Applies To: BIG-IP AAM, BIG-IP APM, BIG-IP GTM, BIG-IP Link Controller, BIG-IP Analytics, BIG-IP LTM, BIG-IP AFM, BIG-IP PEM, BIG-IP ASM (version 11.5.8 in each case)
BIG-IP Release Information
Version: 11.5.8
Build: 9.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.
Cumulative fixes from BIG-IP v11.5.7 that are included in this release
Cumulative fixes from BIG-IP v11.5.6 that are included in this release
Cumulative fixes from BIG-IP v11.5.5 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.5.4 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.5.3 that are included in this release
Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.5.x
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
723130-4 | 2-Critical | K13996 | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
750488-1 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records |
750484-1 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records |
750472-1 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records |
750457-1 | 3-Major | | Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records |
749774-6 | 3-Major | | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled |
749675-6 | 3-Major | | DNS cache resolver may return a malformed truncated response with multiple OPT records |
Cumulative fixes from BIG-IP v11.5.7 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
716992-5 | CVE-2018-5539 | K75432956 | The ASM bd process may crash |
715923-4 | CVE-2018-15317 | K43625118 | When processing TLS traffic TMM may reset connections |
693744-1 | CVE-2018-5531 | K64721111 | CVE-2018-5531: vCMP vulnerability |
687193-2 | CVE-2018-5533 | K45325728 | TMM may leak memory when processing SSL Forward Proxy traffic |
686305-4 | CVE-2018-5534 | K64552448 | TMM may crash while processing SSL forward proxy traffic |
630446-3 | CVE-2016-0718 | K52320548 | Expat vulnerability CVE-2016-0718 |
710314-4 | CVE-2018-5537 | K94105051 | TMM may crash while processing HTML traffic |
710148-6 | CVE-2017-1000111 CVE-2017-1000112 | K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
705476-6 | CVE-2018-15322 | K28003839 | Appliance Mode does not follow design best practices |
694901 | CVE-2015-8710 | K45439210 | CVE-2015-8710: Libxml2 Vulnerability |
688625-4 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
677088-6 | CVE-2018-15321 | K01067037 | BIG-IP tmsh vulnerability CVE-2018-15321 |
662850-4 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
617273-4 | CVE-2016-5300 | K70938105 | Expat XML library vulnerability CVE-2016-5300 |
582773-3 | CVE-2018-5532 | K48224824 | DNS server for child zone can continue to resolve domain names after revoked from parent |
708653-5 | CVE-2018-15311 | K07550539 | TMM may crash while processing TCP traffic |
605579-9 | CVE-2012-6702 | K65460334 | iControl-SOAP expat client library is subjected to entropy attack |
603758-4 | CVE-2018-5540 | K82038789 | Big3D security hardening |
597652-1 | CVE-2015-3217 | K20225390 | CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match |
591438-3 | CVE-2015-8865 | K54924436 | PHP vulnerability CVE-2015-8865 |
673165-3 | CVE-2017-7895 | K15004519 | CVE-2017-7895: Linux Kernel Vulnerability |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
674486-2 | 3-Major | | Expat Vulnerability: CVE-2017-9233 |
674320-4 | 3-Major | K11357182 | Syncing a large number of folders can prevent the configuration getting saved on the peer systems |
672988-4 | 3-Major | K03433341 | MCP memory leak when performing incremental ConfigSync |
663924-4 | 3-Major | | Qkview archives includes Kerberos keytab files |
639575-3 | 3-Major | K63042400 | Using libtar with files larger than 2 GB will create an unusable tarball |
633465-1 | 3-Major | K09748643 | Curl cannot be forced to use TLSv1.0 or TLSv1.1 |
631172-2 | 3-Major | K54071336 | GUI user logged off when idle for 30 minutes, even when longer timeout is set |
605270-3 | 3-Major | | On some platforms the SYN-Cookie status report is not accurate |
600558-10 | 3-Major | | Errors logged after deleting user in GUI |
598039-8 | 3-Major | | MCP memory may leak when performing a wildcard query |
589856 | 3-Major | | iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients |
589338-2 | 3-Major | | Linux host may lose dynamic routes on secondary blades |
585547-4 | 3-Major | | NTP configuration items are no longer collected by qkview★ |
583502-3 | 3-Major | K58243048 | Considerations for transferring files from F5 devices |
539832-2 | 3-Major | | Zebos: extended community attributes are exchanged incorrectly in BGP updates. |
522304-1 | 3-Major | | Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group |
516540-2 | 3-Major | K17501 | devmgmtd file object leak |
508556-2 | 3-Major | K17035 | CSR missing SAN when renewing cert in GUI |
457149-1 | 3-Major | K15397 | Remotely authenticated users may still obey local password policy |
424542-2 | 3-Major | | tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments |
660239-4 | 4-Minor | | When accessing the dashboard, invalid HTTP headers may be present |
645589 | 4-Minor | | Password-less ssh access lost for non-admin users after tmsh load sys ucs |
530530-4 | 4-Minor | K07298903 | tmsh sys log filter is displayed in UTC time |
477700-2 | 4-Minor | K04116117 | Detail missing from power supply 'Bad' status log messages |
464650-2 | 4-Minor | | Failure of mcpd with invalid authentication context. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618905-2 | 1-Blocking | | tmm core while installing Safenet 6.2 client |
