Release Notes : BIG-IP 11.6.0 LTM and TMOS Release Notes

Applies To:

  • 11.6.0
Release Notes
Original Publication Date: 03/18/2018 Updated Date: 04/18/2019


This release note documents the version 11.6.0 release of BIG-IP Local Traffic Manager and TMOS. You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x.


Platform support

This version of the software is supported on the following platforms:

Platform name Platform ID
BIG-IP 800 (LTM only) C114
BIG-IP 1600 C102
BIG-IP 3600 C103
BIG-IP 3900 C106
BIG-IP 6900 D104
BIG-IP 8900 D106
BIG-IP 8950 D107
BIG-IP 11000 E101
BIG-IP 11050 E102
BIG-IP 2000s, BIG-IP 2200s C112
BIG-IP 4000s, BIG-IP 4200v C113
BIG-IP 5000s, 5050s, 5200v, 5250v C109
BIG-IP 7000s, 7050s, 7200v, 7250v
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 D113
VIPRION B2100 Blade A109
VIPRION B2150 Blade A113
VIPRION B2250 Blade A112
VIPRION B4100, B4100N Blade A100, A105
VIPRION B4200, B4200N Blade A107, A111
VIPRION B4300, B4340N Blade A108, A110
VIPRION C2200 Chassis D114
VIPRION C2400 Chassis F100
VIPRION C4400, C4400N Chassis J100, J101
VIPRION C4480, C4480N Chassis J102, J103
VIPRION C4800, C4800N Chassis S100, S101
Virtual Edition (VE) Z100
vCMP Guest Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
  • PEM and CGNAT supported platforms
    • VIPRION B2100, B2150, B2250, B4300, B4340N
    • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.
  • BIG-IP 800 platform support
    • The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules is available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:

  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only
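The memory bands, the vCMP memory formula and the single-core rule above can be turned into a small capacity check. The following Python is an added example and not F5's code: the function names, the band labels, and the treatment of memory strictly between 8 and 12 GB (which the release note does not address; the example applies the 8 GB guidelines there) are its own assumptions, and the platform-specific 2000s/2200s AAM rule is not modelled.

```python
"""Capacity sanity check built from the platform-support guidelines above.
Added example, not F5 code.  Module names are the abbreviations the
release note uses (LTM, GTM, AAM, APM, SWG, AVR, ...)."""


def vcmp_guest_memory_gb(platform_memory_gb, cpus_assigned_to_guest, total_cpus):
    """Release-note formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus)."""
    if not 0 < cpus_assigned_to_guest <= total_cpus:
        raise ValueError("guest cores must be between 1 and the platform's core count")
    return (platform_memory_gb - 3) * cpus_assigned_to_guest / total_cpus


def memory_band(memory_gb, vcmp_guest=False):
    """Guideline band for a platform, VE or vCMP guest with this much memory.

    A vCMP guest provisioned with exactly 8 GB has less than 8 GB actually
    available, so (as the note says) it lands in the 4-8 GB band.  Memory
    strictly between 8 and 12 GB is not addressed by the note; this example
    applies the 8 GB guidelines there (assumption)."""
    if memory_gb >= 12:
        return "12+"
    if memory_gb > 8 or (memory_gb == 8 and not vcmp_guest):
        return "8"
    if memory_gb > 4:
        return "4-8"
    return "<=4"


def provisioning_warnings(modules, memory_gb, vcmp_guest=False, guest_cores=None):
    """Guideline violations for a proposed module set; empty list when none."""
    mods = {m.upper() for m in modules}
    band = memory_band(memory_gb, vcmp_guest)
    warnings = []
    # Single-core vCMP guests: LTM, GTM or LTM+GTM only.
    if guest_cores == 1 and mods not in ({"LTM"}, {"GTM"}, {"LTM", "GTM"}):
        warnings.append("single-core vCMP guest: only LTM, GTM, or LTM+GTM is supported")
    if band == "8":
        if len(mods) > 3:
            warnings.append("8 GB: no more than three modules should be provisioned together")
        if {"APM", "SWG"} <= mods and mods - {"APM", "SWG", "LTM"}:
            warnings.append("8 GB: with APM and SWG together, no module other than LTM may be provisioned")
    elif band == "4-8":
        if len(mods - {"AAM"}) > 3:
            warnings.append("4-8 GB: no more than three modules (not counting AAM) should be provisioned together")
        if "AAM" in mods and len(mods) > 1:
            warnings.append("4-8 GB: AAM can only be provisioned standalone")
    elif band == "<=4":
        if len(mods) > 2:
            warnings.append("<=4 GB: no more than two modules may be configured together")
        if "AAM" in mods:
            warnings.append("<=4 GB: AAM should not be provisioned except as Dedicated")
    return warnings


def vcmp_guest_warnings(platform_memory_gb, total_cpus, guest_cores, modules):
    """Combine the formula and the guidelines for one proposed vCMP guest."""
    memory = vcmp_guest_memory_gb(platform_memory_gb, guest_cores, total_cpus)
    return memory, provisioning_warnings(modules, memory, vcmp_guest=True, guest_cores=guest_cores)


if __name__ == "__main__":
    # The note's own example: B2100 (16 GB, 4 cores) split into two 2-core guests.
    print(vcmp_guest_warnings(16, 4, 2, ["LTM", "APM", "AAM"]))
```

The B2100 case from the note (two 2-core guests on 16 GB) comes out at 6.5 GB per guest, which puts each guest in the 4-8 GB band, so a guest proposing AAM alongside other modules is flagged.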

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 11.6.0 Documentation page.

New in 11.6.0


BIG-IP External Crypto-offload (early access)

This release provides early access to the ability to leverage SSL Crypto operations from one BIG-IP system to other BIG-IP systems, offloading cryptographic operations to an external system (a crypto provider). For example, this feature allows an LTM VE instance (the crypto client) to offload RSA operations to an external BIG-IP system with RSA hardware acceleration (the crypto provider).

Latency compression selection strategy

This release introduces a new default compression selection strategy, Latency, which favors the latency of compression providers and delays selection of a provider until data arrives. This strategy helps to better distribute the workload placed on each provider. New installations of 11.6.0 have latency as the default compression selection. Upgrading to 11.6.0 changes the default compression selection to latency. For more information, see SOL15523: New latency compression strategy and compression provider selection method.

OCSP stapling with certificate status caching

OCSP stapling is the process in which a TLS server (acting as the OCSP client) queries the OCSP server for the current revocation status of its own TLS certificate and "staples" the signed OCSP response to the TLS handshake. The TLS client receives the stapled OCSP response and verifies its signature, validating the TLS server's certificate without contacting the OCSP server itself. This feature improves certificate validation response time and helps protect the identity of the client.

RSA public key operations in hardware

Because they anchor the validation of every intermediate certificate beneath them, SSL root certificates require extra protection. As a result, most new CA root certificates are moving to a larger key length (4 KB); however, this can result in a performance hit. Adding support for RSA public key operations (client certificate verification) in hardware, alongside SSL keys, provides protection and improves performance.


STARTTLS is an extension to plain text communication protocols. This feature offers a way to upgrade a plain text LDAP connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.

Appliance Mode improvements

Appliance Mode provides the ability to lock down the BIG-IP system, reducing the attack surface and the points available for exploitation. This lock-down can make life difficult for third-party components that are not fully integrated into the BIG-IP system, for example, those that rely on tmsh commands. The commands those components need are now included to improve configuration, setup, and troubleshooting.

Enhanced system authentication methods for LTM BIG-IP

Utilizing APM, this release provides enhanced LTM system authentication for the LDAP, RADIUS, Local User, and TACACS+ methods, delivering a richer set of options such as AAA, fail-back, and dual authentication.

IPFIX over TLS, over TCP

IPFIX over SSL/TLS provides the ability to encrypt the logging information that is sent offbox to a logging destination.

Enhanced user access control

This release adds granularity to BIG-IP access control. For any BIG-IP user, a BIG-IP administrator with the appropriate user role can now grant user access to multiple administrative partitions (instead of access to one or all only), and can assign multiple user roles to the user, one for each partition to which the user has access.

Hardware/platform support/maintenance

DSCP mapped to eight hardware CoS queues on egress

This release provides support for traffic being prioritized and dropped selectively using Differentiated Services Code Point (DSCP), based on a limited number of traffic classes that are mapped to eight user-configurable Class of Service (CoS) priorities on egress. This feature is supported only on these platforms: VIPRION B2250 blade, VIPRION B2150 blade, VIPRION B2100 blade, VIPRION B4300 blade, BIG-IP 10000 Series platform, BIG-IP 7000 Series platform, and BIG-IP 5000 Series platform.

Disk erase on SSD and HDD platforms

This release now provides end users with the ability to perform a single-pass, zero-write disk erase operation on solid-state drives (SSDs) and hard disk drives (HDDs). For more information, see SOL15521: Using the 'Security Erase Unit' ATA command to perform a disk erase for SSDs and HDDs, available at

BIG-IP 2000/4000 Series appliance platforms L2 enhancements

This release introduces enhanced L2 support, including these features on the BIG-IP 2000/4000 appliance platforms: STP (Spanning Tree Protocol), LLDP (Link Layer Discovery Protocol), ARL (Address Resolution Table), and enhanced Traffic Management Shell (tmsh) Layer 2 Forwarding table commands.

IPv6 support in ePVA (requires 11.6.0 HF5)

The 11.6.0 HF5 release features support for IPv6 in ePVA for the VIPRION B2250 blade.

UC-APL certification

This release includes features that support UC-APL (Unified Capabilities Approved Product List) certification requirements, including: smart card (CAC) authentication to the management interface, configurable banners for confidentiality, FIPS 140-2 compliance, SSL/TLS key requirements, and Appliance mode for DISA/STIG.

System support for multiple hardware (FPGA bitstream) profiles

This release adds system support that enables users to choose from two different available hardware (FPGA firmware) profiles based on provisioning: standard balanced performance profile and an L4-optimized performance profile. This feature is currently available only on the VIPRION B2250 blade in a C2200 chassis.

Traffic group limit increased from 15 to 127

This release supports a maximum of 127 traffic groups that you can configure within a Sync-Failover device group. Earlier releases supported a maximum of 15 traffic groups only.

General Functionality

Object move and rename (early access)

This release provides early access to the feature that enables move/rename of specific BIG-IP object types, such as virtual servers, virtual addresses, pools (implicitly moves pool members), nodes, monitors, profiles, iRules, iApps, device names, self IP addresses, iCall, and folders. Note that this functionality is not provided for VLANs or Partitions.

L7 Policy Matching Enhancements

This release provides a variety of enhancements to L7 policy matching (CPM).

Cubic and Westwood+ congestion control

This release adds the Cubic and Westwood+ congestion control algorithms.

Early retransmit

This release introduces support for an experimental RFC to recover lost segments quickly.

Dynamic TCP tuning

This release supports modifying TCP profile parameters via iRules.

Tail loss probe

This release contains an enhancement to reduce the impact of retransmission timeouts (RTO) on web transactions.

TCP profile redesign

This release provides a redesign of the TCP profile page, to enhance usability.

FIX protocol-based routing together with low latency

FIX data that is available in the first 2144 bytes of a flow can be parsed and used in traffic management, such as routing a flow to a specific backend server based on SenderCompID. Performance L4 virtual servers can extract application data to make the traffic management decisions. Once the decision has been made, the flow is moved to the ePVA for low-latency TCP-based data transfer.

Adaptive response time monitoring

This release provides Adaptive response time monitoring, which measures the amount of time between when the BIG-IP system sends a probe to a resource and when the system receives a response from the resource. It adds an extra dimension to existing monitor capabilities. Use adaptive response time monitoring to enhance server utilization under heavy load and to optimize moderately configurable web applications that are served by servers with limited capacity.

Populate pools by FQDN

This release includes the ability to configure a BIG-IP system with nodes and pool members that are identified with fully-qualified domain names (FQDNs). When configuring pool members with FQDN, addresses dynamically follow DNS changes. Fully dynamic DNS-managed pools may even be created.

Device Trust Group on the Device Management Overview page

The Device Management Overview page in the BIG-IP Configuration utility now reports the status of the special trust device group, which contains all devices in the local trust domain. This new status on the Overview page can help users troubleshoot and resolve sync issues, which are sometimes caused by device trust not being properly established.

IPFIX support with iRules

This release adds the ability to use iRules to generate log messages encoded in IPFIX/NetFlow format, containing standard and custom Information Elements.

Support Alert Functionality

The new alert system aligns with and is part of the Unified Logging Infrastructure, with its configuration officially part of standard MCP schemas/CMI/DG, and so on, so that alerts can be raised for any message that originated in the system that is potentially destined for any/all endpoints, including offbox destinations.

Net-SNMP Upgraded to Version 5.7.2

The Net-SNMP software on the BIG-IP system is now upgraded to version 5.7.2.

Kernel Upgraded to RedHat 6.4 Version

The kernel on the BIG-IP system is now upgraded to RedHat 6.4 version 2.6.32-358.23.2.

HTTP 2.0 (experimental) Profile

Local Traffic functionality now includes an HTTP/2 profile type that you can use to manage HTTP/2 traffic, improving the efficiency of network resources while reducing the perceived latency of requests and responses. The Local Traffic HTTP/2 profile enables you to achieve these advantages by multiplexing streams and compressing headers with Transport Layer Security (TLS) or Secure Sockets Layer (SSL) security. Note that subsequent versions of the HTTP/2 protocol might be incompatible with this release. The HTTP 2.0 specification is currently in a draft phase (draft 13).

SPDY 3.1

This release supports SPDY version 3.1 functionality.

iCheck functionality improves monitors scalability

In this release, the BIG-IP system includes new iCheck functionality, which improves scalability of FTP, SMTP, POP3, and IMAP monitors. iCheck functionality supports more monitors, while reducing the load on BIG-IP systems. For example, FTP monitoring provides a 600% improvement in sustained monitor performance. Additionally, iCheck functionality provides smoother performance characteristics as monitors approach full capacity. For example, F5 Networks tested 6,000 monitors showing smooth traffic characteristics throughout the range.

High performance SIP proxy

In this release, you can use the BIG-IP system as a Session Initiation Protocol (SIP) proxy. When the BIG-IP system is placed between your SIP routers, session border controllers, and soft switches, you can configure the system to route and load balance SIP messages across the servers on your SIP network.

IPSec IKEv2 support

IPsec options on BIG-IP systems now include support for IKEv2. When you configure IKE peers, you can choose between IKEv1 and IKEv2. If you choose IKEv2, you have the additional benefit of using route domains.

Bandwidth measurement per subscriber and/or flow

This release includes a mechanism for bandwidth measurement (rate or bytes) per subscriber, per application, or per flow. Other elements in the network can use this information to dynamically apply relevant services, for example, video encoding.


802.1QinQ on switch enabled platforms

This release supports IEEE 802.1QinQ on switch-enabled platforms (the 5000, 7000, 10000, B2100, B2200, and B4300 series), which allows for overlapping VLAN IDs, particularly benefiting vCMP, partition, and route-domain deployments.

vCMP virtual disk templates

You can speed up vCMP guest deployment by using virtual disk templates. On the first vCMP guest installation, the vCMP system creates a virtual disk template for the specific initial-image (and, if present, initial-hotfix). For subsequent guest installations of the same initial-image/hotfix, vCMP host administrators can use the virtual disk template, which speeds up the deployment process.

vCMP guest data visible from host

This version provides a summary of vCMP guest data from within the vCMP host. This data facilitates access to the current state of each guest. The BIG-IP Configuration utility shows the current active software image, the provisioned modules, and HA status. You can access each guest for additional information, such as Installed Images and Available Images, and other Resource Provisioned information such as License Status, Required Disk and Required Memory. The Guest name link opens the guest's Properties tab. The HA Status shows a Failed link when there is an HA Status failure. The link opens the guest's HA Status tab.

vCMP guest access to ISO/hotfix images from hypervisor

vCMP now allows file access from within a vCMP guest to the images stored on the host (hypervisor) side. This facilitates installation of ISO/hotfix images to guests and reduces storage space for those images.

Historical vCMP Statistics

From the vCMP host, you can view detailed historical vCMP statistics in the Analytics section of the Configuration utility. The statistics provide an overview of vCMP performance, network throughput, CPU usage, and disk usage in graphical form. You can customize the information that is displayed, the time periods, and what information you want to appear on the overview screen.


CGNAT: Improved compatibility of CGNAT ALG port selection

This release improves compatibility of application layer gateway (ALG) profiles with Carrier-Grade NAT (CGNAT) port picking methods, including Deterministic NAT (DNAT) and Port Block Allocation (PBA) translation modes. Improved CGNAT port selection compliance is now available in the FTP, SIP and RTSP ALG profiles, allowing the ALGs to select the correct port based on the subscriber, and provide reliable reverse mappings of translated addresses for all traffic.

CGNAT: Port Block Allocation support

Port block allocation (PBA) mode is an address-port translation mode option that reduces CGNAT logging, by logging only the allocation and release of each block of ports. When a subscriber first establishes a network connection, the BIG-IP system reserves a block of ports on a single IP address for that subscriber, and logs the block allocation. The system releases the block when no more connections are using it, and logs the block release. This functionality reduces the logging overhead, which significantly decreases log storage and improves system performance when compared to NAPT logging, because the CGNAT logs only the allocation and release of each block of ports once.

CGNAT: MAP Border Relay support

Mapping of Address and Port with Encapsulation, as defined by the IETF draft draft-ietf-softwire-map-10, is a stateless IPv4 to IPv6 transition technology, which provides a scalable, high performance solution for mapping private IPv4 addresses to public IPv4 addresses and transporting traffic over an IPv6 infrastructure. The BIG-IP system plays the role of the border relay (BR) in a MAP deployment, supporting MAP deployments alongside stateful CGNAT solutions.

CGNAT: Configurable logging enhancements

This release provides configurable log profiles for ALG and LSN logging. They let a user control the type of log messages generated, and the inclusion of optional log elements in the logged message. The ALG (FTP, SIP, RTSP) logging profile allows for the configuration of logging options for various events that apply to high-speed logging destinations. The LSN logging profile allows for the configuration of logging options for various LSN events that apply to high-speed/IPFIX logging destinations.


LTM Concepts and TMOS Concepts guides

The LTM Concepts and TMOS Concepts guides have been broken into smaller guides. This provides more focused and easier-to-find relevant content. The following guides now contain this content:

  • BIG-IP System: Essentials
  • BIG-IP System: Initial Configuration
  • BIG-IP Local Traffic Management Basics
  • BIG-IP System: User Account Administration
  • BIG-IP Digital Certificates: Administration
  • BIG-IP Folders: Administration
  • BIG-IP System: iRules Concepts
  • BIG-IP Local Traffic Management: Profiles Reference
  • BIG-IP System: Operations
  • BIG-IP TMOS: Routing Administration
  • BIG-IP System: SSL Administration

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in the following guides, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

  • Install to existing volume, migrate source configuration to destination: tmsh install sys software image [image name] volume [volume name]
  • Install from the browser-based Configuration utility: Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP- volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations guides Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
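The checklist and installation steps above can be front-ended with a small pre-flight script. The following Python is an added example, not F5 code or tooling: it verifies the image in /shared/images against a published checksum before building the tmsh install command, and refuses a target volume that is the active boot location (the checklist's rule to boot from a location other than the target). The md5sum-style <image>.md5 file beside the image, the column layout of the tmsh show sys software output it parses, the sample status text, and the function names are this example's assumptions; the sample image it writes is constructed.

```python
"""Pre-flight checks before running
    tmsh install sys software image <image> volume <volume>
Added example; not F5 code or tooling.  Assumptions (not from the release
note): the published checksum sits beside the image as <image>.md5 in
md5sum format ("<hash>  <file>"), and 'tmsh show sys software' lists one
row per volume with the columns Volume Product Version Build Active Status.
"""
import hashlib
import os
import re
import tempfile

IMAGE_DIR = "/shared/images"  # directory named in the installation checklist

# Constructed sample of the status output (not captured from a real unit).
SAMPLE_STATUS = """\
-----------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build    Active  Status
-----------------------------------------------------
HD1.1   BIG-IP   11.5.1   0.0.110  yes     complete
HD1.2   BIG-IP   11.4.1   0.0.608  no      complete
"""

VOLUME_ROW = re.compile(
    r"^(HD\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(yes|no)\s+(\S+)", re.M)


def parse_volumes(status_text):
    """Map volume name -> {'version', 'active', 'status'} from the status output."""
    volumes = {}
    for m in VOLUME_ROW.finditer(status_text):
        vol, _product, version, _build, active, state = m.groups()
        volumes[vol] = {"version": version, "active": active == "yes", "status": state}
    return volumes


def active_volume(status_text):
    """Name of the volume the system is currently booted from, or None."""
    for vol, info in parse_volumes(status_text).items():
        if info["active"]:
            return vol
    return None


def image_checksum_ok(iso_path):
    """Compare the image's MD5 with the first token of <iso>.md5."""
    md5_path = iso_path + ".md5"
    if not (os.path.isfile(iso_path) and os.path.isfile(md5_path)):
        return False
    with open(md5_path) as f:
        tokens = f.read().split()
    if not tokens:
        return False
    digest = hashlib.md5()
    with open(iso_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == tokens[0].lower()


def preflight(image_name, target_volume, status_text, image_dir=IMAGE_DIR):
    """Return (ok, messages).  When ok is True, messages holds the tmsh command."""
    problems = []
    if not image_checksum_ok(os.path.join(image_dir, image_name)):
        problems.append(f"{image_name}: missing, or MD5 does not match {image_name}.md5")
    active = active_volume(status_text)
    if active is None:
        problems.append("could not determine the active boot location from the status output")
    elif target_volume == active:
        # Checklist rule: boot into a location other than the installation target.
        problems.append(f"{target_volume} is the active boot location; pick another volume")
    if problems:
        return False, problems
    return True, [f"tmsh install sys software image {image_name} volume {target_volume}"]


def make_sample_image(directory=None, corrupt=False):
    """Write a constructed sample.iso plus its .md5 for trying the checks offline.
    With corrupt=True the .md5 deliberately describes different bytes."""
    directory = directory or tempfile.mkdtemp()
    name = "sample.iso"
    content = b"constructed sample image, not a real BIG-IP ISO\n"
    with open(os.path.join(directory, name), "wb") as f:
        f.write(content)
    hashed = content + b"tampered" if corrupt else content
    with open(os.path.join(directory, name + ".md5"), "w") as f:
        f.write(f"{hashlib.md5(hashed).hexdigest()}  {name}\n")
    return directory, name


if __name__ == "__main__":
    d, name = make_sample_image()
    print(preflight(name, "HD1.2", SAMPLE_STATUS, image_dir=d))
```

Feed it the real status text captured from tmsh show sys software; the script never runs tmsh itself, so the install step stays a deliberate, separate action after the checks pass.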

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Upgrading to 4th element versions from versions earlier than 11.5.0

You cannot directly update from pre-11.5.0 versions (e.g., v11.4.x, v11.2.x, etc.) to any 4th element version (e.g., v12.1.3.1, v13.1.0.1, etc.). Direct upgrade to 4th element versions is supported only from v11.5.0 and later. For pre-11.5.0 versions, you must first upgrade to v11.5.0 or later. The recommended upgrade path is from v11.4.1 to v12.1.3, and then to v12.1.3.1. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
ID 223704 When you import a single configuration file (SCF file) that contains VLANs of the same name that exist in different administrative partitions, the operation fails with an unknown operation error. To work around this issue, before installing an SCF file, run the tmsh load sys config default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
ID 366172 A pre-v11.x configuration that was created with the bigpipe cli ip addr option set to name may cause configuration load failure on upgrade due to resolved names saved to the bigp.conf file rather than IP addresses. The workaround is to change the cli setting to 'cli ip addr number', save the config on the pre-v11.x unit, and then run the upgrade.
ID 370964 When upgrading a 10.x standard active/standby pair, the recommendation is to start with the device with the numerically highest management IP address. There is a change in behavior in 11.1.0 that automatically selects the system with the highest management IP address as the active member of the device group. Depending on your configuration, an upgrade could result in lost traffic.
ID 378430 When upgrading to version 11.x with a WAM policy containing no nodes, the upgrade fails with the following error message: Tmsh load failed: 01071419:3: Published policy (/Common/empty_policy) must have at least one node. Unexpected Error: Loading configuration process failed. There are two options for working around this problem: (1) Before upgrading, add a new node to the empty policy with the default settings, publish the policy, and then upgrade. (2) Before upgrading, remove the empty policy from any applications and delete the policy. You may create a copy of the policy before deleting it, as long as you do not publish the copied policy. Then upgrade.
ID 384569 If an object is in a partition with the default route domain set, and that object refers to an object with an IP address in /Common, a config rolled forward from a previous release might not load. When using the default route domain for a partition, all objects with addresses should be in that partition. To work around this issue, move objects into /Common, or edit the config file and, for all conflicting objects in /Common, append %0 to the name/address. For example, if a pool in partition_1 references a member in route-domain 0: ... shell write partition Common node { addr } ... shell write partition partition_1 pool rd0-pool1 { members {} } ... change it to: ... shell write partition Common node { addr } ... shell write partition partition_1 pool rd0-pool1 { members {} } ...
ID 394873 The upgrade process does not update Tcl scripts (such as iRules) in the configuration. This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.
ID 398067 As of version 11.0 a check is performed to ensure a failover unicast address actually exists. In configurations using the management port for failover, the management IP and unicast failover IP must be identical for failover to function properly. They must also be identical before upgrading. Releases preceding and including 11.3.0 do not automatically modify the unicast failover IP when the management IP is changed or vice-versa. This can cause failures when loading the config after an upgrade. This is an example error: 0107146f:3: Self-device unicast source address cannot reference the non-existent Self IP (a failover IP); Create it in the /Common folder first. Before upgrading, ensure that the management IP and unicast failover IP are identical.
ID 399013 On 10.x-to-11.x upgrade, the UCS restore lowers the cache size by 25% for all web-acceleration profiles.
ID 399510 On BIG-IP Virtual Edition systems running software prior to 11.3.0 with statically configured management port IP addresses only, disable the DHCP service with the command "tmsh modify sys global-setting mgmt-dhcp disabled" prior to upgrading to this release of BIG-IP software. Disabling the DHCP service prior to upgrading will preserve the static IP address configuration as part of the installation. Statically configured management port IP addresses on BIG-IP hardware platforms are not required to have this configuration change prior to upgrading.
ID 401367 Version 11.x added validation around the use of CACHE:: commands on virtual servers with RAM cache enabled. The result is that upgrading from version 10.x to 11.x fails under certain configuration conditions, for example, if the configuration contains a CACHE_RESPONSE event in an iRule, and there is not an associated Web Acceleration profile applied to that virtual server. To work around the upgrade failure, locate and remove the applicable iRules and virtual servers in the configuration, and try loading the configuration again.
ID 401828 Problem: The following configurations are invalid for a SIP virtual server: a) a TCP virtual server with a UDP profile and a SIP profile; b) a UDP virtual server with a TCP profile and a SIP profile. Result: If such a configuration exists in a previous version, it loads in 11.3 but may cause a TMM core. Solution: Fix the configuration manually before upgrading: a) a SIP TCP virtual server must have TCP as one of its profile types; b) a SIP UDP virtual server must have UDP as one of its profile types.
ID 402528 There is now more stringent validation on protocol profile combinations. You cannot configure UDP, TCP, and SCTP protocol profiles for handling the same client-side or server-side traffic. In addition, the following profiles are mutually exclusive: SIP, RTSP, HTTP, Diameter, RADIUS, FTP, and DNS. If one of these profiles is assigned to a virtual server, you cannot assign another one. In the past, the BIG-IP system did not prevent such invalid combinations; now it does. If you have previous configurations containing this invalid combination of profiles, you must correct the configuration before the upgrade can succeed. When you upgrade from pre-11.3.x versions, if you see such an error message during configuration load, fix those invalid combinations and try the upgrade again.
ID 403592 Platforms with less than 6.5 GB memory cannot be upgraded to version 11.3.0 if three or more modules are provisioned. Note that upgrades from version 10.0.x display only an "upgrade failed" message as a software status. All other versions show a clear error message, guiding the users to SOL13988. Before upgrading, make sure you have only one or two modules provisioned if the BIG-IP system has less than 6.5 GB of memory.
ID 403667 In this release, improved validation does not allow users to upgrade or configure VLANs with names greater than 64 characters. This mitigates system instability found when this validation was not present. During upgrade from 10.x to 11.x, this new validation code prevents VLANs with names longer than 64 characters from passing validation. The problem is complicated by the fact that the BIG-IP system prefixes partition_path to vlan_name. That means that a VLAN named vlan_site6 in the Common partition is actually named /Common/vlan_site6. If you have VLANs with names longer than 64 characters, upgrade fails. To work around this, change the VLAN names before upgrading. This involves changing the VLAN name as well as any configuration objects that refer to that VLAN.
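The pre-upgrade checks from IDs 398067, 401828, 402528 and 403667 above, condensed into one script that reports every violation before you attempt the upgrade. This is an added illustrative example, not F5 code: it models the relevant parts of the configuration as Python dataclasses instead of parsing bigip.conf (an assumption about data shape), and the sample configuration, addresses and object names are constructed.

```python
from dataclasses import dataclass

MAX_VLAN_NAME = 64                      # ID 403667: limit applies to /partition/name
L4_PROFILES = {"tcp", "udp", "sctp"}    # ID 402528: at most one per side
# ID 402528: application-layer profiles that may not be combined on one virtual
EXCLUSIVE_APP_PROFILES = {"sip", "rtsp", "http", "diameter", "radius", "ftp", "dns"}


@dataclass
class VirtualServer:
    name: str
    ip_protocol: str       # "tcp" or "udp": the IP protocol the listener accepts
    profile_types: set     # types of attached profiles, e.g. {"tcp", "sip"}


@dataclass
class Config:
    partition: str
    vlans: list            # VLAN names as typed, without the partition prefix
    virtuals: list
    mgmt_ip: str
    failover_unicast_ip: str   # only meaningful if failover uses the mgmt port


def full_vlan_name(partition, vlan):
    """The system stores VLANs as /partition/name; that is the string it validates."""
    return f"/{partition}/{vlan}"


def check_vlan_names(cfg):
    errors = []
    for vlan in cfg.vlans:
        full = full_vlan_name(cfg.partition, vlan)
        if len(full) > MAX_VLAN_NAME:
            errors.append(f"vlan {full} is {len(full)} chars, limit {MAX_VLAN_NAME}")
    return errors


def check_virtual(vs):
    """IDs 401828 and 402528: protocol and application profile combinations."""
    errors = []
    l4 = vs.profile_types & L4_PROFILES
    if len(l4) > 1:
        errors.append(f"{vs.name}: multiple L4 profiles {sorted(l4)}")
    app = vs.profile_types & EXCLUSIVE_APP_PROFILES
    if len(app) > 1:
        errors.append(f"{vs.name}: mutually exclusive profiles {sorted(app)}")
    # ID 401828: a SIP virtual must carry the profile matching its own protocol
    if "sip" in vs.profile_types and vs.ip_protocol not in vs.profile_types:
        errors.append(f"{vs.name}: SIP virtual over {vs.ip_protocol} lacks a {vs.ip_protocol} profile")
    return errors


def check_failover_ip(cfg):
    """ID 398067: when failover runs over the mgmt port the two addresses must match."""
    if cfg.mgmt_ip != cfg.failover_unicast_ip:
        return [f"unicast failover IP {cfg.failover_unicast_ip} != mgmt IP {cfg.mgmt_ip}"]
    return []


def validate(cfg):
    """Return every violation found; an empty list means the checks pass."""
    errors = check_vlan_names(cfg) + check_failover_ip(cfg)
    for vs in cfg.virtuals:
        errors.extend(check_virtual(vs))
    return errors


# Constructed sample configuration (RFC 5737 documentation addresses), not a real device.
SAMPLE = Config(
    partition="Common",
    vlans=["vlan_site6", "a" * 60],          # "/Common/" + 60 chars = 68 > 64
    virtuals=[
        VirtualServer("vs_sip_ok", "udp", {"udp", "sip"}),
        VirtualServer("vs_sip_bad", "tcp", {"udp", "sip"}),             # ID 401828 case (a)
        VirtualServer("vs_http_ftp", "tcp", {"tcp", "http", "ftp"}),    # ID 402528
    ],
    mgmt_ip="192.0.2.10",
    failover_unicast_ip="192.0.2.11",
)

if __name__ == "__main__":
    for err in validate(SAMPLE):
        print("pre-upgrade:", err)
```

Run it against your own object list before starting the install; the sample above reports four violations (one VLAN name, one failover address mismatch, and two virtual servers), and each must be corrected in the configuration, including every object that references a renamed VLAN.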

Fixes in 11.6.0

ID Number Description
ID 284330 Beginning in 11.6.0, the following pages now handle IPv6 slash notation: -- System :: SNMP Access -- LTM :: SNAT Address -- LTM :: iRule DataGroup -- LTM :: Virtual Server -- Network :: Traffic Selectors
ID 336255 This fix introduces a "limit-type" OneConnect profile option (currently supported only via TMSH and iControl/REST; GUI and iControl/SOAP support is in progress). The limit-type can take one of three values: none: behaviour is as before; "connections" are counted toward the pool member limit based on whether they have active, in-flight requests or responses. strict: a hard TCP pool member connection limit is enforced. No attempt is made to find a connection to reuse when at the TCP connection limit, EVEN IF ONE MIGHT BE AVAILABLE. This mode of operation is not recommended (though some customers find it useful with short idle connection timeouts). idle: if a client connection is accepted and the system is at or above the TCP connection limit, a random idle connection is dropped.
ID 336601 The MTU set on management routes is now correctly propagated to the Linux kernel.
ID 349680 Correct the port number provided in Via header in SIP monitoring connections.
ID 361094 This issue has been fixed. The im utility now operates correctly irrespective of the location of the .im package, including placement in the root directory (/) of the filesystem.
ID 364302 The system posts an alert and prevents deletion of a DNSSEC key being used by one or more DNSSEC zones. A DNSSEC key is only allowed to be deleted from the BIG-IP system when it is not used by any DNSSEC zones.
ID 367759 On BIG-IP VE, modifying an interface's VLAN configuration from tagged to untagged, or untagged to tagged, can result in unavailability of traffic on that interface. Restarting the tmm with "bigstart restart tmm" will correct this condition, as will deleting and recreating the VLAN with desired tagging attributes.
ID 376894 External data group files that have been edited on Microsoft Windows platforms can now be imported in their native format. Both Windows style (CRLF) as well as Unix/Linux style (LF) line endings are supported, so there is no longer a need to run these files through utilities to reformat line endings.
ID 380290 Benign agentx log messages no longer occur for the routing protocols ospfv2, ospfv3, bgp, rip, ripng.
ID 382606 Fixed a TMM core caused by connection RSTs when iRule commands have temporarily suspended execution in SERVER_CONNECTED events.
ID 395894 HTTP::cookie insert will re-use an existing cookie header of the same RFC version, rather than always inserting a new one.
ID 409732 ~/bin will only be added to the path if it exists.
ID 411101 Resolved an issue found in F5 testing for ability to tcpdump mgmt_bp_* and loopback. Also added vm_tap_* for guests.
ID 411723 There is now a message alerting the user when adding a new device when that device already has trust configured, which redefines the trust group. The message is 'Devices (IP list) already have a non-standalone trust domain. This operation will destroy and replace that domain. Continue?'
ID 415946 The BIG-IP system will stop sending HA heartbeat messages across unicast or multicast failover links that are deleted.
ID 416250 Added timeout to cancel incomplete SSL handshakes and retry
ID 417006 Thales HSM install now needs to be done only on the primary slot on BIG-IP cluster-mode chassis systems such as VIPRION. A single install on the primary slot installs Thales on all active slots. In any already-open sessions to the BIG-IP slot(s), the PATH environment variable must be reloaded by executing 'source ~/.bash_profile' before the Thales utilities can be used. If at a later stage a new blade is added, or a disabled or powered-off blade is made active or powered on, the user must run ' -v' *only* on the new secondary slot. If the new slot is made primary before the Thales install, the regular install procedure using will be required on the new primary slot.
ID 418685 You can now execute tmsh when using custom MIB.
ID 419664 Performing a mibwalk of SNMP sysIfxStat returns the expected stats.
ID 421964 BIG-IP system now correctly aggregates an LACP-enabled link.
ID 422085 sysL2Forward stats now return data.
ID 422094 Data connections created through FTP Active-mode transactions through the CGNAT now have the data session translation address:port logged as LSN translations.
ID 423061 Creating or modifying SNMP v3 users using the GUI or tmsh no longer adds passwords in plain text to the /config/net-snmp/snmpd.conf file. Now, passwords are encrypted.
ID 423482 Removing the gateway failsafe pool in web interface now correctly sets the pool::gateway failsafe device property.
ID 424698 An LTM Policy with a target of 'forward', event of 'request', action of 'select' and parameters of 'clone-pool', 'node', 'member', 'nexthop', or 'rateclass' now function as intended.
ID 424931 Minimized the number of duplicate file events processed by csyncd.
ID 426087 After upgrading an HA pair from a 10.2 installation, this error would appear after each boot: err devmgmtd[5817]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:510 ] Cannot decrypt config sync password (encrypted 'unused'). This error message was always harmless and could be ignored. It no longer appears.
ID 426600 The TMM loop has been fixed.
ID 429011 External link down time on network failover is now supported on BIG-IP 2000 series and 4000 series platforms. You can find the Link Down Time on Failover option in the GUI under Device Management :: Device Groups :: [device_group_name] :: Failover.
ID 429365 FTP data connections now honor LSN pool translation port ranges.
ID 431239 RTSP established media connections now honor LSN pool translation port ranges or configuration.
ID 431240 RTSP ALG when used with CGNAT, the media connections now have the data session translation address:port logged as LSN translations.
ID 431926 The TCP proxy no longer can accidentally resend request or response done events.
ID 431957 When a full load sync occurs, user objects no longer sync unexpectedly.
ID 431985 Monitor instance is now correctly enabled or disabled after an incremental sync.
ID 432720 The BIG-IP will not send GARPs for a Virtual Address when the ARP has been disabled for that virtual address.
ID 434730 Automatic incremental synchronization succeeds even after a large number of synchronization operations in rapid succession.
ID 436674 The SNMPv3 trap headers now have consistent msgAuthoritativeEngineTime and msgAuthoritativeEngineBoots values.
ID 436811 Pool member status is updated correctly when multiple database monitors are configured for the same ip::port destination.
ID 437285 Updated socat to [was].
ID 437430 Alertd now supports the ISO 8601 date format.
ID 437637 Log message will not occur if the host is not powered off.
ID 437703 You can now use the special characters ~!#$%^&*| in HTTP headers and cookie names.
ID 437906 WebSockets and the HTTP CONNECT method now work with OneConnect.
ID 438046 Unattached and disabled VS correctly removed from LSN pool.
ID 438159 With this fix, a pre-shared key can now be used with an anonymous IKE peer for IKEv1 negotiation.
ID 438504 The show sys route-domain command now returns the correct information from route-domain.
ID 438826 Eliminated a race condition between primary and secondary blades during secondary boot.
ID 438877 The SASP monitor ignores up to 5 consecutive unexpected send-weight messages and keeps looking for the registration reply from the GWM. If it does not get the reply within 5 attempts, the monitor restarts.
ID 439013 Validation now allows IPv6 link-local address with %vlan notation.
ID 439300 Due to a missing permission setting, users with the Manager or Application Editor role used to see a validation error when creating an AAA HTTP server. This is fixed, and Manager or Application Editor users can now create AAA HTTP server objects.
ID 439424 SafeNet HSM install now needs to be done only on the primary slot on BIG-IP cluster-mode chassis systems such as VIPRION. A single install on the primary slot installs SafeNet on all active slots. In any already-open sessions to the BIG-IP slot(s), the PATH environment variable must be reloaded by executing 'source ~/.bash_profile' before the SafeNet utilities can be used. If at a later stage a new blade is added, or a disabled or powered-off blade is made active or powered on, the user must run ' -p <HSM partition password>' *only* on the new secondary slot. If the new slot is made primary before the SafeNet install, the regular install procedure using will be required on the new primary slot.
ID 439490 The BIG-IP system now reconnects to SafeNet HSM if the connection is interrupted, so connections continue as expected.
ID 439653 Long-lived connections consistently use policy settings from the beginning of the connection, and for the lifetime of that connection, regardless of any virtual server and policy configuration changes that occur in the interim.
ID 440179 No memory leak in creating a wildcard DS-Lite tunnel.
ID 440181 The iRule CACHE commands now work in the HTTP_REQUEST_DATA event.
ID 440425 In this release, there is a button to add a DNS resolver directly in the SOCKS and HTTP Explicit profiles.
ID 440466 A DNS nameserver is not allowed to be deleted from the BIG-IP system if it is used by a DNS zone as a transfer client. MCPD validation error message will appear when trying to delete a nameserver from the BIGIP if it's used as a transfer client of one or more DNS zones.
ID 440685 Fixed a memory leak for the use case: iSession + source address translation pool.
ID 440729 Fix involves saving the content signature after the CSS parser is done parsing all the data and is not waiting for more data.
ID 440756 'tmsh save sys config' output returns correct information with a single NIC configured.
ID 440812 When a wildcard virtual server is configured together with VLAN groups, and db vlangroup.forwarding.override is disabled, traffic is now correctly forwarded.
ID 440941 Fix issues discovered in testing when calling printdb during initialization.
ID 441270 The fix uses the observed length rather than the annotated length for static documents such as images.
ID 441336 Before v11.5.0, a clientssl profile supported only one key/cert pair, with no name associated with it. In v11.5.0, multiple key/cert pairs can be associated with one clientssl profile, so each key/cert pair has a name. The fix assigns a name to the key/cert pair carried over from the old release.
ID 441573 The ultimate fix will involve some low-level changes in the UI framework to ensure that the proper query context (in MCP) is set when selecting [All].
ID 441638 Keep the cache information in sync with packet data
ID 442020 Router bit is correctly preserved by proxy ARP/NDP code for vlan groups.
ID 442022 Upgrade to BIOS 1.23 or newer. Alternatively, power cycle the chassis, or pull and re-insert the blade.
ID 442034 SSL persistence allows clientside to complete before closing.
ID 442336 The issue has been resolved; TMM no longer cores.
ID 442391 DAD and unsolicited NA works as expected.
ID 442410 Resolved TMM error message 'HUDEVT_EXPIRED (Connection expired) bad pcb magic (0x00585858)' and TMM core on standby member of HA configuration with connection mirroring and connection pooling (OneConnect) enabled.
ID 442579 Allow "DEFAULT:SSLv3" to add SSLv3 after DEFAULT.
ID 442584 Making configuration changes, such as adding/removing a profile, to the targeted virtual will not adversely affect policy execution.
ID 442869 The primary blade would formerly send a message to all secondaries every second telling them to change the primary selection time. (The actual timestamp is correct and is the same every second). Over time this might fill up the audit log. This no longer occurs and the message is now only sent when the primary actually changes.
ID 442993 Only the default management route is used to configure the gateway; if it is unconfigured, no gateway is set.
ID 443098 The Proxy SSL feature no longer leaks memory.
ID 444178 The policy will properly replace specified HTTP headers.
ID 445597 The LSN pool client connection limit now works with SIP.
ID 445610 VXLAN tunnel self IPv6 addresses can be pinged.
ID 445761 iRule FIX event allows calling proc; no validation failure is thrown now.
ID 445924 Changed code to allow IP multicast packets to be delivered to all blades so that OSPF failover can occur.
ID 446402 Deterministic NAT state information will be logged from one TMM when configuration changes.
ID 446682 the fix for this issue requires the implementation of MCP object move support for WAM objects. This functionality is only partially implemented.
ID 447080 VLAN tagged/untagged configuration change occurs immediately, and no longer requires tmm restart.
ID 447390 Loose-close no longer causes issues with traffic on FastL4 virtual servers.
ID 448054 Secondary blades now are sent the sync status information from primary blades, so the sync status will not be reset if the primary blade fails over.
ID 448476 Updated media code to recognize XFP media in PB100 blades.
ID 448606 The listener ref count no longer overflows and causes a TMM core and crash.
ID 448787 Connection tracking is now correctly disabled in non-default route domains.
ID 449017 F5 found potential data inconsistency between tmsh and icrd in date formats in testing and resolved to prevent customer issues.
ID 449636 'tmsh load sys config' no longer makes some policy's actions ineffective.
ID 449798 An issue has been corrected that potentially caused blade failures on secondary blades in a VIPRION chassis to have subsequent issues executing health monitors.
ID 449872 Using a mix of TMSH and GUI to set rule in 'Last' position no longer reorders rules.
ID 449896 Deterministic NAT (DNAT) does not pick a colliding port for the second connection, so connections complete successfully.
ID 449920 A memory leak using compression on BIG-IP 2000-series and 4000-series appliances was resolved.
ID 449989 Can now save UCS when using iControl REST.
ID 450031 Log messages are no longer generated when tm.rejectunmatched is set to false.
ID 450058 Added changes from the RHEL 6.4 kernel sources that avoid a possible lockup condition by yielding to other tasks waiting for swap I/O requests to complete.
ID 450091 The logging was modified to wait for the TMM to be fully operational.
ID 450202 Fix MSS calculation when using fastl4.
ID 450377 With this fix the error processing behaves as before, but the error generating message is flushed from the queue. Further PPTP messages on this control channel are processed normally.
ID 450584 SafeNet HA is now supported.
ID 450652 BIG-IP 5250v, BIG-IP 7250v, BIG-IP 10250v are now listed in the mkdisk menu.
ID 450698 Use a consistent method for storing external datagroups in TMM.
ID 451041 The parsing of session tickets is now correct, and the expected TCL events are fired.
ID 451059 clientssl profile (SSL server) will now check and validate the CCS payload received from the SSL client. It will be ensured that the CCS payload is a single byte of value '1'.
ID 451319 Honor Content-Length header when server responds with 4xx response with body for CONNECT request.
ID 451479 Fixed the formatting used in rsync command
ID 451544 There are no unrequired OSPF link state update packet unicast retransmissions.
ID 451843 Bridge no longer fails on Standby Unit when using MAC masquerading feature.
ID 451917 Prevented leak in large traffic groups for secure mode for Common Criteria.
ID 451960 Monitors configured with FIPS keys now work and the pool status is marked correctly.
ID 452090 MCPD validation checks are added now to make sure that user will not be able to configure two identical traffic selectors [same src/dst addr, same src/dst netmask , same src/dst port and same IP protocol].
ID 452121 BIG-IP now supports multiple SafeNet network-HSMs configured in a HA group.
ID 452232 iRule no longer uses stale qname.
ID 452315 A connection rate limit configured on a virtual server with no default pool now works.
ID 452387 HTTP::header is_redirect now works correctly again.
ID 452454 Forward RST packet for IP forwarding Virtual with fastL4 profile with loose initialization configured and idle timeout less than server idle timeout.
ID 452487 The pool member count is now always calculated accurately, even across configuration synchronizations.
ID 452689 Other tunnel types over IPsec tunnel interface work.
ID 453200 Improve generation of MPTCP checksums.
ID 453328 Log processing now takes TMM issuing the log into account and processes correctly.
ID 453332 Fixed an issue with iControl REST calls timing out.
ID 453798 A performance regression in synchronizing dynamic routes to secondary blades of chassis has been found and fixed.
ID 454053 Improved security with Secure state-mirroring SSL profiles requiring peer cert.
ID 454562 Prevented memory leak in secure mode for Common Criteria and updated documentation for recommended system configuration.
ID 455138 No memory leak occurs even if the route for the remote endpoint of a tunnel is misconfigured.
ID 455267 When forwarding proxy requests to an IP address that results from a DNS resolution, the route-domain parameter is now used correctly and it now is possible to use the HTTP explicit proxy (or SWG) when the target of the connection is not in route-domain 0.
ID 455361 Fixed improper handling of ICMP (Internet Control Message Protocol) 'Fragmentation Required' messages from routers. Bug resulted in extremely inefficient behavior by BIG-IP TCP segmentation offload if path MTU (Maximum Transmission Unit) was smaller than what TCP endpoints negotiated.
ID 455553 Multiple retransmissions no longer occur.
ID 455980 This bug resolution fixes the above said problem.
ID 456753 Fixed the UNIC driver calculation of when to mark an incoming packet as LRO, taking an Ethernet VLAN header into consideration.
ID 456859 Interface to hardware compression has improved allocation strategy.
ID 457109 A range check has now been added to correctly classify and forward traffic in the case of incorrect rules in CPM policies.
ID 457130 Configuration loads correct virtual-address icmp-echo values
ID 457221 Now a "." is returned instead of an empty string, when using "DNS::question name" iRule to get the owner name of the question RR if the owner name is root.
ID 457293 When the origin CMP instance couldn't find the connection after its peer replied, re-send a REMOVE message to the peer to remove it.
ID 457300 Improved iControl REST resources to allow names containing spaces, to meet customer requirements.
ID 457330 When doing tcpdump from the WebUI, traffic can now be captured for VLANs with names having 16 or more characters.
ID 458563 We no longer log the transition from "forced down" to "down".
ID 458597 Now there is no memory leak when transfer a zone to zxfrd.
ID 458600 The conditions leading up to this innocuous error were mitigated.
ID 458676 Fixed a possible exposure of the internal rsync port.
ID 459001 PVA statistics for each flow are tracked in hardware and software. The software copy of the hardware flow statistics was not correctly reset when flows were evicted from the PVA hardware and then subsequently reloaded back into the hardware. This eventually resulted in a numeric underflow in the statistics counters that were then displayed with very large positive values.
ID 459052 The -f option now prepends specified file names with "var/tmp/" unless the file name already begins with "var/tmp/".
ID 459195 Before updating a cached expired browser-specific image, the cached generic image will be updated.
ID 459211 Specifying a data-group record string containing the hash ('#') character no longer results in a configuration load error.
ID 459723 CMI rsync daemon will always restart now when necessary.
ID 459929 Support large values for a policy rule ordinal.
ID 459973 You can now disable the Include Cluster option using the GUI.
ID 460178 oamd shutdown function has been updated and does not crash attempting double delete.
ID 460197 active_requests is updated when a flow using hw acceleration is reset.
ID 460390 Profile SMTP custom settings are now saved to the config and restored after a configuration load.
ID 460593 The user can create multiple VXLAN tunnels with same local endpoint address when flooding type is multipoint or none.
ID 461592 The device can process inbound VXLAN packets even if it is in a standby mode.
ID 462351 Stats for policies can now be reset from Statistics >> Module Statistics : Local Traffic >> Policies page without error message.
ID 462447 Do not use anything but the standard-balanced-fpga with vCMP on the B2250 in this release.
ID 463652 Consider a ClientSSL profile 'C', based on parent profile 'P', that defines its own certificate/key/chain entries, different from those of 'P'. Modifying other configuration settings of 'P' (for example, Ciphers) resulted in incorrect certificate/key/chain entries being shown for profile 'C' in the GUI. This GUI-only issue has been fixed so that the correct entries for 'C' are shown when 'P' is modified.
ID 464683 Upgrade from 11.2.1 to 11.5.0+ now works correctly.
ID 464691 The message has been improved. The user is directed to look at the installation log for details, and the installation log clearly states that the root filesystem is full.
ID 465799 OpenSSL has been upgraded to eliminate the man in the middle attack.
ID 465803 OpenSSL has been updated to fix CVE-2014-0221 and CVE-2014-0195.
ID 465804 OpenSSL has been updated to code that is not vulnerable to CVE-2014-0198 and CVE-2010-5298.
ID 465908 BIG-IP TLS virtual servers will now reject the connection when an early CCS message is received.
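The two ChangeCipherSpec checks in IDs 451059 and 465908 above, written out as a server-side record checker: the CCS payload must be exactly the single byte 0x01, and a CCS that arrives before the client key exchange is rejected rather than being allowed to trigger a premature key switch. This is an added example written for these notes, not BIG-IP's TLS code. The record builders, the three sample client-to-server flows and their handshake payloads are constructed dummies, and the checker keeps the post-CCS Finished message in the clear (a real implementation decrypts records after the CCS).

```python
import struct

# TLS record content types and handshake message types (RFC 5246 values)
CCS, HANDSHAKE, APPLICATION_DATA = 20, 22, 23
CLIENT_HELLO, CLIENT_KEY_EXCHANGE, FINISHED = 1, 16, 20


def record(content_type, body, version=(3, 3)):
    """Build one TLS record: type, version, 16-bit length, body."""
    return bytes([content_type, *version]) + struct.pack("!H", len(body)) + body


def handshake(msg_type, payload):
    """Build one handshake message: type, 24-bit length, payload."""
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload


def iter_records(data):
    """Split a byte string into (content_type, body) records, refusing truncation."""
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        content_type = data[off]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield content_type, body
        off += 5 + length


def iter_handshakes(body):
    """Split a handshake record body into (msg_type, payload) messages."""
    off = 0
    while off < len(body):
        msg_type = body[off]
        length = int.from_bytes(body[off + 1:off + 4], "big")
        yield msg_type, body[off + 4:off + 4 + length]
        off += 4 + length


class ServerSideCcsCheck:
    """Tracks the client-to-server half of a handshake and rejects CCS misuse."""

    def __init__(self):
        self.key_exchange_done = False
        self.ccs_seen = False

    def feed(self, content_type, body):
        """Return None if the record is acceptable, otherwise a rejection reason."""
        if content_type == HANDSHAKE:
            for msg_type, _ in iter_handshakes(body):
                if msg_type == CLIENT_KEY_EXCHANGE:
                    self.key_exchange_done = True
                elif msg_type == FINISHED and not self.ccs_seen:
                    return "Finished before ChangeCipherSpec"
            return None
        if content_type == CCS:
            if body != b"\x01":                 # ID 451059: exactly one byte, value 1
                return "malformed ChangeCipherSpec payload"
            if not self.key_exchange_done:      # ID 465908: CCS before key exchange
                return "early ChangeCipherSpec"
            if self.ccs_seen:
                return "duplicate ChangeCipherSpec"
            self.ccs_seen = True
            return None
        if content_type == APPLICATION_DATA and not self.ccs_seen:
            return "application data before ChangeCipherSpec"
        return None


def check_stream(data):
    """Run the checker over a byte string of records; None means accepted."""
    checker = ServerSideCcsCheck()
    for content_type, body in iter_records(data):
        reason = checker.feed(content_type, body)
        if reason is not None:
            return reason
    return None


# Constructed client-to-server flows; handshake payloads are dummies.
CLIENT_HELLO_RECORD = record(HANDSHAKE, handshake(CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32))
KEX_RECORD = record(HANDSHAKE, handshake(CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb"))
GOOD_FLOW = (CLIENT_HELLO_RECORD + KEX_RECORD + record(CCS, b"\x01")
             + record(HANDSHAKE, handshake(FINISHED, b"\x00" * 12)))
EARLY_CCS_FLOW = CLIENT_HELLO_RECORD + record(CCS, b"\x01") + KEX_RECORD
BAD_CCS_FLOW = CLIENT_HELLO_RECORD + KEX_RECORD + record(CCS, b"\x01\x01")

if __name__ == "__main__":
    for name, flow in (("good", GOOD_FLOW), ("early", EARLY_CCS_FLOW), ("bad", BAD_CCS_FLOW)):
        print(name, check_stream(flow) or "accepted")
```

The order of the checks matters: the payload check runs first so that a malformed CCS is rejected regardless of handshake state, and the early-CCS check is keyed on the client key exchange because that is the message after which a key switch is legitimate on this side of the connection.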
ID 466752 Monitor instance is now correctly enabled or disabled after an incremental sync.
ID 467066 Local-ip setting won't be lost after sync
ID 467706 Forward and reverse mapping are in agreement for p8dag platform.
ID 467931 A new command has been added to help diagnose the state of the SQL monitors:
/usr/share/monitors/DB_monitor cmd status [RD] [debug]
RD: optional, the route domain for the desired Java daemon (each route domain gets a separate daemon)
debug: optional, enable debug logging
Examples:
/usr/share/monitors/DB_monitor cmd status
/usr/share/monitors/DB_monitor cmd status 0
/usr/share/monitors/DB_monitor cmd status 17
/usr/share/monitors/DB_monitor cmd status 9 debug
ID 468300 HTTP now waits until all filters have seen a 101 Switching Protocols or CONNECT 200 Connected response before switching into pass-through mode.
ID 469139 Modify virtual stats detail page to display values for max PVA assist, Current PVA assist and total PVA assist from the virtual server stats table and the pva struct.
ID 469867 Removed support for advertising 1G half-duplex capability under auto-negotiation on management ports.
ID 470175 dnatutil can parse deterministic NAT state information from structured data rfc5424 log format.
ID 470402 Active FTP connections will be properly mirrored, and failover will work as expected.
ID 470994 tmm now correctly applies TSO processing to outbound packets, so tmm no longer segfaults.
ID 471070 Grant users with access to the clientssl profile access to the clientssl_certkeychain configuration items.
ID 471873 Validation is added to guard again this from happening.
ID 472157 Chrome will not abort when uploading large files.
ID 489113 PVA status and statistics are displayed correctly for VIPRION B2250 blades.

Behavior changes in 11.6.0

ID Number Description
ID 226043 A new db variable has been added for audit_forwarder: 'config.auditing.forward.multiple'. It has three options: 'broadcast', 'failover' and 'none'. The default is 'none'. When set to 'none', the behavior is the same as in previous releases. When 'config.auditing.forward.multiple' is set to 'broadcast' or 'failover', the db variable 'config.auditing.forward.destination' can be set to multiple IP addresses separated by commas ( , ), such as ',,'. This provides more than one destination IP address to the BIG-IP system audit_forwarder. A single IP address works as well. When 'config.auditing.forward.multiple' is set to 'broadcast', the audit message is sent to all destinations. When it is set to 'failover', the message is sent to the first destination; if that fails, the next destination is tried until one succeeds or all destinations have failed. Note that 'failover' mode is not supported for a RADIUS server, since RADIUS is UDP and there is no notion of failing to connect; for a RADIUS server, if 'config.auditing.forward.multiple' is set to 'failover', it is treated as 'none'. When an audit message cannot be sent, an error is now logged in '/var/log/ltm'.
ID 284330 Providing IP address information has changed on the following pages: -- System :: SNMP Access, -- LTM :: SNAT Address, -- LTM :: iRule DataGroup, -- LTM :: Virtual Server, and -- Network :: Traffic Selectors. Instead of separate input fields for specifying IP address and mask, a single field allows for specifying IP address and routing prefix. So, for an IPv4 address that you previously specified as IP address with a netmask of, you now specify as
ID 325239 The user "admin" can now be disabled. To do this, another user with role Administrator must be assigned as the primary admin. As with user "admin", the new primary admin is forced to use local authentication, regardless of the currently configured system authentication source.
Via CLI:
# tmsh create auth user <ALT_ADMIN> role admin prompt-for-password
# tmsh modify sys db systemauth.primaryadminuser value <ALT_ADMIN>
In the GUI:
* Go to System > Users.
* Create a user with role Administrator.
* Go to System > Platform, section Admin Account.
* Select the checkbox "Disable default admin, use alternate".
* A dropdown "User Name" appears, populated with eligible users. Select one.
* Enter a new password for the selected user.
* Click "Submit".
All GUI and TMSH sessions for "admin" are terminated automatically, and "admin" can no longer log in.
Additionally, login by user "root" can now be disabled from the GUI. Previously, this could only be done via the CLI:
# tmsh modify sys db systemauth.disablerootlogin value enable
The new setting is on System > Platform, section Root Account. A checkbox "disable login" has been added.
ID 343561 Set-Cookie2 now supersedes Set-Cookie when requesting a cookie by name.
ID 345389 The HTTP::cookie functions are now case-insensitive and sigil-insensitive when operating on attributes.
ID 395894 With RQ-LTM-1645, RFC 6265 cookies are supported and are the default cookie format.
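How the three cookie changes above (IDs 343561, 345389 and 395894) combine when a set of response headers is parsed: attribute lookups ignore both case and a leading '$' sigil, and a Set-Cookie2 entry for a cookie name takes precedence over a Set-Cookie entry for the same name regardless of header order. This is an added example, not BIG-IP's HTTP::cookie implementation; the header list is constructed and the parsing is the minimal RFC 6265-style name=value; attr=value split.

```python
def normalize_attr(name):
    """Attribute names compare case-insensitively and without a leading '$' sigil."""
    return name.strip().lstrip("$").lower()


def parse_set_cookie(header_value):
    """Split 'name=value; Attr=v; Flag' into (name, value, {attr: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flags such as HttpOnly and Secure carry no value; store them as True
        attrs[normalize_attr(key)] = val.strip().strip('"') if sep else True
    return name.strip(), value.strip().strip('"'), attrs


def collect_cookies(headers):
    """Build {cookie_name: {...}} from (header_name, header_value) pairs.

    A Set-Cookie2 entry supersedes Set-Cookie for the same cookie name, even if
    the Set-Cookie header comes later in the list.
    """
    cookies = {}
    for header_name, header_value in headers:
        kind = header_name.lower()
        if kind not in ("set-cookie", "set-cookie2"):
            continue
        name, value, attrs = parse_set_cookie(header_value)
        existing = cookies.get(name)
        if existing and existing["source"] == "set-cookie2" and kind == "set-cookie":
            continue
        cookies[name] = {"value": value, "attrs": attrs, "source": kind}
    return cookies


def cookie_attribute(cookies, name, attr):
    """Look up an attribute by cookie name; 'Path', 'PATH' and '$path' all match."""
    cookie = cookies.get(name)
    if cookie is None:
        return None
    return cookie["attrs"].get(normalize_attr(attr))


# Constructed response headers, not captured traffic.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session=abc; PATH=/app; HttpOnly; Secure"),
    ("Set-Cookie2", 'session="xyz"; $Path="/v2"; Version=1'),
    ("Set-Cookie", "session=late; Path=/late"),      # ignored: Set-Cookie2 already won
    ("Set-Cookie", "theme=dark; Max-Age=3600"),
    ("Content-Type", "text/html"),                     # not a cookie header
]
SAMPLE_COOKIES = collect_cookies(SAMPLE_HEADERS)

if __name__ == "__main__":
    for name, cookie in SAMPLE_COOKIES.items():
        print(name, cookie["value"], cookie["attrs"], "from", cookie["source"])
```

Note that the superseding Set-Cookie2 entry replaces the whole cookie, attributes included, so a flag such as HttpOnly that was only present on the Set-Cookie form is not carried over.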
ID 418340 Beginning in this release, the system performs a full MD5 ISO verification immediately before starting an installation operation. This full MD5 ISO verification process takes a platform-dependent amount of time (for example, approximately 15 seconds on the 3900 platform). The results of the full ISO verification are stored in memory for 24 hours, so the verification does not need to be repeated if the system uses the same ISO for another installation operation within the time period. While the full ISO verification is in process, the system posts the message 'testing archive: <iso_image_file_name>'as the installation status.
ID 421570 Changed how memory is reported in the dashboard, performance graphs, GUI, tmsh, and SNMP.
ID 422094 The ALG now has an option, enabled with a db variable, to log messages and media/data connections so that they can be traced to an LSN subscriber.
ID 427579 The HA-Group score no longer includes the active bonus in the data returned by the command 'tmsh show sys ha-group'. The active bonus is only relevant for the active device of a traffic group.
ID 431240 ALGs now have an option, enabled with a db variable, to log messages and media/data connections so that they can be traced to an LSN subscriber.
ID 431272 ALGs now have an option, enabled with a db variable, to log messages and media/data connections so that they can be traced to an LSN subscriber.
ID 436518 The new behavior for route domains:
(1) If only the destination route domain (RD) changes, the system automatically changes the RD on the source address.
(2) The system never automatically changes the destination RD (even if only the source RD changed).
(3) If both source and destination RD are different, this is an error.
(4) On a create, if the source address is not specified, it defaults to and inherits the RD from the destination.
(5) On a create, if both source and destination are specified, then both must explicitly specify the same RD, except when using the default route domain (DRD).
(6) When the RD is omitted, the system uses the DRD. Therefore, if an RD is explicitly specified on either the source or the destination and omitted on the other, the specified RD must match the DRD.
ID 437398 When datagram-load-balance mode is enabled on the UDP profile, the client's maximum UDP payload size is "remembered" for the responses. If the BIG-IP system alters the response (for example, by DNSSEC signing) so that its size exceeds that maximum, the response is truncated as the RFC requires before it is sent to the client.
ID 437931 Previously, the persistence cookie was inserted only on the first request unless the always_send option was set. Now, the persistence cookie is always inserted when an expiry is set.
ID 439013 It is no longer possible to use %vlan notation with a non-link-local IPv6 address as an object name.
ID 440095 The following settings have been moved in ltm-profile-http: 'max-header-count', 'max-header-size', and 'max-requests', were all moved to the enforcement section. 'pipelining' was changed from a boolean into a tri-state, and moved to 'pipeline' in the enforcement section. In addition, the following db variables are deprecated: Tmm.HTTP.passthru.truncated_redirect, Tmm.HTTP.passthru.invalid_header, Tmm.HTTP.passthru.unknown_method, and Tmm.HTTP.passthru.pipeline.
ID 446402 Deterministic NAT configuration state information is now logged once per configuration change.
ID 451258 Formerly, the default cipher list for both client and server SSL began with RSA, followed by ECDHE, then DHE. After this change, the default cipher list is ordered DHE, RSA, then ECDHE. ECDHE is last because of hardware performance.
ID 458322 The way HTTP/0.9 response code statistics are counted has changed for HTTP-type profiles. In previous versions, BIG-IP incremented the "profile_http_stat.http_status_other_count" counter for all HTTP/0.9 response codes. Going forward, the proper response code counter is incremented; for example, an HTTP/0.9 200 response increments "profile_http_stat.http_status_2XX_count".
ID 461851 With the new sweeper, two changes make activation of the default aggressive sweeper capable of evicting far more flows than before. Previously, when the aggressive sweeper was first activated (at the low-water mark), the time taken to examine the entire flow table ranged from 6.4 to 25.6 seconds; now the entire table is always examined in 6.4 seconds. In addition, the new eviction strategies can choose flows to remove that would previously have remained. The prior high-water and low-water marks are preserved in the default policy, but the effect is a higher kill rate once the aggressive sweeper is activated.
ID 466233 The following ciphers have been added to the DEFAULT cipher list. Columns: index, cipher suite ID (decimal), name, key bits, protocol, SSL stack, cipher, MAC, key exchange.
     0:  49200  ECDHE-RSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     1:  49196  ECDHE-ECDSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
     2:    163  DHE-DSS-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  DHE/DSS
     3:    159  DHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
     5:  49202  ECDH-RSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  ECDH_RSA
     6:  49198  ECDH-ECDSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM  SHA384  ECDH_ECDSA
     7:    157  AES256-GCM-SHA384              256  TLS1.2  Native  AES-GCM  SHA384  RSA
     8:  49199  ECDHE-RSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
     9:  49195  ECDHE-ECDSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
    10:    162  DHE-DSS-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  DHE/DSS
    11:    158  DHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
    13:  49201  ECDH-RSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM  SHA256  ECDH_RSA
    14:  49197  ECDH-ECDSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM  SHA256  ECDH_ECDSA
    15:    156  AES128-GCM-SHA256              128  TLS1.2  Native  AES-GCM  SHA256  RSA
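As an added illustration (not F5 code), the following Python parses listing lines in the nine-column format above, constructed here from the fourteen entries just listed, converts the decimal suite ID to the hex form used by the IANA TLS registry, and separates the entries whose key exchange is ephemeral (ECDHE, DHE/EDH, and therefore forward secret) from those using static ECDH or RSA key transport, which are not. The column interpretation and the classification are this example's own reading of the listing, not statements from the release note.

```python
"""Parse and audit a BIG-IP cipher list in the format shown above.

Added example, not F5 code. The sample text is constructed from the fourteen
entries listed in the release note; the column meaning (index, suite ID in
decimal, name, key bits, protocol, SSL stack, cipher, MAC, key exchange) and
the forward-secrecy classification are this example's own reading of it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

CIPHER_LIST = """\
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
2: 163 DHE-DSS-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 DHE/DSS
3: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
5: 49202 ECDH-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_RSA
6: 49198 ECDH-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_ECDSA
7: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
9: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
10: 162 DHE-DSS-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 DHE/DSS
11: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
13: 49201 ECDH-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_RSA
14: 49197 ECDH-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_ECDSA
15: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
"""

LINE_RE = re.compile(
    r"^\s*(?P<index>\d+):\s+(?P<suite_id>\d+)\s+(?P<name>\S+)\s+(?P<bits>\d+)"
    r"\s+(?P<version>\S+)\s+(?P<stack>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)"
    r"\s+(?P<kx>\S+)\s*$")

# Key-exchange labels that perform an ephemeral (EC)DH exchange. Static ECDH
# (ECDH_RSA, ECDH_ECDSA) and plain RSA key transport are not forward secret.
EPHEMERAL_KX = ("ECDHE", "DHE", "EDH")


@dataclass(frozen=True)
class Suite:
    index: int
    suite_id: int      # decimal, as printed in the listing
    name: str
    bits: int
    version: str
    stack: str
    cipher: str
    mac: str
    kx: str

    @property
    def iana_id(self) -> str:
        """The same suite ID in the hex form used by the IANA registry."""
        return "0x{:04X}".format(self.suite_id)

    @property
    def forward_secret(self) -> bool:
        return self.kx.startswith(EPHEMERAL_KX)

    @property
    def aead(self) -> bool:
        return "GCM" in self.cipher


def parse_cipher_list(text: str) -> List[Suite]:
    """Parse listing lines; lines that do not match the format are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        suites.append(Suite(int(g["index"]), int(g["suite_id"]), g["name"],
                            int(g["bits"]), g["version"], g["stack"],
                            g["cipher"], g["mac"], g["kx"]))
    return suites


def audit(suites: List[Suite]) -> Dict[str, List[str]]:
    """Group suite names by the properties a reviewer of a cipher list checks."""
    return {
        "forward_secret": [s.name for s in suites if s.forward_secret],
        "non_forward_secret": [s.name for s in suites if not s.forward_secret],
        "non_aead": [s.name for s in suites if not s.aead],
        "non_native": [s.name for s in suites if s.stack != "Native"],
    }


if __name__ == "__main__":
    for s in parse_cipher_list(CIPHER_LIST):
        tag = "PFS" if s.forward_secret else "no-PFS"
        print(f"{s.iana_id} {s.name:32} {tag}")
```

Run against any listing in this nine-column format; on the constructed sample, six of the fourteen added suites (the ECDH_RSA, ECDH_ECDSA and RSA entries) are AEAD but not forward secret, which is the first thing to look for when deciding whether a cipher string needs tightening.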

Known issues

ID Number Description
ID 221946 The error 01070950:3: Cluster Member IP address is not on the same network as the Cluster occurs when you specify the cluster management IP address without a netmask. The configured network topology must have enough addresses for the cluster management and member addresses to be configured within the same subnet. Workaround: always specify the netmask with the cluster management IP address if you ever plan to use cluster member addresses. That way, the address is always set correctly, and you can configure the cluster member addresses on the same network.
ID 221956 Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, use standard Linux commands such as ps and top.
ID 221963 When you are logged on to a cluster management address and you or another user promotes one of the secondary blades to primary, you and the other users might need to log on again. There is no workaround.
ID 222005 On boot, the following message might be seen: err ti_usb_3410_5052.c: ti_interrupt_callback - DATA ERROR, port 0, data 0x6C. The message is innocuous and can be ignored.
ID 222034 If HTTP::respond is called in the LB_FAILED event with large headers and/or a large body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated. This issue occurs when all of the following conditions are met: TCP Slow Start is enabled in the TCP profile; HTTP::respond is used in the LB_FAILED event to return a large response; and no other TCP data has yet been sent to the client. For example, with slow start enabled and no data sent to the client yet, the response is truncated after two packets. To work around this issue, disable TCP Slow Start in the TCP profile, or modify the iRule: instead of calling HTTP::respond directly in LB_FAILED, send a 302 redirect to another URI, which can then be handled by an unaffected event. For more information, see SOL9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses.
ID 222184 When the license expires while you are on the License Summary page in a partition other than Common, the system automatically returns you to the Common partition but does not activate the Reactivate button. To work around this, select a different partition and then reselect the Common partition; this resets the Reactivate button to an active state.
ID 222221 The BIG-IP system may fail to complete an SSL handshake. This issue occurs when the affected virtual server processes the client SSL connection with an iRule that uses the TCP::close command in the CLIENTSSL_HANDSHAKE event, for example to close the client connection when the hostname requested by the client does not match the common name in the SSL certificate. Symptoms: the client SSL connection stalls until the BIG-IP system times out the TCP connection, or the client SSL connection fails at the Change Cipher Spec protocol during the handshake. To work around this issue, delay the TCP::close command with the after command. Depending on the type and volume of connections, the after command may introduce noticeable latency; F5 recommends testing any such change in an appropriate environment. For more information, see SOL14037: The BIG-IP system may fail to complete an SSL handshake.
ID 222287 On multi-core platforms running in CMP mode, rates configured in a rate class are divided internally between the active TMM instances. As a result, each flow is restricted to bandwidth equal to the configured rate divided by the number of active TMM instances, and the system reaches the configured rate only when it is processing at least one flow on every active TMM instance. For more information, see SOL10858: Rate classes on CMP systems are divided among active TMM instances.
ID 222344 If a route learned via any dynamic routing protocol exactly matches a management static route, traffic from the Linux host will follow the dynamic route. NOTE: Regarding affected modules, the problem affects any module provisioned in TMOS as the root cause is in the core functionality shared by all modules. Dynamic routes might override static management routes. There is no workaround.
ID 223031 If you run the tcpdump utility from a B4100 blade on a VIPRION chassis containing a mix of B4100 and B4200 blades, the process does not show packets from the B4200 blades. This happens on a VIPRION chassis with a mix of B4100 and B4200 blades. tcpdump does not report packets from the B4200 blades. To work around this issue, run the tcpdump operation from the B4200 blade.
ID 223412 When configuring a ConfigSync peer IP address, the IP address must reside in the default route domain, which has an implicit ID of zero (0). ConfigSync operations fail if you configure a peer address that contains an explicit route domain ID. For example, the system might return an error similar to: Checking configuration on local system and peer system... Peer's IP address: Caught SOAP exception: Error calling getaddrinfo for (Temporary failure in name resolution) Error: There is a problem accessing the peer system. BIGpipe parsing error: 01110034:3: The configuration for running config-sync is incorrect. On BIG-IP 11.x, the error appears similar to: err mcpd[5766]: 01071430:3: Cannot create CMI listener socket on address, port 6699, Cannot assign requested address. The workaround is to not use route domains for ConfigSync addresses. For more information, see SOL12089: ConfigSync operations fail when you configure a ConfigSync peer address with an explicit route domain ID.
ID 223421 On multi-disk systems, if a disk is removed from an array, the serial number of the disk persists in the system until the drive is manually removed. There is no workaround for this issue.
ID 223426 If you apply to a virtual server a TCP profile with the MD5 signature setting enabled, the virtual server incorrectly accepts connections regardless of whether the peer presents the MD5 option. This affects both client-side and server-side connections, but not TCP connections established from the BIG-IP host itself (for example, BGP connections). In other words, enabling the TCP MD5 signature option validates a signature when one is present, but does not cause connections without MD5 signatures to be rejected or ignored, so the setting authenticates signed segments without requiring them. There is no workaround. For more information, see SOL12241: A virtual server with the MD5 signature setting enabled in its TCP profile does not reject or ignore non-MD5 optioned connections.
ID 223542 You cannot simply change the speed of an existing interface in a trunk. You must either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it.
ID 223634 The Traffic Management Shell (tmsh) may not display dynamic Address Resolution Protocol (ARP) entries as expected. In BIG-IP 11.x, the tmsh command show net arp displays dynamic ARP entries for all route domains, and show arp any %<route domain id> displays the entries for a specific route domain; however, you cannot specify the default route domain 0. In BIG-IP 10.x, show net arp displays ARP entries for only the default route domain. This issue occurs when more than one route domain is configured and you view dynamic ARP entries using tmsh. In 10.x, ARP entries appear to be missing for route domains other than the default; in 11.x, the system cannot display only the dynamic ARP entries of the default route domain 0. In either version you can run the bigpipe utility from within tmsh to view dynamic ARP entries for a different route domain: run util bigpipe arp <args...>. For more information, see SOL12623: The Traffic Management Shell may not display dynamic ARP entries as expected.
ID 223651 An SSH File Transfer Protocol (SFTP) client might emit an error message containing 'Received message too long' when the user is unprivileged and may not use SFTP. This is a known SSH behavior; see the OpenSSH FAQ entry 2.9, sftp/scp fails at connection, but ssh is OK. The user must be authorized to use SFTP/SCP.
ID 223796 When no SFP is inserted in a VIPRION interface socket, the interface status should show 'MS' (missing); instead, it might show 'DN' (down). There is no workaround.
ID 223830 With increased throughput, SNMP statistics might report lower TMM CPU usage values than top. Overall host CPU usage is always reported correctly; this is a cosmetic issue only. There is no workaround.
ID 223885 If you apply a hash persistence profile to a FastL4 virtual server, the virtual server stops processing traffic. The hash persistence profile was extended in 10.0.0 with new options but is no longer supported in combination with FastL4 virtual servers. When the profile is applied, and on each subsequent configuration load, the BIG-IP system logs messages to /var/log/tmm such as: notice hudfilter_init: 'HASH' is not a bottom-level filter. ... mcp error: 1031000 in mcpmsg_to_database. To work around this, use universal persistence instead, or use a TCP or UDP profile instead of FastL4. If a hash persistence profile has already been applied to a FastL4 virtual server, restore traffic by deleting and recreating the virtual server. For more information, see SOL12078: FastL4 virtual servers stop processing traffic after a hash persistence profile is applied.
ID 223954 The system does not include the .tmshrc file in a ConfigSync operation. This occurs in config sync operations. That means that each unit in a high availability configuration might have a different set of remote users. To work around this, you can manually sync the files by using a utility to copy the file from one system to the others.
ID 224073 Pinging a floating self IP address from the command line of the same BIG-IP system yields no response. This does not indicate that the floating self IP is not working; it responds to normal ping operations from other hosts. To test it, issue the ping from another host on the network.
ID 224142 A trunk containing a mix of fiber and copper interfaces experiences a pause negotiation mismatch. To work around this issue, do not mix fiber and copper in the same trunk.
ID 224195 The system does not prevent you from deleting a self IP address that an EtherIP tunnel uses, or from creating an EtherIP tunnel using nonexistent IP addresses, but the resulting tunnel is inoperable. To ensure that an EtherIP tunnel operates as expected, do not delete any of the self IP addresses that are associated with VLAN "wan" and specified in the EtherIP tunnel object.
ID 224294 The SASP monitor validates the timeout and interval settings although the monitor does not use them, which causes certain SASP monitor configurations not to load. There is no workaround.
ID 224372 When you are connected via the serial console to a multi-drive platform, you might see messages similar to the following while a drive is rebuilding: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged to /var/log/kern.log. They appear only when you are directly connected by serial console, not when you are logged in using SSH. These messages are benign, and you can safely ignore them.
ID 224402 When you specify a custom ConfigSync user (an account other than admin) and a maximum number of password failures is configured, the ConfigSync account is subject to password lockout after that number of failures. To work around this issue, use the admin account as the ConfigSync user, or reset the non-standard account that is locked out.
ID 224406 The dashboard cannot handle numbers that exceed 32 bits. If a statistic grows beyond that range, the dashboard values are incorrect. There is no workaround.
ID 224520 The bcm56xxd service's small form-factor pluggable (SFP) plug_check mechanism (for example, bs_i2c_sfp_plug_check()) looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) because the check does not look at pluggable media type changes. This occurs when changing pluggable media. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module. None.
ID 224665 The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions, so you can create a VLAN group in a partition and give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should apply; however, the system does not prevent you from adding a proxy exclusion for a VLAN group in another partition, which may cause issues for that VLAN group. There is no workaround. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions.
ID 224680 When you use Wireshark to view a packet from an EtherIP tunnel, Wireshark displays the EtherIP version as 0 rather than 3. This occurs because Wireshark evaluates the version from the bottom four bits rather than the top four. The Linux EtherIP implementation follows the format used by developer David Kushi, which is correct according to RFC 3378, EtherIP: Tunneling Ethernet Frames in IP Datagrams. There is no workaround; this is believed to be a Wireshark issue.
ID 224881 On AOM-equipped platforms, changing the management IP address via the front-panel LCD multiple times might result in fields on the LCD being displayed with incorrect values. The correct values are displayed after a system restart.
ID 225358 In redundant (HA) configurations, both units probe both gateway fail-safe pools regardless of their unit IDs. There is no workaround.
ID 225431 Disabling the LCD System Menu does not persist across restarts. The LCD System Menu is provided for diagnostic purposes; if you disable it and restart the system, the setting is not saved. To prevent access or configuration changes from the LCD System Menu, re-enable and then disable it after each system restart. For more information, see SOL11363: Disabling the LCD System Menu does not persist across restarts.
ID 225588 Error conditions such as unreachable IP addresses, and unavailable TACACS+/RADIUS services, are not logged to /var/log/ltm for the TACACS+ RADIUS audit forwarding accounting feature. This occurs when you configure the feature using a non-existent IP or a good IP that is not running TACACS+ or RADIUS, and run some tmsh commands. Entries are logged in /var/log/audit, and no error messages are logged in /var/log/ltm. None.
ID 225851 tmsh cannot remove missing array members. When an array member is physically removed from a system, its serial number remains, listed as a 'missing' disk. To remove the serial number, run the array command: array --erase <serial number>. You can also remove it in the GUI under System :: Disk Management, where the missing array member is shown with only its serial number listed; remove it from the array just as you would an installed disk, and the system removes the serial number.
ID 226113 The messages ACPI: Unable to locate RSDP and ACPI Error: A valid RSDP was not found (20090903/tbxfroot-219) may appear on the 6900, 8900, 8950, 11050, and PB200 platforms. They are benign and indicate that an ACPI-capable kernel has booted on a system without ACPI support.
ID 226892 After configuring packet filters with a default action of discard or reject, you may notice that the BIG-IP system incorrectly drops the return packets of certain connections. Symptoms: packet captures show the BIG-IP system receiving return traffic for one or more connections but failing to forward those packets; some connections fail, with DNS traffic and traffic containing IP fragments more likely to fail because of how TMM handles connections; and, if logging is enabled for the affected packet filter rule, many entries similar to the following are logged to /var/log/pktfilter: local/tmm notice tmm[4835]: 01250004:5: test_pf_rule (56687): reject on external, len: 98 [IPv4 84 -- ICMP 0:0]. This issue occurs when all of the following conditions are met: the BIG-IP platform and software version support Clustered Multiprocessing (CMP); CMP is enabled globally; CMP is enabled for the specific traffic-handling object; and packet filtering is enabled with the Filter established connections option disabled (the default). The incorrectly dropped return packets may cause your applications to fail or work intermittently. To work around this issue, either define additional packet filter rules that explicitly allow return traffic, or disable CMP for the affected traffic-handling object. If the object does not allow CMP to be disabled (for example, a SNAT), first replace it with a virtual server. For more information, see SOL12831: Using packet filters in conjunction with CMP may cause intermittent drops on return traffic.
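When triaging this issue, the useful first step is to see which rules and VLANs are producing the rejects in /var/log/pktfilter and whether the dropped packets look like replies rather than new flows. The following Python is an added helper written for this note, not F5 code. Its sample lines are constructed in the shape of the single entry quoted above (only the rule names, VLANs and ICMP values vary); reading the bracketed field as "[<l3> <l3-length> -- <proto> <type>:<code>]", and treating ICMP types 0, 3 and 11 as replies, are assumptions made for this example.

```python
"""Triage helper for BIG-IP packet-filter log entries of the kind quoted above.

Added example, not F5 code. SAMPLE_LOG is constructed in the shape of the
single entry the note quotes. Reading the bracketed field as
"[<l3> <l3-length> -- <proto> <type>:<code>]", and treating ICMP types 0
(echo reply), 3 (destination unreachable) and 11 (time exceeded) as replies
to traffic that left through the BIG-IP, are assumptions of this example.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
local/tmm notice tmm[4835]: 01250004:5: test_pf_rule (56687): reject on external, len: 98 [IPv4 84 -- ICMP 0:0]
local/tmm notice tmm[4835]: 01250004:5: test_pf_rule (56688): reject on external, len: 98 [IPv4 84 -- ICMP 0:0]
local/tmm notice tmm[4836]: 01250004:5: allow_icmp (56689): accept on internal, len: 98 [IPv4 84 -- ICMP 8:0]
local/tmm notice tmm[4835]: 01250004:5: default_deny (56690): reject on external, len: 70 [IPv4 56 -- ICMP 3:1]
local/tmm notice tmm[4835]: 01250004:5: test_pf_rule (56691): reject on external, len: 98 [IPv4 84 -- ICMP 8:0]
"""

ENTRY_RE = re.compile(
    r"tmm\[(?P<tmm>\d+)\]: \d{8}:\d+: (?P<rule>\S+) \((?P<seq>\d+)\): "
    r"(?P<action>accept|discard|reject) on (?P<vlan>\S+), len: (?P<len>\d+) "
    r"\[(?P<l3>\S+) (?P<l3len>\d+) -- (?P<proto>\S+) (?P<type>\d+):(?P<code>\d+)\]")

# Assumption for this example: ICMP types that arrive as answers, not new flows.
REPLY_ICMP_TYPES = {0, 3, 11}


def parse_entries(text: str) -> List[Dict[str, object]]:
    """Parse log lines; lines that do not match the expected shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("tmm", "seq", "len", "l3len", "type", "code"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def blocked_by_rule_and_vlan(entries: List[Dict[str, object]]) -> Counter:
    """Count dropped packets (discard or reject) per (rule, VLAN)."""
    return Counter((e["rule"], e["vlan"]) for e in entries
                   if e["action"] != "accept")


def suspected_return_traffic(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Dropped ICMP packets whose type marks them as replies: the symptom the
    note describes when CMP splits a flow across TMM instances."""
    return [e for e in entries
            if e["action"] != "accept" and e["proto"] == "ICMP"
            and e["type"] in REPLY_ICMP_TYPES]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for (rule, vlan), n in blocked_by_rule_and_vlan(parsed).most_common():
        print(f"{n:4d} dropped by {rule} on {vlan}")
    for e in suspected_return_traffic(parsed):
        print(f"seq {e['seq']}: {e['rule']} dropped ICMP type {e['type']} (looks like a reply)")
```

A rule that appears repeatedly in the second list while only dropping reply-type packets is the candidate for an explicit return-traffic allow rule, or for disabling CMP on the traffic-handling object it protects, as the note suggests.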
ID 226964 After a health monitor configured for manual resume has marked a node down, the Configuration utility incorrectly reports the node as Enabled instead of Forced Offline. This affects nodes only, not pools or pool members; the node remains disabled, but the GUI reports Enabled. To work around this issue, click the Enabled (All traffic allowed) option and click Update. For more information, see SOL11828: After a health monitor configured for manual resume has marked a node as down, the Configuration utility incorrectly reports that the node is still enabled.
ID 227272 If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, the link does not come up, and you may have to reinsert the fiber SFP a second time before it accurately reports link status. You might see the messages 'Failed to recover link status' and 'temporarily removed from linkscan.' To work around this, remove and reseat the fiber SFP module.
ID 227281 When a full-proxy HTTP virtual with ramcache, fallback, and deferred accept configured executes reject command in CLIENT_ACCEPTED event, TMM restarts. This occurs when the virtual server is configured with all of the following elements: - HTTP profile configured with Cache Setting and a fallback host. - iRule that uses the CLIENT_ACCEPTED iRule event, along with a reject statement. - The TCP profile Deferred Accept setting is enabled. If a virtual server that is configured with the previous settings receives a connection that triggers the reject iRule statement, the TMM process may restart and temporarily fail to process traffic. To work around this, remove the fallback host statement in the HTTP profile that is used by the virtual server.
ID 227319 Ramcache configurations that approach the limit of total memory allowed for use by ramcache might cause caching to be disabled for one or more virtual servers. The Cache Setting feature (referred to as RAM Cache in BIG-IP versions prior to 11.0.0) does not take the Clustered Multiprocessing (CMP) feature into account when calculating memory consumption. When the Cache Setting feature is configured for a virtual server on a CMP-enabled platform, the amount of memory allocated for the Cache Setting feature in the HTTP profile is provisioned for each instance of the Traffic Management Microkernel (TMM). There is no workaround for this issue.
ID 227362 When you use a Fast L4 profile with PVA Acceleration active, the system cannot perform the Mimic function for IP ToS to Client or IP ToS to Server. Set PVA Acceleration to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server.
ID 227369 Generating a SIGINT or SIGQUIT on the serial console while the password prompt is displayed causes all services to halt and restart; SIGQUIT may additionally cause chmand to get caught in a loop of failed restarts that requires a host reboot. SIGINT is generated by Ctrl-C; SIGQUIT by Ctrl-4, Ctrl-\, or (in some cases) SysReq. There is no workaround, but the problem no longer occurs after the first successful login from the console.
ID 246726 A virtual address is the IP address with which you associate one or more virtual servers; a virtual server is represented by an IP address and a service. When a virtual address is disabled in LTM, TMM continues to process traffic for the virtual servers on that address. For example, if several virtual servers share one IP address and differ only in service, that shared IP address is the virtual address, and disabling it does not stop the BIG-IP system from processing traffic for those virtual servers. To stop the traffic, disable the virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address.
ID 246825 You might encounter unexpected behavior when you click Clear Statistics (on the Module Statistics screens) or Clear Performance Data (on Performance statistics screens) in any view. This occurs on statistics screens and detail views where there is a Clear button. The operation clears data for all historical statistics, not just the data for the specific view you have open. None.
ID 246871 If you refresh the browser after reactivating a license on the license summary general properties screen, the system prompts you to log on again. There is no workaround.
ID 246962 The system counts route domain health check traffic as part of the IPv6 traffic statistics totals. If your configuration has a monitor on a pool in a route domain, you will see an increase in IPv6 traffic; if you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). There is no workaround.
ID 246983 A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. This might occur in some Internet Explorer or Firefox browsers after changing a password. Although the user can manipulate the controls, and select different settings, the system does not accept the change. None, however this is a browser issue. Internet Explorer and Firefox might allow user to see contents of change-select controls after the form has been submitted. The controls are disabled, even though it might appear that they are functional.
ID 247012 If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server. This occurs when using non-CA-signed certificates on SIP or HTTPS monitors that communicate with servers that require CA-signed certificates. Authentication fails. Use CA-signed certificates.
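As an added check for the ID 247012 case (example code, not part of the F5 release notes), the following script builds a throwaway root / intermediate / leaf chain with openssl and emulates the server's verification: the monitor's certificate alone does not verify against the root when it was issued by an intermediate, the same certificate verifies once the intermediate is supplied (which a monitor cannot do), and a leaf issued directly by the root verifies on its own. All CA names and file names are made up for the demo; it assumes openssl and mktemp are available.

```shell
#!/bin/sh
# Added example for ID 247012 (not from the release notes): show why a monitor
# certificate issued by an intermediate CA fails when the monitor presents
# only its own certificate. All names below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions that mark a certificate as a CA; used for the root and intermediate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"

# make_csr NAME SUBJECT_CN: generate a fresh RSA key and a CSR for it.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Root CA (self-signed): the only certificate the server is assumed to trust.
make_csr root "Demo Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA, signed by the root.
make_csr inter "Demo Intermediate CA"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -days 2 -out "$WORK/inter.pem" 2>/dev/null

# Monitor client certificate issued by the intermediate (the problem case).
make_csr monitor "bigip-monitor"
openssl x509 -req -in "$WORK/monitor.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 2 -out "$WORK/monitor.pem" 2>/dev/null

# Monitor client certificate issued directly by the root (the workaround).
make_csr direct "bigip-monitor-direct"
openssl x509 -req -in "$WORK/direct.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -out "$WORK/direct.pem" 2>/dev/null

# server_accepts LEAF ROOT [EXTRA]: emulate the server's check. ROOT is its
# trust anchor; EXTRA is any additional certificate the client sent along.
# Returns 0 if a path from LEAF to ROOT can be built, non-zero otherwise.
server_accepts() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# The monitor sends only its own certificate: no path to the trusted root.
if server_accepts "$WORK/monitor.pem" "$WORK/root.pem"; then
  echo "unexpected: intermediate-issued leaf verified on its own"
else
  echo "intermediate-issued leaf alone: verification fails"
fi

# The same leaf verifies as soon as the intermediate is available.
if server_accepts "$WORK/monitor.pem" "$WORK/root.pem" "$WORK/inter.pem"; then
  echo "intermediate-issued leaf + intermediate: verification succeeds"
fi

# A leaf signed directly by the trusted CA needs nothing else.
if server_accepts "$WORK/direct.pem" "$WORK/root.pem"; then
  echo "root-issued leaf alone: verification succeeds"
fi
```

On a real deployment, the same `openssl verify -CAfile <server's trust anchor> <monitor cert>` run without `-untrusted` tells you whether the monitor's certificate will pass before you assign it to the monitor.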
ID 247094 If state mirroring is enabled and you upgrade one unit of a redundant system, the system logs messages such as the following until all units are running the same software version: tmm tmm[1917]: 01340001:3: HA Connection with peer established. Workaround: None. All units in a redundant system must run the same software version.
ID 247099 After an import default operation, the prompt indicates a reboot, but the operation reboots only the secondary blades, not the primary blade. This is intentional. Workaround: To activate the imported configuration, reboot the primary blade.
ID 247122 When a session timeout occurs, the system grays out the screen behind the timeout alert box. You can still use the browser scroll bars to view the grayed-out screen, but none of its options are active.
ID 247135 Linux represents long VLAN names using the first 13 characters with ~1 appended. If you use the Linux ifconfig command to display a VLAN whose name is longer than 9 characters, the output truncates the name to 8 or 9 characters. Workaround: Use the ip addr show command, which identifies the VLAN interface by its IP address.
ID 247200 If you change the role of a user who is currently logged on to the browser-based Configuration utility, the system logs off that user. When that user logs back on, the system writes error messages such as 'Error while reading message at' to the catalina.out file. Workaround: None; these messages are benign and you can safely ignore them.
ID 247216 On the Performance statistics screen, the help frame crops the right edge of some formula definitions, and there is no horizontal scroll bar. Workaround: Click the Launch button to view the full text.
ID 247241 Occasionally, creating an installation repository on a USB thumb drive from the BIG-IP system fails while copying the repository files to the drive. (The failure can also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following to /var/log/ltm: Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms) Workaround: Create the installation repository on the USB thumb drive from a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is in production, because the failure can affect live traffic.
ID 247300 Do not use the SSL::respond command in a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher; doing so results in a handshake failure. Workaround: None.
ID 247310 In extremely rare cases, if the high-availability mirroring connection fails and recovers between persistence entry checks, a new persistence record and an expired record with the same key can each send their messages to the standby. For example, if a record arrives that would have matched an old one on the active system, the old record's expiration message can arrive after the new record's update message; when the key matching the old record expires, the standby system incorrectly deletes the new record. Workaround: None, but the issue is very rare.
ID 247709 When you change the idle timeout in System :: Preferences, the system must restart the httpd process. The restart produces error messages similar to the following: err httpd[6246]: [error] [client] Invalid method in request OPTIONS * HTTP/1.0 err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket) warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!? warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq/mcpq" started (pid 6377) err httpd[6379]: [error] [client] Invalid method in request OPTIONS * HTTP/1.0 warning httpd[3064]: [warn] long lost child came home! (pid 6239) These messages result from the process restart, and you can safely ignore them.
ID 247727 If you create or edit a profile using the all-properties option of the tmsh utility, all properties become custom; that is, the profile no longer inherits settings from its parent, and it can behave unexpectedly unless you remove some options. Workaround: Use the tmsh create and modify commands without all-properties, which preserves the profile's property inheritance.
ID 247894 The iRule substr command cannot use a string containing a number as its terminating string, because the command converts that string to an integer and incorrectly uses it as a substring length. Workaround: None.
ID 248489 If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail, and remote users and administrators cannot log on to the system. Workaround: Log on to the system as the root user or as the local admin user.
ID 248678 In previous releases, bridge_in_standby was enabled by default for VLAN groups. This caused problems for many customer deployments (presumably bridging loops).
ID 248932 During a system reboot, the BIG-IP system may report error messages to the console similar to the following: INIT: Sending processes the KILL signal ... sshd(pam_audit)[4559]: user=root(root) tty=/dev/pts/1 host= attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) tty=/dev/pts/1 host= attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". ... Restarting system. LinuxBIOS-2.0.0.OBJ-0215-03 REV. A build 897 OBJ-0215-03 REV. starting... These messages occur when the system stops syslog-ng before all logged-on users have logged off: by the time the ssh sessions are stopped, the PAM module can no longer write the audit record to a system log file, so it appears on the console instead. You can safely ignore the sshd(pam_audit) messages. After the system comes back up, use the boot marker in the audit files to confirm that the remaining users were logged out, since the logout records for those sessions are not in the log file.
ID 249083 An address wildcard virtual server must be deleted and recreated when you change it from IPv6 to IPv4; without the intervening deletion, neither IPv6 nor IPv4 traffic matches the virtual server. Changing from IPv4 to IPv6 works as expected (formerly CR 98831). Workaround: To change from IPv6 to IPv4, delete the address wildcard virtual server and recreate it.
ID 284910 The BIG-IP system may continue to generate server-side TCP connections to pool members after the associated virtual server is deleted. To improve connection speeds for Performance HTTP virtual servers, the BIG-IP system primes connections to the pool members: when a client connects to the virtual server and an idle server-side flow to a pool member exists, the system marks that connection as non-idle and sends the client request over it. This issue occurs when all of the following conditions are met: -- The configuration contains a Performance HTTP virtual server that references the base FastHTTP profile. -- The Performance HTTP virtual server processes at least one connection before being deleted. -- The Performance HTTP virtual server configuration is removed. As a result, you may see the following symptoms: -- Packet traces show the BIG-IP system connecting to pool members from its non-floating self IP address. -- The BIG-IP connection table includes an entry for the recurring connections. In the following example, the any6.any entry represents the client-side address and the other address is the BIG-IP self IP address: 'any6.any any6.any tcp 9 (tmm: 0)' Workaround: Delete the pool and restart TMM. For more information, see SOL13850: The BIG-IP system may continue to create server-side TCP connections to pool members after the associated virtual server configuration is deleted.
ID 291327 Configuring a virtual server for multicast communications inside a route domain does not work. Workaround: Do not configure a virtual server for multicast communications inside a route domain. This appears to be a rare configuration.
ID 291541 If static Address Resolution Protocol (ARP) entries targeted at the management network exist in the running configuration, in a configuration being loaded, or in a configuration used in a ConfigSync operation, the configuration may fail to load, and an error similar to the following is logged to /var/log/ltm: 01070712:3: Caught configuration exception (0), Netlink reply from kernel has error: -101 - routing.cpp, line 883 Workaround: Delete any static ARP entries targeted at the management network, and then repeat the configuration load or ConfigSync operation.
Procedure for BIG-IP v11.x:
1. Log in to the Traffic Management Shell by typing: tmsh
2. Display the static ARP entries configured on the BIG-IP system by typing: show net arp all
3. Identify the offending static ARP entry.
4. Remove the offending entry by typing delete net arp <Name>, where <Name> is the full name of the entry including its partition prefix (/Common/ in the original example).
5. Save the change by typing: save /sys config
Procedure for BIG-IP v10.x:
1. Log in to the BIG-IP command line as the root user.
2. Display the static ARP entries configured on the BIG-IP system by typing: bigpipe arp static list
3. Identify the offending static ARP entry.
4. Remove the offending entry by typing: bigpipe arp <IP address> delete
5. Save the change by typing: bigpipe save all
ID 291584 When a backslash is used to escape a quote in an external data group, the backslash is duplicated each time the data group is saved. The extra backslashes accumulate and eventually cause a configuration load error. Workaround: Delete the extra backslashes.
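The bug class behind ID 291584 is an escaping step that is re-applied to text that is already escaped, so every save adds a backslash. The release notes do not say how the data group writer escapes; the toy below is an added example (not F5 code) that assumes a simple backslash-before-quote scheme and shows a naive escaper that is not idempotent next to one that leaves already-escaped quotes alone, plus the matching unescape for the load side.

```shell
#!/bin/sh
# Added example for ID 291584 (not from the release notes). Assumed scheme:
# a double quote inside a value is written as \" on save and read back as " on load.

# naive_escape VALUE: prefix every double quote with a backslash, even one
# that already has a backslash in front of it. Saving twice doubles the
# backslashes, which is the behaviour the known issue describes.
naive_escape() {
  printf '%s' "$1" | sed 's/"/\\"/g'
}

# safe_escape VALUE: escape only quotes that are not already preceded by a
# backslash (a quote at the start of the value has nothing before it, so it
# is handled separately). Applying it repeatedly gives the same result.
# Caveat: a value containing a literal backslash directly before a quote
# would need a fuller tokenizer; the data here does not contain one.
safe_escape() {
  printf '%s' "$1" | sed 's/\([^\\]\)"/\1\\"/g; s/^"/\\"/'
}

# unescape SAVED: the load side; turns \" back into a plain quote.
unescape() {
  printf '%s' "$1" | sed 's/\\"/"/g'
}

# Constructed sample record (not taken from any real data group).
RECORD='key "quoted value"'

# Simulate three consecutive saves with each escaper.
naive1=$(naive_escape "$RECORD")
naive2=$(naive_escape "$naive1")
naive3=$(naive_escape "$naive2")
safe1=$(safe_escape "$RECORD")
safe2=$(safe_escape "$safe1")
safe3=$(safe_escape "$safe2")

echo "naive, save 1: $naive1"
echo "naive, save 3: $naive3"
echo "safe,  save 1: $safe1"
echo "safe,  save 3: $safe3"
echo "loaded back:   $(unescape "$safe3")"
```

The check a practitioner wants is the idempotence test in the last two lines of the test: a serializer whose output changes when fed its own output is the one that will eventually corrupt the configuration.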
ID 291689 When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node before adding the pool member to the pool; otherwise the system presents a configuration validation error. Workaround: In this release, use the following process:
1. Create a pool that uses the Weighted Least Connections (Node) load balancing method.
2. Explicitly create the node entries for the pool members on the Local Traffic > Nodes > Node List (create) screen.
3. For each node, specify a value other than 0 (zero) in the Connection Limit box.
4. Return to the pool configuration screen by clicking its link in the Local Traffic > Pools > Pool List.
5. On the Members tab, add the pool members to the pool using the same IP addresses as the nodes you created in the earlier step.
ID 291704 If you replace a copper (Cu) small form-factor pluggable (SFP) module with a fiber SFP module, the link might remain down even when connected to an active peer. Workaround: From the command line, run bigstart restart bcm56xxd.
ID 291719 When the Configuration utility restarts, the system writes benign messages to catalina.out, such as: log4j:ERROR A 'org.apache.log4j.ConsoleAppender' object is not assignable to a 'org.apache.log4j.Appender' variable, log4j:ERROR The class 'org.apache.log4j.Appender' was loaded by log4j:ERROR [org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type log4j:ERROR 'org.apache.log4j.ConsoleAppender' was loaded by [WebappClassLoader. Workaround: None; these messages are benign and you can safely ignore them.
ID 291723 At system startup, you might see messages about unrecognized md component devices, similar to: mdadm: Unrecognised md component device - /dev/mapper/ This occurs because datastor volumes are not intended to be combined into a redundant array; the disk management subsystem tries to join them into an array and fails. Workaround: None; no adverse result occurs, and you can safely ignore these messages.
ID 291742 In the ltm.log file, you might see mcpd warning messages similar to: warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually. When you look in the specified directory, the file does not exist. These messages are incorrect, and you can safely ignore them.
ID 291756 On a multi-drive system, when you remove a drive, the LED status might not be reported correctly. If the LED is flashing when you remove the drive, the LED does not turn green (as it should) when disk replication begins. If the LED is not flashing, it turns green immediately when drive replication starts. Workaround: None; this is a cosmetic issue with no effect on functionality.
ID 291761 After a new installation, the Firefox browser may not recognize the SSL certificate. When this occurs, the Configuration utility posts the message 'Please wait while this BIG-IP device reboots, shutting down device.' and never returns. This behavior is specific to Firefox: once the certificate is no longer considered valid, Firefox ignores subsequent HTTP requests. Workaround: None, but the issue occurs only on a fresh install using Firefox. A configuration you roll forward includes the device certificates, so it is not affected. Microsoft Internet Explorer posts an accept-certificate dialog box when you restart the system.
ID 291768 If you create VLANs in an administrative partition other than Common without first creating a route domain in that partition, the VLANs are automatically assigned to route domain 0. If you later change the default route domain of that partition, each VLAN stays in its existing route domain unless it has a self IP address or virtual IP address assigned, in which case the VLAN moves to the new default route domain. Workaround: Create a route domain in any administrative partition before creating VLANs there.
ID 291777 The software does not support SFP+ modules in SFP ports on VIPRION systems that contain B4100 blades, even when the ports run at 1 Gbps. The system does not prevent this configuration and it may appear to work, but it is neither supported nor recommended: such configurations intermittently lose link aggregation and produce errors. Workaround: None. This is not a supported configuration.
ID 291782 The tmsh load sys config operation (on versions 11.0.0 and 11.1.0), or b load (on versions 9.4.x and 10.x), fails when pool members are configured with port numbers 63, 66, 172, 211, 564, or 629. In version 11.2.0 and later, the tmsh load operation completes for such configurations, but the command tmsh list ltm pool members fails. Workaround: Use port numbers other than these for pool members. If you must use those ports, disable the conversion of port numbers to service names by running tmsh modify sys db bigpipe.displayservicenames value false (on version 11.x) or bigpipe db bigpipe.displayservicenames false (on version 10.x). For more information, see SOL12365: The configuration may fail to load when a pool member contains certain service numbers.
ID 291784 If you set the import save value to 1 (one) and import a single configuration file (SCF), the import operation halts and does not resume. Workaround: Set the import save value to 2 or more. The default value is 2.
ID 291786 When configuring Kerberos delegation, if you use the domaintool utility to delete the domain that is currently the default, the system removes the domain but leaves it designated as the default. Workaround: Change the default to a different domain before deleting it.
ID 305069 Calling COMPRESS::disable in an HTTP_REQUEST iRule event has no effect. Workaround: Call COMPRESS::disable in an HTTP_RESPONSE event instead.
ID 305091 You can create duplicate virtual servers with the same address space that are enabled on different VLANs in the same partition, but not when the VLANs are in different partitions. Workaround: None.
ID 305096 When using the vi editor on the BIG-IP 6900, you might have to press Escape as many as three times to return to command mode from insert mode. Workaround: None.
ID 305319 SNMP queries for ltmUserStatProfileStat values do not return accurate values for user stat profile fields; the system returns 0 (zero) or a negative number instead. Workaround: None.
ID 305380 After you initialize the Federal Information Processing Standards (FIPS) card and convert non-FIPS keys to FIPS keys, you must reload the configuration (using the tmsh load command) or restart the tmm process (using the bigstart restart command) before the system starts using the keys. If you run the system without doing so, it logs errors such as: 01260009:7: Connection error: ssl_hs_vfy_pms:2128: invalid pre-master secret (80) and Connection error: ssl_basic_rx:232: mac miscompare (20). Workaround: Assuming an SSL profile uses the newly converted FIPS key and you plan to reload the configuration, run the following sequence: fipsutil -f init, then convert the non-FIPS key to a FIPS key, then tmsh load /sys config.
ID 336885 A memory leak occurs in Firefox 3.6 (but not in Internet Explorer 8) because of an interaction between the dashboard and the browser. Workaround: If you run the dashboard for a long time, use Internet Explorer instead of Firefox.
ID 336986 If a hard drive is replicating and you start an installation to a volume set that does not yet exist, the array status for the replicating drive transitions to 'failed' while the volume sets are created. Volume sets are created at the very beginning of the installation, so the failed status should last no more than one minute; after the volume set is created, the status returns to 'replicating' as expected. Workaround: None.
ID 338426 On vCMP systems, clusterd can core (assert) on shutdown under certain circumstances. Workaround: None. By that point clusterd has already delivered all notifications to other system components, so the core can be safely ignored.
ID 338450 On VIPRION blades, the BIG-IP system might log timeout-related error messages about kernel-owned interfaces, similar to: slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc -- error: MiiNic: failed to send cmd to driver: readPseMii ioctl on: eth2Phy & Reg:1e:1a -- returns:Invalid argument and slot1/mychassis notice chmand[3782]: 012a0005:5: Tmstat::updateMgmtIf: HAL Svc -- error: MiiNic: failed to send cmd to driver: getStatusReg: timeout wait for result. Workaround: None; these messages are innocuous and can be ignored.
ID 342319 When you add a Domain Name System (DNS) server to the BIND forwarder server list from the Configuration utility, the 'recursion yes' and 'forward only' options are not written to named.conf (recursion is left set to no and forward is not set). This may cause some DNS queries sent to the BIG-IP system to fail. Workaround: Set the recursion and forward options yourself. For more information, see SOL12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file.
ID 342325 If no username and password are configured for a RADIUS accounting monitor, the monitor attempts to connect with a <NULL> username and password. Workaround: Configure the username and password for the RADIUS accounting monitor before it attempts a connection.
ID 342423 The statsd process computes system-wide CPU usage as a process's CPU usage divided by the number of CPUs in the chassis. With a chassis fully populated with PUMA I blades, the value is divided by 16; if a blade drops out, the number of CPUs becomes 12, and while that blade is out the value is divided by 12. As a result, the average for the 5-second window in which the blade dropped out can be calculated incorrectly. Example: from time1 to time4 there are 16 CPUs and process A is using 96% of its CPU; at time5 one blade drops out, and the calculation runs at that moment. Before the blade dropped out, the system-wide average was 96/16 = 6; after, it is 96/12 = 8. Workaround: None. The difference is small, blades should not drop out often, and only the first 5-second system-wide average is affected; the next average is correct.
ID 344226 Creating a CRLDP server with a name that already exists fails with the message 'An error has occurred while trying to process your request.', which does not indicate the cause. A more accurate message would be 'The requested CRLDP server ('crldp_server_name') already exists in 'partition_name'.' Workaround: None.
ID 345092 When a RAID system boots, it posts the message: Press 'CTRL-I' to enter Configuration Utility... Pressing Ctrl+I has no effect; it is not possible to enter the RAID configuration utility this way. This is a hardware constraint. Workaround: Configure RAID parameters through TMOS instead.
ID 345529 The BIG-IP Configuration utility may incorrectly allow you to assign certain health monitors to pools whose pool members are configured with a wildcard service port. This occurs when you assign the pool health monitor before assigning a member-specific monitor to each pool member. For LTM configurations, the configuration fails to load and the system does not pass traffic; for GTM configurations, sync group members may fail to answer wide IP requests. Workaround: Specify an Alias Port on any monitor that must probe a specific service port on wildcard pool members. For more information, see SOL12400: The BIG-IP Configuration utility may incorrectly enable you to assign certain health monitors to pools and server objects that are configured with a wildcard service port.
ID 347174 When BIG-IP VE starts on a Hyper-V platform, it posts multiple Advanced Configuration and Power Interface (ACPI) messages such as 'ACPI: LAPIC (acpi_id[0x3f] lapic_id[0x3e] disabled)'. Workaround: None; these messages are expected and you can ignore them.
ID 348431 If you cancel a qkview while it is being generated from the GUI, a zero-byte qkview file is created, and subsequent attempts also produce zero-byte qkviews, even after you delete the previous one. Canceling from the GUI does not stop the qkview process; until that process finishes or is killed, new qkviews have size zero. This occurs when you cancel a qkview generated from the GUI and immediately regenerate one. Workaround: Wait until the qkview process has finished, or kill it, and then regenerate. Removing the lock file (rm /shared/tmp/.qkview_lock) also allows a new qkview to run, but having two processes overwrite each other's temporary files is not recommended.
ID 348502 Deleting or renaming a vdisk directly on the file system (for example, using bash) is not detected by vcmpd and can lead to unexpected behavior if the system later attempts to use that vdisk. By design, the system does not detect or handle direct vdisk deletes or renames. Workaround: Deleting or renaming vdisk files directly is not supported; use tmsh, the Configuration utility, or iControl instead.
ID 348503 The WMI monitor reports "not found" for LoadPercentage, CurrentConnection, GETRequestsPerSec, and POSTRequestsPerSec when probing IIS 7.5 on Windows 7.
ID 349242 The Ratio Least Connections (node) load balancing method does not perform correctly with Performance (Layer 4) virtual servers. Workaround: None.
ID 349629 The configuration fails to load with an error similar to: 01070257:3: Requested VLAN member (1/2.1) is currently a trunk member Unexpected Error: Loading configuration process failed.
ID 351934 When booting with SSDs installed, the SSD sled activity light blinks while the spinning-media sleds do not. Workaround: None; this is normal behavior.
ID 352560 Proxy SSL is incompatible with persistence profiles; a virtual server configured with both does not work. Workaround: None; do not configure a persistence profile and Proxy SSL on the same virtual server.
ID 352840 When using partition default route domains on a VIPRION, loading a previously saved configuration that had a different default route domain may cause the secondary daemons to restart. Workaround: Load the default configuration before loading a configuration that has a different default route domain on any partition.
ID 352925 Updating a suspended iRule assigned via profile causes the TMM process to restart when trying to return to the suspended iRule. This occurs when the iRule is suspended and the TMM process is trying to restart. TMM restarts. To work around this, assign the iRule to the virtual server instead of assigning it to the profile.
ID 352957 Established flows via virtual servers with iRules using the "node <addr>" command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail (due to mis-routing of packets) after a route table change, even if the change does not affect any of the addresses used in the flow. New flows established after the route table change will work as expected. There is no workaround for the problem.
ID 353249 LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected on PVA platforms, when using FastL4 profile with PVA in 'Assisted' mode. This occurs when using the FastL4 profile with PVA in 'Assisted' mode. LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected. None.
ID 353621 You can get an error from tmsh when adding a device to the trust-domain that says the device cannot be found. This occurs in TMSH, if the 'name' option is omitted. This only occurs in TMSH. Adding devices in the GUI does not result in an error. The system posts the error: 'The requested device ( was not found.' This error actually indicates the "name" parameter was not specified in the command. The message does not indicate that there is a connectivity issue to the device being added to the domain.
ID 354467 When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. This occurs with VLAN groups created before the associated route domain. In this case, opaque mode does not work. To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart tmm.
ID 354972 In some cases, TMSH does not properly recognize hostnames as an item reference for commands. This occurs in tmsh commands. Hostnames are not recognized when referenced in tmsh commands. Use IP addresses instead of hostnames when creating addresses with tmsh in this release. Or use the GUI.
ID 355299 PVA acceleration can be configured on a platform without a physical Packet Velocity ASIC present. This occurs when configuring PVA acceleration on a platform without PVA present. No acceleration can occur, because the platform does not support it. None, but the setting has no actual effect and is harmless.
ID 355564 The error message "The requested unknown (/Common/traffic-group-1 /Common/bigip1) was not found." might appear in the log during startup. This message does not indicate a problem, and can be ignored in this situation. This occurs when the configuration is new or has been set to defaults. The error message appears in the log during the device name change. There is no impact, as the message appears due to the device name changing.
ID 355616 ltm virtual-address objects are only shown in tmsh list output when specifically requested, as in 'list ltm virtual-address', not in commands such as 'list ltm'. This occurs when running 'list ltm' in tmsh. Virtual-address objects are not shown. To work around this, use 'list ltm virtual-address' instead.
ID 356611 You can invoke imish (the shell for configuring dynamic routing) from tmsh. When you subsequently press Ctrl + Z, sshd and imishd start consuming CPU until the imish shell times out. This occurs when tmsh is not the login shell and you invoke imish from tmsh and then press Ctrl + Z. sshd and imishd consume CPU until the imish shell times out. If the system is already in this state, run the fg command, and then exit imish. Otherwise there is no workaround, but suspending tmsh is not recommended behavior.
ID 356658 A message is logged when a remote authenticated user does not have a local account: alert [20843]: pam_unix(:account): could not identify user (from getpwnam()) This occurs when remote authentication is enabled and configured on the BIG-IP system, and a remote user without a corresponding local user account logs in to the BIG-IP system. An alert-level log message is generated for a valid user login.
ID 356705 After completing the setup wizard in the Configuration utility, the user is redirected to the Welcome screen. This occurs after completing the setup wizard in the Configuration utility and returning to the Welcome screen. The menu at left should also change from the restricted setup menu to the full menu, but occasionally it does not. In this case, the workaround is to log out and in again, or refresh the browser.
ID 356938 Special characters (such as the Yen sign) in data group names generate garbage characters. This occurs when using special characters in data group names. The system generates garbage characters in the GUI. Do not use special characters of this type for data groups.
ID 357262 When a logging pool is not available, the system closes the connection whenever it serves an HTTP response on a logging error. This occurs when 'Respond On Error' is set to Enabled, and the associated logging pool is unavailable. The system sends a TCP reset to the client connection. Although there is no direct workaround, you can get the service back up by setting 'Respond On Error' to Disabled and updating the request logging profile. You can do so at the command line by running the following command:
    root@(BIG-IP)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify ltm profile request-log hsl_logger proxy-respond-on-logging-error no
ID 357391 The racoon IKE (ISAKMP/Oakley) key management daemon must be initialized before it can process connections. You can determine whether racoon is initialized by looking at /var/log/racoon.log. After configuring IPsec objects, /var/log/racoon.log reports that it has loaded the configuration, with no error following it, in a message similar to the following: 2011-04-27 11:03:35: INFO: Reloading configuration from '/etc/racoon/racoon.conf'. This occurs when using racoon to negotiate IPsec tunnels. Traffic sent before initialization is complete fails to be processed. None. The racoon daemon must complete initialization before traffic is sent for processing.
ID 357656 When you use bigstart restart to restart all daemons on a guest on VIPRION platforms, the system logs a benign ltm log message. This occurs when restarting all daemons on a guest on VIPRION platforms. The system logs the message: Apr 25 15:43:27 slot1/vcmp1 notice chmand[7975]: 012a0005:5: Chmand cleanup: Slot:Led:Color (1:3:0) not succeed: virtual void Hal::NullAnnunSvc::ledSet(Hal::LedFunction&, Hal::LedColor&, uint32_t&, uint32_t&, uint32_t&) None, but this is a benign message and you can safely ignore it.
ID 357822 You can use "delete cm trust-domain all" to create or fix the trust-domain when loading a blank or inconsistent SCF.
ID 357852 If a device that is part of an established trust-domain is added into a second, separate trust-domain, the devices in the original trust-domain still have references to the original device. This occurs when moving members from one trust-domain to another. Devices in the original trust-domain still have references to the removed device. Delete the device from the trust-domain from a certificate authority before adding it to a different trust-domain.
ID 357874 Creating an overlapping route can cause an unclear configuration exception message, such as:
    1. [root@ltm-56:Active] config # tmsh create net route test_route_ipv6 network 2002::1/128 gw 2002::3
    2. [root@ltm-56:Active] config # tmsh create net route default-inet6 { gw 2002::1 }
    01070712:3: Caught configuration exception (0), Netlink reply from kernel has error: -113 (for static route create: ::/0 gw 2002::1 in vlan '') - net/validation/routing.cpp, line 332.
There is no workaround.
ID 358063 If you issue the command 'restart sys service all' from the tmsh shell, the next command you issue results in the error message: 'The connection to mcpd has been lost, try again.' There is no workaround.
ID 358099 If two devices have different provisioned modules, then the application with those modules configured in one device might not be able to sync to the other device. This occurs when syncing two devices that have different provisioned modules. The two devices are out of sync and cannot recover in this situation. For sync to occur correctly, both devices must have the same provisioning.
ID 358191 If the user resets the trust and changes the host name of the device, the other devices in the trust domain still show the unchanged, former host name and show the device as still attached. This occurs in a trust configuration. Changing the host name has no effect. None.
ID 358575 The traditional ConfigSync mechanism has been replaced with a more robust MCP-to-MCP communication mechanism. As a result, UCS files now load the full configuration in all cases, and no longer have the concept or ability to only load the "shared" portion. Loading of UCS files created on a different device is no longer supported. There is no workaround.
ID 358615 Because there is no 'add' option for unicast-address, if you have two existing unicast addresses, the command to add another replaces both addresses with a single address. For example, given a device with two existing unicast addresses, this command replaces both addresses with a single address: modify cm device unicast-address { { ip } } The result is that the device unicast has only the mgmt address, and has lost the internal IP address. When modifying failover unicast addresses using tmsh, you must specify all addresses, even if the intention is to remove or add a single address.
ID 358655 The system posts an error message 'No such file or directory' during kernel installation. This occurs during kernel installation. The system reports an error such as the following: info: RPM: ls: /etc/modprobe.d/*.conf: No such file or directory. None, but it does not negatively impact the installation itself.
ID 359393 In order to be compliant with the FIPS-140 standard, keys cannot be exported from a FIPS card in plain text; they can only be exported by encrypting them with the master key on the FIPS card. This occurs when the master key on the FIPS card has changed since the keys were exported. In this case, it is not possible to import the keys back into the card. None.
ID 359395 Invalid or empty SSL certificates, keys, or CRLs will not be rolled forward on upgrade to v11.0.0.
ID 359491 When a system's hostname is set by the user via the tmsh setting "modify sys global-settings hostname" only the local copy of the self device is set. Remote copies of the hostname are not updated accordingly. Thus, running the command "list cm device name-of-device hostname" would have the hostname "" on the local machine and "" on other machines in the trust domain.
ID 359774 In v11.x, pools used in an HA group must be in Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.x fails. This occurs with HA group pools in administrative partitions other than Common. The upgrade fails. None, except ensuring that all pools used in HA groups exist in the Common administrative partition.
ID 359873 LTM-initiated SSL renegotiation is not attempted when secure renegotiation is configured as required and the peer is unpatched (does not support SSL secure renegotiation). This applies both to configuration-based (e.g., renegotiate-period), as well as iRules-based attempts to renegotiate. This occurs when secure renegotiation is required and the peer is unpatched. LTM-initiated SSL renegotiation is not attempted. None except to ensure that all peers are patched.
ID 360122 The iControl method System.Statistics.reset_all_statistics() does not reset iStats. This occurs when running the iControl method System.Statistics.reset_all_statistics(). iStats are not reset. To work around this, do the following: 1. Run bigstart stop. 2. Remove all files (not directories) in /var/tmstat2. 3. Run bigstart start.
ID 360134 6400, 6800, 8400, and 8800 platforms with Cavium NITROX Federal Information Processing Standards (FIPS) cards do not support secure SSL renegotiation with RC4 ciphers. Initial SSL handshakes are unaffected, but attempts to perform mid-connection rehandshakes fail when SSL secure renegotiation is negotiated. This occurs on the 6400, 6800, 8400, and 8800 platforms with FIPS cards using secure SSL renegotiation with RC4 ciphers. Initial SSL handshakes are unaffected, but attempts to perform mid-connection rehandshakes fail. You can work around this by disabling SSL renegotiation or RC4 ciphers. Platforms with Cavium NITROX-PX FIPS cards are unaffected.
ID 360485 Node statistics, especially after a statistics reset, may be too high for a node whose address is in a lasthop pool. This occurs when a lasthop pool is configured. Node statistics are inaccurate. None.
ID 360675 Creating a configuration object with a FIPS 140 key will always create a key in the FIPS 140 device even when the configuration objects are not saved. Configuration objects that are not saved will require the user to delete FIPS 140 keys manually from the device. Keys can be deleted manually with "tmsh delete sys crypto fips by-handle". Key handles can be listed with "tmsh show sys crypto fips".
ID 361181 You can run the command 'fipsutil -f init' to force re-initializing the FIPS card or 'fipsutil reset' to reset the FIPS card. Both of these operations delete all the keys in the card. However, issuing the command does not delete the BIG-IP configuration objects representing those keys. It also does not modify SSL profiles utilizing those keys. When there are BIG-IP configuration objects referencing such FIPS keys, these operations result in a failure to load the configuration on reboot. This occurs when running the command 'fipsutil reset' or 'fipsutil -f init' and BIG-IP has configuration objects referencing keys on the FIPS card. The system posts messages similar to the following: 'notice mcpd[5816]: 01390002:5: The size of the configuration DB has been extended by 2097152 bytes, now using a total of 10485760 bytes', 'err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(e1:fb:55...ef:89:b3), FIPS:ERR_HSM_NOT_INITIALIZED. ', 'err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: fips_insert_masked_object error on import, ERR_HSM_NOT_INITIALIZED. ', 'err mcpd[5816]: 01070712:3: Caught configuration exception (0), unable to import FIPS 140 key (/Common/zzFIPSTest) from key file.) - sys/validation/FileObject.cpp, line 4714. ', 'err tmsh[6948]: 01420006:3: Loading configuration process failed. ' To avoid this situation, delete the FIPS keys and remove their usage from profiles before resetting or re-initializing the FIPS device. If the system gets into the failure condition, you can recover by completing this procedure:
    1. Edit the bigip.conf file where the FIPS key is referenced. Delete all occurrences of the key.
    2. Delete the key from /config/ssl/ssl.cavfips.
    3. Find and delete the key from filestore/files_d/<partition-name>/certificate_key_d/.
    4. Run 'tmsh load sys config partitions all' to make sure the config loads.
After this point, the config should load without issue after a reboot.
ID 361315 If you go to the System : Preferences screen and simply click the Update button without editing any values, the system incorrectly posts a Changes pending notice (that is, a recommendation for synchronization). Many values on this screen are not even synchronized across BIG-IP devices. This occurs when you click the Update button on the System : Preferences screen. The system incorrectly recommends a sync, even though it is not needed. None.
ID 361470 If a virtual server's destination address is entered into tmsh with invalid IPv4 or IPv6 numbering or a hostname, the error message 'The requested virtual address (</PATH/ADDRESS>) was not found.' is displayed. This occurs when entering an invalid IPv4 or IPv6 numbering or a hostname in tmsh. The system posts the message. None.
ID 362225 Disabling connection queuing via "tmsh edit" while connections are queued causes the queued connections to become stuck. This occurs when using tmsh edit while connections are queued. Queued connections become stuck. The workaround is to use tmsh modify command instead of edit.
ID 362405 If a vdisk migration occurs, the original copy is left unchanged on the source slot. The copy is never synchronized with the new vdisk copy on the destination slot. After vdisk migration is successful, the original vdisk can be safely deleted but can also be kept as a valuable backup. However, note that if the guest is once again allocated to the slot containing the old vdisk, then that old vdisk is used without it first synchronizing with any other vdisk. This might result in unexpected behavior, for example: If that slot is the only one the guest is allocated to, it boots up with the old software, configuration, and license that existed on the guest at the time the guest was migrated to another slot. If, however, the guest is already deployed on other slots, the guest uses the old vdisk on that slot but synchronizes the software, configuration, and license from the guest's primary slot, per normal clustering behavior. None.
ID 362874 A misleading Upgrading Device Trust banner can appear in the GUI. The banner indicates that the device is waiting for its peer to be contacted. This occurs when a device that is configured to be in a redundant pair is upgraded to version 11.x, but its peer device cannot be contacted. After upgrading, the GUI might post the following message for several hours: 'Upgrading Device Trust Device trust is still being upgraded. Please do not make modifications to Device Management or Traffic Groups pages while this message is displayed.' If the peer device is no longer in use, use the following workaround to remove the banner message:
    * Set the trust.configupdatedone db variable to 'true'.
    * Set the failover.isredundant db variable to 'false'.
    * Restart devmgmtd.
    * Reset trust.
ID 363216 A virtual server might indicate 'vlans-disabled', but does not include a list of which VLANs are disabled if that list is empty. The tmsh list command does not indicate that a VLAN is disabled. This can be seen only in the GUI. This occurs when you add a VLAN to a virtual server. The default setting is disabled. For example, this configuration means that the virtual server is disabled for no VLAN entries, which is the default setting:
    ltm virtual sample_vs {
        destination any:any
        profiles {
            fastL4 { }
        }
        vlans-disabled
    }
The VLAN added to a virtual server is silently disabled. Running the command 'list ltm virtual all-properties' indicates whether the VLAN is enabled or disabled.
ID 363284 The cipher list 'DEFAULT:!NATIVE' is different on v10.2.2 (valid) and v11.0.0 (invalid, empty). This can cause configurations to fail loading on v11.x during the upgrade. This occurs because ciphers 'ALL' in the Client SSL profile only includes 'NATIVE' ciphers. That means that 'COMPAT' must be specified to include 'COMPAT' ciphers (e.g., EXP, EDH). As all SSLv2 ciphers are COMPAT ciphers, this also means that 'ALL:SSLv2' no longer includes SSLv2 ciphers. Note that this change impacts upgrade. So if your configuration uses COMPAT ciphers, it requires a configuration change (to specifically include COMPAT ciphers) for upgrade to complete successfully.
ID 363541 You can create an 'and' rule for the default node monitor that includes the monitor '/Common/none'. This occurs with the none monitor. When this occurs, the state of the node is not reported correctly. None.
ID 363756 Simultaneous blade-to-blade migrations of guests might occur. In rare instances, multiple migration tasks take longer than the allocated interval, and could time out. If this happens three times, the guest is placed in the "failed" state. This occurs with simultaneous blade-to-blade migrations of multiple guests on vCMP configurations. If multiple guests must migrate before power on, it is likely that the first two guests migrate, while all others fail due to timeout values. To recover a guest from this condition, wait until all guest migration tasks complete successfully or fail after three timed-out attempts. Then, on any blade with a guest in the 'failed' state, execute the 'vretry' command. This causes any guests in the failed state on that blade to retry the failed action. Executing 'vretry' one blade at a time and waiting until all migration tasks on that blade are complete avoids these failsafe timeouts. If a guest's retry attempts also fail, re-provisioning the guest might resolve the issue. To do this, change the guest's state to 'configured' and then subsequently back to 'provisioned' or 'deployed', as preferred. Note that this might cause the guest to be allocated to a different blade.
ID 363912 On rare occasions, when there are no monitors assigned as the default node monitor, an entry 'none' may appear in the Active select box on the 'Default Monitor' page in the Configuration utility. This still represents the fact that no monitors are selected as the default node monitor, and the BIG-IP system operates as such. This occurs because tmsh allows /Common/none as the default-node-monitor; the GUI displays it correctly, but 'none' is not present in the GUI by default. None.
ID 364407 When vCMP is provisioned and guests are created, and vCMP is later deprovisioned, attempts to delete or modify the VLANs those guests used cannot succeed. Even after vCMP is deprovisioned, VLAN deletion or modification incurs a verification check that prevents the VLAN from being deleted or modified. You cannot remove VLANs that a provisioned, deployed, or configured vCMP guest made use of. To work around this, reprovision vCMP, delete or modify the guest, delete or modify the VLANs, and then deprovision vCMP (reboot required).
ID 364522 A user with the app_editor role can create an app service; however, because app_editor users cannot create objects (they can only update and enable/disable them), app_editor users actually cannot create an app service. This occurs with users with the app_editor role. App_editors cannot add pool members unless the node already exists. There are two workarounds: 1. Use the new add_member_v2 method, which does not have this constraint (the add_member command is deprecated). 2. Have a user with the appropriate role create/manage the node address prior to using add_member.
ID 364588 Running the show command from /Common to display a pool in another partition does not show all of the information. This occurs when you run the show command from the /Common partition to display the details of a pool in another partition. The monitor instance line is missing. To work around this, navigate to the partition first. Then the show command presents the expected results.
ID 364717 There is an issue when using the node-port option with the delete command for persistence persist-records. This occurs when using the delete command to delete persistence records on a nonexistent port. The system deletes all the persist table entries irrespective of the port specified. In addition, the show command with nonexistent port displays all the entries irrespective of the port specified. None, except to ensure that the port exists before deleting the persist table entries.
ID 364978 If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2. This occurs when an active/standby system is misconfigured with unit 2 failover objects. For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair. To work around this, modify the default device to point to the unit 1 box, using a command similar to the following:
    tmsh modify /cm traffic-group traffic-group-2 default-device <unit 1 device name>
ID 364994 When OneConnect is in use, server-side flows are reused whenever possible. If this is disabled client-side (via an iRule), this can lead to a tmm crash if the server-side flow is not in a reusable state. This happens when OneConnect is enabled. tmm crashes if the server-side flow is not in a reusable state. To work around this, add the following SERVER_CONNECTED event handler:
    when SERVER_CONNECTED {
        if { [info exists oc_reuse_ss_disable] } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
        }
    }
and rewrite the client-side code thus:
    set oc_reuse_ss_disable 1
    # pick a new connection, so SERVER_CONNECTED fires
    ONECONNECT::reuse disable
    CACHE::disable
    COMPRESS::disable
    HTTP::disable
ID 365006 Installing a 10.x UCS on a "clean" 11.0 will cause daemons on secondary blades to restart.
ID 365219 Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but one of the two following error messages appears in /var/log/ltm:
    -- Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at}.
    -- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust.
This occurs when upgrading high availability version 10.x configurations that use the factory default admin password. Trust upgrade for the version 10.x high availability configuration fails. Workaround: Change the default admin password in the 10.x configuration before upgrading to 11.0.0. This is intended functionality. The default admin password should be changed before deployment.
ID 365555 The DES ciphers have been deprecated for TLS v1.2, but TMM is including them. These ciphers are supported on earlier versions of SSL/TLS, such as SSLv3 and TLS v1.0, which are widely used. TLS v1.2 is deprecating them in favor of higher standards. None. F5 recommends that you do not use these ciphers.
ID 365756 During the load of a bad SCF file, once an error occurs, the user is left in the partition folder where the error occurred. If the user attempts a second load, they get an error: 'Data Input Error: 01070734:3: Configuration error: Invalid mcpd context, folder not found'. This occurs when loading a bad SCF file. The system changes the CLI location to the folder that has the error. Fix the SCF file, change the directory/context back to /Common, and attempt to reload.
ID 365757 Mixed mode is presented as an option for extra disks. When trying to change the mode for logical disks, the system presents all options in the GUI and tmsh, even those that are not valid. When applied, this configuration option presents an error message: '01071372:3: Cannot change the mode for logical disk (HD2) from (NONE) to (MIXED). Disks cannot be changed to MIXED or CONTROL modes.' Only None and Datastor are functional modes for extra disks.
ID 365767 The verify option during a load .scf file operation from tmsh on the VIPRION system will cause mcpd to restart. To work around this issue, do not use the verify option on VIPRION.
ID 365836 Changing provisioning using two commands in sequence (for example, LTM=none and VCMP=dedicated) in TMSH results in a fatal TMM error. That happens when typing the two TMSH provisioning commands LTM=none and VCMP=dedicated in succession. This results in a fatal TMM error, and, if the config was not saved after entering the provisioning commands, the primary reboots, which results in no provisioned modules or the previous provisioning settings. Use the GUI or iControl to adjust the system provisioning level. Or, issue a provisioning transaction for vCMP with a custom command at the root. The following example shows how to set LTM=none and VCMP=dedicated:
    echo "create cli transaction;modify sys provision ltm level none;modify sys provision vcmp level dedicated;submit cli transaction;quit" | /usr/bin/tmsh
When you run this transaction, secondary blades will likely reboot automatically. The primary might reboot automatically as well. If the primary does not reboot and the status is REBOOT_REQUIRED, wait two full minutes before rebooting the primary blade. Waiting ensures that provisioning completes, the secondaries have rebooted, vcmpd starts, and the system enters a quiescent state.
ID 366060 There is an issue that is rarely encountered in FTP mirroring. FTP mirroring occasionally fails when connections come from tmm0. When it does fail, the idle timer on the standby is not updated and the connection is reaped in the 30-50 second range. None.
ID 367072 Running the command 'tmsh show sys hardware' on an appliance-based system shows a Registration Key field with a -- value, even on licensed systems. This field is designed only for chassis-based systems, so you can ignore the value. This occurs on appliance-based systems when running the command. The Registration Key field contains a -- value. There is no workaround, but this field is designed only for chassis-based systems, so you can ignore the value.
ID 367198 Running 'tmsh show sys hardware' on appliances shows a blank Registration Key field. This occurs when running this command on hardware other than VIPRION chassis. Blank Registration Key field. This is by design; this field is intended for VIPRION chassis only.
ID 367714 When accessing the serial console on some BIG-IP platforms, if the baud rate is changed repeatedly on the serial client, the serial console port may cease functioning. In this case, a reboot of the BIG-IP system is required to restore serial console functionality. This problem is known to occur on BIG-IP 6900 appliances, and may also occur on BIG-IP 1600, 3600, 3900, 8900, 8950, 11000 and 11050 appliances. This problem has been observed to occur more frequently when connecting to the BIG-IP serial console from a client using a USB-to-Serial adapter. Different makes and models of USB-to-Serial adapters do not perform identically. The serial console interface to the affected BIG-IP system is lost. A reboot of the BIG-IP system is required to restore serial console functionality. The BIG-IP system can be accessed via the management IP address, or by the AOM management IP address if so configured. For more information, see SOL13331: The BIG-IP serial console port may lock up when the terminal emulator is configured with a mismatched baud rate, available at
ID 367996 Chunked HTTP responses might not be unchunked before they are compressed and forwarded to the client. This issue occurs when the following conditions are met:
    - The NTLM and OneConnect profiles are applied to a virtual server.
    - HTTP compression is enabled on the virtual server.
This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server. Client connections might fail. To work around this issue, you can either modify the type of response chunking or disable compression. For more information, see SOL14030: The BIG-IP system may fail to unchunk server response when compression is enabled, available here:
ID 368888 The system allows you to create a virtual server (which creates the virtual address) in traffic-group 2 and a SNAT translation IP in traffic-group 1, and then to assign the SNAT IP to the virtual IP address, even though doing so could cause asymmetric routes if these traffic-groups were not active on the same unit. This occurs with multiple traffic groups and SNAT translation tables. This configuration might cause asymmetric routes. To work around this, only perform this type of configuration when the two traffic groups are active on the same unit.
ID 369596 'tmsh show ltm pool' command doesn't show the latest updates for connection and rate limits. The connection and rate limits do not get published to the UIs until a monitor instantiates a state change on the pool member or node. Note that this does not impact the data path, it is only a UI issue. Configure a pool member or node to have connection or rate limits.
ID 369640 If an iRule is assigned to two different virtuals in different contexts, the first time the rule runs, any internal object conversions/lookups are performed in the first context. When the second virtual runs the same rule, it assumes that the objects that have been looked up are correct, and points to the wrong members. This occurs when two virtuals in different folder paths use short names for objects like pools, procs, nodes and virtuals. The iRule can point to objects outside the current folder path. Give each virtual its own copy of the iRule (it is not necessary to provide complete folder paths).
ID 371647 When using ACA Kerberos delegation, users must manually add the iRule _sys_auth_krbdelegate to their profile. This step must be done manually when using Kerberos authentication in ACA. This does not apply to APM authentication. Add the iRule.
ID 372209 When the certificate used to verify a signed iRule expires, the iRule verification status remains 'Verified' as long as the certificate exists on the device. This occurs when an expired certificate that was used to sign an iRule still exists on the system. The iRule status remains 'Verified', even though the certificate is expired. To avoid the misleading status, the signature for iRules signed with an expired certificate should be modified to have the 'ignore verification' property set to true, or edited to remove the signature (edit the rule and remove the 'definition-signature' line).
ID 373467 MD5 certificates do not work with TLS 1.2. This occurs with TLS 1.2 and MD5 client certificates. Clients do not authenticate with certificates signed with rsa-md5. None.
ID 374067 Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system. An iRule using the 'snatpool' command in CLIENT_ACCEPTED. Keepalive connections occasionally source from the BIG-IP system's self-IP address. Use the HTTP_REQUEST event to set the SNAT pool.
ID 374109 The radvd config is not migrated to tmsh syntax during a UCS restore. The workaround is to create the config manually with tmsh.
ID 374333 When the rate of new connections (CPS) is extremely low, observed/predictive load balancing can perform uneven connection distribution across pool members. Configure a pool using predictive or observed load balancing methods. Uneven connection distribution across pool. None.
ID 375207 On rare occasions, tmsh writes an innocuous error message to /var/log/ltm based on a query to mcpd. Here is one case that issues the message: In tmsh, type the command 'generate sys icall event', and then press the tab key. The following error is posted: 01070734:3: Configuration error: Invalid wildcard query, invalid or missing class ID. None, but this message is innocuous and can be safely ignored.
ID 375605 Management IP addresses that are not saved in the configuration can remain on the interface after a reboot. This occurs if you change the management IP address, but then reboot the system before saving the configuration. Can result in inconsistent system configuration that may be difficult to discover and correct. This is a rarely encountered timing issue. Rebooting again or removing the unwanted address manually will solve the issue.
ID 375887 Using the cluster member 'disable' command with a trunk that spans blades can cause a brief period where received broadcast and multicast packets egress out the enabled trunk members of the cluster. This occurs on a trunk that spans blades. To an external device running spanning tree protocol or variant, this can look like a loop. None.
ID 376120 When a non-default route domain is configured for dynamic routing, then subsequently deleted and re-added, tmrouted might restart. Non-default route domains in use. Dynamic routing for all route domains is interrupted.
ID 376166 QSFP+ module ports do not allow a media capability setting of 1 GbE. This occurs when setting the media capability of the 10 GbE port to 1 GbE. This action fails to turn the 'link-up' LED to amber; the LED remains green. None. This action is not supported on this port.
ID 376447 If a VLAN group member is used in the configuration of another object, an error may result. It should not be possible to add that VLAN directly to a route domain since it is part of a group; however, if you create a new route domain, the VLAN appears in the list of available VLANs, and attempting to add it results in the error. This occurs when using tmsh or iControl and the VLAN group feature. The system posts an error similar to the following: 01070712:3: Caught configuration exception (0), Cannot create vlan 'vlanx' in rd0 - ioctl failed: File exists - net/validation/routing.cpp, line 395. To avoid the problem, when using tmsh and the VLAN group feature, only use the VLAN groups, never their members, when configuring other objects. Furthermore, it is not necessary to work with the VLAN group member (that is, in this case, the group is already in the route domain, so adding the VLAN itself is not even necessary).
ID 377231 VIPRION B4300 blades only support 9600 and 19200 baud, even though other baud rates are accepted. This occurs when using baud other than 9600 or 19200 on VIPRION systems. You can select other baud rates, but they do not work. None. VIPRION B4300 blades only support 9600 and 19200 baud.
ID 378055 The serial console on the B2100 blade in a VIPRION C2400 chassis cannot be set to 38400 using the tmsh command 'tmsh mod sys console baud-rate 38400,' but can be set using the AOM Command Menu. After setting to 38400 via the AOM Command Menu you can use the tmsh command to see that the baud rate has been set to 38400. This occurs on the B2100 blade on a VIPRION 2400. Cannot use tmsh to set baud rate to 38400. Use AOM to set baud rate to 38400.
ID 378967 Users in partitions attached to sync-only device groups do not sync to other devices in that device group. There are users whose active partitions are attached to a sync-only device group. This only affects sync-only device groups, not the failover device group. None.
ID 379002 MSRDP persistence fails when pool members are in route domains, causing the pool's load-balancing mechanism to be used instead. A configuration with route domains and MSRDP persistence. Connections will be load-balanced in perpetuity. Do not use route domains if possible.
ID 380047 Listing objects that exist in partitions other than /Common shows no results. This occurs when you are in the /Common partition and you attempt to list objects that exist in another partition, for example, running the command 'list ltm profile ntlm my_subfolder/my_ntlm_profile' when /Common is the active partition. Listing certain objects in subfolders of the current folder (e.g. 'list ltm profile ntlm my_subfolder/my_ntlm_profile') may not show any output. As a workaround, you can change into the partition ('cd my_partition') and then list the object: 'list ltm profile ntlm my_ntlm_profile'.
ID 380415 TMM CPU utilization statistics reported by sFlow or by running 'tmsh show sys tmm-info' are less than actual TMM CPU utilization. This occurs when using sFlow or by running 'tmsh show sys tmm-info' to report TMM CPU utilization statistics. The values reported are less than actual TMM CPU utilization. TMM CPU utilization stats can be found by running 'tmsh show sys proc-info tmm'.
ID 381123 Enabling more than 10 sFlow receivers may impact the performance of the BIG-IP system and, therefore, is not recommended. This occurs when using more than 10 sFlow receivers. Slower system performance. None. This configuration is not recommended.
ID 381710 The test-monitor and test-pool-monitor commands require the monitor or pool argument to include its partition, e.g. /Common/pool1. This occurs when using these commands inside a partition. Tab completion from inside a partition causes the partition name to be omitted. To work around this, run these commands from the root partition, or manually type the full pool or monitor argument including the partition.
ID 382040 Config sync fails after changing the IP address of a pool member that has a node name, where the IP address change is achieved by deleting the pool member and node and then recreating them. To reproduce: delete an existing pool member which has a node name set, recreate the pool member with a different IP address using the same node name before syncing the config, then sync the configuration. For example, starting from this configuration:
  ltm pool ip_mod_pl { members { ip_mod2_nd:http { address } ip_mod_nd:http { address } } }
  ltm node ip_mod2_nd { address }
run:
  tmsh modify ltm pool ip_mod_pl members delete { ip_mod2_nd:http }
  tmsh delete ltm node ip_mod2_nd
  tmsh modify ltm pool ip_mod_pl members add { ip_mod2_nd:http { address } }
  tmsh run cm config-sync to-group S48-S49
On 11.4.0 and up this only happens if a full load is being done. Note that full loads may still happen on occasion even if full-load-on-sync is false for the device group. Config sync fails. The current workaround is to delete the pool member and node on the peer and then sync the configuration. The issue does not affect pool members/nodes with no name associated with the node.
ID 382252 If TMM cores, the High Speed Bridge (HSB) driver clears its transmit and receive ring buffers as part of its shutdown routine. This causes the loss of HSB ring buffer data and state information that might be useful in diagnosing the cause of certain TMM cores resulting from invalid buffer data. This occurs on BIG-IP platforms containing a High Speed Bridge (HSB) FPGA device when a TMM core occurs. HSB ring buffer data and state information, which might be useful in diagnosing the cause of the TMM core, is not preserved in the resulting TMM core. None.
ID 382363 The system does not require min-up-members of a pool to be set greater than zero when also using gateway-failsafe-device on the same pool. A pool's min-up-members is 0 when gateway-failsafe-device is set. Failure to set min-up-members greater than zero when using gateway-failsafe-device might cause errors. The tmm might crash. Set min-up-members greater than zero when using gateway-failsafe-device.
ID 382577 When you run the imish 'terminal monitor' command, you do not receive the expected results. The imish command has no effect in TMOS. This occurs when running the imish command. There is no display of debug logs in the imish session. The workaround is to configure the log file (under /var/log) and use the tail command to monitor it in real time. Note: For this workaround, users must have access to bash.
ID 382613 On VIPRION 4400 chassis containing B4100 blades, the Speed LED stays with solid yellow when at 10Mb. VIPRION 4400 chassis containing B4100 blades. The Speed LED stays with solid yellow. This is not an indication of a problem with the system, even though the Platform Guide: VIPRION 4400 Series indicates that the Speed LED should blink yellow.
ID 383128 While upgrading or booting between versions on the VIPRION B2400, B4200, and B4300 Blade Series, it should be expected that firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. This occurs when upgrading or booting between versions on VIPRION blades. Firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. None.
ID 383442 If a packet is split into multiple fragments and the matching part of the tcpdump filter is in a later fragment, it does not match. This occurs on multi-fragment packets. The tcpdump packets do not match. None.
ID 384717 While viewing 'watch-trafficgroup-device', if devices in the device group change, 'watch-trafficgroup-device' can sometimes become non-responsive. This occurs while viewing 'watch-trafficgroup-device' if devices in the device group change. The 'watch-trafficgroup-device' can sometimes become non-responsive. Killing the tool and restarting after the device group membership stops changing keeps the 'watch-trafficgroup-device' running stable.
ID 385274 This issue shows when an IPsec flow is routed via a gateway pool. When a monitored gateway pool member is detected to be down, a different member is selected as the gateway. The policy flow's nexthop is not always updated to reflect the member switch. IPsec flows need to be routable via a gateway pool. IPsec traffic continues to use the down pool member. N/A
ID 385508 Loading a pre-11.0.0 UCS onto a system running 11.0.0 or later resets the device trust group, and should be avoided after the original migration. Save a new 11.x UCS immediately after migration is complete and use that UCS going forward. Migrating with pre-11.0.0 UCS onto system running 11.0.0. Resets device trust group. None.
ID 385825 The CMI watch_* scripts (such as watch-devicegroup-device, watch-sys-device, watch-trafficgroup-device) should not be allowed to run indefinitely as they may adversely affect performance of the unit after a few hours. Run a CMI watch script for an extended period, for example: 'tmsh run cm watch-devicegroup-device'. May cause processes to fail, or unit to failover or unexpectedly reboot when non-tmm memory is exhausted. The CMI watch-* scripts (like watch-devicegroup-device) should not be allowed to run indefinitely. Usually problems will occur after a few hours, so keeping runs to less than an hour should normally be safe.
ID 385915 When using the tmsh command 'list net interface all lldp-tlvmap' to display the lldp-tlvmap values, you might see values that deviate from the default of 130943 (for example, 114552). This issue occurs when Link Layer Discovery Protocol (LLDP) is enabled and you use the BIG-IP Configuration utility to manually update the properties of a BIG-IP interface; unused bits in the Type, Length, Value (TLV) bitmask are incorrectly set. None. This issue is purely cosmetic. Manually modify the value as needed.
ID 386778 IPsec in HA deployment cannot use anonymous ike-peer. This occurs when using IPsec in an HA configuration. The tunnel is not created. - Create a new ike-peer with the required remote IP field holding the remote peer's IP address. - If using RSA (the default) uncheck the verify certificate field (not required when using PSK). - Change the presented ID and verified ID fields to 'address'.
ID 387106 Ramcache statistics are associated with only one virtual server per profile. The statistics for all of the virtual servers that use this profile are reflected in the ramcache statistics for that virtual server. This occurs in reporting ramcache statistics. System reports statistics for only one virtual server per profile. The workaround is to create a copy of the profile for each virtual server if the individual statistics are desired. However, this adds complexity to the configuration and should only be done when necessary.
ID 387448 Monitoring device group status from a device from outside the group might return an incorrect status. When monitoring device group status from a device that does not belong to that group, the config sync status reported could be inconsistent with the device-level status. For example, the sync status for device A is 'Changes Pending,' but the device-group to which device A belongs shows a status of 'In sync.' View the sync status from a device in the device group.
ID 388098 Running dmesg can report hda cable detect errors. This occurs when running dmesg. dmesg might display a message similar to the following: 'localhost warning kernel: hda: host side 80-wire cable detection failed, limiting max speed to UDMA33'. None. This is expected and does not indicate any problem with the hardware or software.
ID 388273 On a VIPRION, the failover daemon does not communicate correctly with the peer chassis unless the management port is configured on each blade. This occurs on a VIPRION when the failover daemon attempts communication with the peer chassis. Communication does not occur correctly, and both chassis can become active for an interval of time. Configure the management port on each blade. Specifically, assign a network address and subnet to the management port for each blade.
ID 389397 On 12050/12250 (D111) and 10350N (D112) platforms, setting the db variable platform.powersupplymonitor to disable might not stop power supply error messages on power supplies that are connected but not turned on. This occurs on BIG-IP 12050/12250 (D111), 10350N (D112), and 10000s/10050s/10200v/10250v (D113) platforms on which platform.powersupplymonitor is set to disable. The power supplies in the system that are not turned on might log error messages until power is removed. Remove power on disabled power supplies.
ID 389912 A chassis uses a yellow Secondary LED on secondary blades of the standby device to indicate that the chassis is in standby mode. On a chassis containing a single blade, there is no way to indicate standby mode with the blade LED(s). This occurs on single-bladed chassis in the standby mode. There is no blade LED indication that the chassis is in standby mode. None.
ID 389976 There is a memory leak in the Kerberos delegation feature. This occurs when using Kerberos Delegation in Advanced Client Authentication. APM functionality is not affected. There is no current workaround.
ID 390423 Performing a 'sync from group' causes a mismatch in LSS 'Last Successful Sync' IDs. This occurs when viewing the configsync status from devices outside of a device group but in the trust domain. The configsync status shown might be incorrect on some devices and not others. View the sync status from a device within the device group.
ID 390764 A BFD session may not show the correct session 'Up Time' value when the user displays BFD session information using the IMI shell command 'show bfd session detail'. This occurs when any BFD session parameter is modified through imish. No functional impact; only diagnostic. The BFD session will appear as having bounced when it has not. None.
ID 392085 On a standalone BIG-IP system, on the properties screen for Device Management, the Force to Standby button might become available. Since this is a standalone unit and there is no active-standby configuration, this button is not valid and it should not be clicked. This occurs on a standalone BIG-IP system. The Force to Standby button might become available, even though it is not valid. None.
ID 393647 The availability status for objects configured with a connection rate-limit can remain yellow even if the object is available to handle traffic. This occurs when using objects configured with a connection rate-limit. Once the connection rate falls below the configured value, the object's status will continue to show unavailable until the object receives additional traffic. None. However, this is a cosmetic issue and is limited to testing scenarios where the test tool stops sending traffic upon receiving a reset packet. ApacheBench is one such tool. In real world scenarios, continued traffic processing automatically restores the correct status.
ID 395148 When setting the baud rate for the front panel serial management port using the AOM command menu, the LCD display does not reflect the baud rate change until fpdd is restarted. This occurs when changing the baud rate using the AOM command menu. The incorrect baud rate might be shown. Restart fpdd using the command 'bigstart restart fpdd'.
ID 395269 Reapplying a template to reconfigure an Application Service Object deletes any firewall rules that have been created through the Security screen. This occurs when reconfiguring an iApp. Firewall rules are deleted. To retain a set of firewall rules, include creation of the desired firewall rules in the template itself.
ID 395720 On the BIG-IP 4000 platform, sometimes on boot, Ethernet devices do not get renamed. For example, eth6 should be renamed to pf1-7. This occurs on the BIG-IP 4000. Ethernet devices do not get renamed. To work around this issue, reboot the device.
ID 396122 In a non-homogeneous cluster, validation on a secondary blade may fail if the module is not allowed or resources are not available. Make sure the primary member of a cluster is the blade with the least available resources (Puma1).
ID 396273 When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is likely a firmware bug on this device. Contact the card vendor for a firmware update. This can occur when 'lspci -vvv' has been executed. This is a benign message, and you can safely ignore it. There is no workaround, but this is not a functional issue.
ID 396278 If you set MGMT IP address using the LCD module, the ltm log contains a message stating the management route was not found. This is the message: Aug 31 12:01:20 localhost err tmsh[9771]: 01420006:3: 01020036:3: The requested management route (/Common/default) was not found. This is a benign logging message that is reporting a non-existent error condition. This occurs when you set MGMT IP address using the LCD module on 1600, 2000, 3600, 3900, 4000, 5000, 6900, 7000, 8900, 10000, and 11000 platforms. The system writes this message to the ltm log: Aug 31 12:01:20 localhost err tmsh[9771]: 01420006:3: 01020036:3: The requested management route (/Common/default) was not found. There is no workaround, but this is a benign logging message that is reporting a non-existent error condition.
ID 396293 SNAT bounceback does not work when the non-default CMP hash is used on a VLAN carrying that kind of traffic. This occurs with SNAT bounceback using non-default CMP hash. SNAT bounceback does not work. None.
ID 396294 At startup, the BIG-IP 4000 logs a message 'SwEdge Error: No core edge found' in /var/log/ltm. This occurs at startup time on the BIG-IP 4000. The system logs the message 'SwEdge Error: No core edge found' in /var/log/ltm. None. This message is benign and reports a non-existent error condition.
ID 396831 Provisioning Virtual Clustered Multiprocessing (vCMP) on 2000/4000 series platforms can cause a kernel panic. vCMP is not supported on these platforms. This can occur on the 2000/4000 series platforms. A kernel panic can occur. The release notes contain information about which platforms support vCMP. You can also check the AskF5 Knowledgebase. If a vmdisks application-volume was created on a platform that does not support vCMP, it should be removed.
ID 398947 It is possible that the text 'serial8250: too much work for irq4' may be seen on the host serial console. These messages are extremely rare. The cause of the message is a temporary overload of the serial port. However, once the serial port has recovered from the overload, it continues to operate normally. The system might post the text 'serial8250: too much work for irq4' on the host serial console. None. No character loss on the console has been observed when this condition is encountered.
ID 399073 You might encounter the error 'err ntpd[5766]: Frequency format error in /var/lib/ntp/drift' in /var/log/daemon.log once after boot. This occurs after boot. The system posts the error: err ntpd[5766]: Frequency format error in /var/lib/ntp/drift. None. This message indicates an innocuous condition.
ID 399470 Switch based platforms incorrectly identify Fiber Channel SFP modules. This occurs on switch based platforms. The platform incorrectly identifies the Fiber Channel SFP. None. Switch based platforms do not support Fiber Channel SFP modules.
ID 399726 tmm restarted during license or config loading. A new tmm core file is in /shared/core, and the message 'HA daemon_heartbeat tmm fails action is go offline down links and restart.' from the sod daemon appears in the /var/log/ltm file. This occurs when tmm takes more than 10 seconds to mmap the GeoIP files as part of the license loading process because of high disk latency. It may trigger failover.
ID 400078 When removing a pluggable module from some specific ports on 4300/4340N blades or on the 10000 and 12000 series platforms, it is possible for the adjoining ports to lose link briefly. For example, this might occur when removing a pluggable module from the 4300 blade's ports 1.1 or 1.5. When this occurs, it may cause an established link on ports 1.2 or 1.6, respectively, to drop briefly. None.
ID 400346 A DHCP option field populated with a properly formatted URL in a DHCP response may cause the dhclient process to generate an error. This occurs when DHCP sends a response containing characters such as forward slash and colon, such as might exist in a URL specified with the server-name, merit-dump or filename options. The system posts a message in daemon.log: 'err dhclient: suspect value in server_name option - discarded'. This message is benign and can safely be ignored. The message can be avoided by configuring the DHCP server to distribute a specific lease without the DHCP option, or configuring the BIG-IP management port with a static IP address. Note that the DHCP option may be required for PXE installations, or can be specified during PXE installation time.
ID 400584 An lsn-pool object can be created without any member prefix; however, it will not function for translation until prefixes are added. This occurs with an lsn-pool that has no member prefix. The lsn-pool does not perform translation. Add prefixes to the lsn-pool.
ID 400778 On a VIPRION system, during a failover in which a blade transitions from secondary to primary, log messages make it appear that chmand is trying to delete logical disks on CF1 and HD1. This occurs on VIPRION systems. The ltm log displays messages: 'Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete', 'Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete'. None. These messages are benign and you can safely ignore them.
ID 402115 Using the command 'tmsh show sys memory' displays zero usage for some entries. Any running product. The division of memory usage may not be clear. None. However, the information shows the most important value, which is the memory utilization of each thread; the memory available to each thread is derivable from the total.
ID 402455 Before attempting synchronization using the GUI setup wizard, clocks of the BIG-IP devices must be synchronized. It is recommended to use an NTP server for completing this operation. This occurs when using the setup wizard. Establishing device trust group fails. To facilitate this, synchronize the clocks of the BIG-IP devices, preferably using an NTP server.
ID 402855 If a config is created with route domains and a config is created that is identical except without any route domains, then while one config is loaded, a load of a UCS of the other config may fail. The load fails initially; once defaults have been loaded, the configuration may be loaded again. Clear the current config by loading defaults before loading the UCS, i.e.: tmsh load sys config default ; tmsh load sys ucs <ucs_name>
ID 402873 The source IP address for SNMP traps is inconsistent. For example, traps regarding monitor up/down status are sent with the TMM self IP as the source IP; however, traps regarding the restart of the SNMP agent are sent with the management IP as the source IP. This occurs when the desired destination for SNMP traps is configured on TMM interface(s) and there is no specific management route configured. A routing change may result, or the SNMP manager may not accept the SNMP trap if it does not come from the registered source IP address. The recommended workaround is to configure a specific management route to make the SNMP traps consistently source from the management IP address. Alternatively, the following configuration makes the SNMP traps consistently source from the TMM self IP address (10.x.x.y):
  sys snmp { traps { my_trap { community public host 10.x.x.z } } }
  ltm rule trap_translate { when CLIENT_ACCEPTED { log local0. "original src-ip is [IP::client_addr], going to translate" snat 10.x.x.y } }
  ltm virtual-address 10.x.x.z { address 10.x.x.z arp disabled mask traffic-group traffic-group-1 }
  ltm virtual trap_translate_vip { destination 10.x.x.z:snmptrap ip-forward ip-protocol udp mask profiles { fastL4 { } } rules { trap_translate } translate-address disabled translate-port disabled vlans-disabled }
ID 403002 It is not possible to set up configuration synchronization using a configsync-ip on a nonzero route domain, but the system does not prevent you from configuring a device in this manner. This occurs when configuring route domains. The system does not prevent configuration of nonzero route domain. None.
ID 403613 The drop counters for the 1.x interfaces on the 2000s / 2200s and 4200v platforms currently do not work in LTM mode due to a hardware issue. This occurs with the drop counters for 1.x interfaces on 2000s / 2200s and 4200v platforms. Drop counters do not work in LTM mode. There is no workaround.
ID 403688 Hardware syncookies currently require both client side and server side profile context to have hardware syncookies enabled in order to function. This occurs with hardware syncookies. Hardware syncookies do not function. Enable client side and server side profiles for hardware syncookies.
ID 403764 If a log message is not matched by any filter, then the log will be processed by the syslog-ng daemon. To disable log processing by the syslog-ng daemon, create a filter with source equal to "all" and level equal to "debug" then route as desired.
ID 404398 Using tmsh merge to update route-domains does not work. A workaround is to manually merge the changes to /config/bigip_base.conf (or /config/partitions/<partition_name>/bigip_base.conf) and load.
ID 404588 LSN iRules persistence-entry get/set and inbound-entry get/set might not work properly for RTSP if the 'after' command is used. This occurs when using the 'after' command. LSN iRules persistence-entry get/set and inbound-entry get/set might not work properly for RTSP.
ID 405255 Issuing a 'reset-stats net interface' command in tmsh does not clear the stats for an interface with status 'disabled'. This occurs when resetting stats on a disabled interface. Stats do not reset. Enabling the interface with 'modify net interface x.y enabled' before resetting stats causes the stats to correctly clear. The interface can be disabled again afterwards if needed.
ID 405356 Hot swapping hard drives at a rate of approximately once per second may result in the drive failing to show back up after insertion. This occurs when the swapping occurs at a rate of approximately once per second. Loss of access to an affected drive. It is possible to recover missing devices by manually forcing the kernel to rescan the SATA/SCSI host bus. To find out how many SATA/SCSI busses you have:
  shell> ls -l /sys/class/scsi_host/
  drwxr-xr-x 3 root root 0 Feb 12 19:01 host0
  drwxr-xr-x 3 root root 0 Feb 12 19:01 host1
  drwxr-xr-x 3 root root 0 Feb 12 19:01 host2
  drwxr-xr-x 3 root root 0 Feb 12 19:01 host3
  drwxr-xr-x 3 root root 0 Feb 12 19:01 host4
  drwxr-xr-x 3 root root 0 Feb 12 19:01 host5
To find out which device(s) may have an error, run 'dmesg | grep -i sata'. Example output: 'ata1: SATA link down (SStatus 0 SControl 300)', indicating that host bus 1 (ata1) is down. If you know the host interface which you need to rescan, run the following, wildcarding the Channel, Id, and LUN with '- - -' and replacing <n> with the number of the SATA/SCSI host bus to be rescanned:
  shell> echo '- - -' > /sys/class/scsi_host/host<n>/scan
NOTE: Do not perform this procedure on a mounted device! To verify the device was recognized and attached by the SATA/SCSI subsystem, use the proc interface:
  shell> cat /proc/scsi/scsi
An example of the output:
  Attached devices:
  Host: scsi0 Channel: 00 Id: 00 Lun: 00
  Vendor: ATA Model: WDC WD1000CHTZ-0 Rev: 04.0
  Type: Direct-Access ANSI SCSI revision: 05
  Host: scsi1 Channel: 00 Id: 00 Lun: 00
  Vendor: ATA Model: WDC WD1000CHTZ-0 Rev: 04.0
  Type: Direct-Access ANSI SCSI revision: 05
Notice that after the 'Attached devices:' line above, there are three lines for each recognized device. Each host shows its host bus number. In the example above there are two devices: host bus 0 (scsi0) and host bus 1 (scsi1).
ID 405539 When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED. This occurs when using both tmsh and the GUI. The state of the interface remains DISABLED. However, the interface passes traffic after enabling. Rebooting corrects the indicator.
ID 406071 The command [clock clicks -milliseconds] on 32-bit versions of BIG-IP returns a 32-bit version of the integer milliseconds since the epoch. Since the true value is larger than 2^31, the value wraps. This occurs when more than 2^31 ms have elapsed since the epoch. The actual number of milliseconds since the epoch is not accessible, but time differences of less than 2^31 milliseconds (24.8 days) work fine.
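As an added illustration (not part of F5's release note), the following C model shows the truncation this note describes and why differences below 2^31 ms still come out right while longer ones go negative; it assumes the 32-bit result is the low 32 bits of the true count, which is my assumption rather than something the note states.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit [clock clicks -milliseconds] result:
 * the low 32 bits of the true millisecond count, read as a signed value
 * (assumption: truncation keeps the low 32 bits). Past 2^31 ms it wraps
 * negative, so the absolute value is meaningless. */
int32_t clicks_ms_32(uint64_t true_ms) {
    return (int32_t)(uint32_t)true_ms;
}

/* Elapsed time as a 32-bit integer subtraction computes it: modular
 * arithmetic in 32 bits, then read as signed. This is correct for any
 * interval below 2^31 ms even when a wrap occurs between the two samples,
 * which is why interval measurements in iRules keep working. */
int32_t elapsed_ms_32(int32_t start, int32_t now) {
    return (int32_t)((uint32_t)now - (uint32_t)start);
}

/* Whether an interval can be trusted from a 32-bit clock: anything of
 * 2^31 ms or more (about 24.8 days) overflows the signed result. */
int interval_ok(uint64_t interval_ms) {
    return interval_ms < (1ULL << 31);
}

int main(void) {
    /* Constructed timestamps straddling the 2^31 ms boundary. */
    uint64_t t0 = (1ULL << 31) - 500;      /* 500 ms before the wrap */
    uint64_t t1 = t0 + 1000;               /* 1 s later, past the wrap */
    uint64_t t2 = t0 + (1ULL << 31) + 1;   /* more than 2^31 ms later */

    printf("32-bit views: %d then %d\n", clicks_ms_32(t0), clicks_ms_32(t1));
    printf("1 s measured across the wrap: %d ms\n",
           elapsed_ms_32(clicks_ms_32(t0), clicks_ms_32(t1)));
    printf("2^31+1 ms interval: %d ms (negative means overflow)\n",
           elapsed_ms_32(clicks_ms_32(t0), clicks_ms_32(t2)));
    printf("interval_ok(2^31 - 1) = %d, interval_ok(2^31) = %d\n",
           interval_ok((1ULL << 31) - 1), interval_ok(1ULL << 31));
    return 0;
}
```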
ID 406238 An FTP active mode data connection does not work from the BIG-IP system command line if the connection is exiting through an interface with SP DAG. This occurs when cmp-hash is set to src-ip or dst-ip and FTP is initiated from the BIG-IP. The data connection cannot be established in active mode. Use FTP passive mode for data transfer.
ID 406500 Applying a self IP to a tunnel-type VLAN connects the two objects. The self IP should not be deleted unless it is first disconnected from the VLAN. Repro:
create net tunnels tunnel t1 profile dslite local-address
create net self s1 address vlan t1
create net route r1 interface t1
delete net self s1
modify net route r1 description "test test"
You will receive an error about no self IP. The problem may cause the system configuration to not load.
ID 406878 If you have a version of TMOS on multiple devices configured for sync, when you upgrade them all to a later TMOS version, there might be inconsistency in what versions one device reports as being present on other devices. You can run the command 'list cm device' on a given device to see the version/build correctly shown for that particular device. This occurs after upgrading members of a trust domain from TMOS v11.0.0 or later. Sync occurs correctly; this is only a cosmetic problem. Make a change to the device's description field, or some other non-operational change. This will force the device to advertise an updated trust configuration, including the updated version field.
ID 408599 The iRule node command does not work under the LB_SELECTED event. Using the node command within LB_SELECTED does not function properly. Use the node command under other events.
ID 408810 BIG-IP with Vyatta neighbor on a single link may appear to be stuck in ExStart/Exchange state because Vyatta incorrectly drops a database description packet containing a 24 byte router-LSA (zero link LSA). "OSPFv2 or OSPFv3 Neighbor is a Vyatta router" OSPF session will not come up None
ID 409059 Hairpin connections are not supported for NAT64. "lsnpool with NAT64, hairpinning enabled" hairpinned connections will not work Hairpin via upstream router
ID 410036 If a client and server attempt to resume a TLS connection using TLS session tickets through a BIG-IP virtual server configured for Proxy SSL, the BIG-IP resets the connection. If Reset Cause Logging is enabled (refer to SOL13223), the reset cause is 'SSL Session Not Cached.' Resumed handshakes do not succeed, which might result in traffic disruption for the affected clients through the virtual server. Disable TLS session tickets on either the pool members or the client systems.
ID 410114 When OSPF protocol running on BIG-IP system sends a 24 byte router LSA, Vyatta discards such an LSA and this may cause OSPF protocol to get stuck in ExStart/Exchange and never reach FULL state. This occurs intermittently. OSPF v2 protocol configured between BIG-IP system and a Vyatta neighbor. OSPFv2 protocol does not synchronize without manual intervention. In imi shell, run the command 'clear ip ospf process'. You might need to run the command multiple times.
ID 410223 For a virtual with a SIP profile configured as an ALG using the TCP transport, TCP FIN and RST packets are being unnecessarily sent by the BIG-IP to multiple peer clients/servers when one of the clients/servers issues a FIN or RST packet. SIP ALG TCP virtual configuration and one of the clients/servers sends a FIN or RST packet to the virtual. Unless the SIP clients/servers are configured to automatically reconnect when they receive an unexpected FIN or RST, the in-progress sessions/calls that are using the connection being closed will fail. Configure the mblb (message based load balancing) profile to isolate the clients and servers from RST and FIN packets generated by the other clients and servers. Add the following mblb profile to the SIP virtual:
ltm profile mblb /Common/test {
    defaults-from /Common/mblb
    isolate-abort enabled
    isolate-client enabled
    isolate-expire enabled
    isolate-server enabled
}
ID 411636 The LCD system is enhanced with a new menu for DHCP. This menu reflects the current DHCP value set using LCD DHCP, tmsh, or configuration scripts. If the DHCP value is enabled, the LCD System Management menu still allows setting values for the management data. If you check the front panel, it appears as if the address is actually used. In fact, there is no connectivity to the manually configured address, because the DHCP configuration is still in use. This occurs only on appliances (that is, non-chassis systems). Attempting to save the changes results in a message: 'Disable DCHP from LCD before setting IP'. To change the management IP address, use the LCD to disable DHCP first.
ID 411875 The persist command generates an erroneous intermittent error when resuming after server-side shutdown This occurs when the persist command parks and the flow is closed before it resumes. Any portion of the iRule following the park does not run, and the connection logs a spurious error. Insert a [catch] around the [persist add].
ID 412458 It is possible to misconfigure a SIP ALG virtual by adding a transport protocol profile to the virtual server that does not match the ip-protocol of the virtual server. This invalid configuration will result in a core. If a UDP profile is applied, then the ip-protocol type should be udp. If a TCP profile is applied, then the ip-protocol type should be TCP.
ID 414018 Hairpin connections between different subscriber hosts fail. The subscriber network(s) and the internet are in different route domains. Applications on different subscriber hosts cannot establish connections. Use the same route domain for the subscriber networks and the internet.
ID 414160 Configuring the VLAN used for inter-device mirroring for an IP cmp-hash mode may cause errors establishing the mirroring connection between devices. Configure the VLANs used for the mirroring connection with the default cmp-hash mode, not an IP cmp-hash mode.
ID 414454 When you update an iRule and replace an event that contains script content with a blank script, TMM cores with a stack trace because it tries to compile an empty script. Note that when creating a new iRule, there is a check for adding an event script with no content, so the error does not occur on create. This occurs when replacing iRule events containing valid Tcl code with whitespace or with no Tcl code. When the issue occurs, TMM cores with a stack trace. To work around this issue, delete or comment out the empty event, or insert a comment.
ID 415483 A license activated on 11.2.1, or later, is not backward compatible with software versions 11.2.0, or earlier An issue occurs after performing a software downgrade from version 11.2.1, or later, to software version 11.2.0, or earlier. The license becomes non-operational. You must acquire a new License Key, or request for 'allow move' from F5 after downgrade.
ID 415961 Unused HTTP Class profiles are not rolled forward during upgrade or UCS restore. If you have defined HTTP Class profiles but have not assigned them to virtual servers, the system does not bring forward those profiles into the new configuration when you upgrade. No Policy is created from the HTTP Class profile and the profile does not appear in the new configuration. This occurs when upgrading a pre-v11.4.0 configuration with an HTTP Class profile not attached to a virtual server. You might lose unused HTTP Class profiles in the configuration. Attach all HTTP Class profiles to a virtual server before upgrading or saving a UCS.
ID 416727 Under rare conditions, a BIG-IP appliance may exhibit the following symptoms:
- repeated reboots
- chmand core
- I2C errors in the ltm log, such as: info chmand[5876]: 012a0006:6: I2C device not ready for writing, retrying
- SMBus errors in the kernel log, such as: err kernel: i801_smbus 0000:00:1f.3: SMBus is busy, can't use it!
BIG-IP 1600 or EGW 1600 platform. Other platforms which may be affected include: BIG-IP 800, 3600, 3900, 6900, 89xx, 11000, 11050. BIG-IP is inoperative; the system reboots repeatedly. Power down the system from the AOM menu or LCD panel. Remove external power (complete cold power-down). Reconnect external power and boot the BIG-IP.
ID 417045 Upon shutdown, the system posts the message 'err chmand[8873]: Error sending MCP system_information (err:1020003)' to the ltm log. This might occur intermittently when shutting down the system. This message is benign, and the system should power up correctly.
ID 417526 When a power cable is reconnected to a power supply, a message will typically show up in the log /var/log/ltm like this:
Mar 29 11:09:37 SJPtengs-Treadstone notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good
But sometimes, the status may switch from Good to Bad, then back to Good within seconds:
Mar 29 11:09:37 SJPtengs-Treadstone notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good
Mar 29 11:09:37 SJPtengs-Treadstone crit chmand[9322]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV04G): Bad
Mar 29 11:09:40 SJPtengs-Treadstone notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good
This may happen when a power cable is disconnected, then re-connected to an AC power supply. This does not affect the normal operation of the BIG-IP. It simply means it may take a few seconds for the fan in the power supply to come up to speed. None.
ID 417548 The FIPS key object contains an encrypted copy of each key such that each record is ~2.5k. An out-of-memory exception can occur if thousands of FIPS keys are configured. An issue occurs if there are thousands of FIPS keys configured. It is possible to cause an out-of-memory error in the GUI. This presents a blank page in the GUI. A simple workaround is to use TMSH to list FIPS keys. Or run tmsh modify sys db provision.tomcat.extramb value 64. This increases memory provisioned for the GUI database query
ID 417720 If a power supply fan unit becomes jammed or experiences a failure that prevents the minimum RPM threshold from being met, the LTM log will erroneously indicate that the power supply has been turned off. For example:
localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(73-610-125): Bad
localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power supply #2 fan-1: Bad
localhost warning chmand[8482]: 012a0018:4: Chassis power module 2 turned off.
Any kind of power supply fan failure that prevents the unit from achieving the minimum spec for RPMs. Misleading log message.
ID 417899 If you run the command 'service network restart' to stop and start all the network interfaces, the connection to LOP is lost, and the log shows 'Lopd status: 2' in the log messages to indicate the LOP has no response. This occurs when you run the command 'service network restart'. TMOS is not able to communicate with LOP firmware, which reports data about sensor and backplane interface status. Recreate the special VLAN that connects to LOP by running the command 'service lopd restart' to restart lopd.
ID 418509 It is not possible to match a literal '(' in the stream filter. Stream filter enabled; the stream expression includes a '(' that is not intended as the opening of a regex group. Unable to directly match expressions that contain a literal '('.
ID 418709 The LCD module might report the error 'Low fan speed'. However, it does not specify which fan component on the unit is low: the CPU fan, the chassis fan, or a specific PSU fan. This occurs on the 2000 series, 4000 series, 5000 series, 7000 series, and 10000 series platforms. There is an indication that a component is failing, but no indicator of which specific component is failing. Use the console to determine which fan is low either by viewing console messages/warnings as they show up or by running 'tmsh show sys hardware' or viewing the /var/log/ltm file.
ID 418890 When trying to upgrade from version 10.x to version 11.x, SSL keys can fail to roll forward. The roll-forward process does not handle what appears to be an OpenSSL bug (tested through OpenSSL 1.0.1c). This occurs when rolling forward RSA keys from version 10.x to 11.x. Rather than the expected failure ('unable to load Private Key' with a 'bad decrypt' reason), approximately 0.3% of attempts respond differently: the return status is non-zero but the output does not contain 'bad decrypt'. In this case, the system considers the key bad even though it is fine. There is no workaround.
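The check the roll-forward performs is essentially "run OpenSSL against the key and look for 'bad decrypt'". As an added example, not F5's code, the following shell helper separates the three outcomes (key loads, OpenSSL reports 'bad decrypt', OpenSSL fails some other way) so a migration script can treat the third case as "try the next candidate or inspect" rather than "key is bad". The 0.3% figure is close to 1/256, which is what you would expect if a wrong passphrase occasionally yields plaintext whose last byte happens to pass the padding check, so the failure surfaces as an ASN.1 parse error instead of 'bad decrypt'; that explanation is my inference, not something the release note states. The openssl invocation assumes a PEM RSA key and an openssl binary on PATH; the error strings in the usage note are constructed samples.

```sh
#!/bin/sh
# classify_key_decrypt.sh - added example; not F5 code.

# classify_openssl_result STATUS STDERR_TEXT
# Prints: ok (status 0), bad-passphrase ("bad decrypt" reported), or
# other-error (non-zero status without "bad decrypt", e.g. an ASN.1 error).
classify_openssl_result() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif printf '%s\n' "$2" | grep -qi 'bad decrypt'; then
        echo bad-passphrase
    else
        echo other-error
    fi
}

# try_passphrase KEYFILE PASSPHRASE
# Runs openssl, captures only stderr, and classifies the outcome.
try_passphrase() {
    err=$(openssl rsa -in "$1" -passin "pass:$2" -noout 2>&1 >/dev/null)
    classify_openssl_result "$?" "$err"
}

# find_passphrase KEYFILE PASS1 [PASS2 ...]
# Tries candidate passphrases in order. Prints the 1-based index of the
# first one that works (never the passphrase itself) and returns 0; returns 1
# if none worked. An other-error result is logged and the next candidate is
# tried instead of declaring the key bad, which is what the roll-forward
# process described above fails to do.
find_passphrase() {
    key="$1"; shift
    i=0
    for pass in "$@"; do
        i=$((i + 1))
        case "$(try_passphrase "$key" "$pass")" in
            ok) echo "$i"; return 0 ;;
            bad-passphrase) ;;
            other-error) echo "$key: candidate $i produced an unexpected OpenSSL error; continuing" >&2 ;;
        esac
    done
    return 1
}
```

Usage: find_passphrase /path/to/key.pem "$old_pass" "$new_pass". A constructed 'bad decrypt' stderr such as "unable to load Private Key / error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt" classifies as bad-passphrase, while a constructed "error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag" with the same non-zero status classifies as other-error. The general lesson for any key-migration tooling is the same: never gate on a single error string when the underlying failure mode is probabilistic.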
ID 418924 Secondary blades in a cluster go into swap when there are too many iso images in /shared/images. Too many iso images in /shared/images. Secondary blades are slow. Use tmsh or the GUI to delete as many iso images from /shared/images as feasible.
ID 418967 If two iRules with HTTP_RESPONSE events are present with different priorities, and the iRule that runs first executes HTTP::retry, the second iRule causes an error to be generated. Give the iRule that calls HTTP::retry the higher priority.
ID 419345 Changing Master Key on the standby of an HA configuration on a chassis might cause secondaries to restart processes. This occurs when you modify the master key on standby chassis. Users might not be able to access the cluster. The secondary blades of that chassis might experience continuous restarts of mcpd and other daemons, accompanied by 'decrypt failure' messages in the ltm log. Run the command bigstart restart on secondaries to return system functionality. In general, you should change master keys on the primary in the cluster.
ID 419621 After a blade failover, an existing inbound session may not have the delete event logged when it completes. "lsn-pool with NAPT Inbound session logging enabled HA configuration After failover" The add event for the inbound session may not have a matching delete event.
ID 419623 If a command that needs to suspend processing (for example, table, session, after, sideband, and persist) is evaluated within the content of an expr block, tmm cores. This occurs when using the table, session, after, sideband and persist commands inside an expr block within an iRule. Tmm cores. Assign result of command to a variable outside the block and operate on that value.
ID 419733 BIG-IP systems configured with additional non-default management routes via static, OSPF or other protocols might post error messages. The problem occurs when multiple management interfaces are defined. The system might post route_mgmt_entry count errors during the operation of the /usr/bin/config script. Use an alternative method to configure the mgmt address and default route: the GUI, iControl, tmsh, or a configuration file load.
ID 419741 TMM can crash and dump core. Core analysis is typically necessary to determine whether this bug is the cause. Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade. In rare situations, the TMM crashes. None. This occurs rarely, and the system recovers automatically. Although this workaround has not been verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.
ID 420053 Although the IPFIX Logging Destination accepts transport protocol profile configuration, it does not use parameters from the profile. An IPFIX Logging destination can be configured with non-default protocol profiles, such as a custom TCP profile with specific values for Idle Timeout or Keep Alive interval, but the selections are not used. This occurs when customizing parameters within the configured protocol profile. Parameters specified within the configured protocol profile are not utilized, and default values are used instead. None.
ID 420184 A transaction fails when you create a new folder and then create an object in that new folder in a batched set of command-line commands. This occurs when a folder does not yet exist, and you try to create the folder and the object in a batched set of command-line commands. The transaction fails with an error similar to the following: 01070734:3: Configuration error: Invalid mcpd context, folder not found (/AAA). To work around this, create a folder before using batch commands to create objects in a folder.
ID 420213 The system posts an error message during trust initiation when the peer is unreachable. This occurs when configuring device trust. The system posts an error message: ' Could not read response from server: ParseError at [row,col]:[1,236] Message: The processing instruction target matching '[xX][mM][lL]' is not allowed.' This indicates that the device that you are attempting to add is not accessible from the current device (that is, there is no route). Here is a more accurate message: 'Unable to retrieve device certificate. SSL handshake failed: No route to host'
ID 420344 When BFD is configured between the HA pair neighbor and the HA pair units, BFD fails to establish a session because the IS-IS routing module uses floating self IP address for establishing adjacency rather than non-floating self IP address. BFD is used with IS-IS in HA pair configuration. BFD cannot be used with IS-IS in HA pair configuration. None.
ID 420689 A single configuration file (SCF), as generated by the command save sys config file 'name', does not contain information describing which configuration objects have synchronized between the device and other devices. This occurs with an SCF generated using the command save sys config file 'name'. Loading the SCF can cause the system to lose track of this information. From one device, run the following command:
modify cm device-group <device group name> devices modify { <device name> { set-sync-leader } }
ID 421092 The maximum number of named variables in an iRule is 4,194,304. This occurs when using iRules. No more than 4,194,304 named variables can exist in an iRule. None.
ID 421311 A 'user_disabled unchecked' node becomes 'user_enabled' on config load. During config load, the values are reset to the defaults. Configure a node as user-disabled; load the configuration. Traffic is passed to a user-disabled node. Running guishell -c "select * from node_address" forces all nodes to recompute their status. Running guishell -c "select * from pool_member" forces all pool members to recompute their status.
ID 421702 The BIG-IP system publishes the mgmt MAC addresses using offsets of the chassis base MAC address, instead of the MAC addresses from the kernel (as ifconfig and dmesg report). This occurs on BIG-IP systems when reporting mgmt MAC addresses. The MAC address is inconsistent between ifconfig and 'tmsh show sys mac'. None.
ID 421718 "Resetting the log.bcm56xxd.level variable in tmsh does not reset to the default variable properly. Using the command: tmsh modify sys db log.bcm56xxd.level reset-to-default, does not reset the default value." Using the tmsh command as noted. This particular command does not work. However, the db variable is still explicitly set-able. Set log.bcm56xxd.level manually. Do not reset to default.
ID 421851 When iRules are saved into bigip.conf, the first line is automatically indented with four spaces. Usually these spaces are removed when the config is loaded, but when an iRule starts with commented lines, the whitespace is not removed. Every subsequent save/load operation adds another four spaces. When a user adds a checksum to the iRule, loading fails with a checksum verification error. This occurs when both conditions are true: 1. Line 1 begins with a # character and whitespace. 2. The checksum operation is performed on the iRule. Load failure. Remove the whitespace at the beginning of the iRule.
ID 421971 Renewing an existing certificate fails in UI if a user provides Subject Alternative Name (SAN) as input. Provide SAN while renewing certificate. Cannot renew certificate. Do not provide SAN information while renewing certificates.
ID 422087 As a result of this issue, you may encounter the following symptoms:
- The TMM process crashes with a SIGABRT.
- The BIG-IP system fails over to the peer system in a high-availability configuration.
- The BIG-IP system generates a TMM core file in the /var/core directory.
Conditions: a Web Acceleration profile is associated with a virtual server, and TMM has become deficient in memory. The BIG-IP system may temporarily fail to process traffic, and may fail over if configured as part of a high-availability system. There is no workaround for this issue.
ID 422259 An IPFIX logging destination is configured with a pool of nodes to identify the collectors to which IPFIX messages should be sent. The health of the nodes and the overall pool can be monitored by the BIG-IP using a health monitor (only the default "gateway_icmp" monitor is supported for EA). However, if network or other issues cause the ICMP monitors to mark a node as Offline, the BIG-IP will continue to try to establish connections and send data to that node, instead of deferring such attempts until the node is declared Online again by the health monitor. Network or other issues that cause ICMP requests to a pool member to fail. Minimal, other than extra processing load that could be avoided. Under normal circumstances, if ICMP traffic to a pool member is not successful, the BIG-IP will not be able to establish a connection to that member; IPFIX messages will be transmitted to other available nodes in the pool. None.
ID 422292 "When a BIG-IP IPFIX logging destination uses the TCP protocol, and one or more of its destination collectors becomes unavailable, the BIG-IP system repeatedly tries to re-establish a connection to that collector. RFC 5101 requires that the exporting IPFIX process must not attempt to reestablish a connection more than once per minute. In the EA release, the IPFIX logging destination will attempt connection re-establishment more frequently than the spec requires (up to once every 1/10 seconds)." Configured IPFIX collector becomes unavailable, and the IPFIX logging destination is configured to use the TCP protocol. Frequent unsuccessful TCP connection setup attempts by the BIG-IP system. "You can configure a TCP half-open health monitor to cause a collector failure to be detected quickly. The BIG-IP system may attempt unsuccessfully to re-establish a TCP connection for a few seconds, but once the monitor has deemed the node to be unavailable, the attempts cease. This does not make the BIG-IP system strictly compliant with the RFC text, but it mitigates the situation by not attempting to reconnect at frequent intervals for excessive durations."
ID 422315 When trying to remove certain interfaces from list, the user can encounter an error in the UI. For example, if more than two interfaces exist in the Interface list on a trunk object, you receive an error if you attempt to remove one of the interfaces that appear between the first and last interfaces listed. More than two interfaces exist in Interface list on trunk object. Customer tries to remove a 'middle' interface and Update. Customers cannot remove all interfaces from Trunk using UI. Use tmsh.
ID 423304 Objects may display extra parameters that don't belong to the object. When deleting a monitor or profile object and recreating it as a different type with the same name, after syncing, parameters from the former object get appended to the new object. For example:
delete ltm monitor https monitor1
create ltm monitor http monitor1 <...>
'monitor1', now changed to the http type, will have parameters from the original https monitor. Bad configuration on the box that is synced to, and no obvious warning signs. Make the changes and sync incrementally. For example:
delete ltm monitor https monitor1
<sync>
create ltm monitor http monitor1 <...>
<sync>
ID 423392 In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'. This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'. iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform. To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see SOL14544: The tcl_platform iRules variable is not in the static:: namespace, available here:
ID 424228 If a virtual server is created without an assigned pool (i.e. the pool is assigned in the iRule) and the iRule parks, the iRule may not return from suspension and the packet will be dropped. A virtual server is created and an iRule is assigned that parks, and the virtual server has no assigned default pool. Packets are dropped. Either use the CLIENT_ACCEPTED event for UDP data or assign a default pool.
ID 424568 When a certificate contains multiple/nested OUs, the X509Data returned through iControl has only the first OU. This occurs when using iControl. X509 data returned through iControl does not return multiple/nested OUs.
ID 424649 Blades will continually fail over with a large enough translation address space in an lsn-pool in DNAT mode. An example of a translation prefix large enough to cause this problem would be /8, or several translation prefixes summing to a large number of translation addresses. an lsn-pool in deterministic mode, assigned to a virtual, with a /8 prefix (or similar number of addresses.) System is rendered unusable until DNAT mode is disabled. Change to NAPT mode, or use a smaller translation prefix range. There is no other workaround.
ID 425017 For Thales HSM clients, the tmm and pkcs11d daemons must be restarted for changes to take effect to the key protect mechanism. This occurs for Thales HSM clients when support is added for module keys and token keys, or for softcard features, or when these are enabled or disabled. Changes do not take effect. None. The tmm and pkcs11d daemons must be restarted for the changes to take effect.
ID 425018 Loading an SCF after modifying a self IP may cause a route in the Linux kernel to be dropped. Linux host applications may not be able to connect when they are expected to. Create a config with a self IP on a VLAN and a default gateway route on that VLAN, save an SCF file, modify the self IP in that SCF file, and then load the SCF. The Linux kernel default gateway route is dropped, and host applications relying on the route may not be able to connect. Reset the config to default before loading the modified SCF: 1. tmsh load sys default. 2. tmsh load sys scf <SCF_filename>. For more information, see SOL14572: Routes configured in a single configuration file may be missing from the Linux kernel route table after loading the single configuration file, available here:
ID 425347 vCMP guests report 'unknown' as platform type. This occurs on vCMP guests. Customer is unable to remotely determine exactly which platform is being monitored. None.
ID 425817 The boot_marker entries found in system logs might not accurately reflect the version of the software in the active slot. This occurs when slot names share a common prefix, such as 'HD1.test' and 'HD1.testing', and you run the command tmsh show sys software. The result might show the incorrect version number. None.
ID 425826 A unit in an HA configuration constantly cored until the system was rebooted. An intermittent error appears:
notice panic: ../kern/xbuf.c:2273: Assertion 'valid xfrag' failed
It is unclear whether this is a high-speed bridge (HSB) issue or a driver issue. The return buffer is provided by the driver and used by the HSB to return the packets. Either the provided buffer is corrupt or the HSB somehow corrupts it. This issue is rare and has been seen across several platforms and HSB bitfiles. Rare issue that results in a kernel panic. You might see invalid return buffer and invalid xfrag messages. This is typically cleared on reboot. The issue might also be cleared with a bitfile upgrade.
ID 425992 If the BIG-IP mgmt interface is connected to a switch port with fixed settings (e.g., 100Mbps full duplex) but with auto-negotiation disabled, the BIG-IP mgmt interface will be set to 100Mbps HALF duplex instead. Conditions: 1. The remote switch port is configured with fixed media settings (speed, duplex) and auto-negotiation disabled. 2. The management interface on the BIG-IP system is configured with fixed media settings (speed, duplex). Inability to access the BIG-IP via the mgmt interface. Workaround: 1. Enable auto-negotiation on the remote switch (with only the desired option advertised). 2. Toggle the mgmt interface media setting between 'auto' and '100TX-FD' after the BIG-IP boots.
ID 426128 If the passphrase for the pkcs12 file being installed is greater than 49 characters in length, installation could fail with the error - "Key management library returned bad status: -28, Bad password". This occurs with pkcs12 files with passphrases greater than 49 characters. When this occurs, installation could fail with the error - "Key management library returned bad status: -28, Bad password". Use passphrases containing fewer than 50 characters for pkcs12 files.
ID 426129 CGNAT translation logs sent to ArcSight HSL destinations will not be in a compatible format for ArcSight to parse. "LSN pools are configured for a virtual server A log profile is configured to use an ArcSight destination and attached to the LSN pool" CGNAT log messages will not be processed correctly by ArcSight "Modify ArcSight for custom parsing Use a different log server."
ID 427260 Running tmsh show sys pptp shows the identical flow with different stats incremented. CGNAT and PPTP-ALG with the default DAG. Cosmetic, but may be confusing. Grep and aggregate the stats for a unified view.
ID 427580 When a PSU is absent from the system, LCD warning does not display module number. When the condition is detected, the ltm contains a log with all the information about which module is reporting the alert. PSU is absent. None. Use the ltm logs for troubleshooting.
ID 427924 When inserting a new blade in a VIPRION C2400 chassis, with UDP or TCP hash set to 'ipport', the new blade uses the 'port' hash instead. Rebooting the blade or restarting bcm56xxd and tmm causes the correct DAG (Disaggregator) hash to be used. UDP or TCP hash algorithm changed from default (e.g. changed from 'port' to 'ipport'). -- UDP or TCP virtual servers configured. -- New blade inserted into chassis. New blade includes external interface to which traffic will arrive. Prevents adequate distribution of traffic within a chassis, which may disrupt traffic flows or reduce the traffic throughput of the BIG-IP system. Reboot the new blade after it has been configured. Issue the 'bigstart restart' command (to restart the bcm56xxd and tmm modules and program the DAG with the correct hash type).
ID 428752 Occasionally, on shutdown/reboot of a platform, diskmonitor may be started while the system is shutting down. This occurs when the system is shutting down, halting or rebooting. After a shutdown, halt, or reboot is initiated, the system console may display this message: 011d0002: Can not access the database because mcpd is not running. The ltm log file shows the same database warning along with a date and system entry: Aug 23 14:31:02 BIG-IP.web1 warning diskmonitor: 011d0002: Can not access the database because mcpd is not running. The warning is innocuous on shutdown and may be ignored. The diskmonitor script automatically runs when the system is booted next and detects disk space issues at that time.
ID 428976 If a self IP configured for advertisement in OSPF is moved to a different VLAN, its LSA may be removed from the database and not re-added. OSPF enabled; self IP moved between VLANs. Missing prefix in OSPF. Remove and re-add connected route redistribution, delete and re-add the self IP, or clear the OSPF process ("clear ip ospf process" in imish).
ID 429013 The permissions on one specific log file were set incorrectly. This has been fixed to address an issue with CCE-26812-8, CCE-26821-9 and CCE-27190-8 (syslog-ng configuration/permissions). Since only Administrators can have advanced shell access, they are the only ones who could see the log file; the fix simply sets its permissions to match the rest of the log files. Very little impact. None.
ID 429075 Unable to use the WMI monitor to monitor a pool of IIS servers. A Windows Server running IIS on a virtual machine with the F5.IsHandler.dll installed. Unable to use the WMI monitor to monitor a pool of IIS servers.
ID 429096 Various tools, including the Dashboard, display the SSL TPS limit provided in the base license, ignoring any additional licensing modules that might increase the TPS limit. This occurs when the system is using licensing modules that increase the base SSL TPS. An incorrect SSL TPS limit is reported. None. This is a display issue only; the correct SSL TPS limit is actually enforced.
ID 429213 A race condition may occur in which a monitor instance is killed abruptly if another copy of the same monitor attempts to check the health of the same node IP:port in a different route domain. The killed monitor then contributes to a monitoring timeout and may mark the node down. This occurs because the PID file created to prevent duplicate monitoring of the same pool member is not sufficiently unique to distinguish between route domains. For example, a SIP monitor named "sip_london" applied to pool members in two route domains would share the same PID file: /var/run/ For health monitor types that execute outside of the bigd process, a health monitor is assigned to two different nodes that have the same IP:port in different route domains. The affected monitor types are: Diameter, IMAP, LDAP, NNTP, POP3, RADIUS, RADIUS Accounting, RPC, Scripted, SIP, SMB, SMTP, and WAP. Pool members may flap down/up. To work around this: 1. Create a duplicate copy of the monitor, adding the route domain to its name. For example: ltm monitor radius /Common/radius_seattle_rd43 { default-from /Common/radius_seattle } 2. For nodes or pool members in that route domain, replace the original monitor with the new duplicate.
ID 429613 TACACS+ accounting packets are only sent to the authentication server. This occurs with TACACS+ accounting packets. These packets are only sent to the authentication server. You can use syslog to send the messages (but not TACACS+ accounting codes) to multiple destinations simultaneously.
ID 430265 If an iRule runs a periodic after {} command containing a sideband connection that is closed in a different event, tmm may core if the flow is aborted, because the periodic after command is not notified that the flow is gone. A periodic after {} block uses a sideband connection that is opened or closed in a different event from the after command. tmm core. Let the completion of the iRule close the sideband connection.
ID 430354 When an alarm light is present on the primary blade and the USB LCD dongle is then attached, all of the blades change from green/Pri or green/Sec to amber status and the alarm light is cleared. A few moments later, once the LCD screen is up, the blades return to their original green Pri/Sec assignment, but the alarm light never returns. Although the alarm message is present on the LCD once it comes up, the alarm light should stay on until the alarm has been cleared. Inserting or removing the USB LCD module. The alarm message is present on the LCD after it comes up, but the alarm light is off. To work around this, run system_check manually.
ID 430915 When a power supply or fan tray FRU is inserted into a running BIG-IP system, a critical alarm may be raised indicating low power and/or fan speeds. This is due to the amount of time it takes for the power and/or fan speed levels to reach their steady state levels relative to when the sensors are monitoring them. Insertion of power supply or fan tray FRU. Critical alarm raised for temporary, non-serious issue.
ID 431283 The binary command does not check whether the offset argument moves beyond the internal buffer boundary, which may cause tmm to core. For example: binary scan [TCP::payload] @${offset_num}c var1 If offset_num is larger than the payload buffer length, tmm may core. An iRule passes a binary scan offset that is larger than the current payload buffer length. tmm may core. Check the payload length and compare it with the offset argument before using the command.
ID 431411 Multicast NTP received by a BIG-IP system from an NTP server can interfere with ntpd maintaining its client association with that NTP server. The BIG-IP system may source NTP queries with the multicast address used by the NTP server or IP address Multicast NTP is received on an appliance or Virtual Edition via the management or tmm interfaces, and the BIG-IP system is configured as a client of that NTP server. The BIG-IP system does not maintain time sync with the NTP server issuing NTP multicast. None.
ID 431480 Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed. The exact conditions that result in this error are unknown. When it occurs, the system posts a 'laddr is not NULL' message, and tmm dumps a core. None, but the system recovers without any user action.
ID 431936 The SASP monitor does not mark pool members down when the GWM server cannot be reached. The GWM server does not send a RST packet to terminate its connection to the SASP monitor in case of a network failure. The pool members are not marked down for a SASP monitor in case of a GWM/network failure. They are marked down when the TCP connection to the GWM terminates on a connection timeout which was observed around 10 minutes. Use the icmp monitor in conjunction with the SASP monitor. The icmp monitor should use the GWM server as its destination. This monitor should be associated with each of the nodes that are present in the pool using the SASP monitor. The pool members will be marked down when the GWM server cannot be reached.
ID 432242 Active device incorrectly marks pool members down or cycles status between up and down. This occurs with transparent VLAN groups. This occurs when monitors are configured to monitor through two layer2 devices on two different child VLANs. The issue occurs only with a significant amount of monitor traffic (for example, up to 128 nodes each way every second). The configuration might also require occasional broadcast ARP requests that were not known by the active device. This might result in monitor flapping and possible traffic misdirection on the active device. Use translucent vlan-groups instead of transparent.
ID 432407 The GUI becomes inaccessible after the system logs become large and the user navigates to the log lists under System :: Logs. This is most likely to occur when the logging options are configured to show the most output, for example: Enabled, Verbose, Debug. The issue is most easily seen when the system has been configured with Audit logging enabled, particularly for MCP, which sends numerous messages to /var/log/audit. This causes the log to become large, which over time might render the GUI inaccessible. When logs become large, the GUI might become inaccessible if the user attempts to view the log files through the GUI. Configure logging options to show only the most severe output: Emergency, Error, etc. (available under System :: Logs). If the system is already in this unresponsive state, issue the command 'bigstart restart tomcat'.
ID 432998 The mssql monitor marks down one pool member that was considered up by the earlier software version. Other units upgraded from version 10.x that monitor this pool member are fine. This occurs after an upgrade from version 10.x. The mssql monitor marks down one pool member that was considered up by the earlier software version. There is a Microsoft hotfix for SQL Server 2008 that resolves this issue. After applying SQL Server 2008 R2 SP4 to the server, encrypted communications function correctly. You can read more in the KB article that addresses the issue: 'FIX: You cannot connect to SQL Server by using JDBC Driver for SQL Server after you upgrade to JRE 6 update 29 or a later version'. One additional issue: looking at the customer's response, they are running SQL Server 2008 SP3 (NOT R2). I would recommend that the customer either try the post-SP3 rollup package on their 2008 server, or upgrade to 2008 R2 and apply SP4. The KB article above addresses both versions. Note, I have not tested this fix on 2008 (non-R2) because I didn't catch until recently that their server version was different from the one stated earlier.
ID 433223 On a VIPRION B4300 blade, VIPRION B2250 blade, or BIG-IP 10000-series appliance, messages similar to the following may be logged in the LTM log every 2 seconds: info bcm56xxd[25425]: 012c0016:6: _soc_xgs3_mem_dma: ING_SERVICE_COUNTER_TABLE_Y.ipipe0 failed(NAK) info bcm56xxd[7610]: 012c0016:6: _soc_xgs3_mem_dma: EGR_VINTF_COUNTER_TABLE_Y.epipe0 failed(NAK) info bcm56xxd[11548]: 012c0016:6: _soc_xgs3_mem_dma: EGR_SERVICE_COUNTER_TABLE_X.epipe0 failed(NAK) Similar errors also appear in the bcm56xxd log file. This error is logged if an internal parity error is reported by the Broadcom switch chip when stats are read from the chip by the BIG-IP system. Since these errors are reported for the interface that is used to retrieve stats from the Broadcom switch chip, they are not expected to impact the packet path or traffic passing. To stop logging of these errors and clear the internal parity error from the Broadcom switch chip, perform one of the following actions: 1. Restart the bcm56xxd daemon: bigstart restart bcm56xxd 2. Reboot the affected blade or appliance. For more information, see SOL14865: Some BIG-IP systems may log excessive bcm56xxd messages.
ID 433323 When a client request contains no-cache directive, ramcache excludes the request from caching and passes the request through. Because caching is disabled, the resource is not invalidated and the response is not cached. The expectation is the action should cause revalidation of the resource. Configure a virtual server with HTTP caching. Failure to invalidate resource. Increased load on origin server. None.
ID 433466 When a bundled interface (e.g., 2.1) is disabled, link issues might be observed on the first member of the associated unbundled interfaces (e.g., 1.1). Disabling a bundled interface affects the first member of the associated unbundled interfaces. Traffic is unable to pass because the port is in 'Down' status. Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). The same applies to the other bundle/unbundle relationships, such as 2.2/1.5 and 2.3/1.9, and vice versa.
ID 433572 DTLS does not work with the rfcdtls cipher on the B2250 blade. This occurs as a result of hardware acceleration offload on the B2250 blade when using DTLS on vCMP. DTLS does not work with the rfcdtls cipher on the B2250 blade. None.
ID 433897 If a datagroup contains entries that are longer than the maximum length allowed by a Tcl object, the datagroup can fail to load the element without warning. This occurs when an external datagroup loads strings that exceed Tcl-imposed limits. Incorrect datagroup. TMM might core if the non-loaded element is referenced. Use individual datagroup entries that are fewer than 65000 characters in length.
ID 434356 When an internal/external data-group configuration is modified, it doesn't reflect in a client SSL profile. Modifying a data group configuration. You have to manually restart tmm or re-apply the data-group to the SSL profile each time the data-group is modified. Restart tmm or re-apply the data-group to the SSL profile each time the data-group is modified.
ID 434364 When upgrading from 10.x or installing a 10.x-originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions that were generated from files in the 10.x install. If the filename being upgraded to a file-object starts with a '.', then on initial load bigpipe gives an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (<external monitor file object key> | show | list | help) for 'external monitor file object' The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.'. The UCS does not install properly, and/or the configuration on initial boot does not load. Edit the name of the file-object in question, found in /config/bigpipe/bigip.conf, to remove the leading '.' character from the object name, and make any references to the file-object match that change.
ID 434517 If a HTTP_RESPONSE event fires due to the server sending an early response (i.e. a response before the entire request has been sent), then HTTP::retry does not work correctly. Client begins sending a request. The server responds before that request is completely sent. A HTTP::retry is called in the HTTP_RESPONSE event. Typically, early server responses are error conditions. HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.
ID 434573 While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name. For example, the 'tmsh show sys hardware' command may display a Platform ID like the following: Platform Name D113 instead of the official platform marketing name, such as: Platform Name BIG-IP 10000F This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release. Custom automation scripts that depend on matching F5 platform marketing names may fail to match the platform ID. Update platform-identification scripts to include the relevant platform IDs among the recognized match values.
ID 435022 TMM might crash if an ICMP packet refers to a closed UDP connection. - A virtual server with a UDP profile. This is more likely to occur if the UDP profile 'Datagram LB' option is enabled and/or if the UDP profile timeout is 0 or 'immediate'. - An ICMP packet (such as destination-unreachable) arrives matching the IP and p Unexpected crash and failover. This is a rarely encountered issue. If the UDP profile timeout is set to 0 or 'immediate', consider increasing this value.
ID 435332 If users are defined on a version 10.2.1 BIG-IP system with the administrator or resource-admin role, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x. Here is a sample user config from 10.2.1: user v-abban { password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/' description 'v-abban' group 500 home '/home/v-abban' shell '/bin/false' role administrator in Common } The upgrade or UCS load fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Prior to upgrade, edit bigip_sys.conf so that the role line reads as follows: ... role administrator in [All] }
ID 435385 Unable to access the GUI. This occurs with frequent add/delete of vCMP guests; the speed of the add/delete operations might also be relevant. TMUI becomes unresponsive. To work around this, add and delete guests at a slower pace. To recover, run the command: bigstart restart.
ID 435494 The DTLS handshake may fail when UDP messages are round-robined among TMMs. DTLS configuration with Round Robin DAG enabled for DTLS UDP packets. The DTLS handshake could fail. Disable Round Robin DAG for DTLS packets.
ID 435646 The lsn-pool inbound setting does not work when the pool is not associated with a virtual server. An lsn-pool with inbound or hairpinning enabled is not associated with a virtual server but is assigned by an iRule. Inbound and hairpinning are not enabled for subscribers using that lsn-pool when it is assigned via an iRule. Create a virtual server for each lsn-pool.
ID 435670 If the DB variable Persist.WellKnownProxyClass names a deleted but loaded config item in Value List Object, the system posts an error. This occurs when the configuration item was removed from the running config, but exists inside a saved config. The configuration file does not load, and the system posts an error similar to the following: Error 0x1020036 occurred: 01020036:3: The requested value_list (/Common/test_group) was not found. None.
ID 435814 CGNAT connections for a single client might exceed connection limits. This occurs when the persistence-timeout value is fewer than 30 seconds on lsn-pools with connection limits Connection limits are not enforced. Set persistence timeout to a value greater than 30 seconds.
ID 435946 TMSH incorrectly allows a user to configure two mutually exclusive failover methods, namely auto failback and HA group, concurrently without warning. In this case, the HA group method is used. Using TMSH to configure failover and selecting both of these methods. The HA group method takes the place of auto failback, which may be unexpected if the user is not aware of this issue. Use the web interface instead on version 11.5.0 and later; it prevents invalid selections.
ID 436813 Messages for sync statuses differ when a sync config in memory is newer than the one in the binary database and the system is restarted. This occurs when you set-sync-leader and then issue a bigstart restart before saving the config. On one system, the message posted is 'Not All Devices Synced', and on another, 'Changes Pending'. This issue is cosmetic only; the actual sync statuses are correct. Save the configuration on a device before rebooting it.
ID 436825 Under certain conditions, nodes (or any other objects with an IP address) in a partition that belong to route domain 0 are treated as part of the partition's default route domain after an upgrade. All of these conditions must be true: the system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1 (upgrading to 11.0 or 11.1 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0); the system has a partition whose default route domain is set to a nonzero route domain; that partition contains nodes with no route domain set (so the default is used); and that partition contains other nodes in route domain 0. Those objects may no longer be addressable or able to connect. Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is used only by the GUI and shell, so temporarily changing it to 0 has no effect on the dataplane.
ID 437226 The SERVER_CLOSED execution counter is incremented by 2 for every 1 run when the flow is parked in CLIENT_CLOSE. This occurs in the stats for SERVER_CLOSED when the flow is parked in CLIENT_CLOSE. The stats for SERVER_CLOSED become inaccurate due to parking. None. This is a cosmetic issue. TMM does not core.
ID 437586 When running lspci -vv (or -vvv) on blades containing certain chipsets, the operation might encounter a Vital Product Data (VPD) read failure and time out, with the following message in the dmesg output: linux-kernel-bde 0000:12:00.0: vpd r/w failed. This occurs when lspci -vv or -vvv is run on systems with specific chipsets. The system posts the following messages in dmesg: 'linux-kernel-bde 0000:09:00.0: vpd r/w failed. This is likely a firmware bug on this device. Contact the card vendor for a firmware update.' There is no issue, other than the time it takes for the PCI subsystem to time out when it tries to read the VPD from the chipset. None; this is a cosmetic issue in the firmware on the device and does not indicate a problem with the blade. You can ignore this output from dmesg and in kern.log.
ID 437768 Do not use 'bigip1' as a device name. The BIG-IP system uses it as the factory default device name. This occurs when using 'bigip1' as the device name. You might see an error similar to the following: 01070710:3: Can't save/checkpoint DB object, class:devicegroup_device status:13 - EdbCfgObj.cpp, line 127. Unexpected Error: Loading configuration process failed. Treat 'bigip1' as a reserved word, and do not use it for device names.
ID 437905 The ltm and/or tmm logs may show buffer overflow reports from the Cave Creek compression hardware. If the report appears only in the ltm log, Cave Creek has handled the error internally. If the error appears in both the ltm and tmm logs (same timestamp), the client receives a TCP reset and an incomplete transfer. So far this behavior has only been observed with .png files, but the sample is very limited. Clients receive a TCP reset and an incomplete file. One customer added a filter to exclude .png files from compression. A temporary workaround is also available through a DB variable; the error report in /var/log/ltm now includes the variable name and its current setting: Device error: (null) Cave Creek compression error, buffer overflow. Consider increasing quickassist.compression.buffsize_multiplier (currently 150). For systems that experience the -11 issue, set the DB variable to 300, which keeps Cave Creek from running out of compression workspace.
ID 438048 You might encounter a tmm core when an iRule on the client side issues a TCP::notify request. This occurs when an iRule runs TCP::notify on the client side and the server side (peer conflow) of that client side does not exist or is NULL. tmm cores. None.
ID 438177 RSA key/cert pair must be configured as a default in clientssl profile even for only DSA/ECDSA ciphers. If ciphers only contain DSA/ECDSA ciphers. The connection cannot be built up if no RSA key/cert is configured on clientssl profile. The clientssl profile must have RSA key/cert configured.
ID 438324 Virtual servers configured with Fast HTTP profiles can fail if TCP uses ipport hash on B2150/B2100 blades. The B2150/B2100 DAG (Disaggregator) hash cannot use both IP address and TCP port in selecting tmm in ipport mode. This occurs when TCP is configured to use ipport hash on B2150/B2100 blades and the virtual servers use Fast HTTP profiles. TCP-based virtual servers configured with the Fast HTTP profile can fail. To work around this, you can either use port hash or use profiles other than Fast HTTP for TCP-based virtual servers.
ID 438666 iControl/REST relies on automatic parsing of tmsh output in order to reply to requests. The structure of 'show sys raid array' does not conform to the standard and, thus, the array-members are dropped and not returned in the output. This happens for any 'stats' query on a BIG-IP that has RAID. Clients will not be able to get array-members via iControl/REST. Use tmsh or other UI (iControl/SOAP).
ID 438674 The log filter functionality in TMOS allows users to publish logs from a specific set of processes to various log destinations. Configure log filter that includes tamd. Client authentication might fail. When a log filter includes tamd, the tamd process might start to leak descriptors. Do not define log filters that include tamd (tamd is included in 'all').
ID 439507 Running the qkview utility might take a very long time, up to 30 minutes, possibly longer if there are thousands of tunnels or virtual IPs created. This occurs when there are 500 virtual network interfaces or more in a configuration. qkviews are slow to generate. Wait for qkview to finish, which might take up to 30 minutes.
ID 439628 Updating the dynamic ratio of a node or pool member using TMSH or iControl, instead of a built-in dynamic ratio monitor such as SNMP, results in a 'configuration sync needed' status, or an automatic sync if auto sync is enabled. This occurs when the following conditions are met: multiple devices in a device group; the dynamic ratio is updated via TMSH or iControl; for automatic sync, auto sync is enabled on the sync-failover group. The sync status might unexpectedly transition to 'Changes Pending'. If automatic sync is enabled, the device group performs a ConfigSync immediately. If automatic sync is enabled and the dynamic ratio is updated frequently (such as by an external monitor or an iControl script), the following additional impacts may occur: an administrator's pending changes to the configuration may unexpectedly roll back on a receiving device, and a sync conflict may occur. The following 'guishell' command syntax can be used to update the dynamic ratio as an alternative to using TMSH: guishell -c "update pool_member set dynamic_ratio=<number> where pool_name='/<path>/<pool_name>' and node_name='/<path>/<node_name>' and port='<port#>'" The node name is the full folder path to the object name, which might be the node address with the pool folder prepended. In external monitor scripts, the node name is available in the NODE_NAME environment variable. Example: guishell -c "update pool_member set dynamic_ratio=123 where pool_name='/Common/SMTP_Servers' and node_name='/Common/' and port='25'"
ID 440199 Using the LCD buttons to change the console baud rate to anything other than 9600 or 19200 may cause the rate to default to 19200. This occurs when using the LCD to change the baud rate. Console input/output may not be usable after the changes. Use tmsh to change the console baud rate for rates higher than 19200 baud.
ID 440215 When setting the Ethernet ports on BIG-IP 5000 and 7000 series platforms to half duplex and then pinging, the Activity LED blinks Green instead of Amber. This occurs because half-duplex operation is not supported at any speeds. This occurs when setting half-duplex on Ethernet ports on BIG-IP 5000 and 7000 series platforms. Operating in half-duplex may hang a port. There is no workaround. User must operate in full-duplex modes. This is as designed.
ID 440346 If devices are in a failover device group, and this group contains a pool with multiple health monitors enabled, then using the 'Overwrite Configuration' option may cause some monitors to be removed from the pool.
ID 440365 At upgrade or UCS installation time, one or more files that share the same name may not be copied to the staging location, eventually leading to an error message at configuration load time of the form: File object by name (<file>) is missing. On a 10.x system it is possible that files of different types (e.g., certificates, keys, external monitors) which are to be upgraded to file-objects on an 11.x system have identical filenames even though they reside in different directories on the BIG-IP system. For instance, a certificate located in /config/ssl/ssl.crt/example and a key in /config/ssl/ssl.key/example on a 10.x system that is to be upgraded could cause this condition. Error at first boot of a newly upgraded partition, or at UCS load time. Rename the duplicately named files, and update any references to them in the configuration, before upgrading.
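IDs 434364 (file-object names starting with '.'), 435332 (administrator-class users restricted to one partition) and 440365 (identical filenames across the directories that become file-objects) all surface only after the upgrade or UCS load has already failed. The following shell script is an added example, not F5's own tooling, that looks for all three on the 10.x system beforehand and prints the role edit from ID 435332. It assumes the 10.x locations those entries name (/config/bigip_sys.conf, /config/ssl/ssl.crt, /config/ssl/ssl.key, /config/monitors); the role keywords it matches ('administrator', 'resource-admin', 'auditor') are an assumption based on the sample in ID 435332. It carries a constructed fixture so it runs offline when given no arguments.

```shell
#!/bin/sh
# Added example, not F5's own tooling: pre-upgrade checks for the three 10.x
# conditions that stop an 11.x roll-forward or UCS load (IDs 434364, 435332,
# 440365). Paths default to the 10.x locations named in those entries; the
# role keywords matched are an assumption based on the sample in ID 435332.

# ID 435332: users with an administrator-class role restricted to a single
# partition fail to load on 11.x. Prints "<user>: <role line>" for each
# offender and returns 1 if any were found (0 otherwise).
find_restricted_admins() {   # $1 = bigip_sys.conf
    awk '
        /^user[ \t]/ { user = $2 }
        /^[ \t]*role[ \t]/ {
            line = $0
            sub(/[ \t]*}[ \t]*$/, "", line)   # "role ... in Common }" may share a line
            sub(/^[ \t]*/, "", line)
            if (line ~ /^role (administrator|resource-admin|auditor) in / && line !~ /in \[All\]$/) {
                print user ": " line
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# ID 435332 workaround: widen those roles to [All]. Writes the edited file to
# stdout; review it, then redirect it over a copy of bigip_sys.conf.
widen_admin_roles() {   # $1 = bigip_sys.conf
    sed -E 's/^([[:space:]]*role (administrator|resource-admin|auditor) in )[^[:space:]}]+/\1[All]/' "$1"
}

# ID 434364: a file whose name starts with '.' becomes a file-object that
# bigpipe cannot parse on first load.
find_dot_named_files() {   # $@ = directories whose files become file-objects
    find "$@" -maxdepth 1 -type f -name '.*' 2>/dev/null
}

# ID 440365: the same basename in two of those directories is not copied to
# the staging location, so one file-object ends up missing.
find_duplicate_basenames() {   # $@ = directories
    find "$@" -maxdepth 1 -type f 2>/dev/null | awk -F/ '{ print $NF }' | sort | uniq -d
}

# Run every check under a config root ("/config" on a BIG-IP); returns 1 if
# anything must be fixed before upgrading.
run_checks() {   # $1 = config root
    rc=0
    find_restricted_admins "$1/bigip_sys.conf" || rc=1
    find_dot_named_files "$1/ssl/ssl.crt" "$1/ssl/ssl.key" "$1/monitors" | grep . && rc=1
    find_duplicate_basenames "$1/ssl/ssl.crt" "$1/ssl/ssl.key" "$1/monitors" | grep . && rc=1
    return $rc
}

# Constructed fixture (not a real configuration) exhibiting all three
# conditions, so the script can be exercised offline.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/ssl/ssl.crt" "$d/ssl/ssl.key" "$d/monitors"
    : > "$d/ssl/ssl.crt/example"     # same basename as the key below (ID 440365)
    : > "$d/ssl/ssl.key/example"
    : > "$d/monitors/.myfile.txt"    # leading '.' (ID 434364)
    cat > "$d/bigip_sys.conf" <<'EOF'
user v-abban {
   password crypt '$1$fixture$notarealhash'
   description 'v-abban'
   group 500
   home '/home/v-abban'
   shell '/bin/false'
   role administrator in Common
}
user auditor1 {
   role auditor in [All]
}
EOF
    echo "$d"
}

root=${1:-$(make_fixture)}
if run_checks "$root"; then
    echo "no upgrade blockers found under $root"
else
    echo "fix the items above before upgrading; proposed role lines:"
    widen_admin_roles "$root/bigip_sys.conf" | grep 'role .* in \[All\]'
fi
```

On a real 10.x unit run it as `sh precheck.sh /config` from the advanced shell; with no argument it checks the built-in fixture. The checks only report: the sed rewrite is printed for review rather than applied in place, because bigip_sys.conf also holds password hashes and should be edited from a copy and then loaded.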
ID 440431 The hud_http_method_respond() does not work with response logging, so logging is blank when invoked. This occurs when using hud_http_method_respond() with response logging. The status logged is blank if hud_http_method_respond() was invoked. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule, and record parts of the old response, or the new one, depending on what is required.
ID 440959 Within the configured timeout and retry thresholds, in the event of an ICMP unreachable, the monitor sets the weight to the default (1). Configure a pool member with the SNMP_DCA monitor and delay the SNMP server's response. Delayed SNMP responses are rejected by the monitor. The only workaround is to write an external monitor script using the snmpget utility. For example:
------------
# values provided by bigd
node_ip=`echo $1 | sed 's/::ffff://'`
# example: use snmp get
command=$(snmpget -v 2c -c private "$node_ip" -r 3 -t 5 . . . . . . . .
To configure an external monitor:
---------------------------------
tmsh create sys file external-monitor my_snmp_exec source-path file:/config/monitors/
tmsh create ltm monitor external my_snmp run my_snmp_exec
tmsh create ltm node nodeA address monitor my_snmp
ID 441013 When you change the root password in single user mode, the system posts the following error: error: unable to obtain slot from Lights Out Processor (LOP) : send to lopd failed [lopd addr:/var/run/lopdsvr] [client. The root password change succeeds, but the root password sync to LOP fails, because LOP is not running in single user mode. This occurs when changing the root password in single user mode. The root password change is not synchronized to LOP, and the user might fail to log in to LOP with the new password. Repeat the password-change operation in multi-user mode.
ID 441146 Flooding on forwarding ports is being delayed due to the absence of flush requests for blocked-port L2 entries from the HSB. Tmm should also act on L2 flush requests, not only on mcp delete operations.
ID 441297 When you restart mcpd on 2000/4000 series platforms configured with a Link Aggregation Control Protocol (LACP) trunk, the trunk remains down. This occurs on 2000/4000 series platforms with an LACP trunk when mcpd is restarted. Trunk status remains down after the restart, and all interfaces are reported as 'uninit'. Functionally, the 'uninit' status does not affect single-interface VLANs, as traffic is still carried correctly. None.
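The workaround script in ID 440959 breaks off after the snmpget call, and ID 439628 notes that writing the probed value back through tmsh or iControl triggers a config sync. The following is an added example, not F5's own code, of a complete external monitor in the same style that joins the two: it strips the ::ffff: prefix bigd puts on IPv4 addresses, probes the node with snmpget, and stores the result as the member's dynamic ratio with the guishell statement from ID 439628, then prints UP. Assumed, and not from the entries themselves: the pool name and OID arrive as user-defined monitor variables POOL_NAME and LOAD_OID (hypothetical names; set them with the external monitor's user-defined variables), the community string in COMMUNITY, a clamp of non-numeric or zero values to the default weight 1, and the character whitelist used before the value is placed in the SQL literal.

```shell
#!/bin/sh
# Added example, not F5's own code: an external monitor that pulls a load
# value over SNMP and stores it as the pool member's dynamic ratio through
# guishell (the alternative to tmsh from ID 439628), then marks the member UP.
# bigd runs it as "<script> <node_ip> <port>" and exports NODE_NAME; the
# POOL_NAME, LOAD_OID and COMMUNITY variables are assumed to be user-defined
# monitor variables (hypothetical names).

# ID 440959: bigd hands IPv4 addresses over as IPv4-mapped IPv6 (::ffff:a.b.c.d).
strip_v4_mapped() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# Accept only characters that occur in BIG-IP object paths and ports, so a
# surprising value can never break out of the single-quoted SQL literal
# handed to guishell (assumed whitelist; '%' covers route-domain suffixes).
safe_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_./:%-]*) return 1 ;;
    esac
    return 0
}

# Reduce whatever SNMP returned to a positive integer; fall back to 1 (the
# weight ID 440959 says the built-in monitor reverts to) when the value is
# missing, non-numeric or zero.
to_ratio() {
    case "$1" in
        ''|*[!0-9]*) echo 1 ;;
        *) [ "$1" -gt 0 ] && echo "$1" || echo 1 ;;
    esac
}

# Build the guishell statement from ID 439628 for one pool member.
build_update_sql() {   # pool node port ratio
    safe_ident "$1" && safe_ident "$2" && safe_ident "$3" && safe_ident "$4" || return 1
    printf "update pool_member set dynamic_ratio=%s where pool_name='%s' and node_name='%s' and port='%s'\n" \
        "$4" "$1" "$2" "$3"
}

# Probe the node; -Oqv prints only the value. Fails if net-snmp is absent.
probe() {   # node_ip community oid
    command -v snmpget >/dev/null 2>&1 || return 1
    snmpget -v 2c -c "$2" -r 3 -t 5 -Oqv "$1" "$3"
}

main() {
    node_ip=$(strip_v4_mapped "$1")
    port=$2
    # No answer within retries: print nothing and let bigd mark the member down.
    load=$(probe "$node_ip" "${COMMUNITY:-public}" "${LOAD_OID:?LOAD_OID must be set}") || exit 0
    ratio=$(to_ratio "$load")
    sql=$(build_update_sql "${POOL_NAME:?}" "${NODE_NAME:?}" "$port" "$ratio") || exit 0
    guishell -c "$sql"
    echo UP
}

# bigd always passes two arguments; with none, show the statement that would
# be issued for constructed values.
if [ $# -ge 2 ]; then
    main "$@"
else
    build_update_sql /Common/SMTP_Servers /Common/10.1.1.5 25 "$(to_ratio 37)"
fi
```

Install it with the tmsh commands from ID 440959 (sys file external-monitor, then ltm monitor external). The whitelist matters because guishell bypasses mcpd's validation: NODE_NAME and POOL_NAME are set by the system, but the port and any user-defined variable are operator-supplied, and an unquoted or unchecked value would land directly in the SQL text.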
ID 441482 Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms. This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.) Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.' You may provision APM plus SWG only on platforms with 8 GB of memory or more. To use APM and SWG together on platforms with exactly 8 GB of memory, LTM provisioning must be set to None. (To do so, uncheck the box next to Local Traffic (LTM) on the Resources Provisioning screen, if applicable.) To fully support the LTM-APM-SWG combination, reserve at least 12 GB of memory for VE instances, or at least 16 GB for vCMP guests on BIG-IP or VIPRION platforms.
ID 441719 The CRYPTO:: commands can trigger a core when used with invalid algorithms (for example, using a symmetric-key algorithm such as HMAC-SHA256 where an asymmetric key is expected, or vice versa). This is a negative test that only helps to verify iRule completeness. This occurs when the CRYPTO:: commands use invalid algorithms. The system drops a core. Only use algorithms of the same type (asymmetric or symmetric alone).
ID 441789 If provisioning is changed too quickly some processes are not allowed to properly finish. This can lead to core files. Changing provisioning levels before module daemons are fully up. Core file generation. Check daemons to ensure they are running before making changes to provisioning.
ID 441796 When you run hsb_snapshot or qkview from the command line, this may cause a watchdog reboot. One or more messages similar to this appear in the log: info kernel: Program hsb_snapshot tried to access /dev/mem between 164e6b000->164e6c000. Running qkview or hsb_snapshot from the command line. System reboot. Do not run qkview, or follow the workaround procedure in SOL10052.
ID 441888 Hardware SYN cookies are not supported on non-HSB platforms such as the 4200/2200 platforms. However, both the CLI and the GUI have options to enable them. This occurs on non-HSB platforms when using hardware SYN cookies. Enabling this option has no effect on unsupported platforms. This is a cosmetic issue, and there is no workaround. The system internally detects whether a platform supports hardware SYN cookies and ignores the setting on unsupported platforms.
ID 442227 When using tmsh, a user can set the start time or end time for the database download schedule to 24:01. The supported time range is between 00:00 and 23:59. A user could set a start time or end time of more than 24 hours for the download schedule using tmsh. The download schedule might behave randomly. To prevent any problem with the schedule, set the time range between 00:00 and 23:59, or use the GUI to set the time.
ID 442409 The panic results in log messages in the ltm log: 13 Dec 20 08:11:12 WA0201DA01 notice bge_fast_ifoutput: packet_data_compact failed to reduce pkt size below 4. 13 Dec 20 08:11:12 WA0201DA01 notice panic: ifoutput: packet_data_compact failed to reduce pkt size below 4. This has been seen only on certain types of gigabit Ethernet interfaces. BIG-IP system operation is interrupted while the system reboots. None.
ID 442477 The admin of a vCMP system performs a software upgrade to a newer version of TMOS and sees the 'emerg Provisioning: Over allocation of disk has been detected. Please check for unused application volumes.' console message upon booting into the new version. The error occurs whenever the 'vg-free' attribute of a disk (see: "tmsh list sys disk") is less than the 'vg-reserved' attribute. This most commonly occurs when vCMP is provisioned on a BIG-IP system, and then a software volume on that system is upgraded to a newer version of TMOS that consumes additional disk space. This is because, when vCMP is first provisioned, it creates an application volume ('vmdisks') that consumes the remaining available space ('vg-free' minus 'vg-reserved') of the disk at that time. Thus, the next action that requires additional disk space, such as a software upgrade, causes the free space to dip below the reserved space, resulting in the error message. There is no immediate impact to the BIG-IP system. However, this may indicate that future attempts to create additional software volumes, or to upgrade pre-existing ones to versions of TMOS that require more disk space, could fail unless the proper disk management actions are taken. There is no need to take any immediate action upon seeing this error message. If you would like to prevent the error message from appearing, you need to make the logical disk's 'vg-free' attribute greater than its 'vg-reserved' attribute. In general, this can be accomplished by:
  1) Adjusting the vg-reserved attribute directly such that it is less than vg-free.
  2) Deleting any unused software volumes.
  3) De-provisioning vCMP from the system, deleting the vmdisks application volume, and re-provisioning vCMP. This causes the new vmdisks volume to be re-created with less disk space. The guests will need to be backed up beforehand.
  4) Using lvreduce to reduce the size of the vmdisks app volume or any other volume that can be reduced. Backing up the guests is recommended.
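As an added example (not part of this release note or of F5's own tooling), the following Python snippet parses a constructed 'tmsh list sys disk' listing and reports any logical disk whose vg-free has fallen below vg-reserved, which is the condition the note describes. The sample listing, the disk name HD1 and the numbers are constructed for illustration; the attribute names are the ones the note quotes, and sizes are assumed to be in MB.

```python
import re

# Constructed sample of 'tmsh list sys disk' output (not captured from a real
# system). vg-free and vg-reserved are the attributes named in the release note;
# the other fields and all numbers are illustrative, and units are assumed to be MB.
SAMPLE_TMSH_LIST_SYS_DISK = """\
sys disk logical-disk HD1 {
    mode mixed
    size 305245
    vg-free 3100
    vg-in-use 270000
    vg-reserved 31000
}
"""


def parse_logical_disks(text):
    """Map each logical-disk name to a dict of its numeric attributes."""
    disks = {}
    block_re = re.compile(r"sys disk logical-disk (\S+) \{(.*?)\n\}", re.S)
    for name, body in block_re.findall(text):
        attrs = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            if value.isdigit():
                attrs[key] = int(value)
        disks[name] = attrs
    return disks


def headroom_mb(attrs):
    """vg-free minus vg-reserved; a negative value means the disk is over-allocated."""
    return attrs.get("vg-free", 0) - attrs.get("vg-reserved", 0)


def over_allocated(disks):
    """Names of logical disks for which the boot-time over-allocation warning would fire."""
    return sorted(name for name, attrs in disks.items() if headroom_mb(attrs) < 0)


if __name__ == "__main__":
    parsed = parse_logical_disks(SAMPLE_TMSH_LIST_SYS_DISK)
    for disk in over_allocated(parsed):
        print(f"{disk}: vg-free is {-headroom_mb(parsed[disk])} MB below vg-reserved")
```

Running it against a real listing shows how much vg-reserved would have to be lowered (option 1 above) or how much space a volume deletion or lvreduce (options 2 to 4) needs to free before the warning stops.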
ID 442489 The licensed SSL and compression limits are displayed incorrectly. Any multi-core system with SSL and/or compression licensed. Users think they have a different limit than the system actually has.
ID 442569 There are some SELinux errors that can occur in this release when installing a hotfix, including /usr/sbin/load_policy: Can't load policy: No such file or directory. This occurs when installing a hotfix. The system presents messages: Can't load policy: No such file or directory. None; these errors are benign and SELinux corrects itself after a reboot.
ID 442613 After the user modifies the content of a tag map data group, the tag replacement function may still use the old tag mapping data. The user assigns a data group to a FIX profile's sender tag map attributes and then modifies the content of the data group. The replaced tag may still be the data defined in the old data group, which causes the FIX message receiver not to recognize the tag and to reject the message. After modifying the data group, go to the FIX profile configuration and re-define the attribute by removing the sender tag map and adding it back.
ID 442647 Due to a mistaken internal object-size conversion, the statistical data used by the IP::stats iRule command reports a negative number when the data exceeds 2**31. Transferring more than 2 gigabytes or 2 billion packets on a connection that then uses IP::stats commands in an iRule will show a negative number. iRules cannot rely on the validity of the IP::stats counters when more than 2 gigabytes have been transferred. Upgrade to a fixed version.
ID 442961 When packets that cause a "No handle" error reach TMM at a rate higher than that defined in TM.MaxRejectRate, "Limiting closed port RST response" or "Limiting icmp unreach response" messages are logged. The rate of packets per second causing "No handle" errors has to exceed TM.MaxRejectRate. Confusing log messages. None.
ID 445430 While the nominal and minimum provisioning levels are not supported in this release of software, they may be provisioned. In doing so, the system automatically provisions the vcmp module to dedicated. If the system already provisioned vcmp to the dedicated level, then any running guests will be restarted. vcmp is provisioned as dedicated and guests are running. Guests will be restarted with a new qemu process. If vcmp is already provisioned, do not attempt to adjust the provisioning levels to nominal, minimum or dedicated.
ID 445800 BIG-IP configurations fail to load after upgrading from version 10.x to 11.x. This issue occurs when all of the following conditions are met: -- Your configuration contains a pool that is monitored by the default SMTP monitor. -- You upgrade from BIG-IP 10.x to 11.x, or attempt to load a BIG-IP 10.x user configuration set (UCS) on a BIG-IP 11.x system. The configuration fails to load upon upgrade, and the system posts the error: BIGpipe unknown operation error: 01070712:3: Cannot use default monitor template (/Common/smtp) - ltm/validation/MonitorRule.cpp, line 351. Create an attribute-less smtp monitor, assign it to all the pools that use the base smtp monitor, and load the configuration:
  monitor smtp-defaults {      <<<<< defaults from smtp
    interval 5
    timeout 16
    time until up 0
    dest *:*
  }
  pool poolA {
    monitor all smtp-defaults  <<<<<
    members {
      {}
      {}
      {}
    }
  }
ID 446712 When FTP is used with an LSN pool, the data connections do not count towards the LSN client connection limit. FTP is configured with an LSN pool whose client connection limit value is greater than zero. Data connections (active/passive mode) are not counted; hence a subscriber will be able to create more connections than specified by the LSN pool client connection limit.
ID 446713 First boot into v11.5.0 causes daemon restarts and error messages on B4300/B4300N blades. This happens on each blade except blade 1 (which is the Primary). When this occurs, the system posts various error messages and the daemons restart. None.
ID 446717 When running 'tmsh show sys hardware' on the Primary blade, the 'Blade Temperature Status' reports a blade other than the Primary. In addition, all other slots under this category are not reported. This occurs when running the command 'tmsh show sys hardware' on the Primary blade. tmsh reports the wrong slot under 'Blade Temperature Status' on the Primary blade. To find out the temperature status of the Primary blade, use the EUD sensor test.
ID 446963 When messages are queued after processing of HUDCTL_ABORT, processing those messages might cause a crash. After processing ABORT, no other messages should be processed. But in the case where HUDCTL_SHUTDOWN is queued (by the SIP filter), HUDCTL_ABORT is processed and then HUDCTL_SHUTDOWN, causing the crash. TMM crashes and the system creates a core file. None.
ID 447043 LTM policies have operands that can be matched against a set of values, causing a match when the operand matches one of these values. Sometimes it is desirable to match all of the values. The specific situation where this is needed is 'contains'. This is currently not possible, and configuring it causes a cryptic error message: 'Failed to compile the combined policies'. Specify an ltm rule with two conditions with the same operand and match type, for example:
  conditions {
    0 { http-header name User-Agent contains values { Android } }
    1 { http-header name User-Agent contains values { Mobile } }
  }
It is impossible to express certain conditions like 'user-agent contains 'Android' AND 'Mobile''.
ID 447874 HTTP pipelined requests might cause the TCP window to stay at 0 and not recover. This intermittent issue occurs when HTTP pipelined requests are sent, and those requests use the GET method. When this occurs, the resulting TCP zero window suspends data transfer. It is possible that the TCP window will be reduced to 0 (zero) and never recover. None.
ID 447958 A slow clientside SSL connection may result in a timeout due to the new default SSL timeout of 10 seconds. tm.rstcause may indicate "SSL alert timeout exceeded". The clientside is clientssl, and it is a slow connection such that it may require longer than 10 seconds. Data transfer might be interrupted. Increase the alert timeout value in the configuration.
ID 448409 The 'verify' option on the 'load sys config' command is supposed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect. However, the internal centralized management interface (CMI) state, including the connections to other devices, may be lost. Provisioning may also be impacted. This affects CMI if it is configured. CMI connections to other devices may be lost. You can avoid this issue by using the 'merge' option of the 'load sys config verify' command, which keeps the current configuration during the validation step.
ID 448493 SIP responses are not forwarded to the client; they are dropped. This occurs when using SIP OneConnect with an iRule that uses the node/snat command in the SIP_RESPONSE event to direct the SIP response from the server. Some SIP flows do not complete, which affects the SIP clients. Remove the node/snat command from SIP_RESPONSE event processing in the iRule.
ID 449158 An HTTP request to a virtual server on port 80 with a default pool and an iRule that specifies nexthop (to a MAC address on the internal VLAN) does not work; no packet forwarding occurs. This occurs with such a virtual server, default pool and nexthop iRule. Packet forwarding does not occur. None.
ID 449502 Diameter monitor script doesn't allow custom grouped AVPs that contain only a single element. Capabilities Exchange Answer (CEA) with a custom grouped AVP containing only a single attribute. Duplicating the attribute in the Diameter monitor script doesn't work either. The monitor will fail. Use multiple attributes, or use non-custom grouped-AVP.
ID 449596 At the command line, when you issue the 'show bgp neighbors <x.x.x.x> advertised-routes' command on one of the BIG-IP systems that is configured to establish a BGP session with another system, an error output is observed: % No such neighbor or address family. The BIG-IP system is configured to be in a BGP session with another system using IPv4 addresses. The command shows incorrect output. Any of the following three commands will give you the correct result:
  show bgp (ipv4|ipv6) (unicast|multicast|) neighbors (A.B.C.D|X:X::X:X) advertised-routes
  show ip bgp neighbors (A.B.C.D|X:X::X:X) advertised-routes
  show ip bgp ipv4 (unicast|multicast) neighbors (A.B.C.D|X:X::X:X) advertised-routes
ID 449747 All of the self links and reference links in iControl REST responses contain localhost instead of an IP address, hostname, or FQDN. This occurs when using iControl REST. This is by design. iControl REST clients will need to substitute 'localhost' with the correct server name (or IP address or FQDN) when navigating links returned in responses.
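The substitution the note asks clients to perform, as an added example in Python (not part of this release note or of any F5 client library). The response shown is constructed to mirror the selfLink and reference-link shape of iControl REST output; the device address bigip.example.net and the pool name web_pool are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed iControl REST-style response (not captured from a device). Only the
# shape matters: every link carries 'localhost' as its host, as the note states.
SAMPLE_RESPONSE = {
    "kind": "tm:ltm:pool:poolcollectionstate",
    "selfLink": "https://localhost/mgmt/tm/ltm/pool?ver=11.6.0",
    "items": [
        {
            "name": "web_pool",
            "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~web_pool?ver=11.6.0",
            "membersReference": {
                "link": "https://localhost/mgmt/tm/ltm/pool/~Common~web_pool/members?ver=11.6.0",
            },
        }
    ],
}

# Keys under which iControl REST returns navigable URLs.
LINK_KEYS = {"selfLink", "link"}


def rewrite_host(url, netloc):
    """Replace a 'localhost' host in one URL with the real device address (host or host:port).

    URLs that already point somewhere else are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.hostname != "localhost":
        return url
    return urlunsplit(parts._replace(netloc=netloc))


def rewrite_links(obj, netloc):
    """Return a copy of a decoded JSON response with every selfLink/link rewritten.

    The input is not mutated, so the original response can still be logged as received.
    """
    if isinstance(obj, dict):
        return {
            key: rewrite_host(value, netloc)
            if key in LINK_KEYS and isinstance(value, str)
            else rewrite_links(value, netloc)
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [rewrite_links(item, netloc) for item in obj]
    return obj


if __name__ == "__main__":
    fixed = rewrite_links(SAMPLE_RESPONSE, "bigip.example.net")
    print(fixed["items"][0]["membersReference"]["link"])
```

Applying the rewrite once, immediately after decoding each response, keeps the rest of the client free of special cases when it follows membersReference and similar links.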
ID 451549 If a fan tray is removed and replaced with another within a 30-second interval, the serial number of the new fan tray is not reflected in the hardware information. Chassis with a fan tray running any supported version of BIG-IP. Any chassis where the fan tray is changed. Wait more than 30 seconds between removing the fan tray and replacing it with a new one.
ID 452683 The one-line option does not work for some configuration objects. This occurs when the 'one-line' option is specified for certain objects, for example, the APM resource. This results in a multi-line display instead of the expected one-line display. None.
ID 452837 It is not possible to add a device to the ca-devices of the Root trust domain using iControl REST. This occurs when using iControl REST. Cannot set up an HA pair programmatically using iControl REST. Set up HA using the GUI or TMSH.
ID 453232 The double-tagging packet stats counters are only supported on the VIPRION blades B2250, B4300, B4340, and B4350, and on the BIG-IP platforms 10000, 10050, 10050N, 10200, 10250, and 12050. Double-tagging packet counters are not supported on the B2100/B2150 VIPRION blades or the BIG-IP 5000 series and 7000 series platforms. The system is configured for and passing double-tagged traffic and shows zero values for the Double Tagged Packets stats in the GUI, TMSH, or via the iControl APIs. When running the command 'tmsh show net interface all-properties' on the unsupported platforms, 'DoubleTag Pkts In' and 'DoubleTag Pkts Out' always show a value of 0 (zero). None.
ID 453362 SSL forward proxy does not work with OneConnect when there are multiple connections from the same client to the same server. This occurs with virtual servers configured with OneConnect. SSL forward proxy does not work. Multiple connections worked fine without OneConnect.
ID 454209 TMM crashes with a backtrace that includes dns_dev_pool coring at line 360. DNS virtual server without datagram-lb mode. Failover, traffic interruption. Enable datagram-lb-mode in the UDP profile used by the DNS virtual server, or turn off DNS queuing via the db variable dns.queuing.
ID 454640 Secondary blades' mcpd instances may restart on boot with messages like the following: 01071038:5: Secondaries couldn't load master key from the database. 01070734:3: Configuration error: Configuration from primary failed validation: 01071029:5: Master Key not present. Any VIPRION bladed system or vCMP guest may encounter this rarely. mcpd will restart on secondary blades but will then settle, and the system will finish booting as normal.
ID 454671 When SIP is used with an LSN pool, the media connections do not count towards the LSN client connection limit. SIP ALG is configured with an LSN pool whose client connection limit value is greater than zero. Media connections are not counted; hence a subscriber will be able to create more connections than specified by the LSN pool client connection limit.
ID 454672 When RTSP is used with an LSN pool, the media connections do not count towards the LSN client connection limit. RTSP is configured with an LSN pool whose client connection limit value is greater than zero. Media connections are not counted; hence a subscriber will be able to create more connections than specified in the LSN pool client connection limit.
ID 455090 "#" is the Tcl comment command, which causes the Tcl parser to ignore the rest of the line. When a user mistakenly inserts "#" in front of a command that has an open curly brace ({) at the end of the line, there is a mismatch of open and close braces, but the user can still save the iRule script through the web interface and TMSH, and later, at traffic run time, the system fails. This occurs when: 1. "#" is at the start of a line that ends with "{"; 2. the ending "{" perfectly matches a "}" in the script. When the iRule script runs at traffic time, the system fails. Comment out or delete the matching closing "}".
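An added example (not from the release note) of a small check a practitioner can run over an iRule before saving it: it counts braces the way Tcl's parser does, comment lines included, and separately the way the executed code sees them, so the mismatch the note describes shows up as a non-zero run-time brace count even though the script as a whole looks balanced. Both iRule texts below are constructed for illustration and are not from the original page.

```python
import re

# Constructed iRule (not from the page) showing the failure mode: the "if" line was
# commented out, but its trailing "{" still pairs with the "}" left on line 4 for the
# parser, so the script saves cleanly and then fails when the bare "}" executes.
SAMPLE_IRULE = """\
when HTTP_REQUEST {
    # if { [HTTP::uri] starts_with "/admin" } {
        log local0. "admin request"
    }
    pool web_pool
}
"""

# The note's workaround applied: the matching closing brace is commented out too.
FIXED_IRULE = """\
when HTTP_REQUEST {
    # if { [HTTP::uri] starts_with "/admin" } {
        log local0. "admin request"
    # }
    pool web_pool
}
"""


def brace_delta(line):
    """Net count of opening minus closing braces on one line, ignoring escaped braces."""
    unescaped = re.sub(r"\\[{}]", "", line)
    return unescaped.count("{") - unescaped.count("}")


def lint_comment_braces(script):
    """Return (unbalanced_comment_lines, parser_total, runtime_total).

    parser_total counts braces on every line, which is what Tcl does when it reads the
    braced body; runtime_total skips comment lines, which is what the executed code sees.
    The script is only safe when both totals are zero.
    """
    unbalanced, parser_total, runtime_total = [], 0, 0
    for number, line in enumerate(script.splitlines(), 1):
        delta = brace_delta(line)
        parser_total += delta
        if line.lstrip().startswith("#"):
            if delta != 0:
                unbalanced.append((number, line.strip()))
        else:
            runtime_total += delta
    return unbalanced, parser_total, runtime_total


def is_well_formed(script):
    """True when the parser's and the executed code's brace counts both balance."""
    _, parser_total, runtime_total = lint_comment_braces(script)
    return parser_total == 0 and runtime_total == 0


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_IRULE), ("fixed", FIXED_IRULE)):
        unbalanced, parser_total, runtime_total = lint_comment_braces(text)
        print(label, "parser:", parser_total, "runtime:", runtime_total)
        for number, line in unbalanced:
            print(f"  line {number}: unbalanced braces in comment: {line}")
```

Any comment line the check lists is worth a look even when the totals balance, because a later edit that removes the matching brace will reintroduce the problem silently.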
ID 455284 Firewall rules intended to restrict access to an APM daemon running on the BIG-IP system might incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321. This can occur even if a BIG-IP system is not provisioned for APM or SWG. This may result in monitors incorrectly failing, and pool members incorrectly marked down. A packet capture of the monitor traffic will show the BIG-IP system receive a SYN/ACK from a pool member, and respond with an ICMP port unreachable error. As a workaround, add these iptables commands to the '/config/startup' script, and reboot the BIG-IP system (or manually run these commands once). These commands modify the firewall rule to prevent interference with monitoring:
  • '/sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable'
  • '/sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset'
  • '/sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset'
ID 455467 QinQ VLAN functionality requires supported versions of software running on the guest and host. QinQ VLAN configurations fail to load on vCMP guests. The host or guest has a QinQ configuration object and is not running QinQ-supported software. This only applies to QinQ VLANs in a vCMP environment. This does not impact legacy vCMP VLAN functionality (non-QinQ VLANs configured per guest on the host).
ID 455525 If, for some special reason, the role and partition information are not present, there are two cases where this might occur: when the user's role and partition information is not provided, by default the no-access role and all partitions are assumed; and if the user's role and partition are explicitly deleted, this is also allowed with no further error message. This is potentially useful in cases where you want to preserve user data such as the password for later re-activation of the user. In both cases, the user cannot log in successfully due to the lack of the necessary role-partition information. The user's role and partition information is missing or removed. The user with missing role and partition information is prohibited from logging in.
ID 456024 When vCMP is not provisioned, and you load vCMP guest objects, the guest state changes to CONFIGURED to avoid failing to load the entire configuration. This occurs when you save a UCS file from a vCMP-provisioned host with guests in the PROVISIONED or DEPLOYED state. After loading the UCS, the BIG-IP system successfully reboots into vCMP mode, but the guests cannot automatically deploy. You must manually change the state of desired guests to PROVISIONED or DEPLOYED.
ID 456378 When using the ipother profile, if there is an iRule that fires on CLIENT_ACCEPTED and contains a discard action, tmm fails over. Virtual server with ipother profile and an iRule firing on CLIENT_ACCEPTED with a discard action. Site down since tmm fails over. Use CLIENT_DATA as the firing event for the iRule. This has the same expected result when discarding the connection.
ID 456508 Deleting persistence entries via iRules in PBA mode will not completely remove persistence, as having a PBA block implies some persistence exists. lsn mode = PBA; iRules use LSN::persistence-entry to create and delete address persistence entries. Using lsndb to view persistence entries may cause confusion, as the deleted persistence entries may still be present. These persistence entries will go away when they time out.
ID 456837 For double VLAN tagged packets, when a switch port's or trunk's qinq-ethertype is set to a non-default value (the default value is 0x8100), tcpdump on the switch port or trunk may not display the actual ether type. This is caused by different Broadcom chip behavior when mirroring packets. The user sets a switch port's or trunk's qinq-ethertype to a value that is different from 0x8100.
ID 456854 You might see error messages indicating that a specific string 'has no meaning.' This typically occurs when an iRule uses a regular expression including a backslash (for example, \B). The system posts an error similar to the following: /Common/rule1:2: warning: ["\B" has no meaning. Did you mean "\\B" or "B"?][{\B}]. This message is cosmetic only. The config loads successfully, and the iRule works as expected.
ID 457149 If a local password policy with password expiry is set, even remotely authenticated users are subject to the password policy. This may deny access to users whose password has been remotely authenticated but who have an expired password. A local password policy is set, but remote authentication is used. Some users may be locked out after the password policy expires their password. Do not use a local password policy with remote authentication.
ID 457799 Configuration validation disallows creation of a static route in the default route-domain with an interface in a user-defined route-domain as the nexthop. This is a design limitation. Attempting to add a route to a network in the default route-domain address space with a nexthop object that is in a different route-domain. Cannot specify nexthops into a user-defined route-domain.
ID 457934 Some connections through a virtual server using SSL persistence hang and cause a high CPU condition in tmm. This occurs only when SSL persistence is configured as the default persistence profile, and there is a fallback profile of either source_addr or dest_addr. Large increase in CPU usage on the system, and a percentage of SSL connections through the virtual server are delayed and eventually reset.
ID 458526 When a BIG-IP device is running the spanning tree protocol, it may continue to send one or more TCN BPDU packets after receiving a Topology Change Acknowledgement BPDU.
ID 458527 When running spanning tree, a BIG-IP device sends TCN BPDUs after receiving a topology change notification on its root port. A BIG-IP device is connected to another switch running spanning tree and the BIG-IP device is not the root switch of the tree. No observable network impact from the TCN flag being sent in the BPDU.
ID 458528 When a BIG-IP product is configured to use STP mode, it behaves according to the 802.1D - 2004 standard rather than the 802.1D - 1998 standard in any instance where the standards differ.
ID 458822 'tmsh show sys cluster all-properties' shows:
  Availability offline
  State enabled
  Reason Too many cluster members
  HA offline
Blades were rebooted to the same version of software, but on a different disk partition. Minimal -- mainly confusion about the state of HA. Disable and re-enable the blades.
ID 459382 The GWM server can reset the TCP connection to the SASP monitor multiple times. In this scenario, the monitor does not re-attempt connecting to the server. This results in incorrect status reporting of pool members, and hence data traffic may be impacted. The GWM server sends a TCP reset to the SASP monitor TCP connection. This could possibly affect data traffic sent to the servers, as the SASP monitor is no longer connected to the GWM server.
ID 459471 ssl-ocsp and ssl-cc-ldap auth profiles can have the same name, leading to issues when trying to delete them. Do not create the two auth profiles with the same name.
ID 459596 Packets leak onto the network, and a memory leak appears in tmm. Multicast traffic and a disabled interface. Eventual TMM low memory, OOM, and traffic outage due to TMM coring.
ID 459671 iRules source different procs from different partitions and execute the incorrect proc. Multiple iRule procs defined in multiple admin partitions. The iRules "proc" lookup algorithm is not deterministic, or virtual servers are improperly caching and sharing the lookup results.
ID 459753 When cluster is included as a component of an HA group, clusterd on the secondary blade may restart continuously. This is undesirable. When cluster is included as a component of the HA group and the chassis is restarted, clusterd on the secondary blade restarts continuously. The secondary blade becomes unusable.
ID 460500 When loading a config containing signed iRules, the following error is shown: 01071485:3: iRule (/Common/irule2) content does not match the signature. Unexpected Error: Loading configuration process failed. The iRules have global comments (outside any WHEN block) before the first block or after the last block (global comments between WHEN blocks do not cause any issue). The config file cannot be loaded. Either delete the global comments (outside WHEN blocks) that lie at the beginning or at the end of the iRule (before the first or after the last WHEN block), or delete the signing entries (definition-signature and signing-key) from the config file before loading it. Of course, the feature of signing iRules is lost in the latter case.
ID 460627 When the SASP monitor starts up, it can attempt to open a new TCP connection to the GWM server when another connection to it already exists. This happens when the GWM server sends the SendWeight messages to the SASP monitor immediately after the registration of a pool member is complete, but the registration of all the pool members is not complete. The SASP monitor finds an existing TCP connection to the GWM server.
ID 460751 The RTP and RTCP connection flows get set up in response to the RTSP SETUP request from the client, which may ask for one or two connections. When the client has requested UDP connections, those connections are NOT expired when the controlling RTSP connection is closed. For this reason, PBA zombie port blocks will not be removed until the RTP and RTCP connections using the ports are deleted. A shorter idle timeout can be configured on the RTSP profile so that RTP and RTCP connections are deleted sooner.
ID 460834 TMM asserts with tx_hist full during high rate of new active connections.
ID 461140 You cannot configure High Availability (HA) using IPv6 IP address formatting. This occurs when using IPv6 formatted IP addresses. When adding a peer device using an IPv6 address via the web interface, the system posts the following error message: 'Could not read response from server: ParseError at [row,col]:[1,150] Message: The reference to entity 'destaddr' must end with the ';' delimiter.' The system posts a similar error message when performing the same operation using TMSH: 'Unexpected Error: Could not add ca-device (error from devmgmtd): [evConnection.cpp:162 tryConnect] evConnect(m_ev, fd, (void *) &destaddr, sizeof(destaddr), &::evOutgoingConnection, this, &m_connId): Network is unreachable.' Set up an IPv4 Self IP in an HA VLAN (a VLAN on which each device can communicate with the other). Then add that Self IP to the device. To do so, in TMSH, run a command similar to the following: 'modify cm trust-domain Root ca-devices add { } username admin password admin name'. Running that command retrieves the already configured IPv6 management-ip, config-sync, and network failover IP addresses from the peer device and syncs them, so that HA device trust can work correctly.
ID 461157 There are no statistics to indicate that the standby box is out of sync with the active box. The standby box is out of sync with the active box. No obvious way to know that the standby box is out of sync with the active box.
ID 461199 Memory increases when using certain iRule methods related to Diameter (for example, AVP::insert, AVP::replace, AVP::codes). Inside the underlying function dime_method_optional_args_parse, a call to the function Tcl_GetIndexFromObj was not decrementing the refcount of an object. The system must execute an iRule that (indirectly) calls the underlying dime_method_optional_args_parse function. Memory increases steadily, and eventually the customer will have to reboot their BIG-IP system.
ID 461375 The dhcp-enabled property was removed because it cannot be modified and its presence can lead to misunderstanding the configuration. This occurs in version 11.6.0. Can cause misunderstanding of the configuration data.
ID 461776 Regardless of the setting of the DB variable 'qinq.cos', the VLAN priority of packets arriving at customer-tagged interfaces does not correctly affect the egress CoS mapping. VLAN Class-of-Service cannot be used with Q-in-Q VLANs on customer-tagged interfaces.
ID 462507 If CGNAT PBA is configured for block lifetimes, when the lifetime expires it terminates any flows still associated with that port block. However, SIP media flows cannot be terminated, so the block cannot be released until the media flows terminate. This occurs when the following conditions are met: -- Using CGNAT PBA mode. -- block lifetime set. -- Using SIP-ALG. -- Media flows outlive block lifetime. Blocks cannot be released as expected until media flows terminate.
ID 462523 Installations of block-device-image or block-device-hotfix images within guests that have Liveinstall signature validation enabled fail without signature validation. CC mode enables this feature by default. The installation uses a block-device-image or block-device-hotfix, and the installation has signature validation enabled (liveinstall.checksig is enabled). Local ISO and signature files must be used within the guest when making use of the Liveinstall signature checking feature. Alternatively, if the host environment is trusted, the liveinstall signature check can be disabled within the guest. The value can be modified with "tmsh modify sys db liveinstall.checksig value disable". New installations using block-device-image or block-device-hotfix can then take place.
ID 462524 When a User-Agent identifies a browser that has known compression limitations, the "browser workarounds" disable compression. Browsers requiring these workarounds include: Microsoft Internet Explorer 6.0, Netscape Navigator 4.1, and Netscape Navigator 5.0. Unfortunately, the functionality falsely identifies many modern browsers as needing compression workarounds, disabling compression. Enable HTTP compression browser workarounds. HTTP compression will not compress responses for modern browsers. Disable browser workarounds. If legacy clients require compression workarounds, an iRule that selectively disables compression depending on User-Agent can be used.
ID 462714 A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is flowing through that flow. The traffic that triggers this bug is UDP with a checksum of 0. The profile has to be FastL4. Traffic that is either UDP with a checksum of 0, or SCTP, is definitely affected. Source address persistence is not usable, as the entry ages out when it should not.
ID 463970 When using "LB::reselect pool <current pool>" in an iRule, the pool stats do not get increased/updated at all. Virtual server stats do get increased as expected. Set up a virtual server with an iRule with the following event handling:
  when LB_SELECTED {
    LB::reselect pool pool2
  }
Hit the virtual server. Verify that the pool stats do not get increased (tmsh show ltm pool) while virtual server stats do (tmsh show ltm virtual). Misleading stats reporting, and probably incorrect traffic-based load balancing. Add extra logic to ensure the redundant call to LB::reselect pool SAME_POOL is not performed, like:
  if { [LB::server pool] ne "/Common/poolIwant" } {
    LB::reselect pool "/Common/poolIwant"
  }
ID 464489 "User is unable to create or modify SSL profiles, and sees an error message in the LTM log similar to: May 9 11:41:23 HouF5mgmt err mcpd[6412]: 01070313:3: Error reading cert PEM file /config/filestore/files_d/Common_d/certificate_d/:Common:default.crt_14711_1 for profile /Common/testclientssl: Memory exhausted. However, memory is not exhausted." User must have at least one SSL profile, or be attempting to create one. SSL profiles can't be created or modified.
ID 465052 TMM cores when an iRule executes an HTTP::cookie command with fewer than the required number of arguments; the command does not check for missing arguments and assumes they are present. This occurs when an iRule runs an HTTP::cookie command (such as "HTTP::cookie sanitize") with missing required arguments. TMM restarts, possibly causing a failover in an active/standby pair. Ensure that all HTTP::cookie commands in iRules have the correct number of arguments. As a workaround, adding a line "log local0. some text" before the "HTTP::cookie sanitize" line avoids the tmm crash.
ID 465197 The OData $filter is implemented only for filtering iControl REST results based on the partition in which config objects reside. No other filtering can be done. Always. No filtering can be done other than partition.
ID 466285 "When certain users switch partitions, their displayed role will show Unknown for several seconds. It will switch to display their appropriate role for the selected partition after that time period. This issue only affects users who do not have access to all partitions on the BIG-IP. This issue is only cosmetic, the user's actual role switches immediately. Any activity performed in this time period will be performed as the user's true role in that partition." "A user is logged in who has access to selected partitions (not all on the box). The user switches partitions." No real impact. The user will see Unknown as their role in the top bar in the GUI.
ID 466570 When a grandchild monitor (the child of a child monitor) is viewed in the web UI, the error "An error has occurred while trying to process your request." is displayed. To reproduce: configure a grandchild http monitor (via tmsh or the web UI), save the configuration, then load it via tmsh. Monitor objects are loaded alphabetically by name, so the error occurs when the grandchild is loaded before its parent; for example, in the chain http -> z_child -> a_grandchild, a_grandchild loads before z_child and triggers the error. This limits the ability to manage monitors via the web UI. Name monitors so that the child monitor sorts, and therefore loads, before the grandchild.
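To make the load-order problem concrete, here is an added Python model (not the product's configuration loader) that defines monitors in alphabetical order as the note describes, reports the first child whose defaults-from parent is not yet defined, and computes a parent-first order instead. The set of system-supplied base monitors treated as predefined and the monitor names are assumptions that mirror the note's example and its renaming workaround.

```python
# System-supplied monitors that exist before any user configuration is
# loaded (assumed set for this model; only the parent names matter).
BUILTIN_MONITORS = {"http", "https", "tcp"}

# User-defined monitors as name -> defaults-from parent, mirroring the
# note's example chain http -> z_child -> a_grandchild.
USER_MONITORS = {"z_child": "http", "a_grandchild": "z_child"}

# The note's workaround: name the child so it sorts before the grandchild.
RENAMED_MONITORS = {"a_child": "http", "z_grandchild": "a_child"}


def alphabetical_load_order(monitors):
    """Order in which the note says monitor objects are loaded."""
    return sorted(monitors)


def first_unresolved_parent(order, monitors, predefined):
    """Simulate a loader that defines objects in `order` and resolves
    defaults-from at definition time. Return (child, parent) for the first
    object whose parent is not yet defined, or None if the order is valid."""
    defined = set(predefined)
    for name in order:
        parent = monitors[name]
        if parent not in defined:
            return (name, parent)
        defined.add(name)
    return None


def parent_first_order(monitors, predefined):
    """Kahn's algorithm over the defaults-from graph: emit parents before
    children, alphabetical among objects that become ready together.
    Raises KeyError for a parent defined nowhere and ValueError for a cycle."""
    children = {name: [] for name in monitors}
    pending_parents = {}
    for name, parent in monitors.items():
        if parent in predefined:
            pending_parents[name] = 0
        elif parent in monitors:
            pending_parents[name] = 1
            children[parent].append(name)
        else:
            raise KeyError(f"{name}: parent {parent!r} is not defined anywhere")
    ready = sorted(n for n, count in pending_parents.items() if count == 0)
    order = []
    while ready:
        name = ready.pop(0)
        order.append(name)
        for child in children[name]:
            pending_parents[child] -= 1
            if pending_parents[child] == 0:
                ready.append(child)
        ready.sort()
    if len(order) != len(monitors):
        stuck = sorted(set(monitors) - set(order))
        raise ValueError(f"cycle in defaults-from chain among {stuck}")
    return order


if __name__ == "__main__":
    alpha = alphabetical_load_order(USER_MONITORS)
    print("alphabetical:", alpha, "->",
          first_unresolved_parent(alpha, USER_MONITORS, BUILTIN_MONITORS))
    fixed = parent_first_order(USER_MONITORS, BUILTIN_MONITORS)
    print("parent-first:", fixed, "->",
          first_unresolved_parent(fixed, USER_MONITORS, BUILTIN_MONITORS))
```

With the note's names the alphabetical order fails at a_grandchild (parent z_child not yet defined); with the renamed pair it succeeds, which is exactly why the renaming workaround works.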
ID 466719 The wrong address is used for BGP routing. "SELF mask | VLAN NetFailOver unit 1 floating enable route-map nexthop permit 10 match ip address prefix-list global-full-primary set community 0:100 set ip next-hop Delete floating selfip" The problem may create a routing blackhole after failover.
ID 466837 Using the GUI to modify a virtual server with multiple profiles results in multiple audit logs. This occurs with multiple profiles on a virtual server. The system writes multiple audit logs for a single user transaction. This is intended functionality.
ID 466875 Egress packets have a source address that is not associated with the VLAN or interface. "Occurs when the following conditions are met: - Virtual utilizes SNAT automap. - There exists a route matching a self-ip on interface A to a VLAN on interface B." Packets may not be routed properly. Use SNAT pool instead of automap.
ID 467043 Modifying banner and banner-text while sshd login is disabled results in an error. This occurs when banner and banner-text are modified while the sshd login service is disabled. The system posts an error. Workaround: enable login before changing the banner within the same command, or perform the operations as separate commands: tmsh modify sys sshd login enabled banner disabled banner-text none; or tmsh modify sys sshd login enabled, followed by tmsh modify sys sshd banner disabled banner-text none.
ID 467181 The TMM can core if forced to shutdown while logging or using iRule side-channels. There is a race condition in the cleanup of existing sockets during shutdown. The variation in 11.2 has only been seen in debug builds of the TMM. In the case of this bug, syslog logging was being used. The log server fell behind, and the logging proxy was still delivering data when its socket was killed. This code was refactored in later releases to shut down "less gracefully" when the TMM is going down. The bug is essentially harmless as it has only occurred during manual shutdown of an instrumented build.
ID 467589 The /usr/share/mysql/ script that ships with a new install (and runs hourly via cron) throws an error. The script is meant to exit if AAM, ASM and PSM are not provisioned, but the check is incorrect, so the script continues and fails later. When /etc/cron.hourly/ (a link to /usr/share/mysql/) runs, the following error is output: Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/ line 27. This occurs on BIG-IP systems with none of AAM, ASM and PSM provisioned. The script gives false output and attempts to execute invalid actions. Workaround: remount /usr read-write (mount -o remount,rw /usr), edit /usr/share/mysql/ and change the original check unless( $provisioned_am || $provisioned_asm || $provisioned_psm ) { exit 0; } to unless( $provisioned_am == 1 || $provisioned_asm == 1 || $provisioned_psm == 1 ) { exit 0; } and then remount /usr read-only again (mount -o remount,ro /usr).
ID 467646 If the device experiences an IDE DMA timeout, some processes become unresponsive and the kernel logs messages containing 'DMA timeout error' in kern.log. An unfulfilled request from the kernel of the IDE device might result in uninterruptible, stuck processes. This occurs on VIPRION B4100/B4100N (A100), B4200/B4200N (A107) blades and on Virtual Edition (VE) configurations deployed with IDE storage drivers (Xen, Hyper-V). This condition can cause the i/o request to never complete and result in unresponsive and uninterruptible processes. Various symptoms result depending on the affected process. Some conditions might require a power cycle to correct.
ID 467868 The mcpd memory steadily increases until it runs out. Running "strings" on the resulting core file reveals many instances of a monitor error message. Must have a monitor configured that generates an error message. Slow system performance, unexpected crash and failover. Disable the monitor.
ID 468021 When upgrading to 11.5.0 or later from an earlier release, some .ucs files cause the system to run out of memory and the kernel kills the process. You may also see the error "UCS application failed; unknown cause." The .ucs file's bigip.conf contains a section like: ltm profile client-ssl /Common/my-clientssl { ... defaults-from /Common/wom-default-clientssl ... } The problem occurs because /Common/wom-default-clientssl and /Common/clientssl-insecure-compatible are not correctly renamed during upgrade, so the config fixup exits in error and the upgrade to 11.5.0 or later cannot complete. Workaround: change instances of "wom-default-clientssl" and "clientssl-insecure-compatible" to "clientssl" in the configuration files in the UCS archive. Because the replacement parent profile has different cipher and option defaults, review the affected profiles after the upgrade.
ID 468323 bgpd has one occurrence of a SIGSEGV in the bgp_global_delete function while handling SIGTERM. This occurs when the BGP protocol daemon is killed with SIGTERM. It generates a core file but does not impact traffic or system performance.
ID 468472 TCP4 asserts if it receives spurious internal events, producing the assert "../modules/hudfilter/tcp4/tcp4.c:937: %svalid pcb%s". If the TCP filter receives a spurious event, it asserts. This is a general problem with how events are propagated internally, and this bug is one instance of it: here SSL and compression delayed the propagation of events through the HUD chain/filters, so a spurious event reached the TCP filter and triggered the assert. TMM asserts and fails over.
ID 468505 tmsh 'sys crypto' commands fail when executed in tmsh batch mode (inside a 'cli transaction'). Run the 'sys crypto' commands outside of a 'cli transaction', i.e. not in batch mode.
ID 468542 Virtual server with SPDY profile ignores SNAT 'None' setting This occurs on virtual servers that have an associated SPDY profile when the Source Address Translation setting is 'None'. Virtual server with the SPDY profile determines the server-side source address using SNAT Automap, which might result in the incorrect server-side source address.
ID 469035 If the configuration includes encrypted items (such as an LDAP bind password) whose value is an empty string, a SecureVault rekey operation fails with the error: 01071029:5: master_decrypt failed during rekey. This can occur when using the "modify /sys crypto master-key" tmsh command, or when a device is introduced into a Trust Domain. The rekey operation fails, which may result in a ConfigSync failure. Do not use empty strings as passwords. Alternatively, remove the offending configuration object (which may require switching system authentication to a different source), perform the rekey operation, and then recreate the configuration.
ID 469366 A config sync operation might fail with a parent-profile-not-found error even though the parent profile is present in the running configuration of both systems. This occurs when, on the sync target (the system receiving the configuration, which reports the sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified and is therefore present in /config/bigip.conf. An administrator is unable to synchronize system configurations, and the system might post a message similar to: '01020036:3: The requested parent profile (/Common/serverssl) was not found.' Use one of the following workarounds: 1. Manually replicate the changes to the base profile on the system that is sourcing the config sync. 2. Undo the changes to the base profile on the system receiving the config sync (save the configuration, manually remove the base profile from /config/bigip.conf, and reload the configuration), then perform a force sync. 3. Perform a sync in the other direction. Important: syncing in this direction overrides any unsynchronized changes on the other system.
ID 469549 When reviewing /var/log/ltm, a user may see the error: err mcpd[8105]: 01070820:3: User Modification Denied: User (root) may not change the role of system account (admin). This only happens during the first reboot after a software install and has no known impact. If the error appears again at any other time, check the audit log for the source of the modification attempt.
ID 469705 TMM panics with the string "domain != RT_DOMAIN_NONE". This occurs when SIP requests are processed whose Via header lacks an "rport" parameter and the virtual server has a "dialog aware" SIP profile attached. TMM panics. Disable the "dialog aware" option on the SIP profile, or configure SIP OneConnect.
ID 470191 A virtual server with a FastL4 profile that has loose initiation and loose close enabled might cause a tmm core. This occurs when all of the following are met: the virtual server uses a FastL4 profile; the profile has loose initiation and loose close enabled; a TCP FIN is received that is not associated with an existing connection. tmm cores due to a segfault in bigproto, causing a system outage while tmm restarts. Do not enable loose initiation and loose close on the FastL4 profile.
ID 470203 Setting a remote syslog destination to a localhost address results in recursive log messages. This occurs when a loopback address, or a hostname that resolves to one, is configured as a host for syslog's remote-server. Each forwarded message is received and logged again, producing continual log entries until the BIG-IP system runs out of disk space. Use a non-local remote host for syslog's remote-server.
ID 470756 Before sod restarts snmpd due to a heartbeat timeout, there are often no snmpd warning or error logs leading up to the restart. This might occur when snmpd responses are delayed, for example because none of the configured DNS servers can be reached; delayed mcpd responses are typically seen during very high CPU utilization, which might be caused by an over-provisioned BIG-IP system. sod continues restarting snmpd (and generating a core dump) as long as the blocking conditions persist, and traps and MIB queries can be affected during this time. Address the CPU utilization issue and any communication issues with the configured DNS servers.
ID 470807 When an iRule references a data-group that is not in the Common partition without giving its full path, no error is raised when the iRule is saved or at runtime. This occurs when a user saves an iRule that references a data-group outside Common without an explicit path to it. Saving such an iRule can cause all traffic to fail.
ID 471059 A malformed cookie pair (a value containing a space) that appears before the BIG-IP persistence cookie in the Cookie header causes the persistence cookie to be ignored. This occurs when the HTTP request contains a malformed cookie value before the BIG-IP system persistence cookie, for example: Cookie: foo=bar =bar; BIGipServerhttp=60361226.20480.0001. Persistence is ignored for the request.
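As an added example (not from the release note and not F5 code), the following Python parses the Cookie header quoted above, first with a parser that gives up at the first malformed pair, which reproduces the symptom described, and then with a tolerant parser that skips the bad pair and still recovers the persistence cookie. It also decodes the classic unencrypted BIGipServer<pool> value, whose format (pool member IPv4 address as a little-endian 32-bit integer, then port as a little-endian 16-bit integer, then four digits) discloses the back-end address to the client; that disclosure is why encrypted persistence cookies are generally recommended. Note that a client can trigger the parsing failure deliberately by sending a malformed pair ahead of the persistence cookie. The strict parser models the symptom, not the product's actual implementation.

```python
import re
import socket
import struct

# Cookie header quoted in the release note (the first pair is malformed:
# its value contains a space).
COOKIE_HEADER = "foo=bar =bar; BIGipServerhttp=60361226.20480.0001"

# One cookie-pair: token "=" token, with no whitespace inside either side.
_PAIR = re.compile(r"^([^=;\s]+)=([^;\s]*)$")


def parse_cookies_strict(header):
    """Models the failure mode: give up at the first pair that is not a
    clean name=value token, so every later cookie is lost."""
    cookies = {}
    for raw in header.split(";"):
        m = _PAIR.match(raw.strip())
        if not m:
            break
        cookies[m.group(1)] = m.group(2)
    return cookies


def parse_cookies_lenient(header):
    """Tolerant alternative: skip an unparseable pair and keep going."""
    cookies = {}
    for raw in header.split(";"):
        m = _PAIR.match(raw.strip())
        if m:
            cookies[m.group(1)] = m.group(2)
    return cookies


# Classic BIGipServer<pool> value: <ipv4 as LE uint32>.<port as LE uint16>.<4 digits>
_BIGIP_VALUE = re.compile(r"^(\d+)\.(\d+)\.(\d{4})$")


def decode_bigip_persistence(value):
    """Return (ip, port) encoded in an unencrypted BIGipServer cookie value.
    Raises ValueError for values that do not use this format (IPv6 or
    route-domain variants, or encrypted cookies)."""
    m = _BIGIP_VALUE.match(value)
    if not m:
        raise ValueError(f"unrecognised persistence cookie value: {value!r}")
    ip_le, port_le = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        raise ValueError(f"field out of range: {value!r}")
    # Packing the little-endian integer restores network byte order.
    ip = socket.inet_ntoa(struct.pack("<I", ip_le))
    port = struct.unpack(">H", struct.pack("<H", port_le))[0]
    return ip, port


def find_persistence_target(header, parser=parse_cookies_lenient):
    """Locate the first BIGipServer* cookie in a Cookie header and decode it.
    Returns (pool_name, (ip, port)), or None when no persistence cookie
    survives parsing."""
    for name, value in parser(header).items():
        if name.startswith("BIGipServer"):
            return name[len("BIGipServer"):], decode_bigip_persistence(value)
    return None


if __name__ == "__main__":
    print("strict :", find_persistence_target(COOKIE_HEADER, parse_cookies_strict))
    print("lenient:", find_persistence_target(COOKIE_HEADER))
```

With the header from the note, the strict parser returns nothing, while the lenient parser finds BIGipServerhttp and decodes it to pool member 10.10.153.3 port 80.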
ID 471288 tmm might crash when session-related commands are used in iRules. This occurs when both of the following are met: the iRule uses the session or table command, and it does so in the CLIENT_CLOSED or SERVER_CLOSED event. tmm might crash and a failover occurs.
ID 471324 SNAT translation occurs even though the SNAT list is configured with 'vlans-enabled' and 'vlans none'. For example, with the following configuration, shown by tmsh list ltm snat: ltm snat default_snat { origins { { } } translation /Common/ vlans-enabled } translation is not expected, because no VLANs are specified. This occurs with a SNAT list that has the vlans-enabled flag set and no VLANs listed; tmsh list ltm snat all-properties shows: ltm snat default_snat { app-service none auto-lasthop default description none metadata none mirror disabled origins { { app-service none } } partition Common source-port preserve translation /Common/ vlans none vlans-enabled } Translation is not disabled. Workaround: use 'vlans-disabled' together with the list of all VLANs on which translation should be disabled.
ID 471393 Saving very large files in /config results in upgrade failure and system reboots due to resource starvation. This occurs when one or more files are large enough to fill up the /config directory, so that the upgrade or config copy fails for lack of room in /config. The system reboots and cannot complete config operations. Workaround: move enough files out of the /config directory to avoid the problem.
ID 471843 If a user is logged into the GUI, and that user's account has a role added through TMSH, the user is not logged out of the GUI. Other actions result in the user being logged out the GUI, as expected. All changes to the user's account in the GUI will log out the edited user. The user must be logged into the GUI, another user adds a role to the user's account at the same time via TMSH. User is not logged out of the GUI for the "add role" action. No real impact is recorded on the user's experience or on the security of the GUI.
ID 472308 When the management address changes (either as a result of enabling mgmt-dhcp, or the leased address changing), the system does not synchronize this updated address to other devices in the failover device group / trust domain. (That is, the system does not trigger an update to the device_trust_group). This occurs on HA configurations. This can be catastrophic in an HA environment. The sod process discards any HA heartbeat traffic it receives (e.g. over the self IP addresses) that does not contain a 'known' cluster_mgmt_ip.
ID 472573 Cannot set a security officer password of 14 characters (the maximum length). This occurs when an NG FIPS security device is installed, the FIPS security domain is being initialized, and a password of the maximum length (14 characters) is entered. Creating the security officer password fails, and device initialization fails with it. Use a security officer password shorter than 14 characters.
ID 472867 Firefox version 31 or later cannot connect to a BIG-IP system: the browser hangs instead of connecting and displaying the Configuration utility, and no error message is given, so the BIG-IP appears to be down. This occurs when using Firefox version 31 or later. You cannot connect to the BIG-IP Configuration utility with Firefox 31 or later. Use a different browser, or manually regenerate the device's SSL certificate and restart the web server: 1) /usr/bin/openssl req -rand /dev/random -new -sha256 -key /config/httpd/conf/ssl.key/server.key -x509 -days 3650 -out /config/httpd/conf/ssl.crt/server.crt -extensions usr_cert 2) bigstart restart httpd. Regenerating the certificate is preferable to the other documented option, reinstalling Firefox version 30 on a system already running 31 or later, which leaves the client on an outdated browser.
ID 472944 After the STARTTLS handshake, SMTP communication fails for one of the following reasons: BIG-IP responses to the SMTP client are desynchronized (responses do not match the commands issued), or the SMTPS profile activation mode is "require" and BIG-IP responds with "530 Must issue a STARTTLS command first". This occurs on a virtual server with an SMTPS profile when, after the client-side STARTTLS handshake and after BIG-IP has sent an RSET command to the SMTP server, BIG-IP receives a command (such as HELO or EHLO) from the SMTP client before it receives the RSET response from the SMTP server. SMTP communication using the SMTPS profile may intermittently or consistently fail.
ID 473105 With 'pva-acceleration' set to 'guaranteed', the BIG-IP system can take up to five seconds to detect that one of either the client-side or server-side connections has not been offloaded to the ePVA hardware. This occurs with 'pva-acceleration' set to 'guaranteed' and only one of client or server connections is offloaded to hardware. This results in the connection that has not been offloaded being reset five seconds after being established.
ID 473200 Manually renaming a virtual server causes an unexpected configuration load failure. This occurs when reloading a configuration that contains a virtual server with an empty pool that was renamed by editing bigip.conf manually. The configuration cannot be reloaded and the system posts: 01020056:3: Error computing object status for virtual_server broken (<old virtual server name>). Unexpected Error: Loading configuration process failed. Perform any one of the following: a) remove the pool assignment from the virtual server before renaming; b) ensure the pool contains members before renaming; c) after renaming, issue "bigstart restart". Note that some of these workarounds may cause a temporary service disruption.
ID 473213 A failed system fan, which is an emergency-level alert, is shown as a critical alert on the LED and LCD screen. A system fan failure triggers this. A relatively small event raises an unnecessary critical alarm instead of the emergency level; the alarm should be treated at the emergency level, not critical.
ID 473724 If a DC PSU is hot-swapped on a BIG-IP 10000-series or 12000-series appliance but left unpowered, the front panel PSU LED is amber, but no other alert, LCD message or LED indication shows that the appliance is in a non-redundant PSU state. This occurs because FND850 DC PSUs for these appliances do not indicate their presence to the BIG-IP system until external power is applied; the unpowered PSU is therefore not detected, its status is reported as Not Present, and by design no alerts are issued for non-present PSUs. Operators may not be aware that the appliance is left in a non-redundant PSU state after the hot-swap. This is expected behavior. When hot-swapping DC PSUs on these appliances, verify that the operation succeeded: 1. Check that the front panel PSU LED for the newly inserted PSU is green. 2. Check that the status of the newly inserted PSU is reported as Good by 'system_check -d' or 'tmsh show sys hardware'.
ID 474149 SOD posts benign error message: Config digest module error: Traffic group device not found In a failover device group, if the peer device (non self device) has gone through the management IP address change, SOD fails to clean the old IP address from its internal storage, so the system subsequently and incorrectly behaves as if there is a 'configuration data inconsistent' error. System posts the benign message notice sod[8118]: 010c0062:5: Config digest module error: Traffic group device not found.
ID 474179 SOAP monitors configured with a leading ':' in the URL path fail. Enabling monitor debug provides additional clues, indicating "Error calling getaddrinfo". This occurs with a SOAP monitor whose URL path begins with ':'. The monitor fails unconditionally. RFC 3986, section 3.3 permits ':' within path segments, but the first segment of a relative-path reference must not contain a colon, because it would be read as a scheme delimiter. If the path genuinely begins with a colon, give it a leading slash (e.g. "/:") or percent-encode the colon as %3A.
ID 474226 LB_FAILED may not be triggered if the persisted pool member is down. This occurs when all of the following exist: the incoming connection carries a cookie matching a persistence entry; the persisted pool member has been marked down; no other pool members are available. Because LB_FAILED does not fire, the LB::reselect command cannot be used to recover.
ID 474358 When saving and loading a configuration, a child monitor with no password set incorrectly inherits the password set on its parent monitor. This occurs when a child monitor without a password is created that inherits from a monitor that does have a password defined. The monitor might not work as expected. Workaround: create the parent monitor without a password and inherit from a parent that contains no password. This may require two base or parent monitors: one with a password and one without. Alternatively, use only the base monitor without a password and set the password on each derived monitor.
ID 474388 Certain conditions might produce error messages similar to the following, in the core file/tmm.log: -- RVAvpBigIP01 notice RIP=0x8cc872 -- RVAvpBigIP01 notice session_process_pending_event_callback ERROR: could not send callback to - ERR_NOT_FOUND. This occurs because of a race condition, for example, one between the HTTP and APM-related profiles during which an APM-profile-related action completes after the HTTP-profile closes the connection. When the APM profile attempts to access the closed connection, TMM restarts.
ID 474797 If malformed SSL packets are sent to the BIG-IP, the following error can be logged to /var/log/ltm: Device error: cn9 core general crypto codec cn-crypto-4 queue is stuck. This occurs when malformed SSL packets are sent to the BIG-IP. Error logs appear in /var/log/ltm.
ID 474983 If the connection limit of a pool member has been reached, 'tmsh show ltm virtual' does not reflect that status. This requires a pool member whose connection limit has been met. TMM processes traffic correctly; this is only a visibility issue in tmsh. Workaround: refresh the pool member status with 'tmsh show ltm pool <name> member', or view it in the GUI.
ID 475525 Connections fail to pass data and may be reset unexpectedly. "This can occur when the following conditions are met: - Virtual uses OneConnect profile. - Virtual uses serverssl profile with unclean-shutdown disabled. - Backend pool member generates an ssl/close_notify alert but does not send a tcp/fin." Connection loss. Disable OneConnect profile.
ID 475584 The ingress packet count differs from the egress packet count, no counter shows the dropped packets, and an ICMP Destination Unreachable error is sent. This occurs with IPv4 and a static route when there is no MAC address for the next hop and the ARP request is delayed or times out, which can happen with an early burst of traffic and a delayed ARP reply. Diagnosing the reason for the lost packets is difficult or impossible. Workarounds: create a static ARP entry for the neighbor/gateway, or use a monitor.
ID 475791 tmm_panic occurs ("valid pcb") when a connection is being closed and the ramcache feature is able fulfill an incoming request. "Assert may occur when the following conditions are met: - Virtual uses ramcache profile - Virtual has mirroring enabled - Device is in standby - Active unit is unable to fulfill incoming HTTP request (ramcache entry is invalid / no pool members) - Standby unit is able to fulfill mirrored request (ramcache entry is valid)" Standby unit becomes temporarily unavailable Do not use ramcache profile and connection mirroring feature together
ID 475896 Running 'load sys config from-terminal' with an external-monitor definition (sys file external-monitor ext_monitor { source-path ... }) does not work. The system posts: Failed: name (/Common/<name>) cache path expected to be non empty. This prevents using cut and paste to configure external monitors.
ID 476136 On VIPRION B2250 and B4300/B4340N blades, you might encounter log entries of this type: notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE): error 01140012 or notice HA: ha_enabled_put(daemon_heartbeat, tmm, TRUE): error 01140012. This occurs only on VIPRION B2250, B4300, B4340N blades. The system posts the error messages. These messages are benign and can be safely ignored.
ID 476218 If the ePVA drops an evict command, the flow can be orphaned in the ePVA. Orphaned flows occupy ePVA space and can therefore increase hash collisions. This occurs in guaranteed mode. Impact: hash collisions and orphaned flows.
ID 476398 The TCP profile options Receive Window and Send Buffer are not used. TCP profile has Mptcp, Rate Pacing, or Limited Transmit Recovery enabled, or congestion algorithms illinois, woodside, westwood, cdg, chd, cubic, or vegas are selected. This prevents configuring these settings. TCP Auto Tuning can be disabled by modifying a sys db variable. tmsh modify sys db tm.tcpprogressive.autobuffertuning value disable.
ID 476544 mcpd runs out of memory when a connection's send message queue holds a large number of messages. The connection's m_current_msg_byte_cnt is high but does not account for the entire 2 GB virtual memory space. mcpd cores and restarts if it runs out of memory.
ID 476708 In a very specific mesh network configuration as shown in the SR, BGP does not correctly update TMOS when a ECMP path that had become unavailable comes back up. Using the mesh network topology in this bug, disable the downstream ECMP link such that one of the two equal cost paths becomes unavailable. Then re-enable the downstream ECMP link. ECMP does not function as desired because both available paths are not utilized. This can only be recovered by clearing the BGP connection on the affected ECMP path.
ID 476920 RESOLV::lookup does not resolve an IP address unless the route domain is given as part of the address (ip_address%<route domain id>). This occurs when the address is given without %<route domain id>. The route domain ID must be provided explicitly with the IP address.
ID 477232 When using a LSN pool with persistence mode address, in addition to reusing the same translation address for subsequent connections, the translation port also persists and is reused. LSN pool with persistence mode address. Poor utilization of available translation ports and very high levels of port reuse. In the case of TCP connections this port reuse can cause servers to reject connections because a previous connection is in the TIME_WAIT state.
ID 477375 Rarely, the SASP monitor cores. This occurs when the SASP monitor is configured in push mode. When the monitor cores, a pool member gets marked down, which might lead to an outage. This occurs rarely.
ID 477705 The 'untrusted-cert-response-control=drop' setting is not honored. This occurs when a virtual server is deployed with a Server SSL profile configured to request the server certificate and drop the connection if the certificate is untrusted. The SSL handshake is not dropped as configured, so the connection to a server presenting an untrusted certificate proceeds.
ID 477742 The DTLS message sequence number is incorrect. This occurs when SSL over UDP (DTLS) is configured. It causes incompatibility with some SSL clients, for example OpenSSL 1.0.1j; older OpenSSL versions work.
ID 477786 Depending on the release, a SYN packet sent to a self IP address whose Port Lockdown is set to Allow None is either answered with a RST or silently dropped. With Port Lockdown set to Allow None, behavior differs between releases: in 11.3.0 and 11.4.1 the BIG-IP replies to the SYN with a RST; in 11.4.0, 11.5.1, and 11.6.0 it does not reply (the note refers to this as REJECT). The result is inconsistent behavior between versions: sometimes a RST in response to a SYN on a closed port, sometimes nothing. Because the traffic is not allowed in either case, the lockdown itself is not affected; the difference is only visible to a client or scanner probing the self IP.
ID 477992 The log is never created. Error messages in /var/log/ltm stating the log file cannot be opened. Create pool members via an iApp, and attempt to enable logging on the pool member. No logging, error messages. If logging is required, bigdlog is also available: 'tmsh modify sys db bigd.debug value enabled'.
ID 478920 SIP::discard is applied only to the first two request messages; subsequent requests are allowed to pass through. This occurs with the following iRule present: when SIP_REQUEST { SIP::discard }. The iRule is not invoked for all SIP request messages.
ID 478922 Turning on ICSA logging for non-ESP packets produces log lines such as: Aug 21 10:47:17 2000a info tmm1[10347]: 01070417:6: ICSA: source: %A, destination: %A, spi: 0x%x, seqno: 0x%x ESP packet discarded: "inbound". This occurs when ICSA logging is enabled and connections are sent through the BIG-IP; entries like the one above, with unexpanded format specifiers, appear in /var/log/ICSA. ICSA logging misses information that is required for certification.
ID 478986
Symptoms: When power is removed from a PSU but the PSU remains in the system, 'tmsh show sys hardware' reports the PSU as 'not-present'.
Conditions: An installed DC-powered PSU loses power, and the user runs 'tmsh show sys hardware'.
Impact: Only the message is incorrect. Although the PSU is present, the system cannot read its data without power, so it marks the PSU 'not present'.
Workaround: Once power is restored, all information is available.

ID 479176
Symptoms: TMM attempts a DNS database load while starting.
Conditions: This is a potential race condition that might occur intermittently after a restart.
Impact: One thread hangs indefinitely, and tmm receives a SIGABRT after a period of time.

ID 479262
Symptoms: 'readPowerSupplyRegister error' is logged in the LTM log when a DC PSU loses power.
Conditions: A DC-powered PSU loses power; the error is logged because PSU data is not available without power.
Impact: Cosmetic. Erroneous LTM log messages.

ID 479670
Symptoms: If a licensing operation happens when the vCMP host and a guest have different blades as primary, the status may show an incorrect number of downed links.
Impact: Cosmetic.
Workaround: Ensure that the host and guest have the same blade as primary.

ID 480686
Symptoms: On an active VIPRION or vCMP guest with a VLAN Group configuration, CPU usage unexpectedly rises, and traffic flowing through the device may experience high latency and packet drops. A packet capture shows packets looping internally between VLAN members of the VLAN Group.
Conditions: This occurs when using a VLAN Group (in Translucent or Transparent mode) on VIPRION hardware (including a vCMP guest of a VIPRION), and an IP address conflict exists between the BIG-IP and another device on the VLAN Group. Note: The device causing the IP conflict may be unrelated to the packets found looping in a packet capture.
Impact: High CPU usage and a potentially unresponsive GUI. Traffic flowing through the VLAN Group may experience high latency and packet drops, and the self IP on the affected VLAN becomes almost impossible to reach.
Workaround: Disable the vlangroup.flow.allocate db variable to prevent flow creation for VLAN Group forwarded packets. Locating and removing the conflicting IP address removes the triggering condition.
ID 481001
Symptoms: Software auto-update settings are not synced between two devices in a sync group.
Conditions: Perform a full sync between systems that have different auto-update settings.
Impact: Software auto-update settings are not consistent across the two devices.

ID 481082
Symptoms: After performing a full sync, the auto-update settings of the target machine are reset to defaults.
Conditions: Perform a full sync between systems that have different auto-update settings.
Impact: Auto-update settings can get out of sync and be incorrect.
Workaround: After a full sync, ensure that the auto-update settings on both systems are set as desired.

ID 481089
Symptoms: After performing a full sync, the BIG-IP systems sometimes remain out of sync.
Conditions: A full sync is performed while there is more than one active connection to mcpd, and one of those connections is dropped before the sync completes.
Impact: The BIG-IP systems remain out of sync even after a sync operation.

ID 481138
Symptoms: Duplicate IS-IS routes appear in the router.
Conditions: IS-IS routing is in use.
Impact: Duplicate IS-IS routes in the router.

ID 481162
Symptoms: The vs-index field on virtual servers should be the same on every blade, but is not.
Conditions: This applies on any chassis.

ID 481647
Symptoms: The OSPF daemon might assert on receiving a Link State (LS) Update whose LSA header length is greater than 255 bytes.
Conditions: A received LSA header is greater than 255 bytes in length.
Impact: The OSPF daemon asserts and generates a core, which might cause a service outage. Because the trigger is a received update, an OSPF neighbor that delivers such an LSA to the BIG-IP can cause the outage.

ID 481696
Symptoms: You might see the failover error message 'sod out of shmem' in /var/log/ltm.
Conditions: The conditions under which this occurs vary with the configured shared-memory usage.
Impact: Failover might not function fully. The system posts the message 'err sod[6300]: 01140003:3: Out of shmem, increment amount'; the size of the shared-memory table is set in /etc/ha_table/ha_table.conf.
Workaround: Manually modify /etc/ha_table/ha_table.conf, changing this line:
ha segment path: /sod table pages: 2
to this:
ha segment path: /sod table pages: 4
Save the file and reboot the system.
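The ha_table.conf edit above is a one-line change, but it is easy to get wrong by hand on a system that is already partially tuned. The following script, added here as an example and not F5 code, applies the change idempotently: it touches only the '/sod' segment line, never lowers a value that is already higher, and reports whether anything changed, so running it twice is safe. It is written for Python 3; if the BIG-IP's own Python is older, run it from a workstation against a copy of the file. SAMPLE is constructed from the single line quoted in the release note; the second, '/other' line is hypothetical and only shows that other segments are left alone.

```python
"""Raise the sod shared-memory table size (ID 481696).

Added example, not F5 code. Rewrites 'ha segment path: /sod table pages: N'
to the target page count when N is lower, leaving every other line as-is.
"""
import re
import shutil
import sys
from typing import Tuple

SOD_LINE = re.compile(
    r"^(?P<prefix>ha segment path: /sod table pages: )(?P<pages>\d+)\s*$"
)


def bump_sod_pages(text: str, target: int = 4) -> Tuple[str, bool]:
    """Return (new_text, changed); only the /sod segment line can change."""
    out, changed = [], False
    for line in text.splitlines():
        m = SOD_LINE.match(line)
        if m and int(m.group("pages")) < target:
            line = f"{m.group('prefix')}{target}"
            changed = True
        out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


# Constructed sample: first line is the one quoted in the release note,
# the '/other' segment is hypothetical.
SAMPLE = (
    "ha segment path: /sod table pages: 2\n"
    "ha segment path: /other table pages: 2\n"
)

if __name__ == "__main__":
    # Usage on the BIG-IP: python3 bump_sod.py /etc/ha_table/ha_table.conf
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ha_table/ha_table.conf"
    with open(path) as f:
        original = f.read()
    updated, changed = bump_sod_pages(original)
    if changed:
        shutil.copy2(path, path + ".bak")  # keep the pre-change file
        with open(path, "w") as f:
            f.write(updated)
        print(f"{path} updated; reboot so sod picks up the new table size")
    else:
        print(f"{path} already at or above the target; nothing changed")
```

The reboot is still required after the edit, since sod reads the table size only at startup.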
ID 482204
Symptoms: Attempts to modify the ssh daemon logging level have no effect. The log level is always "info" (the system default).
Conditions: Modify the sshd log-level. For example, even after the following operation, sshd continues to log info-level messages:
# tmsh modify /sys sshd { log-level error }
Impact: Users are unable to change the sshd log verbosity, so ssh logs can neither be filtered down nor raised for more detailed auditing.

ID 483228
Symptoms: A race condition in the terminate handler of the icrd_child process causes it to crash and generate a core.
Conditions: Intermittent.
Impact: No functional impact.

ID 483257
Symptoms: Keys without the .key extension (and certificates without the .crt extension) cannot be deleted using the GUI or iControl.
Conditions: Certificate or key files created without the .key/.crt extension (for example, using gencert commands).
Impact: The objects cannot be deleted from the GUI or iControl.
Workaround: Delete the key/cert using tmsh. For example:
tmsh delete sys crypto key abc
tmsh delete sys crypto cert abc

ID 483353
Symptoms: TMM may crash in HTTP compression under low-memory conditions when it is unable to initialize the compression provider.
Conditions: HTTP compression is configured and TMM is low on memory.
Impact: TMM crashes and a traffic outage may occur.
Workaround: Remove HTTP compression from the virtual server to avoid the issue.

ID 483539
Symptoms: Due to an incorrect MSS value, TMM might core because the outgoing packet attempts to use TSO based on that MSS value, which is not correct. This can result in a crash with the following stack trace:
#2 <signal handler called>
#3 tcp_tso_pkt_cleanup at ../netinet/tcp_tso.c:136
#4 tcp_tso_split (orig_pkt=0x570001574680) at ../netinet/tcp_tso.c:487
#5 nexthop_tso_output (nexthop=<value optimized out>, orig_pkt=0xe) at ../net/nexthop.c:395
#6 flow_output (cf=0x5700010c0700, pkt=0x570001574680) at ../base/flow_table.c:1861
#7 bigproto_output (cf=0x5700010c0700, conn=0x218, pkt=0x570001574680) at ../modules/hudproxy/bigproto/bigproto.c:3035
Conditions: A virtual server using FastL4 receives a SYN packet that carries TCP options but no MSS option.
Impact: If this issue occurs, TMM cores, resulting in a failover or reboot of the system. Note that the triggering SYN is a packet received from the network, not a configuration error.

ID 483953
Symptoms: When traffic has an apparent path MTU of less than TM.MinPathMTU, LTM inserts a route metric entry of TM.MinPathMTU. This entry does not benefit the eliciting endpoint in any way. Worse, it is to the detriment of other clients behind the same address that might benefit from a higher MTU.
Conditions: A low-MTU endpoint is present on the network.
Impact: LTM may enforce a suboptimal MTU.

ID 484245
Symptoms: Using the GUI to delete a network firewall rule causes a change to other rules that specify ports.
Conditions: A firewall rule is deleted in the GUI while other rules are limited to specific ports.
Impact: The port changes to 'any' in all network firewall rules that specify ports. For example, any firewall rule that matches traffic on port '80' changes to match on port 'any' when this issue occurs. Because the rules widen silently, an accept rule that was scoped to one port now accepts every port; audit the policy after any deletion made in the GUI.
Workaround: Use tmsh, iControl, or BIG-IQ to manage firewall rules. Alternatively, use port lists instead of specifying ports directly; a port list may contain a single port.
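The dangerous part of ID 484245 is that the widened rules look normal afterwards. The script below, added here as an example and not F5 code, compares two snapshots of a policy's rule collection, taken before and after a deletion, and names the rules whose destination ports were specific before and unrestricted after. The JSON shape follows the iControl REST rules collection as the author understands it ("items", each rule with "destination" holding "ports" and "portLists"), but the two snapshots are constructed for this example, so check the field names against a real response from your system before relying on it.

```python
"""Detect firewall rules whose port restriction was widened to 'any' (ID 484245).

Added example, not F5 code. Feed it the rules collection of a policy
captured before and after deleting a rule in the GUI.
"""
import json
from typing import Dict, List, Set


def rule_ports(rule: dict) -> Set[str]:
    """Destination port constraints a rule carries.

    Explicit ports and port-list references both count as a restriction;
    an empty set means the rule matches any port.
    """
    dest = rule.get("destination", {})
    ports = {p["name"] for p in dest.get("ports", [])}
    ports |= {"list:" + pl["name"] for pl in dest.get("portLists", [])}
    return ports


def snapshot(collection: dict) -> Dict[str, Set[str]]:
    """Map rule name to its port constraints."""
    return {r["name"]: rule_ports(r) for r in collection.get("items", [])}


def widened_rules(before: dict, after: dict) -> List[str]:
    """Rules present in both snapshots that were port-restricted before
    and match any port after: the ID 484245 symptom."""
    b, a = snapshot(before), snapshot(after)
    return sorted(n for n in b if n in a and b[n] and not a[n])


# Constructed sample: 'drop-telnet' was deleted in the GUI. The rules that
# named ports directly lost them; the rule using a port list kept it.
BEFORE = json.loads("""{"items": [
  {"name": "allow-http",  "action": "accept",
   "destination": {"ports": [{"name": "80"}]}},
  {"name": "allow-https", "action": "accept",
   "destination": {"ports": [{"name": "443"}]}},
  {"name": "allow-ssh",   "action": "accept",
   "destination": {"portLists": [{"name": "/Common/ssh-ports"}]}},
  {"name": "drop-telnet", "action": "drop",
   "destination": {"ports": [{"name": "23"}]}},
  {"name": "drop-rest",   "action": "drop", "destination": {}}
]}""")

AFTER = json.loads("""{"items": [
  {"name": "allow-http",  "action": "accept", "destination": {}},
  {"name": "allow-https", "action": "accept", "destination": {}},
  {"name": "allow-ssh",   "action": "accept",
   "destination": {"portLists": [{"name": "/Common/ssh-ports"}]}},
  {"name": "drop-rest",   "action": "drop", "destination": {}}
]}""")

if __name__ == "__main__":
    for name in widened_rules(BEFORE, AFTER):
        print(f"rule {name}: port restriction lost, now matches any port")
```

Rules that already matched any port (drop-rest above) are ignored, and the deleted rule itself is not reported because it is absent from the second snapshot.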
ID 485189
Symptoms: TMM might crash and generate a core if it is unable to find a persistence cookie.
Conditions: The specific conditions are unknown; the issue is possibly due to a virtual server with cookie persistence enabled combined with iRules that disable persistence.
Impact: System outage.

ID 485232
Symptoms: After re-enabling a blade, it does not go active even though its mate blade is active.
Conditions: HA group scoring is in use, the HA scoring is weighted equally among peers, and the peer has its blades enabled.
Impact: The standby blade does not take traffic.
Workaround: Fail the system over to the peer by disabling its blades, then enable them and fail back (if desired).

ID 485244
Symptoms: The 'halt' command now powers off various platforms after halting the system.
Conditions: Any BIG-IP platform based on the CentOS 6 distribution (11.7.0 and later).
Workaround: Issue 'shutdown -H now' on any system to halt the platform without powering off.

ID 485327
Symptoms: By default, the tmsh cli global-settings service value is 'name', which means that in the saved configuration ports are stored by service name rather than by port number.
Conditions: This occurs when upgrading. Loading a UCS configuration that contains port names fails on upgrade if a port name is not present in /etc/services on the upgraded version. The failure message appears similar to the following:
The requested value (*:hosts2-ns }) is invalid (<ip addr> | <member>) for 'dest' in 'monitor'.
Workaround: Run the following tmsh command before saving the UCS file, so that the configuration is saved with port numbers:
(tmos)# modify cli global-settings service number
The configuration then loads successfully on upgrade.
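Before an upgrade it is worth knowing which service names in the saved configuration the target release will fail to resolve, rather than discovering it from the load error. The script below is an added example, not F5 code: it scans bigip.conf text for '<ipv4-or-*>:<name>' destinations, reports the names absent from a set of names known to the target, and can rewrite them to numbers using the source system's own mapping, which is the same effect as saving with 'service number'. The config snippet and both service tables are constructed for the example; on a real system build SOURCE_SERVICES from the source box (socket.getservbyname or /etc/services) and TARGET_NAMES from the target release's /etc/services. IPv6 destinations, which use a different separator, are deliberately not handled.

```python
"""Pre-upgrade check for service names in a BIG-IP config (ID 485327).

Added example, not F5 code. Finds 'host:service-name' destinations whose
name the target release cannot resolve, and optionally rewrites them to
port numbers using the source system's mapping.
"""
import re
from typing import Dict, List, Set, Tuple

# IPv4 address or '*', a colon, then a service name starting with a letter
# (numeric ports need no conversion and are not matched).
DEST_RE = re.compile(
    r"(?P<host>\*|(?:\d{1,3}\.){3}\d{1,3}):(?P<svc>[A-Za-z][A-Za-z0-9_.+-]*)\b"
)


def unresolvable_services(config_text: str, target_names: Set[str]) -> Dict[str, List[int]]:
    """Map each service name missing from target_names to the 1-based
    config line numbers that use it."""
    missing: Dict[str, List[int]] = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for m in DEST_RE.finditer(line):
            name = m.group("svc")
            if name not in target_names:
                missing.setdefault(name, []).append(lineno)
    return missing


def rewrite_to_numbers(config_text: str, source_services: Dict[str, int]) -> Tuple[str, List[str]]:
    """Replace 'host:name' with 'host:number' from the source mapping.
    Names the source cannot map are left untouched and returned."""
    unmapped: List[str] = []

    def sub(m: "re.Match") -> str:
        name = m.group("svc")
        if name in source_services:
            return f"{m.group('host')}:{source_services[name]}"
        unmapped.append(name)
        return m.group(0)

    return DEST_RE.sub(sub, config_text), sorted(set(unmapped))


# Constructed tables: the source system knows all four names, the target
# release's /etc/services lacks 'hosts2-ns' (port 81) and 'myapp'.
SOURCE_SERVICES = {"http": 80, "https": 443, "hosts2-ns": 81, "myapp": 8080}
TARGET_NAMES = {"http", "https"}

# Constructed bigip.conf fragment in the name-based form.
CONFIG = """ltm monitor tcp /Common/mon-81 {
    destination *:hosts2-ns
    interval 5
}
ltm pool /Common/web {
    members {
        /Common/10.1.1.10:http { }
        /Common/10.1.1.11:https { }
        /Common/10.1.1.12:myapp { }
    }
}
ltm virtual /Common/vs-web {
    destination /Common/10.1.1.100:http
}
"""

if __name__ == "__main__":
    for name, lines in unresolvable_services(CONFIG, TARGET_NAMES).items():
        print(f"{name}: not in target /etc/services, used on lines {lines}")
    converted, unmapped = rewrite_to_numbers(CONFIG, SOURCE_SERVICES)
    print(converted)
    if unmapped:
        print("could not map:", unmapped)
```

Running the check against the real bigip.conf before saving the UCS turns the post-upgrade load failure into a pre-upgrade report.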
ID 485432
Symptoms: When the mgmt port's subnet is changed, existing static routes whose gateways are now topologically unreachable are removed.
Conditions: Static routes exist whose gateways will not be on a local subnet after the mgmt port takes on a new network address configuration.
Impact: Services critical for operation such as NTP, SNMP, SMTP and log targets may become unreachable from the BIG-IP, and reconfiguring the mgmt port does not generate a warning.
Workaround: Configure static routes with gateways that are within the local subnet of the mgmt port's addressing.

ID 485714
Symptoms: A log message similar to the following appears in /var/log/ltm:
Oct 21 02:23:46 slot2/myvguest1 err bigd[10219]: 01060134:3: Fatal error: An unexpected failure occurred while performing an OpenSSL cryptography operation. Root error: 10219:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:323:
Conditions: A monitor is configured with an encrypted password, and bigd restarts.
Workaround: Enter the plaintext password in the Monitor UI page.

ID 486512
Symptoms: Forwarded auditing messages contain the wrong nas-ip-address attribute. It should be the local IP of the box; instead it is some other, seemingly random IP address.
Conditions: This only reproduces on hardware; it works as expected when the BIG-IP is a VM.
Impact: Certification cannot be passed because configuration auditing is not working properly (invalid NAS IP address).

ID 486722
Symptoms: The default config-sync timeout is 300 seconds. This is not sufficient when the configuration includes thousands of FIPS keys; the config-sync operation times out and reports failure.
Conditions: A FIPS HA setup with thousands of FIPS keys in the configuration.
Impact: Config-sync fails.
Workaround: Follow the steps in 'Fix Text' to increase the timeout value.

ID 487625
Symptoms: Manually corrupting the filestore causes qkview to hang.

ID 487660
Symptoms: Log messages similar to the following appear:
Oct 29 10:31:00 slot1/Smart debug tmm9[25268]: 01670012:7: [0.9] Translation failed client,10096
Oct 29 10:31:00 slot1/Smart debug tmm9[25268]: 01670012:7: [0.9] Translation failed client,10097
Oct 29 10:31:00 slot1/Smart debug tmm9[25268]: 01670012:7: [0.9] Translation failed client,10098
Conditions: Persistence mode is set in the LSN pool, combined with the SPDAG VLAN hash.
Impact: Translation failures.
Workaround: Over-provision the LSN pool.

ID 487798
Symptoms: Racoon cores and connection issues occur with IPsec between the BIG-IP system and an Azure client.
Conditions: IKE logging level debug2 is enabled. The BIG-IP system's phase 2 algorithm is SHA1, and Azure's phase 2 algorithms are SHA2 and SHA1, in that order.
Impact: This is a configuration issue. The BIG-IP system offers SHA1 as its phase 2 algorithm, while Azure supports SHA2 and SHA1. When the BIG-IP system is the initiator and proposes SHA1 for phase 2, Azure rejects the proposal with NO-PROPOSAL-CHOSEN, because Azure checks the BIG-IP proposal against SHA2 only. When Azure is the initiator and proposes SHA2 and SHA1 for phase 2, the BIG-IP system as responder selects SHA1 and the tunnel comes up. A racoon core is seen once, and some connection issues might occur as a result of failed IPsec SA re-key attempts. The crash itself is caused by a logging problem that appears only when the IKE logging level debug2 is enabled. Two practical consequences follow: the core can be avoided by not leaving IKE logging at debug2 on a production tunnel, and a BIG-IP-initiated tunnel will keep failing until the BIG-IP phase 2 hash is one that Azure accepts.
ID 488188
Symptoms: qkview removes its temporary files on exit. If qkview is killed externally, for example by Ctrl-C, its temporary files remain on disk, which can contribute to a disk filling up with garbage data.
Conditions: qkview is running and is killed with a signal.
Impact: Superfluous files remain in /var/tmp (and possibly elsewhere).
Workaround: Delete the leftover files in /var/tmp.

ID 488581
Symptoms: 'SSL::disable clientside' inside HTTP_REQUEST might cause a tmm core with a SIGSEGV if a crypto operation is in progress when the iRule makes the request.
Conditions: An iRule contains 'SSL::disable clientside' inside HTTP_REQUEST, and a crypto operation is in progress when HTTP_REQUEST fires.
Impact: TMM dumps a core file and the system fails over.
Workaround: Do not put 'SSL::disable clientside' inside HTTP_REQUEST.

ID 489013
Symptoms: The SSD LCD RAID status menu shows incorrect messages when a single SSD is installed.
Conditions: This occurs on the BIG-IP 7000, 10000, and 12000 series platforms when there is one SSD in the two-bay unit.
Impact: On both the LCD and in the output of 'tmsh show sys raid', the system reports that the drive in bay one is undefined and the drive in bay two is missing. This is a cosmetic issue; the drive functions correctly.

ID 489015
Symptoms: An LTM request-log profile that references a non-existent pool passes validation in 11.1, but fails beyond 11.2. This can cause a load failure when rolling forward the configuration. Other possibly affected classes are DNS Zone, iFile, SSL profile, and Auth configuration.

ID 489089
Symptoms: The BIG-IP system cannot detect the PSU state without a power cable.
Conditions: This occurs on 12050s/12250v and 10350vN platforms when a PSU is removed and re-inserted with no power cable.
Impact: This negatively affects the system's ability to alert on a faulty DC PSU. When the DC PSU is installed but not powered (either because of a lack of power or because the PSU is faulty), there is no alert, and the absence of an alert implies that PSU redundancy is in place. If the primary PSU then fails, the entire system goes down, even though the redundant PSU is present.
Workaround: To get an indication of PSU functionality, query the PSU status with 'tmsh show sys hardware'. If there is no power cable, the result indicates that the PSU is not present, which can prompt corrective action. Plug the power cable into the PSU; the system can then detect the power supply status and read the PSU information.

ID 489153
Symptoms: A log entry similar to the following appears in /var/log/ltm:
Nov 6 13:33:26 6900s-2 err tmm1[15040]: 01240011:3: Compression license limit of 50 Mbit/s exceeded today.
Conditions: This can occur once both of the following have happened: 1. The compression limit has been exceeded in the past 24 hours. 2. An add-on license for an unlimited compression limit has been installed.
Impact: Unexpected log entry.
ID 489732
Symptoms: With a 4300/4340 blade and a 40 GB bundled interface (four 10 GB interfaces) connected to a Brocade switch, the interfaces remain down after a reboot.
Conditions: A 40 GB bundled interface on a 4300/4340 blade is connected to a Brocade switch.
Impact: Interfaces remain down, causing loss of connectivity.
Workaround: Disable and then re-enable the affected interface on the BIG-IP system.

ID 490121
Symptoms: PVA current and maximum stats are incorrectly reported when using a FastL4 profile with a SERVER_CONNECTED iRule event. For each connection that is established, the current connection count is incremented twice and decremented only once when the connection is terminated. This leaves a lingering connection in the count, which skews the stats.
Conditions: A FastL4 virtual server with a SERVER_CONNECTED iRule event.
Impact: The current and maximum PVA stats are incorrectly reported.

ID 490139
Symptoms: Loading iRules from an iRule file deletes the last few comment lines immediately preceding the closing bracket.
Conditions: This occurs when loading an iRule file from versions prior to 11.5.1.
Impact: Although the comments are removed, iRule functionality is not affected.
Workaround: Put comments in places other than immediately above the closing bracket.

ID 490329
Symptoms: The front panel LED status of an SFP+ pluggable module interface may show link when only the RX fiber of an LC duplex cable is connected.
Workaround: Fully connect both the RX and TX fibers of the LC duplex cable to the SFP+ pluggable module.

ID 491791
Symptoms: Performing a GET on a nonexistent pool member does not return an error.
Conditions: This occurs when using iControl REST with nonexistent pool members.
Impact: The returned response typically indicates an almost-empty resource instead of a not-found error, so a client that treats "no error" as "member exists" is misled.
Workaround: Use a GET on the members collection to retrieve all members, and iterate through the items returned to determine whether a pool member exists.
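Because the per-member GET cannot be trusted on this release, the existence check has to be done client-side over the whole collection. The script below is an added example, not F5 code: it normalises a member name to its fullPath, searches the collection for it, and reports which of a list of expected members are absent. The members collection JSON is constructed in the shape iControl REST uses as far as the author knows ("items", each with "name", "partition", "fullPath"); fetch_members() is the network wrapper for a real system and is only called when the BIGIP_HOST, BIGIP_USER and BIGIP_PASS environment variables are set.

```python
"""Pool member existence check over iControl REST (ID 491791).

Added example, not F5 code. Fetches the members collection and looks the
member up by fullPath instead of trusting a per-member GET.
"""
import base64
import json
import os
import ssl
import urllib.request
from typing import Dict, List, Optional


def member_path(name: str, default_partition: str = "Common") -> str:
    """Normalise '10.1.1.10:80' or '/Common/10.1.1.10:80' to a fullPath."""
    return name if name.startswith("/") else f"/{default_partition}/{name}"


def find_member(collection: Dict, name: str) -> Optional[Dict]:
    """Return the member item whose fullPath matches 'name', else None."""
    wanted = member_path(name)
    for item in collection.get("items", []):
        full = item.get("fullPath") or f"/{item.get('partition', 'Common')}/{item['name']}"
        if full == wanted:
            return item
    return None


def missing_members(collection: Dict, expected: List[str]) -> List[str]:
    """Names from 'expected' that are not present in the collection."""
    return [n for n in expected if find_member(collection, n) is None]


def members_url(host: str, pool_fullpath: str) -> str:
    """Members-collection URL; '/Common/web' is encoded as '~Common~web'."""
    encoded = "~" + pool_fullpath.strip("/").replace("/", "~")
    return f"https://{host}/mgmt/tm/ltm/pool/{encoded}/members"


def fetch_members(host: str, pool_fullpath: str, user: str, password: str,
                  verify: bool = True) -> Dict:
    """GET the members collection with HTTP basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(members_url(host, pool_fullpath),
                                 headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify:  # lab systems with self-signed management certs only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


# Constructed sample collection for a pool with two members.
MEMBERS = json.loads("""{"items": [
  {"name": "10.1.1.10:80", "partition": "Common",
   "fullPath": "/Common/10.1.1.10:80", "state": "up"},
  {"name": "10.1.1.11:80", "partition": "Common",
   "fullPath": "/Common/10.1.1.11:80", "state": "user-down"}
]}""")

if __name__ == "__main__":
    host = os.environ.get("BIGIP_HOST")
    if host:
        coll = fetch_members(host, "/Common/web",
                             os.environ["BIGIP_USER"], os.environ["BIGIP_PASS"])
    else:
        coll = MEMBERS
    for name in missing_members(coll, ["10.1.1.10:80", "10.1.1.12:80"]):
        print(f"member {name}: not present in pool")
```

Matching on fullPath rather than on the bare name avoids a false positive when the same address:port exists as a member in another partition.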
ID 493117
Symptoms: After changing the netmask of an advertised virtual address, the address is no longer advertised.
Conditions: An advertised virtual address exists, and its netmask is changed.
Workaround: tmrouted must be restarted whenever the netmask of an advertised virtual address is changed.

ID 493950
Symptoms: A virtual server with unmatched context settings in a profile might block an upgrade.
Conditions: A virtual server is configured with a TCP, UDP, or SCTP profile set with either (context clientside) or (context serverside), but without a corresponding profile for the other proxy side (serverside or clientside, respectively).
Impact: The configuration cannot be upgraded and rolled forward, and the system might post the following error message:
01070734:3: Configuration error: Less than the required minimum number of profiles found on /Common/test-vip5: At least 1 Of but Not more than 1 Of (UDP Profile, TCP Profile, SCTP Profile)
Workaround: There are two workarounds:
1. Before upgrade, modify the existing configuration by either removing the (context) line or adding the corresponding profile for the other context, and then save the UCS file.
2. After a failed attempt to load the UCS file, manually modify the UCS file as described in workaround 1, and then load the file again.

ID 494019
Symptoms: The system matches against the previous Diameter Route application ID after the application ID value is modified.
Conditions: This occurs after modifying the application ID value of a Diameter Route object.
Impact: The Diameter Route might continue to match Diameter messages against the old application ID until tmm is restarted.
Workaround: Always restart tmm after changing the application ID value in a Diameter Route.

ID 494452
Symptoms: When a response-adapt profile is applied to a virtual server, the BIG-IP system sends a FIN on the connection to the server/client before NTLM authentication is fully negotiated, which breaks NTLM authentication.
Conditions: A virtual server configured for NTLM authentication uses a response-adapt profile.
Impact: NTLM authentication does not work.

ID 494815
Symptoms: Some iControl REST DELETE calls fail. These are the calls equivalent to the following tmsh commands (known ones):
tmsh delete ltm dns cache records <cache-type> type <record-type> cache <cache-name>
tmsh delete ltm clientssl ocsp-stapling-responses clientssl-profile clientssl virtual <virtual>
The equivalent iControl REST call, for example:
# curl -sk -u <user>:<pwd> -X DELETE https://localhost/mgmt/tm/ltm/dns/cache/records/rrset?options=cache,<cache-name>
fails with the following error:
{"code":400,"message":"Query parameter options is invalid.","errorStack":[]}
Conditions: Always.
Impact: Unable to delete certain configuration objects (most likely records or cache entries that are not direct configuration objects).

ID 494987
Symptoms: If 'dont-insert-empty-fragments' is removed from the server SSL profile, the connection might hang and fail.
Conditions: dont-insert-empty-fragments is removed from the serverssl profile.
Impact: The server SSL connection can hang and fail.

ID 495215
Symptoms: Attempting to add a Device Management peer results in either of the following errors:
01020036:3: The requested device (/device1) was not found.
or
get_local_device: Exception caught in Management::urn:iControl:Management/Device::get_local_device() Exception: Common::OperationFailed
Conditions: This only occurs with the admin account in iControl SOAP after setting the active folder to one that is not partitioned (such as '/'): System.Session.set_active_folder('/')
Impact: The user is not able to add a peer device to the trust domain.
Workaround: Use an iControl SOAP client to call the following using the admin account: System.Session.set_active_folder('/Common')
ID 495242
Symptoms: The system posts the following message in the mcpd log: Failed to unpublish LOIPC object.
Conditions: This is an intermittent issue that occurs on standby systems in High Availability configurations. The system is attempting to remove a file or directory that does not exist, either because it has already been removed or because it was never created.
Impact: The system posts the following error:
err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_lb-zoc_http.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory).
This is a benign error that can be safely ignored.

ID 495588
Symptoms: The configuration fails with a syntax error after upgrading from a pre-11.5.0 release.
Conditions: When upgrading from a pre-11.5.0 release to version 11.5.0 or later, the key and certificate have an extra period in the name (for example, mykey..key and mycert..crt). Beginning with version 11.5.0, multiple key/cert pairs can be associated with one clientssl profile, so each key/cert pair has a name. During upgrade, the system derives a name for each key/cert, which causes problems if the existing key/cert name contains a period character.
Impact: The configuration load fails, and the system posts the alert:
Syntax Error:(/config/bigip.conf at line: 12) one or more configuration identifiers must be provided.
Workaround: Manually edit bigip.conf to add a name for the cert-key-chain, and then run the command: tmsh load sys config

ID 495862
Symptoms: The virtual server status becomes yellow with a connection-limit alert when all pool members are forced down. The virtual server status reason displays as "The pool member's connection limit has been reached".
Conditions: All pool members are forced down.
Impact: Invalid display of virtual server status.

ID 495875
Symptoms: tmm might enter an infinite loop when selecting an available node for load balancing under heavy traffic conditions.
Conditions: A connection limit is specified for nodes, and traffic is heavy.
Impact: This causes a 10-second tmm heartbeat failure and a SIGABRT in tmm. The device goes offline and traffic processing is disrupted.

ID 500407
Symptoms: The following features are not supported on non-High-Speed Bridge (HSB) platforms when DNS Rapid Response is used:
-- LTM iRules:
   + Virtual server with iRules configured in an attached DNS profile.
   + Execution failure of configured iRules (e.g., for Action Allow).
-- Software DoS functionality:
   + A query may be answered or dropped before software DoS has a chance to execute.
-- All DNS profile options:
   + DNS Cache.
   + DNSSEC.
   + DNS6-4.
Conditions: DNS Rapid Response is used. This occurs on all non-HSB platforms, e.g., VADC (VE). To determine whether a system is an HSB platform, run the Linux command lspci: the presence of the string 'F5 Networks Ethernet controller' indicates a non-HSB platform.
Impact: Some features are not supported when DNS Rapid Response is used, due to performance issues.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.


AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to from the email address you are using to subscribe. Unsubscribe by sending a blank email to

Legal notices