triggered. Failed ACKs are sent to the virtual server and cause numerous RESETs. Normal traffic continues without error. Workaround: Avoid combining hardware syncookie and loose init. |
511324 | The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message. HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it. The connection is reset. Workaround: None. |
511326 | The BIG-IP system does not forward messages when configured as SIP ALG with translation. The BIG-IP system is configured as SIP ALG with translation, and the subscriber sends a SUBSCRIBE message to receive a notification. The Subscriber does not receive any notification regarding the subscribed events. Workaround: None. |
512130 | Remote role group authentication fails if there is a space in the attribute name of the remote-role role-info. This occurs when the auth remote-role role-info attribute string contains a space character. LDAP authentication fails. Workaround: Remove space characters from the LDAP group name. Alternatively, use \20 in place of spaces in the remote-role's role-info member-of attribute. For example: memberOf=CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM becomes memberOf=CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM |
512320 | Diameter messages can be retransmitted if the serverside connection experiences a handshake failure and the virtual has an iRule with a LB_FAILED/LB::reselect combination. This occurs because both the clientside diameter filter and mlb proxy attempt to retransmit the same message. This occurs under the following conditions: 1. Retransmission is turned on. 2. Handshake fails. 3. LB_FAILED/LB::reselect iRule is used. Diameter messages might be retransmitted. Workaround: Turn off retransmission. |
512885 | The https monitor fails to work with a server whose certificate uses MD5 with RSA as its signature hash algorithm. This occurs with an https monitor and a server using MD5 with RSA. The https monitor fails. Workaround: Configure the back-end server with a certificate that uses a different (and stronger) signature hash algorithm. |
513968 | When subscribers are in a different route-domain from the route-domain used for the prefix in the LSN pool, hairpin connections cannot be established. The route-domain used on the Virtual Server is different from the route-domain used on the prefix in the LSN pool. Subscribers cannot make connections to each other using public (translated) addresses. Workaround: The routes can be configured so the hairpinning takes place on an external router. |
514473 | VXLAN tunnels rely on TMM to maintain ARL entries representing MAC address to endpoint mappings. The BIG-IP system may undergo a brief period of inconsistency in VXLAN ARL entries across the TMM instances. Network misconfiguration can lead to a period in which the BIG-IP system receives alternating encapsulated frames with the same source MAC address from two different endpoints, producing conflicting, alternating ARL updates across the TMM instances. One example of such misconfiguration is the same MAC address configured at two different endpoints/VTEPs; an L2 forwarding loop in the VXLAN topology has the same effect. VXLAN currently has no standard mechanism for detecting and avoiding loops, so loops must be avoided by network configuration. Network HA failover, however, does not typically cause conflicting, alternating ARL updates. During the period of inconsistency, the TMM instances may forward packets destined to the same remote MAC address to different endpoints. This lasts until the network misconfiguration is corrected and the conflicting ARL entries expire. Workaround: In addition to correcting the network misconfiguration, the condition can be mitigated by using a shorter ARL timeout, by modifying the bigdb variable vlan.fdb.timeout. |
514815 | Configuration loads but cannot re-key. This is sometimes seen as a configuration that is successfully synced but a device that cannot join a trust group. This occurs when the following conditions are met: -- The configuration includes unused, encrypted items. -- The host is not configured with the correct master key for those items. -- The configuration is loaded under the wrong key. -- An attempt is made to change the master key for any reason. Unable to set the device master key. In some cases this has no impact, but it prevents installing a UCS file containing an encrypted passphrase (as described in SOL9420, available here: https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9420.html), and is somewhat difficult to detect because no other operations fail. Workaround: Remove all encrypted items from the configuration. Re-sync the key, either manually with f5mku or with device trust. Re-install the desired configuration. |
514975 | When a reset is triggered after the connflow idle timeout expiry, the packet contains the sequence number 0 to the client side. Due to this, client rejects it as an invalid packet. Fast L4 profile with loose init and loose close enabled for nPath mode. The client connection is left idle. Workaround: None. |
515635 | Tcl monitor produces FTP error with Courier IMAP server. Courier IMAP Server when there is no message in the mailbox. IMAP monitor fails, potentially resulting in downed pool members. The systems posts an error similar to the following: ERROR: failed to complete the transfer, error code: 8 error message: FTP: weird server reply. Workaround: Add a message to the monitored mailbox. |
515668 | UDP packets from clients, with LSN configured in DNAT mode, may sometimes leave the BIG-IP system untranslated. This occurs when clients sending outbound traffic match a virtual server with an lsn-pool configured in DNAT mode. This rare occurrence might lead to failures in applications sensitive to malformed UDP packets. Workaround: None. |
516280 | With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error. ~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error. bigd process uses a large percentage of CPU. Workaround: None. |
516432 | DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1. When DB variable tmm.ssl.dtlsmaxcrs is not 1. DTLS sends corrupted record. Workaround: Set tmm.ssl.dtlsmaxcrs to 1. |
517456 | When there are active connections on a virtual server, resetting its statistics with 'tmsh reset-stats ltm virtual virtual_name' doubles the client SSL profile cur_conns/cur_native_conns/cur_compat_conns counters. Conditions: an SSL virtual server with active connections, and a virtual server statistics reset while those connections are active. Invalid statistics values on the client SSL profile stats. Workaround: None. |
517829 | When the BIG-IP system is configured for OCSP authentication, if the OCSP server reports that a certificate has been revoked, client connections are reset without sending SSL error alerts. BIG-IP system configured for OCSP authentication. Client connections are reset without sending SSL error alerts. Workaround: Use the following iRule for the OCSP authentication profile instead of the system-supplied iRule: |
518086 | SafeNet hardware security module (HSM) traffic fails after a system reboot or switchover. Restart of services on the primary or secondary blade. Traffic fails because there is no pkcs11 connection on the new primary blade. Workaround: Restart pkcs11d on the secondary blade. |
518258 | Using the SSL persistence profile, the CLIENTSSL_CLIENTCERT event might not be triggered during renegotiation. The SSL persistence profile is in use, and an iRule depends upon the CLIENTSSL_CLIENTCERT event. The CLIENTSSL_CLIENTCERT iRule event may not be triggered. iRule command SSL::cert does not access certs retrieved from on-demand cert auth. This is functioning as designed. Workaround: None. |
518608 | Running the startup script command 'tmsh install sys crypto...' to update the CRL file errors out with 'file... expected to exist' exception. Follow the steps in the AskF5 SOL11948: Configuring the BIG-IP system to run commands or scripts upon system startup, (available here: https://support.f5.com/kb/en-us/solutions/public/11000/900/sol11948.html) to run startup_script_sol11948.sh at startup. Adapt this script to run the command: tmsh modify /sys file ssl-crl LatestCRL.crl source-path http://custom_url/NewLatestCRL.crl. The CRL file is retrieved, but due to the error it is not installed. This is because mcpd lacks read permission to the specified temp file. The system posts an error in /var/log/ltm similar to the following: err mcpd[6253]: 01070712:3: Caught configuration exception (0), file(/var/tmp/tmsh/7QjLFt/data) expected to exist. - sys/validation/FileObject.cpp, line 3151. Workaround: Update the CRL file from the local file using the following command: tmsh -m install sys crypto crl LatestCRL.crl from-local-file /root/LatestCRL.crl. |
519064 | If a node is configured with a connection limit, the display may show a maximum connection count equal to the number of pool members using that node. Nodes configured with connection limits. Maximum connections statistic on node shows higher than the specified connection limit. This is a display issue only. The actual connection limit is enforced. Workaround: None. |
519087 | Dashboard modal popup is rendered with the following error: Unrecoverable communications error, please close this window and log in using the BIG-IP Configuration Utility. The problem occurs when a NAT port-forward to admin GUI using a different TCP port, is created and used to access the Dashboard. The dashboard is not usable. Workaround: There is no workaround at this time. |
519335 | When deploying an iApp that creates APM objects, customers can experience this error message: 01071529:3: The tunnel name (/Common/tunnel-name-that-is-longer-than-sixty-four-characters-in-its-name) cannot be longer than 64 characters. When the iApp-generated tunnel name exceeds 64 characters. iApp configuration fails. Workaround: The workaround is to shorten the iApp application name. |
520408 | TMM asserts on "Subkey is a subkey" in the SessionDB when releasing a record. Exact conditions are unknown; SAML traffic may be required, but this is not confirmed. Unit down. Workaround: None. |
520928 | Virtual server page becomes unresponsive with 'Display Host Names When Possible' enabled and DNS unreachable. This occurs when the following conditions are met: -- 'Display Host Names When Possible is enabled. -- The configured DNS servers are responding with ServFail or not responding at all (unreachable). The GUI might become unresponsive. Workaround: Use TMSH to display virtual servers when 'Display Host Names When Possible' is enabled. Or disable 'Display Host Names When Possible'. |
521077 | GUI does not show the external hardware security module (HSM)-based key type correctly. This occurs when the external HSM is used to create the key. GUI shows HSM-based keys as Normal Security Type instead of HSM. Workaround: Although there is no workaround, the HSM-based key works correctly; only the Security Type description is incorrect. |
521329 | Under some circumstances TMM may core when using deterministic NAT due to a divide-by-zero error. This crash depends on both the configuration and the traffic. When the number of subscriber addresses that disaggregate to a TMM is not evenly divisible by the number of translation addresses that disaggregate to the same TMM, connections from one or more subscribers may be assigned to blocks from two translation addresses. Depending on the exact address ratio, there may be only one port using the second address. Due to an off-by-one error, the number of ports available for the second address may be set to zero when it should be one, which causes the divide-by-zero fault. This error occurs only if a previous connection created an address persistence entry using the second address. CGNAT using deterministic NAT mode with persistence enabled. TMM crashes. Workaround: None. |
521792 | Health monitor information and status are both missing for FQDN nodes and pool members. FQDN nodes or pool members. GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members. Workaround: Check logs for this info. |
522304 | Some password policy settings (maximum and minimum durations, expiration warning) are reflected in /etc/shadow when a user's password is changed. In a CMI device group, changes to password policy are correctly synced, but the settings reflected in /etc/shadow are not. CMI device group configured; maximum or minimum duration, or expiration warning, settings of password policy are used; user password is changed. Password policy may not be enforced consistently across all devices. Workaround: None. |
522632 | In v11.6.0, if AVR is not provisioned but a module that uses AVR (for example, APM) is provisioned, the Qkview utility generates error-level log messages: err tmsh[18617]: 01420006:3: virtual is not a valid entity. AVR not provisioned, but modules that use AVR (e.g., APM, AFM) are provisioned. This is a cosmetic issue with no impact on traffic. Workaround: None needed; the issue is cosmetic. |
522837 | During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed. This issue generally occurs when another component has a problem which then initiates an mcpd restart. An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart. Workaround: None. |
523126 | When the route domain of the originating address of a NAT configuration is changed without the address itself being changed, the change does not take effect. Viewing the configuration through tmsh and the GUI indicates that the change has worked, when it is not yet in use. This occurs when editing an existing NAT configuration and changing the route domain without changing the address. The intended NAT change is not in effect. Workaround: In order to make the change take effect, delete and recreate the NAT or restart tmm. |
523128 | When SYN cookie protection is enabled, with the same threshold and the same traffic, SYN cookie mode triggers more readily when PVA acceleration is enabled than when it is disabled. Virtual server with PVA hardware acceleration and hardware SYN cookie support. SYN cookie protection triggers more readily when PVA acceleration is enabled, especially when the syncache level is lowered from the default value. Workaround: Change the PVA offload state from 'embryonic' to 'establish': tmsh modify ltm profile fastl4 fastL4 pva-offload-state establish |
523451 | When running version 12.0.0 on vCMP host versions previous to 11.5.0, the system produces a series of benign errors in /var/run/vcmpd/guestname/qemu.pid similar to the following messages: block I/O error in device 'virtio0': Input/output error (5). Running BIG-IP software version 12.0.0 configured for vCMP on hosts with versions earlier than 11.5.0. Cosmetic: a small number of benign virtio0: Input/output errors appear in the guest's logs on the host. These errors are cosmetic and are a known and benign issue related to the version of qemu and how it handles newer linux kernels. Workaround: None needed. These are cosmetic errors that have no impact on system functionality. |
523797 | The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error. Upgrade from 10.x. The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error. Workaround: Edit the process name path to reflect the location. |
523985 | Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync. A certificate file is created in a folder synced to a device group. Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available. Workaround: None. |
524123 | When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed. Invoking the ISTATS::remove command from an iRule. The value of the iStat remains defined. Workaround: Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly. |
524722 | Occasionally a secondary blade reboots when making changes to the configuration in a partition other than Common. The system logs an error in the /var/log/ltm file that references the type of object being modified, even though the error message indicates that it cannot. The error appears similar to the following: err mcpd[4187]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.10.10.10%2164) for a virtual server in partition (Common) references a route domain (2164) in a different partition (PARE-RVBD). Objects may only reference objects in the same or the 'Common' partition. A chassis-based system with multiple blades, and a configuration with multiple partitions. Secondary blades restart, which may cause a failover event to occur depending on the value of min_up_cluster_member. Workaround: None. |
525400 | Connections are dropped prematurely on the standby unit, but remain up on the active unit. This issue occurs when the following conditions are met: -- HA active-standby chassis configuration. -- Connection mirroring is enabled on a virtual server configured for tunneling (e.g., pptp, ipip, gre). -- Hardware syn-cookies are enabled. Failover to the standby unit might cause mirrored client connections to be dropped. Workaround: In the TCP profile, change the 'hardware syn-cookie' setting to 'disabled'. |
525580 | The base option indicates that only the base objects in the configuration should be considered for the operation and that non-base objects should be ignored. However, the following command does not honor it: tmsh load sys config merge file filename.scf base. Running the command tmsh load sys config merge file filename.scf base. When specified together with the merge option, the base option is ignored: the command merges the non-base configuration objects instead of loading only the base objects as requested. Workaround: None. |
526500 | Manually adding a username and encrypted password into ZebOS, either by using imish command line, or by modifying zebos.conf directly, might cause imi to core. Manually modifying the zebos.conf configuration file or adding a non-existing user using imish. The user interface to ZebOS, imi, might core. Other functionality should not be affected. Workaround: Do not add the configuration manually in ZebOS. Use the BIG-IP system facilities for adding/modifying ZebOS users. |
527206 | An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap. Example error sequence: -- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff. -- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357. -- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7. -- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5. ... notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN. ... notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP. This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, and 2250 blades. The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval. Workaround: None. |
527393 | For a VIP with UDP protocol and fastL4 profile, SERVER_CONNECTED is fired in 10.x, but not in 11.x. Must be fastL4 profile. Unable to run iRule commands in a server-side context when data going from client to server. The SERVER_DATA event does not fire until data is returned from server (or not at all if server does not return data). The LB_SELECTED is client-side. Workaround: Change VIP from fastL4 to standard. |
527720 | An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally: warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff. This message might be followed by a log message similar to one of the following: err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0. err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50. That message might in turn be followed by a log message similar to the following: warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7. This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades. This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally expected timeout value. When this problem occurs, the status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point the status of the management interface is again reported normally and expected functionality is restored. Workaround: None. |
528228 | When a node is configured using an FQDN and a port-specific monitor is assigned at the node level, the BIG-IP system sends the probe to the incorrect destination port. Assigning a port-specific monitor at the node level to an FQDN node. The customer cannot monitor a specific port on an FQDN node. Workaround: Apply the monitor at the pool level rather than the node level for correct operation. |
528295 | Loading a 10.x UCS that contains LTM virtual servers with ARP disabled on an 11.4.x or later system causes the ARP and ICMP echo settings of those virtual servers to be flipped each time the UCS is loaded. Reloading a 10.x UCS containing virtual servers on an 11.4.x or later system. The ARP and ICMP echo setting values are flipped each time the load occurs. Note that the ICMP echo field is flipped even if ARP is enabled. Workaround: Delete the LTM virtual servers on the 11.x system prior to reloading the 10.x UCS. |
528314 | Using the CLI to generate new default certificate and key pairs for BIG-IP SSL profiles is not reflected in the GUI or in tmsh. Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html. After the renewal, the tmsh list sys file ssl-cert default.crt command, or the general properties in the GUI SSL Cert List, still shows the old certificate. This is a cosmetic issue only; the system uses the new default. Workaround: Perform a forced reload of mcpd by running the following commands: -- touch /service/mcpd/forceload. -- tmsh restart sys service mcpd. |
528894 | Config sync after sub-partition configuration changes results in extra lines in the partition's conf file. Make changes under any partition except /Common and then config sync without overwrite. /config/partitions/partition_name/bigip_base.conf in the partitions folder then contains the trunk and ha-group configuration, and /config/bigip_base.conf no longer has it. Workaround: 'Sync Device to Group' with 'Overwrite Configuration' enabled. |
528955 | TMM generates a core file when a server-side connection is detached after an HTTP response has been processed. Server-side connection detached after processing an HTTP response. Outage / tmm restart. Workaround: None. |
529162 | If a customer disables the HSB's watchdog, they may experience an HSB transmitter failure. The watchdog is disabled using the following TCL command (added to tmm_init.tcl): HSB::enable_rx_watchdog no. Disabling the HSB's watchdog. An HSB transmitter failure may occur, resulting in a reboot of the device. Workaround: Do not disable the HSB's watchdog. |
529395 | A local-only network IP forwarding virtual server does not forward traffic on standby systems. BIG-IP systems in an high-availability (HA) device cluster. An IP forwarding virtual server in traffic-group-local-only. Traffic is forwarded only on active BIG-IP systems. Workaround: None. |
529400 | If an SSL profile is configured with only an RSA key/cert pair and only ecdhe-ecdsa ciphers are selected, the configuration does not report an error, but subsequent SSL handshakes fail and log 'no ciphers selected' errors. ecdhe-ecdsa ciphers are selected in the 'ciphers' list, but no ecdhe-ecdsa (ECDSA) key and certificate are configured in the SSL profile. All SSL handshakes fail with 'no cipher suite selected'. Workaround: When configuring an SSL profile, if an ecdhe-ecdsa cipher is selected in the 'ciphers' field, make sure an ecdhe-ecdsa key/cert pair is also configured. |
530016 | The 'Clients Using Max Port Blocks' statistic may be incorrect or negative. Changing the PBA client-block-limit on an LSN pool while there are active blocks and connections might result in incorrect 'Clients Using Max Port Blocks' counts in the stats. Where this count is used to monitor the number of clients that have reached the block limit, operations and monitoring of LSN pool status are affected. Workaround: Restarting the BIG-IP system resets the counter. |
530081 | mcpd/TMM might crash if too many SSL certificates are loaded at once, for example 4000 or more. Loading a large number of SSL certificates at a time. mcpd/TMM might crash. Workaround: Split the configuration file into several smaller ones. |
530266 | A rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10. The system has more than one TMM and the rate limit is configured on the node. The node rate limit feature does not work as intended. Workaround: Move the rate limit from the node to the pool member, where it works. |
530645 | Administrator can enter a cipher string in SSL profile longer than 768 characters, and the system will appear to save and apply that cipher string. However, the system will only utilize the first 768 characters as the cipher string for the profile. Cipher suites that were truncated will not be accepted. Workaround: Do not use cipher strings longer than 768 characters. |
530877 | In some circumstances a specific combination of configuration options may cause an iRule to run the CLIENT_ACCEPTED event twice. All of the following conditions are needed: a standard virtual server; a TCP profile on the virtual server with verified accept enabled; address translation enabled on the virtual server; node selection in the iRule via the node command; and the client sending initial data on the ACK of the three-way handshake. Depending on the scenario this can lead to the connection being reset. Workaround: Several options exist: disable verified accept, or modify the iRule to run the commands in the event only once by setting a variable and checking it on subsequent runs. |
530927 | If a trunk is created from interfaces that run at lower than their maximum speed (e.g., 100 Mbps full-duplex on 1GbE links), adding a new interface fails with an error similar to the following: 01070619:3: Interface 1.4 media type is incompatible with other trunk members. Interfaces run at a lower speed than their capacity; a trunk is created where the highest speed of any member is this reduced speed; another interface, also at the lowered speed, is added to the trunk. The interface cannot be added to the trunk. Workaround: Remove all interfaces and re-add them all at the same time. |
532559 | If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl, but the configuration could potentially contain 'defaults-from none'. This condition can be caused by running the following command when generating the configuration: tmsh modify ltm profile client-ssl clientssl defaults-from none. The upgrade fails after booting into the new release, during the configuration loading phase, because the upgrade script extracts the line 'defaults-from none' and treats 'none' as the parent profile. Workaround: Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile. |
533174 | Certain OIDs in the IP-MIB, IF-MIB and Etherlike-MIB were either not supported by the Big-IP, or the returned MIB query data related to the interface index (IfIndex) was incorrect or inconsistent with the IfIndex returned by the IF-MIB::ifTable. No special conditions. Customer could not relate interface data from one MIB table to another. Workaround: None. |
533866 | After upgrading to 11.2.1 HF15, SNMPd might not reply when a GetRequest is sent to localhost, management IP, or to the self-IP address of the BIG-IP system. Upon upgrading from 11.2.1 base install (with only the default comm-public community configured) to 11.2.1 HF15, the system boots up with no communities configured, even though no command was issued to remove the default comm-public community. SNMPD does not send replies to client. Workaround: Configure a 'public' SNMP community after upgrading to 11.2.1 HF15. |
534443 | When configuring redundancy in 10.2.x with the GUI, you do not configure the config sync peer's user name and password in the GUI; you must use tmsh commands, for example: tmsh modify sys config-sync custom-peer-addr 10.255.252.196 user-password admin, followed by tmsh save sys config. Setting up redundancy with the GUI in 10.2.x. This can affect synchronization and upgrade: if the user name and password are not set, configuration synchronization fails with authentication errors, and upgrading is also affected because the upgrade path needs the credentials. Workaround: Use tmsh to establish the config-sync peer's user name and password. |
534500 | When using iRules to configure persistence, if a client uses keepalive so that multiple requests arrive on the same connection, it is possible to write a conditional 'persist' command (e.g., to persist only based on certain requests). Using conditional 'persist' requests in an iRule. Requests that are not processed by that conditional 'persist' revert to the persistence configuration of the virtual server. Persistence should apply to the client, indicating that the client should continue using the same server; if a client disconnects and reconnects, persistence should send it to the same server as the persistence rule from the iRule indicates. In this case, clients might be directed to different servers. This is expected behavior: persistence is connection oriented and, once toggled on, applies to all messages on the connection. Workaround: Ensure that all paths specifically declare persistence settings. To configure no persistence for a given message, the iRule should call 'persist none'. |
535041 | On a virtual server with a UDP profile that runs an iRule containing a parking command such as table set, the BIG-IP system drops all UDP packets received while waiting for the iRule execution to complete. Using an iRule with a parking command on a virtual server with a UDP profile. The BIG-IP system drops all UDP packets until iRule execution is completed. Workaround: Enable datagram-load-balancing in the UDP profile associated with the virtual server. It aggregates flows and processes them in parallel based on the timeout setting. |
535717 | When logged in as root, or as a user with the Administrator or User Manager role, an attempt to change a user's password succeeds even if the new password is in the password history. (An ordinary user changing their own password is prevented from making this change.) The password-memory field of auth password-policy is set to a nonzero value. Privileged users can circumvent the password history restriction. Workaround: None. |
536935 | On BIG-IP 2000/4000 systems the driver that manages the MAC and PHY for the 2.x front panel ports occasionally emits a pair of spurious log messages that appear to indicate that the (unpopulated) port had a link up message followed immediately by a link down message. This appears to occur only intermittently, only on the 2.x ports of BIG-IP 2x00/4x00 systems, and only when the ports are enabled but not cabled to a live link partner. The impact is largely cosmetic, but it can cause confusion or concern if at first glance one assumes the message is from a port that is actually in use. Workaround: In most cases a port left unpopulated can safely be disabled (for port 2.1, for example): tmsh modify net interface 2.1 disabled. This should prevent the system from polling the MAC's link state and logging changes. |
536939 | In certain situations a chassis-based system with more than one working blade may encounter a service restart on a secondary blade. Chassis system with two or more working blades; configuration deleted via tmsh using a wildcard, for instance: tmsh delete ltm virtual test*. Services restart on the secondary blade. Workaround: Do not use * wildcards with tmsh when deleting configuration elements on a chassis system. |
537073 | When a table command performs an asynchronous operation in an iRule on a flow that is then aborted, the CLIENT_CLOSED or SERVER_CLOSED iRule is left expecting the result of the *prior* table command instead. When that result arrives, it is treated as the result for the CLIENT_CLOSED/SERVER_CLOSED iRule. The effect is that the requested table command is not actually executed *and* the wrong result is supplied. A table command does an asynchronous operation in an iRule on a flow which is aborted. Incorrect iRule operation. Workaround: None. |
537698 | MCPD might abort and drop a core when encountering a memory error while processing a large configuration. This might occur when the config is large enough to exhaust MCPd's memory. This might occur after a memory error. MCPd cores and restarts, putting the system in a temporarily non-functional state. Workaround: None. |
538292 | When using asynchronous task in iControl REST, specifying any version other than 12.0.0 will cause the API to become unstable in some cases. Specify any version below 12.0.0 for asynchronous task requests. In some cases, user may experience iControl REST to hang or become unresponsive. Workaround: When making requests through iControl REST using asynchronous task, specify only version 12.0.0 in the request URI. |
539385 | If Access Policy event logs include long string arguments, the log buffer grows while processing each log parameter, and the log information can overflow into other files such as user.log and message.log. Large values for log parameters (mainly of string type); this happens only when the parameters are very long, for example if a large string is assigned to a session variable. Log information gets truncated and some of it spills over into user.log and message.log. Workaround: None. |
539699 | The BIG-IP system reports an incorrect system time; chassis systems might report different system times across blades; the 'ntpq -pn' command reports the NTP connection status as 'INIT'; NTP requests are generated with an incorrect source address. The configuration contains both a default route and a default management-route. System time mismatch between blades. Workaround: Configure a user alert (in /config/user_alert.conf) that watches for the log message 'notice sod[5460]: 01140044:5: HA reports tmm ready' and then restarts ntpd: alert TMM_ready_NTPD_restart "HA reports tmm ready" { exec command="/usr/bin/bigstart restart ntpd" } |
539831 | Although the BIG-IP system's management port is up and working as expected, the tmsh utility may report no media for the management port. For example, tmsh show net interface mgmt may print a row like: mgmt up 13.5G 131.0M 11.2M 111.9K 0 0 none (the columns being Name, Status, Bits In, Bits Out, Pkts In, Pkts Out, Drops, Errs, Media). If the system is a VIPRION chassis, only some of the installed blades may be affected. This issue may occur if the mcpd daemon has restarted (due to a fatal error or a user command) while BIG-IP is running. The BIG-IP system cannot display the management port's current media; tmsh shows none as the mgmt media in the output of show net interface. Workaround: Restart the chmand process. On appliances, run: bigstart restart chmand. On VIPRION systems, run: clsh "bigstart restart chmand". |
540571 | TMM may core when an iRule changes the destination address of a connection to a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route, it returns an internal route with no interface, designed for use with multicast traffic. LSN expects to find an interface and crashes when it attempts to use the non-existent interface. CGNAT enabled and LSN pools configured on an active virtual server that accepts traffic; on the same virtual server, an iRule changes the destination IP to a multicast address in the 224.0.0.0/24 network. TMM crashes, interrupting traffic flow. Workaround: There are two workarounds: remove the offending iRule that sends traffic to the 224.0.0.0/24 network, or prevent traffic from using that destination in the iRule. |
541126 | netHSM connection may fail with text like "cannot locate key". This affects only Thales users; SafeNet users are not affected. This may happen after restarting pkcs11d without restarting tmm right afterwards. SSL handshake failure with a message like: SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001. Workaround: For Thales, always restart tmm after restarting pkcs11d: bigstart restart pkcs11d, then bigstart restart tmm. |
541550 | Authentication fails, indicating the affected user is associated with an "unknown" role: notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false. More than 10 remote-role groups are defined and a user having more than 10 roles authenticates. The user cannot authenticate. Workaround: None. |
541916 | The tmm fails with a segmentation fault in hud_process_upper. This is a rarely occurring issue whose causes are not well understood. The tmm fails and restarts. Workaround: None. |
542104 | In rare circumstances, the TCP timestamps sent by the BIG-IP system can be inconsistent between blades. TCP monitors may fail because the server does not respond to the initial TCP SYN, and TCP traffic that uses a SNAT may fail for the same reason. A server with tcp_tw_recycle enabled and a multi-blade BIG-IP chassis. Monitor failures or traffic disruption. Workaround: After confirming that the time is properly synchronized across the chassis, reboot the chassis. |
542654 | bigd generates a core file and restarts. /var/log/ltm shows a message like: notice sod[6504]: 01140029:5: HA daemon_heartbeat bigd fails action is restart. tcp-half-open monitors are in use. bigd restarts and there is an interruption in monitoring. Workaround: There is no workaround, but this has been seen extremely rarely. |
544033 | In a very specific scenario a response to an IPv4 ICMP Echo to a virtual address may not reach the originator. The client network MTU is lower than the BIG-IP system's ingress VLAN MTU, and the client ICMP Echo is larger than the client's MTU and fragmented. The response is not received at the client. Workaround: In certain environments it may be acceptable to disable Path MTU discovery; if so, the issue can be worked around by disabling the following DB key: tmsh modify sys db tm.pathmtudiscovery value disable. Note that this workaround is not possible in v10, which has no workaround. |
544128 | FastL4 TCP connections may be lost during a VIPRION chassis failover that was initiated due to a blade failure. If a blade in the active chassis of an HA pair fails and a failover is initiated by an HA Group policy, some TCP connections established on the active device before the failover may not fail over successfully to the new active device. A highly available (redundant) FastL4 configuration with mirroring enabled and an HA Group configuration with a cluster clause that initiates a failover when the number of functional blades in the active chassis drops below the number in the standby chassis. TCP connections may not fail over successfully. This is particularly a problem for long-lived TCP connections (such as those used by BGP) with a significant cost associated with re-establishing the connection and the relevant application state. Workaround: None. |
544958 | The same pool member is configured in two pools, each attached to a different virtual server, and the member is forced offline. With a monitor on only one of the pools, no monitor packets are sent to the forced-offline member, as expected; with the monitor on both pools, packets are sent to it. Two pools, each with a single pool member, and both members are the same; the pool member is forced offline from the GUI. If a monitor is configured and added to one of the pools, it behaves as expected: no packets are sent to monitor the pool. However, when the monitor is also added to the second pool, packets are sent to monitor the pool member that has been forced offline. Impact unknown. Workaround: It is uncertain whether any mitigation is needed. |
545796 | ltm rule is not generating any stats for executed iRules. 1. Moving/editing an iRule attached to a virtual server; 2. passing traffic to the virtual server; 3. adding the iRule back to the virtual server. No iRule usage stats are available. Workaround: Restart tmm. |
545856 | The Java VM crashed while attempting to monitor the proper functioning of a DB. Conditions are unknown; there is one known occurrence. The failure affects a single attempt at monitoring the DB. Workaround: Based on the information available, this failure is not persistent. A single attempt at monitoring the DB failed and proper functioning resumed without intervention. |
545946 | A transparent/translucent VLAN group may have its MAC address set to 02:00:00:00:00 on either the first configuration load after an upgrade or on a manual mcpd DB clear/reload. Occurs with a transparent/translucent VLAN group after upgrading to a later version or manually deleting the mcpd DB binary. The VLAN group MAC address is incorrect and can adversely affect traffic traversing the VLAN group. Workaround: Reload the configuration or alter the VLAN group configuration, e.g., toggle back and forth between transparency modes. |
546260 | TMM can crash if V6RD tunnels are set up and traffic is sent through them. No special conditions. TMM crashes when using V6RD tunnels, which can cause a traffic outage. Workaround: N/A |
547942 | An SNMP query response for ipAdEntAddr sometimes returns floating IPs rather than local IPs. This is because the supporting software returns the first IP address found for a given VLAN. The problem started after upgrading to v11.5.1 Eng-HF7 from v10.2.4. No impact to BIG-IP services, but the information returned to the SNMP query is sometimes incorrect. Workaround: None. |
548003 | GUI Network Map page runs out of memory and the GUI hangs indefinitely. When a BIG-IP system is configured with a large number of Virtual Servers (3000+) and accompanying components (iRules, Pools, Pool Members, and Node Addresses), multiple users retrieving the Network Map might result in an Out of Memory Exception. GUI server becomes unresponsive and unable to process new requests. The GUI becomes unusable and requires a restart. Workaround: Use items in the filter bar (along the top of the screen) to reduce the result size to avoid an Out of Memory Exception. Also, increase the memory of the container server. |
548105 | When a PBA LSN pool is under-provisioned, the LSN::inbound-entry iRule command will not work. PCP will also not work with an under-provisioned PBA LSN pool. Occurs when PCP or the iRules LSN::inbound-entry command is enabled on a PBA LSN pool that does not have many translation addresses. PCP or the LSN::inbound-entry iRule command may not work, resulting in failing connections. Workaround: None. |
548175 | In certain circumstances, CMP-demoted Fast L4 virtual servers may intermittently and incorrectly use the TCP handshake timeout instead of the configured idle timeout. Connections may be reset earlier or closed at an unexpected time. Workaround: Ensure that the virtual server is not CMP demoted. To do so, do one of the following: -- CMP-enable the virtual server. -- Correct any iRules that cause the virtual server to be CMP demoted. |
549329 | A TMM core event leads to a failover. Conditions: N/A. tmm cored and caused a failover. Workaround: None. |
549927 | iRule validation does not check that the virtual command is disallowed in a proc called from RULE_INIT. Under the RULE_INIT event, calling a proc that contains the virtual command passes validation when it should not. Workaround: Do not call the virtual command inside a proc. |
550988 | The connection statistics for client SSL profiles are Native, Compatibility, and Total. Total is *not* the sum of Native and Compatibility. Rather, it is the total number of handshakes completed. If the handshake does not complete, or the connection is not SSL, the 'total' line will still increment. Workaround: None. |
551189 | Upon repeatedly modifying the same HTTP cookie value (in the Set-Cookie header) within an iRule attached to a virtual server, the HTTP::cookie API may produce stale HTTP header data (e.g., the HTTP Set-Cookie header and/or other HTTP headers). Occurs on an LTM virtual server handling HTTP traffic, with an iRule attached that modifies a given HTTP cookie value through the HTTP::cookie API on ingress and/or egress traffic (through the HTTP_REQUEST and/or HTTP_RESPONSE events). An example use case that produces the error is encrypting and decrypting HTTP cookies via an iRule. Repeatedly altering the same HTTP cookie value in an iRule via the HTTP::cookie API may yield an HTTP request/response with inconsistent HTTP header data, including but not limited to the Set-Cookie HTTP header. Workaround: None. |
551208 | Some of the log messages watched by alertd changed from 10.x to 11.x, but the /etc/alertd/alert_nokia.conf file has not been updated accordingly. Because of the outdated regex, matching the key fields against the specific fields in the log message fails, and therefore the corresponding alarm is not deleted from the nokia_alarm table. May cause SNMP alerts not to be broadcast in a Nokia-specific environment. Workaround: None. |
551572 | The LCD display may stop updating and the Status LED may begin blinking amber on BIG-IP 10000-series appliances. The Status LED blinks amber if the LED/LCD module does not receive updates from the BIG-IP host for 3 minutes or longer. This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus become stalled. When this condition occurs, the front-panel LCD display does not show the current BIG-IP host status, and the Status LED blinks amber. There is no impact to BIG-IP host operations, and no disruption to traffic. Workaround: This condition can be cleared by pressing one of the buttons on the LCD display to navigate the LCD menus. The button-press event generates USB traffic, which triggers recovery from the stalled USB transfer condition. |
552278 | The Fast L4 proxy operates in TTL decrement mode. That means that for Fast L4 software-transformed flows (that is, no PVA acceleration) the system decrements the TTL by 1 during the transform. In comparison, for ePVA-assisted flows the system operates in preserve mode (no TTL change). This applies to all ePVA-assisted flows. The result is inconsistent IP TTL handling between ePVA and tmm for Fast L4 flows: the TTL is not decremented for ePVA-assisted flows, but is decremented for flows without hardware acceleration. Workaround: Disable hardware acceleration to see TTL decrements. |
553027 | Truncated responses after HTTP::collect. Occurs with a pipelined HTTP request handled by HTTP::collect and a fast response that is drained slowly by the client. If the server responds quickly to the second pipelined request, the response to that second request may be truncated when it is sent to the client. Rare truncated responses caused by HTTP::collect on pipelined requests. Workaround: None. |
553613 | FQDN nodes do not support session user-disable. Configure a monitor with a recv-disable string and set the node to session user-disabled. The monitor will not mark the node down for draining persistent connections. Unable to use session drain. Workaround: None. |
553625 | When a BIG-IP proxied connection is being terminated and the client is not accepting packets (zero window), the connection may be reset after a timeout. Scenario: 1. A TCP standard virtual server receives all TCP payloads and FIN/ACK from the server. 2. The TCP standard virtual server forwards TCP payloads (the same size as the client receive window). 3. The client sends a zero-window packet. 4. The TCP profile uses 'fin wait 5', so after the timeout an RST is sent to both client and server. Drained packets from the server may be lost if the client is not accepting them. Workaround: None. |
554625 | Configurations with a high number of data groups take an unexpectedly long time to save. When the configuration contains 1000+ data groups, the save time is near 60 seconds. This issue occurs when the configuration contains a significant number of data groups and the system is running v11.0.0+. Increased save time. Workaround: None. |
554977 | SSL handshake failures may cause a crash in ssl_verify(). Occurs with certain types of failed SSL handshakes in versions 11.5 and older. TMM crash, leading to a possible network outage. Workaround: None. |
555465 | With enough SessionDB entries and a small enough HA connection, the HA channel can become oversaturated. Occurs with a very large number of SessionDB entries and a small or bad HA channel. Mirroring and other HA-related TMM usages will be disrupted. Workaround: None. |
556117 | The client-ssl profile is case-sensitive when configuring server-name in the client-ssl profile and checking the server_name extension in the ClientHello message. Occurs when using mixed upper/lower case server-name values in the client-ssl profile configuration and in ClientHello messages. The system treats mixed-case server-names as different names, which violates RFC 6066, which states: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive." Workaround: 1. Configure only one client-ssl profile with the same server-name. 2. Use only a lower-case server-name when configuring the client-ssl profile. 3. Use a lower-case server-name on the client side. |
556262 | tmm may time out and be killed by sod in case of Nitrox lockup. The system issues a SIGABRT from sod, at which point the tmm leaves a core file and the BIG-IP system fails over to the standby unit, if applicable. BIG-IP platforms with a Cavium Nitrox card. The device stops responding to communication from the host at a time that coincides with another process, such as the driver attempting to process completed requests. Note: This issue does not affect the BIG-IP 1000, 2400, 51x0, 2000s, 2200s, 4000s, and 4200v platforms. All other current BIG-IP platform models are equipped with Cavium Nitrox SSL or hardware compression hardware. The primary impact of this behavior is a short delay (one or two seconds) before a failover is triggered. Failover is initiated only after sod determines that tmm has failed to respond to a heartbeat. Workaround: None. |
556505 | Loading a UCS on running configuration may fail on objects with unique IP address constraints (e.g. self IPs, pool member IPs, etc). Workaround: Either load the UCS on a clean configuration (i.e. tmsh load sys config default), or run the load UCS command twice. |
557864 | bigd will restart if DNS server returns a 0 address on FQDN nodes. bigd continually restarts. Workaround: Fix DNS configuration to not return 0 address. |
558044 | This note describes behavior in FQDN nodes that may be confusing. If the FQDN node's interval is large, upon configuration (re)load the ephemerals are not recreated until the specified interval elapses. Configure an FQDN node with a large interval, such as 3600 seconds. Load the configuration, and notice that the runtime objects are removed. The nodes do not regenerate until 3600 seconds later. This may be confusing for customers, and may impact their pools. Workaround: Change the interval to a shorter value; otherwise, issuing 'bigstart restart bigd' forces bigd to refresh the ephemerals immediately. |
558053 | If a pool is unmonitored, new pool members added to the pool do not increment the active_member_cnt even if traffic will be passed to them. In other cases, for FQDN pool members, the active_member_cnt does not update in user-down scenarios or other state transitions. Reproduction: 1) Configure a pool without a monitor, and use an iRule that attempts to use the 'active_member_cnt' attribute. 2) Configure a pool with FQDN nodes, change the state to user-down, and check the active_member_cnt via an iRule or the GUI/shell. This does not impact load balancing and is not shown in any of the UIs. None of the control-plane runtime uses this attribute either. However, it is exposed as a consumable attribute in iRules, in which case it can impact customer scripts. Workaround: member_count returns the total number of members, with no status information. |
558858 | Multicast traffic failures over the system backplane. This may be a Linux bridge issue, owing to similarities to Linux community reports. It is unknown what conditions trigger this problem, other than requiring multicast traffic through the Linux bridge with IGMP snooping/querying enabled. The clustering software believes slots are not in service when they are still alive. Workaround: Older CentOS 6 kernels have multicast_querier on by default (with no disable switch), so IGMP snooping would need to be disabled on the management bridge. Newer CentOS 6 kernels have snooping enabled but the querier disabled by default. It should be safe to disable snooping on the mgmt bridge in either case. |
558893 | As a result of a known issue, TMM may fail to forward FTP data connections when successive PORT/EPRT commands refer to the same IP/port. Occurs with an FTP virtual server configured with an FTP profile that has inherit-parent-profile disabled, and a client that issues EPRT and then PORT commands referring to the same IP/port. TMM may reset the connection in some cases. Workaround: Change the FTP profile to enable the inherit-parent-profile option. |
559584 | A configuration containing a number of nested objects takes a long time to list or save. For example, the tmsh listing time for a ~2 MB config can exceed 30 seconds. The following is an example of nested objects in a config; if the config contains thousands of such virtual servers, it might take longer than 30 seconds to run either tmsh list ltm virtual or tmsh save config: ltm virtual vs { destination 10.10.10.10:http ip-protocol tcp mask 255.255.255.255 profiles { http { } http_security { } tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled vs-index 26 } (here the profiles block is the nested object). When commands take longer than 30 seconds to complete, iControl REST times out. Workaround: None. |
559837 | The GUI logs 'Table not found' in catalina.out when some exceptions are returned before table creation. The exceptions are the actual cause of the failure. Example: java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229]. This occurs when listing certificates and exceptions are returned. Misleading 'Table not found' message in catalina.out. Workaround: None. |
559916 | mcpd cored on both blades of a two-blade guest after running 'tmsh show sys conn' a few times. A core on one blade (Nov 6 18:53:58) was followed shortly after (Nov 6 18:54:11) by another, and then a failover. The guest was busy at the time, though the number of connections was approximately 500K. Failover. Workaround: None. |
560098 | Configuration validation may fail, or configuration load may fail during upgrade, for an iRule with a table command that uses 'indef' for the timeout and/or lifetime. Unable to load the rule/config; the config fails to load during upgrade. Workaround: Use 'indefinite' instead of 'indef'. |
560220 | When using iControl REST, the returned output of some objects does not include the partition and subPath properties. Also, the name property contains the full path instead of only the object name. This occurs when running BIG-IP systems with 11.6.0 HF6 installed. This breaks custom scripts that rely on those properties. Workaround: Do not use custom scripts to gather the partition and subPath properties of objects on BIG-IP systems with 11.6.0 HF6 installed. |
560291 | The management backplane network on one cluster member of a vCMP guest may partially malfunction: multicast packets can be sent out of the cluster member, but incoming multicast packets from the peer members are dropped. This results in the cluster becoming "split-brained" and having two primary members; the original primary remains so, while the isolated member also elects itself as a primary. This issue only occurs on vCMP guest clusters and has been found to happen only in extremely rare cases. Dataplane traffic remains unaffected. However, configuration changes will not be propagated to the isolated cluster member, and stats will not be synced from the isolated cluster member. Furthermore, if the cluster is the active unit in an HA pair, this may result in a failover not occurring as expected due to the technical nature of the malfunction. Workaround: To resolve the issue, reboot the cluster member whose management backplane has malfunctioned. |
560975 | When deleting SSL keys via iControl, it is possible to delete keys from the Hardware Security Module even while they are configured in an active profile. Occurs when using iControl to delete an SSL key installed in hardware. The key is removed from the HSM and must be reloaded. Workaround: Verify that keys are not in use before using iControl to delete them. |
562257 | Route domain addresses can be selected when configuring device connectivity. Doing so produces an error. Occurs when self IP addresses have a route domain. This is a cosmetic issue: the system presents an error and does not use the IP address, even though the user can select it. Workaround: None. |
562370 | SSL traffic may stall if there is a mismatch in the mirror setting on the SSL virtual server between the active and the standby unit. Occurs with an SSL virtual server with mirroring enabled on the active unit and disabled on the standby unit. Connections on the active unit may be stalled for up to "Handshake timeout" seconds. Workaround: Configure both units to have the same mirror setting on the virtual server. |
562406 | The total PVA-assisted connection counter is reported as the total number of times connections have been accelerated by hardware. With support for dynamic HW re-offloading, a connection might be offloaded to HW multiple times, and is therefore counted multiple times. Workaround: None. |
562452 | The GUI banner 'Loading... Receiving configuration data from your device' does not disappear when updating changes in System :: Preferences page. Use a BIG-IP system running 11.6.0 HF6. Make changes to System :: Preferences page. The GUI banner 'Loading... Receiving configuration data from your device' stays without showing the modified data. Workaround: None. |
562808 | As a result of a known issue, TMM may produce a core dump if a pool containing pool members is renamed. Conditions: a pool with pool members; the move operation is enabled via a sys db key; the pool is renamed. TMM may core. Workaround: Do not use the move operation; fully delete and recreate pools if renaming is needed. |
562886 | If a network HSM is in use and the connection is lost, SSL can consume all of the system memory. Occurs when a network HSM is used but the connection is lost. Impacts performance. Workaround: None. |
562928 | Certain curl connections using the "--local-port" option sometimes fail over IPsec tunnels when the connection.vlankeyed db variable is disabled, with the error "curl: (7) couldn't connect to host". Using the curl command with the "--local-port" option causes the connections to fail on the BIG-IP system. TCP connections do not complete the three-way handshake and traffic does not pass. Workaround: Disabling the "cmp" option on the virtual server secures the traffic over IPsec tunnels. |
562959 | tmm restarts due to a timed-out internal connection to mcpd. Occurs when there is an issue processing a packet going through an IPsec tunnel. tmm restarts without a core. Workaround: None. |
562997 | As a result of a known issue, TMM may leak memory if a pool containing pool members is renamed. Conditions: a pool with pool members; the move operation is enabled via a sys db key; the pool is renamed. TMM may leak memory associated with pools and pool members. Workaround: Do not use the move operation; fully delete and recreate pools if renaming is needed. |
563144 | The iControl REST log at /var/log/icrd will have entries like the following: notice icrd_child[32206]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated. This occurs after following the steps in the solution at https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15632.html and changing the default admin user. Many REST APIs will not function, and functionality that depends on REST will fail. Workaround: None. |
563222 | If an external HSM is configured in a non-default route domain, it fails to work, because neither pkcs11d nor the vendor library is route-domain aware. Occurs when configuring an external HSM in a non-default route domain. The external HSM cannot be configured in a non-default route domain. Workaround: None. |
563641 | If SNAT is enabled and traffic is routed through a peer configured with a per-client connection mode and a non-zero source_port, only one client may connect to a server at a time. A second client will not be able to connect until the previous outgoing connection times out. This configuration will not work; future versions will disallow this combination through config validation. Workaround: Do not run per-client and set the source port if you are using SNAT. Any of the following will work: SNAT + per-client; SNAT + setting source_port; per-client + setting source_port. |
564699 | Even when an entry is present in the whitelist, it can be mitigated if BADOS is configured and active. Occurs when a whitelist and/or blacklist is configured together with BADOS. Mitigation of a bad actor under attack cannot be avoided even if it should be ignored according to the whitelist or a corresponding iRule with the action DOSL7::disable. Workaround: Do not configure BADOS if a whitelist or blacklist is configured. |
564899 | When csyncd is exiting during shutdown, it may leave a core dump. Conditions unknown. No impact: csyncd was shutting down anyway; it just did so in an unclean manner. Workaround: None. |
565137 | Licensing a BIG-IP VE with a pool license from BIG-IQ can fail. In /var/log/ltm, you will see "Dossier error 16". Conditions: 1. The BIG-IP is a VE. 2. The output of "dmidecode -s system-uuid" differs from that of "cat /sys/class/dmi/id/product_uuid". Note: This has primarily been seen under KVM hypervisors, though others may be affected. Pool licensing fails where it should succeed. Workaround: An Engineering hotfix can be provided, but there is no clean way to fix the issue locally. |
565786 | Users that log in multiple times using variations on case may get load balanced to different servers. Improper load balancing. Workaround: Use consistent case when logging in. |
566071 | After installing the software and the HSM client on the chassis, the pkcs11d service may be missing on some slots. Occurs once HSM client installation on the chassis is finished. There is no HSM service on a slot if that slot does not have the pkcs11d service. Workaround: If that happens, log in to the slots where pkcs11d is missing and run the following commands: bigstart add pkcs11d; bigstart start pkcs11d |
566477 | The dashboard line charts are difficult to read because there are many annotations (red-filled circles on the bottom part of the diagram). Reading any line chart with a time period other than the last five minutes reveals this issue. The user finds it difficult to read dashboard line charts. Workaround: None. This is a cosmetic issue that does not indicate a problem. |
566507 | The advertised next-hop ends up being a floating IP of the active traffic-group on the peer LTM, while it should be the floating IP of the traffic-group active on the current LTM. Occurs with a BIG-IP HA pair in an Active-Active topology with two traffic-groups, where each device is active for one traffic-group. Traffic for the relevant advertised routes will hit the standby device. Workaround: Configure the floating address of a traffic-group as the next-hop in its route-map. |
566565 | If ADAPT is sending a very long HTTP request or response to an internal virtual server (IVS), its timeout might expire before sending is complete, giving the IVS no chance to respond. This might occur in the following case: the IVS has an ICAP profile, and the ICAP server waits for the entire ICAP request before responding, by which time the ADAPT timeout has fired. Conditions: a request-adapt or response-adapt profile has preview-size 0 and a timeout short enough to expire before the IVS has a chance to respond. The IVS transaction fails and ADAPT performs its service-down action. In this no-preview case, an 'ignore' (bypass) action is not possible, so the HTTP transaction fails. Workaround: Increase the timeout in the request-adapt or response-adapt profile to cover the longest HTTP payload expected to be sent to the IVS. |
566930 | If the internal client (subscriber) is unregistered, any SIP call to or from that particular subscriber is dropped by the BIG-IP SIP-ALG. SIP-ALG requires subscribers to be registered with their proxy servers through the BIG-IP system, so that it can snoop those messages to maintain a table of valid subscribers and their translated addresses. Occurs when a subscriber makes or receives a SIP call without registering with its proxy server through the BIG-IP system. The SIP call is not established, since the messages are dropped. Workaround: This is functioning as designed. The RFE is to disclose more details in the logs, with proper reasoning, when this condition is met. |
566995 | Under unspecified conditions bgpd can crash. It will be restarted, but the routing table can be impacted. Conditions unknown. This may impact the routing table and reachability. Workaround: None known. |
567065 | The HTTP request or response may be compressed when a rule in the compression policy is matched. Conditions: a compression policy is associated with the virtual server and the request matches a rule. When the action is compress request enable, the response may be compressed. When the action is compress response enable, the request may be compressed. When the action is compress request enable and compress response disable, neither request nor response will be compressed. HTTP request/response data may be compressed when undesired. Workaround: Explicitly define actions (enable/disable) for both request and response types. |
567330 | The ltm log file shows errors such as: err mcpd[9011]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130). Occurs after logging in via ssh to the secondary of a cluster (VIPRION blade or vCMP guest) and running "tmsh show sys memory". The error indicates that the secondary cannot display information that is only presented on a primary. Workaround: Ignore the specific error with this signature: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130) |
567723 | TACACS system-auth stops working after running config verify. Occurs when running config verify where the TACACS system-auth does not match the running config (e.g., an altered secret or server list). Unable to log in to the system with TACACS system-auth. Workaround: Reload the running configuration. |
568141 | A RST packet isn't sent when a client sends a request and no servers are available. The client will then eventually get a time out error instead of getting an immediate error. An HTTP profile is assigned to a Performance L4 virtual server, and that server's pool has no available pool members. Clients could have to wait for a network timeout error instead of getting an immediate error. Workaround: None. |
568566 | When a user with the Auditor role is created and logs in to execute the "list sys crypto" command, an error message like the following is returned: Unexpected Error: Can't chmod key management directory: "/var/tmp/key_mgmt", error: [1] Operation not permitted. Conditions: a root/admin user creates a user with the Auditor role, and that user logs in and executes "list sys crypto". A user with the Auditor role cannot execute the "list sys crypto" command. Workaround: Change the security context by using chcon: chcon -u root -r object_r /var/tmp/key_mgmt/ and then confirm with ls -lZ in /var/tmp, which should show: drwxr-xr-x. root root root:object_r:tmp_t:s0 key_mgmt |
568672 | A down IPsec traffic-selector is shown as "up" in 'show net ipsec traffic-selector' and in the GUI if a tunnel times out and goes to the down state. Confusion about the true state of the tunnel. Workaround: N/A |
568889 | In some specific cases, the standby unit's secondary blade ospf6d process might not get started when it becomes active. Occurs if the failover happens as a result of the primary blade's mcpd restarting. The new primary blade does not start ospf6d, so OSPFv3 does not work as expected on the standby unit. Workaround: Run the following command on the new active unit: bigstart restart tmrouted. |
569100 | A TCL error appears in /var/log/ltm: TCL error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP". Occurs on a virtual server using the NTLM profile; it is only logged when the first such virtual server is created or when TMM restarts. There should be no impact to the system. Workaround: None. |
569102 | A virtual server using NTLM is unusable. Errors in /var/log/ltm and /var/log/tmm similar to the following: err tmm2[27885]: 01010007:3: Config error: virtual_server_profile no suitable hudchain; err tmm2[27885]: 01010007:3: Config error: add virtual server profile error; notice hudchain missing required clientside filter: HTTP; notice MCP message handling failed in 0x5f69c0 (16977920): Jan 20 20:29:45 - MCP Message: notice create { notice virtual_server_profile { notice virtual_server_profile_vs_name "/Common/ntlm_profile_test" notice virtual_server_profile_profile_name "/Common/ntlm" ... notice virtual_server_profile_transaction_id 72. This occurs when a virtual server uses an NTLM profile without the HTTP profile. Unusable virtual server. Workaround: The NTLM profile requires the HTTP profile. Add the HTTP profile to the virtual server. |
569288 | In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This causes some of the LACP trunk members to fail to aggregate with the peer switch. This only happens in a chassis-based system when a certain race condition causes the trunk ID to be modified after initial trunk creation. Non-aggregated trunk members cannot pass traffic. Workaround: Restart lacpd on all the blades in the chassis by running the command "clsh bigstart restart lacpd". |
569349 | When the net cos (class of service) feature is enabled, the VLAN priority of CMP-redirected packets is not preserved from ingress to egress. Conditions: 1. The net cos feature is enabled. 2. A packet is CMP-redirected from one tmm to another tmm for processing. Egress packets are not processed according to the ingress VLAN priority by the BIG-IP system and the downstream router. Certain packets are dropped by the downstream router due to the wrong VLAN priority mark. Workaround: None. |
569968 | sod reanimates (with a core dump) snmpd due to a heartbeat timeout during BIG-IP startup and configuration load. During BIG-IP startup and configuration load, snmpd sometimes blocks while waiting for certain system resources to become available. If snmpd blocks longer than its configured heartbeat timeout, sod reanimates it (with a core dump). The only impact is the generation of a core file. Workaround: The configured snmpd heartbeat timeout can be increased. The 11.5.1 default timeout of 60 seconds can be too short for certain platforms and configurations. The default timeout for later releases is 300 seconds. |
570281 | Attempting to modify the 'ip-address' attribute of a static ARP/NDP entry results in the following error: Syntax Error: "ip-address" may not be specified in the context of the "modify" command. "ip-address" may be specified using the following commands: create, list, show. Occurs when running v11.6.0+. The BIG-IQ SCVMM plugin fails to work properly. Workaround: None. |
570419 | On selected devices and blades, tmm runs multiple processes. When running multiple processes, the session DB may occasionally attempt an operation that will cause a tmm segfault. In order to experience this failure, tmm must be running in multiple processes on the appliance or on the blade, and session DB usage is required with mirroring. Outage and restart of tmm. This applies when bringing up blades as well as bringing peers online. Workaround: None. |
570845 | The configuration infrastructure accepts the invalid 'None' option for phase 1 perfect forward secrecy on an IKE peer. The ability to select 'None' is itself a bug (BZ570839) that occurs in the Configuration utility on Internet Explorer and Safari, but the configuration infrastructure should validate more strictly and reject the invalid 'None' option for any IKE peer. An IKE peer created with the invalid 'None' perfect forward secrecy setting cannot establish an IKE session. Workaround: Do not configure the 'None' option on an IKE peer. |
570949 | TMM crashes and restarts when an iRule uses the "virtual" command in the ACCESS_SESSION_CLOSED event. Workaround: Avoid using the virtual command in the ACCESS_SESSION_CLOSED event. |
571017 | The following message may appear in /var/log/ltm when optics are removed: soc_phy_i2c_read_devtype - eeprom soc_phy_i2c_read_bytes failed port(28). Conditions: optics removal. Impact: none. Workaround: None needed. |
571156 | Certificates and keys attached to an HTTPS monitor are not displayed in the Configuration utility, although they are visible in tmsh. Conditions: certificates and keys configured on an HTTPS monitor. Impact: the Configuration utility cannot show or configure certificates and keys for HTTPS monitors. Workaround: Use tmsh. |
571560 | In rare cases, icrd may crash and create a core file while shutting down. Conditions: icrd exiting, typically during a system shutdown or reboot. Impact: icrd crashes and generates a core file. Workaround: The crash of icrd during shutdown or reboot can be ignored; no services are impacted. Related core files can be deleted as desired. |
572079 | The command history and audit logs add extra escaping. Conditions: a command entered into tmsh includes escape (backslash) characters. Impact: commands repeated from the history may not match what was entered and are interpreted as displayed, and the audit logs may contain additional quoting or escaping compared with the command that was run. Workaround: When repeating commands from the history that contain escaping, remove the added escaping before running them. |
572224 | Errors similar to the following appear in the LTM log: err tmm3[21915]: 01220001:3: TCL error: /Common/RadiusTest CLIENT_DATA - Buffer error (line 1) (line 1) invoked from within "RADIUS::avp 26 ip4 index 0 vendor-id 12345 vendor-type 6". This occurs when an iRule uses the RADIUS::avp command for a vendor-specific AVP and a RADIUS request arrives whose Vendor-type differs from the one specified in the iRule command. Impact: vendor-specific RADIUS AVP commands cannot be used. Workaround: None. |
572246 | By default, the 'rewrite' profile is in APM portal mode. On certain platforms and/or vCMP guest deployments, when a rewrite profile using the default (APM) settings is attached to a virtual server, all layer 3 connectivity begins to fail. |
572277 | The get_dht function in jdmarker.c in libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48 and other products, does not set all elements of a certain Huffman value array during the reading of segments that follow Define Huffman Table (DHT) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image (CVE-2013-6629). Workaround: Upgrade libjpeg. |
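The uninitialized-array pattern behind this libjpeg-turbo DHT issue, shown as an added example that is not part of this release note and is not libjpeg-turbo's code: a minimal DHT table parser (names such as parse_dht_table, huff_table, demo and the constructed sample segment are assumptions for illustration) in its pre-fix form, which writes only the symbols present in the stream and leaves the rest of the 256-entry value array holding whatever the destination held before, beside the hardened form that clears the array first and rejects segments whose counts exceed 256 or run past the end of the segment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DHT_MAX_VALS 256

/* Huffman table as a decoder stores it after parsing a DHT segment. */
typedef struct {
    unsigned char bits[17];              /* bits[k] = number of codes of length k; bits[0] unused */
    unsigned char huffval[DHT_MAX_VALS]; /* symbol values in code order */
} huff_table;

/* Parse one table from a DHT segment body (the bytes after the marker's
 * length field): 1 byte class/id, 16 code-length counts, then 'count' values.
 * Returns bytes consumed, or 0 for a malformed segment.
 * zero_first == 0 reproduces the pre-fix behaviour: only the 'count' values
 * present in the stream are written, so huffval[count..255] keeps whatever the
 * destination held before (stale stack memory in the real decoder).
 * zero_first == 1 is the hardened form: clear the whole array before filling. */
size_t parse_dht_table(const unsigned char *seg, size_t len, huff_table *tbl, int zero_first)
{
    size_t count = 0, i;

    if (len < 17) return 0;            /* class/id byte plus 16 counts must be present */
    tbl->bits[0] = 0;
    for (i = 1; i <= 16; i++) {
        tbl->bits[i] = seg[i];
        count += seg[i];
    }
    /* A table cannot hold more than 256 symbols, and every symbol the counts
     * promise must actually be inside the segment. */
    if (count > DHT_MAX_VALS || count > len - 17) return 0;

    if (zero_first)
        memset(tbl->huffval, 0, sizeof tbl->huffval); /* the fix: no slot is left unset */

    for (i = 0; i < count; i++)
        tbl->huffval[i] = seg[17 + i];

    return 17 + count;
}

/* Number of huffval slots still holding 'sentinel' after parsing; in the
 * unfixed variant these are the bytes a crafted image can surface. */
size_t count_stale(const huff_table *tbl, unsigned char sentinel)
{
    size_t n = 0, i;
    for (i = 0; i < DHT_MAX_VALS; i++)
        if (tbl->huffval[i] == sentinel) n++;
    return n;
}

/* Constructed sample segment (not taken from any real image): the standard
 * luminance DC table, 12 symbols. */
static const unsigned char sample_dht[] = {
    0x00,                                            /* class 0 (DC), table id 0 */
    0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0,  /* codes per length 1..16 */
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11             /* the 12 symbol values */
};

/* Fill the table with a sentinel standing in for stale memory, parse, and
 * report how many sentinel bytes survive (244 unfixed, 0 fixed). */
size_t demo(int zero_first)
{
    huff_table tbl;
    memset(&tbl, 0xAA, sizeof tbl);
    if (parse_dht_table(sample_dht, sizeof sample_dht, &tbl, zero_first) == 0)
        return (size_t)-1;
    return count_stale(&tbl, 0xAA);
}

/* Segment cut off before all 12 values: must be rejected, not read past the end. */
size_t demo_truncated(void)
{
    huff_table tbl;
    return parse_dht_table(sample_dht, 20, &tbl, 1);
}

/* Counts that add up to more than 256 symbols: must be rejected. */
size_t demo_oversized(void)
{
    unsigned char seg[17];
    huff_table tbl;
    memset(seg, 0xFF, sizeof seg);
    seg[0] = 0x00;
    return parse_dht_table(seg, sizeof seg, &tbl, 1);
}

int main(void)
{
    printf("stale bytes without zeroing: %zu\n", demo(0));
    printf("stale bytes with zeroing:    %zu\n", demo(1));
    printf("truncated segment accepted:  %s\n", demo_truncated() ? "yes" : "no");
    printf("oversized table accepted:    %s\n", demo_oversized() ? "yes" : "no");
    return 0;
}
```

The sentinel makes the leak observable deterministically; in the real decoder the surviving bytes are whatever the stack held, and the later decode stages that index the table are what turn them into attacker-readable output. The memset is the whole fix; the two bounds checks are the separate guard that keeps a hostile length field from becoming an out-of-bounds read.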
572343 | Clarification of what LTM policy status means. The status is a read-only attribute; users are not expected to manipulate it. published: the policy has been validated as a published policy, meaning it has been checked and is either already applied or can be applied to a virtual server. draft: the policy is still being worked on and may or may not be ready; some validation is skipped (for example, controls and requires are derived, and certain controls such as asm or l7dos need an action in every rule). legacy: the policy was validated as a legacy policy, meaning the rules regarding drafts and published policies were circumvented; a policy is legacy when it was touched by tmsh -r 12.0.0, touched by iControl REST with version=12.0.0, or modified with iControl REST or tmsh using the 'legacy' flag. Once the configuration has been saved and loaded, the policy always becomes a published policy, since it no longer meets the definition of a legacy policy. Workaround: None. |
588946 | You can install v11.5.4 on the 12250v platform, but you cannot license the BIG-IP system, because v11.5.4 is not supported on the 12250v. Even though installation succeeds, it is not possible to license the system. Workaround: Install a supported version of BIG-IP on the 12250v: 11.6.0 HF2 or later, or 12.0.0 or later. |
Contacting F5 Networks
Phone: | (206) 272-6888 |
Fax: | (206) 272-6802 |
Web: | http://support.f5.com |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.