682682-4 | 2-Critical | | tmm asserts on a virtual server-to-virtual server connection |
646643-4 | 2-Critical | K43005132 | HA standby virtual server with non-default lasthop settings may crash. |
625198-4 | 2-Critical | | TMM might crash when TCP DSACK is enabled |
581746-4 | 2-Critical | K42175594 | MPTCP or SSL traffic handling may cause a BIG-IP outage |
488908-3 | 2-Critical | K16808 | In client-ssl profile which serves as server side, BIG-IP SSL does not initialize in initialization function. |
474797-1 | 2-Critical | | Malformed SSL packets can cause errors in /var/log/ltm |
450765-1 | 2-Critical | K17332 | tmm segfault: hud_mptcp_handler HUDCTL_PERFORM_METHOD |
713951-1 | 3-Major | | tmm core files produced by nitrox_diag may be missing data |
711281-1 | 3-Major | | nitrox_diag may run out of space on /shared |
691806-5 | 3-Major | K61815412 | RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state |
680755-3 | 3-Major | K27015502 | max-request enforcement no longer works outside of OneConnect |
676355-4 | 3-Major | | DTLS retransmission does not comply with RFC in certain resumed SSL session |
641512-2 | 3-Major | K51064420 | DNSSEC key generations fail with lots of invalid SSL traffic |
619849-1 | 3-Major | | In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled. |
603609-5 | 3-Major | | Policy unable to match initial path segment when request-URI starts with "//" |
603550-4 | 3-Major | K63164073 | Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats. |
596433-1 | 3-Major | | Virtual with lasthop configured rejects request with no route to client. |
593390-1 | 3-Major | | Profile lookup when selected via iRule ('SSL::profile') might cause memory issues. |
591666-1 | 3-Major | | TMM crash in DNS processing on TCP virtual with no available pool members |
589400-5 | 3-Major | K33191529 | With Nagle disabled, TCP does not send all of xfrags with size greater than MSS. |
568743-2 | 3-Major | | TMM core when dnssec queries to dns-express zone exceed nethsm capacity |
466875-3 | 3-Major | K15586 | SNAT automap may select source address that is not attached to egress VLAN/interface |
393647-1 | 3-Major | K17287 | Objects configured with a connection rate-limit and yellow status |
716922-6 | 4-Minor | | Reduction in PUSH flags when Nagle Enabled |
708249-6 | 4-Minor | | nitrox_diag utility generates QKView files with 5 MB maximum file size limit |
629033-1 | 4-Minor | | BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello). |
604272-3 | 4-Minor | | SMTPS profile connections_current stat does not reflect actual connection count. |
589039-3 | 4-Minor | | Clearing masquerade MAC results in unexpected link-local self IP addresses. |
481820-2 | 4-Minor | | Internal misbehavior of the SPDY filter |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
645615-4 | 2-Critical | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
642039-4 | 2-Critical | | TMM core when persist is enabled for wideip with certain iRule commands triggered. |
587617-4 | 2-Critical | | While adding GTM server, failure to configure new IP on existing server leads to gtmd core |
721895-3 | 3-Major | | Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery) |
632423-1 | 3-Major | K40256229 | DNS::query can cause tmm crash if AXFR/IXFR types specified. |
629530-8 | 3-Major | K53675033 | Under certain conditions, monitors do not time out. |
625671-1 | 3-Major | | The diagnostic tool dnsxdump may crash with non-standard DNS RR types. |
619398-3 | 3-Major | | TMM out of memory causes core in DNS cache |
657961 | 4-Minor | K44031930 | The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
672480-1 | 2-Critical | | WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO |
632798-3 | 2-Critical | K30710317 | Double-free may occur if Access initialization fails |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
559953-3 | 2-Critical | | tmm core on long DIAMETER::host value |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
591828-3 | 3-Major | K52750813 | For unmatched connection, TCP RST may not be sent for data packet |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
468710-3 | 3-Major | K32093584 | Using non-standard lettercasing for header name results in misleading error during commit of transaction |
Cumulative fixes from BIG-IP v11.5.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
699803 | CVE-2018-5510 | K77671456 | TMM may crash while processing IPv6 traffic |
695901-4 | CVE-2018-5513 | K46940010 | TMM may crash when processing ProxySSL data |
681710-6 | CVE-2017-6155 | K10930474 | Malformed HTTP/2 requests may cause TMM to crash |
674189-5 | CVE-2016-0718 | K52320548 | iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0 |
670822-5 | CVE-2017-6148 | K55225440 | TMM may crash when processing SOCKS data |
649907-4 | CVE-2017-3137 | K30164784 | BIND vulnerability CVE-2017-3137 |
649904-4 | CVE-2017-3136 | K23598445 | BIND vulnerability CVE-2017-3136 |
644904-3 | CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 | K55129614 | tcpdump 4.9 |
643187-4 | CVE-2017-3135 | K80533167 | BIND vulnerability CVE-2017-3135 |
612128-2 | CVE-2016-6515 | K31510510 | OpenSSH vulnerability CVE-2016-6515 |
704490-2 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown) |
704483-2 | CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 | K91229003 | CVE-2017-5753 (Spectre Variant 1) |
699455-1 | CVE-2018-5523 | K50254952 | SAML export does not follow best practices |
676457-1 | CVE-2017-6153 | K52167636 | TMM may consume excessive resource when processing compressed data |
672124-5 | CVE-2018-5541 | K12403422 | Excessive resource usage when BD is processing requests |
671497-3 | CVE-2017-3142 | K59448931 | TSIG authentication bypass in AXFR requests |
662663-5 | CVE-2018-5507 | K52521791 | Decryption failure Nitrox platforms in vCMP mode |
645101-3 | CVE-2017-3731, CVE-2017-3732 | K44512851 | OpenSSL vulnerability CVE-2017-3732 |
643375-3 | CVE-2018-5508 | K10329515 | TMM may crash when processing compressed data |
635314-3 | CVE-2016-1248 | K22183127 | vim Vulnerability: CVE-2016-1248 |
631688-3 | CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 | K55405388 K87922456 K63326092 K51444934 K80996302 | Multiple NTP vulnerabilities |
631204-3 | CVE-2018-5521 | K23124150 | GeoIP lookups incorrectly parse IP addresses |
627907-4 | CVE-2017-6143 | K11464209 | Improve cURL usage |
625372-1 | CVE-2016-2179 | K23512141 | OpenSSL vulnerability CVE-2016-2179 |
622178-4 | CVE-2017-6158 | K19361245 | Improve flow handling when Autolasthop is disabled |
621337-4 | CVE-2016-7469 | K97285349 | XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469 |
618261-4 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
618258-4 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
613225-4 | CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
605039-1 | CVE-2016-2775 | K92991044 | lwresd and bind vulnerability CVE-2016-2775 |
600248-5 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
600232-5 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
600223-5 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
599536-5 | CVE-2017-6156 | K05263202 | IPsec peer with wildcard selector brings up wrong phase2 SAs |
585424-4 | CVE-2016-1979 | K20145801 | Mozilla NSS vulnerability CVE-2016-1979 |
572272-3 | CVE-2018-5506 | K65355492 | BIG-IP - Anonymous Certificate ID Enumeration |
353229-4 | CVE-2018-5522 | K54130510 | Buffer overflows in DIAMETER |
622662-4 | CVE-2016-6306 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
617901-4 | CVE-2018-5525 | K00363258 | GUI to handle file path manipulation to prevent GUI instability. |
609691-5 | CVE-2014-4617 | K21284031 | GnuPG vulnerability CVE-2014-4617 |
600205-5 | CVE-2016-2178 | K53084033 | OpenSSL Vulnerability: CVE-2016-2178 |
600198-5 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
598002-4 | CVE-2016-2178 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
655021-4 | CVE-2017-3138 | K23598445 | BIND vulnerability CVE-2017-3138 |
621935-4 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
601268-2 | CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 | K43267483 | PHP vulnerability CVE-2016-5766 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
570570-2 | 3-Major | | Default crypto failure action is now 'go-offline-downlinks'. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
707226-4 | 1-Blocking | | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations |
534824-2 | 1-Blocking | K02954921 | Incorrect key/certificate when creating clientSSL profile and modifying key/cert in the same transaction. |
475599-3 | 1-Blocking | | full "/shared" filesystem prevents tmsh from running |
470945-1 | 2-Critical | K16891 | Memory leak in Export Policy operation |
655649-5 | 3-Major | K88627152 | BGP last update timer incorrectly resets to 0 |
645179-4 | 3-Major | | Traffic group becomes active on more than one BIG-IP after a long uptime |
644184-6 | 3-Major | K36427438 | ZebOS daemons hang while AgentX SNMP daemon is waiting. |
624692-1 | 3-Major | | Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying |
621314-1 | 3-Major | K55358710 | SCTP virtual server with mirroring may cause excessive memory use on standby device |
610417-4 | 3-Major | K54511423 | Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported. |
584583-2 | 3-Major | K18410170 | Timeout error when using the REST API to retrieve large amount of data |
563905 | 3-Major | K62975642 | vCMP guest fails to go Active after the host system is rebooted |
423928-1 | 3-Major | K42630383 | syslog messages over 8 KB in length cause logstatd to exit |
524606-2 | 4-Minor | | SElinux violations prevent cpcfg from touching /service/mcpd/forceload |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
621452-4 | 1-Blocking | K58146172 | Connections can stall with TCP::collect iRule |
670804 | 2-Critical | K03163260 | Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP |
646604-4 | 2-Critical | K21005334 | Client connection may hang when NTLM and OneConnect profiles used together |
622856-2 | 2-Critical | | BIG-IP may enter SYN cookie mode later than expected |
613524-1 | 2-Critical | | TMM crash when call HTTP::respond twice in LB_FAILED |
600982-7 | 2-Critical | | TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0" |
341928-6 | 2-Critical | | CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM. |
685615-1 | 3-Major | K24447043 | Incorrect source mac for TCP Reset with vlangroup for host traffic |
677525-4 | 3-Major | | Translucent VLAN group may use unexpected source MAC address |
664769-3 | 3-Major | | TMM may restart when using SOCKS profile and an iRule |
662881-4 | 3-Major | K10443875 | L7 mirrored packets from standby to active might cause tmm core when it goes active. |
633691-2 | 3-Major | | HTTP transaction may not finish gracefully due to TCP connection is closed by RST |
604880-1 | 3-Major | | tmm assert "valid pcb" in tcp.c |
572234-4 | 3-Major | | When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. |
517456-2 | 3-Major | K00254480 | Resetting virtual server stat increments cur_conns stat in clientssl profile |
507554-2 | 3-Major | K13741128 | Uneven egress traffic distribution on trunk with odd number of members |
496950-2 | 3-Major | | Flows may not be mirrored successfully when static routes and gateways are defined. |
494333-1 | 3-Major | | In specific cases, persist cookie insert fails to insert a session cookie when using an iRule |
435055-2 | 3-Major | K17291 | ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert) |
248914-5 | 3-Major | K00612197 | ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address |
554774-3 | 4-Minor | | Persist lookup across services might fail to return a matching record when multiple records exist. |
511985-2 | 4-Minor | | Large numbers of ERR_UNKNOWN appearing in the logs |
495242 | 4-Minor | | mcpd log messages: Failed to unpublish LOIPC object |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
562921-2 | 2-Critical | | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems |
663310-1 | 3-Major | | named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★ |
654599-3 | 3-Major | K74132601 | The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed |
644220-1 | 4-Minor | | Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
691670-1 | 2-Critical | | Rare BD crash in a specific scenario |
679603-4 | 2-Critical | K15460886 | bd core upon request, when profile has sensitive element configured. |
706304-1 | 3-Major | | ASU and other Update Check services overload F5 download server |
697303-5 | 3-Major | | BD crash |
696265-1 | 3-Major | K60985582 | BD crash |
695878-1 | 3-Major | | Signature enforcement issue on specific requests |
694922-1 | 3-Major | | ASM Auto-Sync Device Group Does Not Sync |
685207-4 | 3-Major | | DoS client side challenge does not encode the Referer header. |
683241-5 | 3-Major | K70517410 | Improve CSRF token handling |
504917-2 | 3-Major | | In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
693739-4 | 2-Critical | | VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled |
499800-2 | 2-Critical | | Customized logout page is not displayed after logon failure |
702490-6 | 3-Major | | Windows Credential Reuse feature may not work |
692369-1 | 3-Major | | TMM crash caused by SSOv2 form based due to null config |
689826-4 | 3-Major | K95422068 | Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese) |
684937-4 | 3-Major | K26451305 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users |
683113-4 | 3-Major | K22904904 | [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users |
678976-4 | 3-Major | K24756214 | Do not print all HTTP headers to avoid printing user credentials to /var/log/apm. |
610582-8 | 3-Major | | Device Guard prevents Edge Client connections |
590345-4 | 3-Major | | ACCESS policy running iRule event agent intermittently hangs |
563135-2 | 3-Major | | SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt |
541622-3 | 3-Major | | APD/APMD Crashes While Verifying CAPTCHA |
436489-3 | 3-Major | | Session variables defined within the "Relay State" parameter of an SP initiated SSO session may fail. |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
696049-5 | 3-Major | | High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
447570-1 | 2-Critical | | tmm sigsegv |
Cumulative fixes from BIG-IP v11.5.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
684879-4 | CVE-2017-6164 | K02714910 | Malformed TLS1.2 records may result in TMM segmentation fault. |
653993-1 | CVE-2017-6132 | K12044607 | A specific sequence of packets to the HA listener may cause tmm to produce a core file |
653880-2 | CVE-2017-6214 | K81211720 | Kernel Vulnerability: CVE-2017-6214 |
652516-2 | CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 | K31603170 | Multiple Linux Kernel Vulnerabilities |
648865-3 | CVE-2017-6074 | K82508682 | Linux kernel vulnerability: CVE-2017-6074 |
644693-6 | CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 | K15518610 | Fix for multiple CVE for openjdk-1.7.0 |
641360-4 | CVE-2017-0303 | K30201296 | SOCKS proxy protocol error |
630475-3 | CVE-2017-6162 | K13421245 | TMM Crash |
626360-4 | CVE-2017-6163 | K22541983 | TMM may crash when processing HTTP2 traffic |
624903-2 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms. |
610255-3 | CVE-2017-6161 | K62279530 | CMI improvement |
580026-4 | CVE-2017-6165 | K74759095 | HSM logging error |
573778-5 | CVE-2016-1714 | K75248350 | QEMU vulnerability CVE-2016-1714 |
563154-3 | CVE-2015-2925 CVE-2015-5307 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 | K31026324 K94105604 K90230486 | Multiple Linux Kernel vulnerabilities |
560109-4 | CVE-2017-6160 | K19430431 | Client capabilities failure |
540174-2 | CVE-2015-5364 CVE-2015-5366 | K17307 K17309 | CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1623.html |
655059-1 | CVE-2017-6134 | K37404773 | TMM Crash |
648217-2 | CVE-2017-6074 | K82508682 | CVE-2017-6074: Linux Kernel Vulnerability |
638137-3 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 | K51201255 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 |
614147-4 | CVE-2017-6157 | K02692210 | SOCKS proxy defect resolution |
614097-4 | CVE-2017-6157 | K02692210 | HTTP Explicit proxy defect resolution |
613127-5 | CVE-2016-5696 | K46514822 | Linux TCP Stack vulnerability CVE-2016-5696 |
600069-4 | CVE-2017-0301 | K54358225 | Portal Access: Requests handled incorrectly |
592485-1 | CVE-2015-5157 CVE-2015-8767 | K17326 | Linux kernel vulnerability CVE-2015-5157 |
582813-4 | CVE-2016-0774 | K08440897 | Linux Kernel CVE-2016-0774 |
540018-3 | CVE-2014-3940 CVE-2014-3184 CVE-2015-0239 | K16429 K15685 K15912 | Multiple Linux Kernel Vulnerabilities |
533413-3 | CVE-2011-5321 CVE-2015-3636 CVE-2015-1593 CVE-2015-2830 CVE-2015-2922 | K51518670 | CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1221.html |
527563-5 | CVE-2015-1805 CVE-2015-3331 CVE-2014-9419 CVE-2014-9420 CVE-2014-9585 | K17458 K16819 K17551 K17543 K17241 | Kernel Vulnerabilities |
492732-1 | CVE-2014-3184 | K15912 | Linux kernel driver vulnerabilities CVE-2014-3184, CVE-2014-3185, CVE-2014-3611, CVE-2014-3645, and CVE-2014-3646 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
651772-6 | 3-Major | | IPv6 host traffic may use incorrect IPv6 and MAC address after route updates |
545263-2 | 3-Major | | Add SSL maximum aggregate active handshakes per profile and per global |
441079-4 | 3-Major | K55242686 | BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
641013-4 | 2-Critical | | GRE tunnel traffic pinned to one TMM |
625824-4 | 2-Critical | | iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory |
542097-6 | 2-Critical | | Update to RHEL6 kernel |
448409-5 | 2-Critical | K15491 | 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle |
667278-6 | 3-Major | | DSC connections between BIG-IP units may fail to establish |
623930-1 | 3-Major | | vCMP guests with vlangroups may loop packets internally |
621273-5 | 3-Major | | DSR tunnels with transparent monitors may cause TMM crash. |
617628-3 | 3-Major | | SNMP reports incorrect value for sysBladeTempTemperature OID |
612721 | 3-Major | | FIPS: .exp keys cannot be imported when the local source directory contains .key file |
601709-4 | 3-Major | K02314881 | I2C error recovery for BIG-IP 4340N/4300 blades |
467195-1 | 3-Major | | Allow special characters importing SSL Key and Certificate except backslash. |
460176-3 | 3-Major | | Hardwired failover asserts active even when standalone |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
659899-4 | 2-Critical | K10589537 | Rare, intermittent system instability observed in dynamic load-balancing modes |
597978-5 | 2-Critical | | GARPs may be transmitted by active going offline |
515915-3 | 2-Critical | K47804233 | Server side timewait close state causes long establishment under port reuse |
503125-2 | 2-Critical | | Excessive MPI net traffic can cause tmm panics on chassis systems |
658214-4 | 3-Major | K20228504 | TCP connection fail intermittently for mirrored fastl4 virtual server |
613369-5 | 3-Major | | Half-Open TCP Connections Not Discoverable |
611278-1 | 3-Major | | Connections to a BIG-IP system's Self-IP address may fail when the VLAN cmp-hash is altered |
587705-6 | 3-Major | K98547701 | Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools. |
554295-5 | 3-Major | | CMP disabled flows are not properly mirrored |
542009-3 | 3-Major | K01162427 | tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message. |
536563-4 | 3-Major | | Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets. |
528198-1 | 3-Major | | reject in iRule event FLOW_INIT may not respond with a RST |
520604-6 | 3-Major | K52431550 | Route domain creation may fail if simultaneously creating and modifying a route domain |
494977-1 | 3-Major | | Rare outages possible when using config sync and node-based load balancing |
488921-3 | 3-Major | | BIG-IP system sends unnecessary gratuitous ARPs |
452443-3 | 3-Major | | DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured |
225634-6 | 3-Major | K12947 | The rate class feature does not honor the Burst Size setting. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
568347-3 | 2-Critical | | BD Memory corruption |
520038-2 | 3-Major | | Added/updated signatures are added to certain corrupted Manual user-defined sets. |
441075-6 | 3-Major | | Newly added or updated signatures are erroneously added to Manual user-defined signature sets. |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
679235-3 | 2-Critical | | Inspection Host NPAPI Plugin for Safari can not be installed |
666454-4 | 2-Critical | K05520115 | Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update |
620829-5 | 3-Major | | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
597214-6 | 3-Major | | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
445483-2 | 3-Major | | SSO does not work with Password with '+' character for Citrix Storefront integration mode |
Cumulative fixes from BIG-IP v11.5.4 Hotfix 4 that are included in this release
Functional Change Fixes
None
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
656902 | 2-Critical | | Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile |
655756 | 2-Critical | | TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms. |
587691-2 | 2-Critical | K41679973 | TMM crashes upon SSL handshake cancellation. |
Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
616772-3 | CVE-2014-3568 | K15724 | CVE-2014-3568 : OpenSSL Vulnerability (Oracle Access Manager) |
616765-3 | CVE-2013-6449 | K15147 | CVE-2013-6449 : OpenSSL Vulnerability (Oracle Access Manager) |
636702-1 | CVE-2016-9444 | K40181790 | BIND vulnerability CVE-2016-9444 |
636700-2 | CVE-2016-9147 | K02138183 | BIND vulnerability CVE-2016-9147 |
636699-3 | CVE-2016-9131 | K86272821 | BIND vulnerability CVE-2016-9131 |
632618 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
631582-3 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
624570-4 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
624457-2 | CVE-2016-5195 | K10558632 | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
616864-4 | CVE-2016-2776 | K18829561 | BIND vulnerability CVE-2016-2776 |
616498-3 | CVE-2009-3245 | K15404 | CVE-2009-3245 : OpenSSL Vulnerability (Oracle Access Manager) |
616491-3 | CVE-2006-3738 | K6734 | CVE-2006-3738 : OpenSSL Vulnerability (Oracle Access Manager) |
611830 | CVE-2016-7468 | K13053402 | TMM may crash when processing TCP traffic |
611469-6 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
597394-5 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
596340-4 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
591328-3 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591327-3 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591325-3 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 |
591042-6 | CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
508057-2 | CVE-2015-0411 | K44611310 | MySQL Vulnerability CVE-2015-0411 |
635412-1 | CVE-2017-6137 | K82851041 | Invalid mss with fast flow forwarding and software syn cookies |
623119-3 | CVE-2016-4470 | K55672042 | Linux kernel vulnerability CVE-2016-4470 |
622496-3 | CVE-2016-5829 | K28056114 | Linux kernel vulnerability CVE-2016-5829 |
604442-3 | CVE-2016-6249 | K12685114 | iControl log |
601938-5 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
597023-5 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
594496-4 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
593447-3 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
591455-3 | CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 | K24613253 | NTP vulnerability CVE-2016-2516 |
591447-4 | CVE-2016-4070 | K42065024 | PHP vulnerability CVE-2016-4070 |
587077-4 | CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
526514-2 | CVE-2016-3687 | K26738102 | Open redirect via SSO_ORIG_URI parameter in multi-domain SSO |
524279-4 | CVE-2015-4000 | K16674 | CVE-2015-4000: TLS vulnerability |
520924-3 | CVE-2016-5020 | K00265182 | Restricted roles for custom monitor creation |
475743-2 | CVE-2017-6128 | K92140924 | Improve administrative login efficiency |
416734-2 | CVE-2012-5195 CVE-2012-5526 CVE-2012-6329 CVE-2013-1667 | K15867 | Multiple Perl Vulnerabilities |
635933-2 | CVE-2004-0790 | K23440942 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
599285-5 | CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
597010-5 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
596997-5 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
591767-4 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
573343-4 | CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
633723-1 | 3-Major | | New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot |
620712 | 3-Major | | Added better search capabilities on the Pool Members Manage & Pool Create page. |
561348-2 | 3-Major | | krb5.conf file is not synchronized between blades and not backed up |
541549-3 | 3-Major | | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. |
530109-1 | 3-Major | | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. |
511818-5 | 3-Major | | Support RSASSA-PSS signature algorithm in server SSL certificate |
454492-2 | 3-Major | | Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
638935-1 | 2-Critical | | Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
624263-1 | 2-Critical | | iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response |
614865 | 2-Critical | | Overwrite flag in iControl key/certificate_import_from_pem functions is ignored and might result in errors. |
610354-3 | 2-Critical | | TMM crash on invalid memory access to loopback interface stats object |
605476 | 2-Critical | | statsd can core when reading corrupt stats files. |
601527-1 | 2-Critical | | mcpd memory leak and core |
600396-1 | 2-Critical | | iControl REST may return 404 for all requests in AWS |
570663-2 | 2-Critical | | Using iControl get_certificate_bundle_v2 causes a memory leak |
562959-3 | 2-Critical | | In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel. |
559980 | 2-Critical | | Changing the console baud rate requires a reboot to take effect |
551661-3 | 2-Critical | | Monitor with send/receive string containing double-quote may fail to load. |
483373-1 | 2-Critical | | Incorrect bash prompt for created admin role users |
467847-1 | 2-Critical | | passphrase visible in audit log |
440752-2 | 2-Critical | | qkview might loop writing output file if MCPD fails during execution |
355806-2 | 2-Critical | | Starting mcpd manually at the command line interferes with running mcpd |
631627-3 | 3-Major | | Applying BWC over route domain sometimes results in tmm not becoming ready on system start |
631530 | 3-Major | K32246335 | TAI offset not adjusted immediately during leap second |
628164-1 | 3-Major | K20766432 | OSPF with multiple processes may incorrectly redistribute routes |
624931 | 3-Major | | getLopSensorData "sensor data reply too short" errors with FND300 DC PSU |
621417-2 | 3-Major | | sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS. |
621242-2 | 3-Major | | Reserve enough space in the image for future upgrades. |
620659-1 | 3-Major | | The BIG-IP system may unnecessarily run provisioning on successive reboots |
616242-1 | 3-Major | K39944245 | basic_string::compare error in encrypted SSL key file if the first line of the file is blank★ |
615934 | 3-Major | | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. |
614675 | 3-Major | | GUI or iControl SOAP API call 'LocalLB::ProfileClientSSL::create_v2' creates invalid profile |
608320-2 | 3-Major | | iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response |
604237-1 | 3-Major | | Vlan allowed mismatch found error in VCMP guest |
596814-2 | 3-Major | | HA Failover fails in certain valid AWS configurations |
595773-6 | 3-Major | | Cancellation requests for chunked stats queries do not propagate to secondary blades |
560510-4 | 3-Major | | Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down. |
558858-1 | 3-Major | K80079953 | Unexpected loss of communication between slots of a vCMP Guest |
556277-4 | 3-Major | | Config Sync error after hotfix installation (chroot failed rsync error)★ |
534021-1 | 3-Major | | HA on AWS uses default AWS endpoint (EC2_URL). |
533813-2 | 3-Major | | Internal Virtual Server in partition fails to load from saved config |
502714-6 | 3-Major | K75031635 | Deleting files and file object references in a single transaction might cause validation errors |
502049-3 | 3-Major | | Qkview may store information in the wrong format |
502048-3 | 3-Major | | Qkview may store information in the wrong format |
499537-2 | 3-Major | K22406859 | Qkview may store information in the wrong format |
491406-2 | 3-Major | | TMM SIGSEGV in sctp_output due to NULL snd_dst |
460833-2 | 3-Major | | MCPD sync errors and restart after multiple modifications to file object in chassis |
420438-2 | 3-Major | | Default routes from standby system when HA is configured in NSSA |
393270-3 | 3-Major | | Configuration utility may become non-responsive or fail to load. |
605661-1 | 4-Minor | | Update TZ data |
601927-4 | 4-Minor | K52180214 | Security hardening of control plane |
599191-1 | 4-Minor | | One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card |
589379-1 | 4-Minor | K20937139 | ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route. |
551208-3 | 4-Minor | | Nokia alarms are not deleted due to the outdated alert_nokia.conf. |
516841-3 | 4-Minor | | Unable to log out of the GUI in IE8 |
500452-3 | 4-Minor | K28520025 | PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware |
471827-2 | 4-Minor | | Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist★ |
457951-3 | 4-Minor | K19305339 | openldap/ldap.conf file is not part of ucs backup archive. |
442231-1 | 5-Cosmetic | | Pendsect log entries have an unexpected severity |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
637181-2 | 2-Critical | | VIP-on-VIP traffic may stall after routing updates |
622166-1 | 2-Critical | | HTTP GET requests with HTTP::cookie iRule command receive no response |
619071-1 | 2-Critical | | OneConnect with verified accept issues |
616215-1 | 2-Critical | | TMM can core when using LB::detach and TCP::notify commands in an iRule |
611704-1 | 2-Critical | | tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event |
605865-1 | 2-Critical | | Debug TMM produces core on certain ICMP PMTUD packets |
603667-1 | 2-Critical | | TMM may leak or corrupt memory when configuration changes occur with plugins in use |
597966-1 | 2-Critical | | ARP/neighbor cache nexthop object can be freed while still referenced by another structure |
588351-3 | 2-Critical | | IPv6 fragments are dropped when packet filtering is enabled. |
578045-5 | 2-Critical | | The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks |
576897-2 | 2-Critical | | Using snat/snatpool in related-rule results in crash |
575011-9 | 2-Critical | K21137299 | Memory leak. Nitrox3 Hang Detected. |
574153-3 | 2-Critical | | If an SSL client disconnects while data is being sent to the SSL client, the connection may stall until TCP timeout. |
565409-3 | 2-Critical | | Invalid MSS with HW syncookies and flow forwarding |
559973-5 | 2-Critical | | Nitrox can hang on RSA verification |
526367-2 | 2-Critical | | tmm crash |
488686-4 | 2-Critical | K24980114 | Large file transfer hangs when HTTP is in passthrough mode |
484214-3 | 2-Critical | | Nitrox gets stuck when processing certain SSL records |
477195-1 | 2-Critical | | OSPFv3 session gets stuck in loading state |
469770-3 | 2-Critical | | System outage can occur with MPTCP traffic. |
411233-2 | 2-Critical | | New pool members take all requests until lb_value catches up. |
629771 | 3-Major | | The TCP::unused_port command erroneously accepts IPV4_COMPAT addresses |
621465 | 3-Major | | The minimum IP packet fragment size is now 1 and not 24 |
617862-3 | 3-Major | | Fastl4 handshake timeout is absolute instead of relative |
617824-1 | 3-Major | | "SSL::disable/enable serverside" + oneconnect reuse is broken |
610609-4 | 3-Major | | Total connections in bigtop, SNMP are incorrect |
610429-2 | 3-Major | | X509::cert_fields iRule command may memory with subpubkey argument |
608551-2 | 3-Major | | Half-closed congested SSL connections with unclean shutdown might stall. |
608024-2 | 3-Major | | Unnecessary DTLS retransmissions occur during handshake. |
607304-1 | 3-Major | | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. |
606575-2 | 3-Major | | Request-oriented OneConnect load balancing ends when the server returns an error status code. |
604977-4 | 3-Major | K08905542 | Wrong alert when DTLS cookie size is 32 |
604496-1 | 3-Major | | SQL (Oracle) monitor daemon might hang. |
603723-1 | 3-Major | | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
603606-1 | 3-Major | | tmm core |
600827-3 | 3-Major | K21220807 | Stuck Nitrox crypto queue can erroneously be reported |
598874-1 | 3-Major | | GTM Resolver sends FIN after SYN retransmission timeout |
597089-3 | 3-Major | | Connections are terminated after 5 seconds when using ePVA full acceleration |
592871-1 | 3-Major | | Cavium Nitrox PX/III stuck queue diagnostics missing. |
592784 | 3-Major | | Compression stalls, does not recover, and compression facilities cease. |
591789 | 3-Major | | IPv4 fragments are dropped when packet filtering is enabled. |
591659-2 | 3-Major | K47203554 | Server shutdown is propagated to client after X-Cnection: close transformation. |
591476-6 | 3-Major | K53220379 | Stuck crypto queue can erroneously be reported |
588572-2 | 3-Major | | Unnecessary re-transmission of packets on higher ICMP PMTU. |
588569-2 | 3-Major | | Don't include maximum TCP options length in calculating MSS on ICMP PMTU. |
588115-4 | 3-Major | | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw |
587892 | 3-Major | | Multiple iRule proc names might clash, causing the wrong rule to be executed. |
586738-3 | 3-Major | | The tmm might crash with a segfault. |
584310 | 3-Major | K83393638 | TCP:Collect ignores the 'skip' parameter when used in serverside events |
584029-7 | 3-Major | | Fragmented packets may cause tmm to core under heavy load |
583957-3 | 3-Major | | The TMM may hang handling pipelined HTTP requests with certain iRule commands. |
579926-2 | 3-Major | | HTTP starts dropping traffic for a half-closed connection when in passthrough mode |
579843-4 | 3-Major | | tmrouted may not re-announce routes after a specific succession of failover states |
572281-3 | 3-Major | | Variable values in the nested script of a foreach command are reset when the script contains a parking command |
568543-2 | 3-Major | | Syncookie mode is activated on wildcard virtuals |
556117-1 | 3-Major | | client-ssl profile is case-sensitive when checking server_name extension |
555432-2 | 3-Major | | Large configuration files may go missing on secondary blades |
554761-4 | 3-Major | | Unexpected handling of TCP timestamps under syncookie protection. |
549329-2 | 3-Major | K02020031 | L7 mirrored ACK from standby to active box can cause tmm core on active |
545450-2 | 3-Major | | Log activation/deactivation of TM.TCPMemoryPressure |
537326-4 | 3-Major | | NAT available in DNS section but config load fails with standalone license |
528734-1 | 3-Major | K04711825 | TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received. |
519746-2 | 3-Major | | ICMP errors may reset FastL4 connections unexpectedly |
512119-3 | 3-Major | | Improved UDP DNS packet truncation |
508486-1 | 3-Major | | TCP connections might stall if initialization fails |
503214-11 | 3-Major | | Under heavy load, hardware crypto queues may become unavailable. |
500003-3 | 3-Major | | Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP |
499478-3 | 3-Major | K16850453 | Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate |
483257-2 | 3-Major | K17051 | Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP |
468820-2 | 3-Major | | MPTCP Flows may hang when an MTU mismatch occurs on the network. |
468300-3 | 3-Major | | Filters may not work correctly with websockets or CONNECT |
464801-1 | 3-Major | | Intermittent tmm core |
455553-8 | 3-Major | | ICMP PMTU handling causes multiple retransmissions |
442539-3 | 3-Major | | OneConnect security improvements. |
442455-4 | 3-Major | | Hardware Security Module (HSM) CSR and certificate fields constraints: 15 characters and no spaces. |
437256-1 | 3-Major | | clientssl profile has no key/cert pair |
423392-7 | 3-Major | | tcl_platform is no longer in the static:: namespace |
598860-5 | 4-Minor | | IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address |
587966-5 | 4-Minor | K77283304 | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
538708-2 | 4-Minor | | TMM may apply SYN cookie validation to packets before generating any SYN cookies |
536868-2 | 4-Minor | | Packet Sizing Issues after Receipt of PMTU |
486485-2 | 4-Minor | | TCP MSS is incorrect after ICMP PMTU message. |
356841-2 | 5-Cosmetic | | Don't unilaterally set Connection: Keep-Alive when compressing |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
603598-1 | 2-Critical | | big3d memory under extreme load conditions |
642330-4 | 3-Major | | GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
624193 | 3-Major | | Topology load balancing not working as expected |
613576-9 | 3-Major | | QOS load balancing links display as gray |
589256-4 | 3-Major | K71283501 | DNSSEC NSEC3 records with different type bitmap for same name. |
487144-1 | 3-Major | | tmm intermittently reports that it cannot find FIPS key |
615187 | 4-Minor | | Missing hyperlink to GSLB virtual servers and servers on the pool member page. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
614441-1 | 1-Blocking | K04950182 | False Positive for illegal method (GET) |
602749 | 2-Critical | | Memory exhaustion when asking for missing page of learning suggestion occurrences |
577668-2 | 2-Critical | | ASM Remote logger doesn't log 64 KB request. |
499347 | 2-Critical | | JSON UTF16 content could be blocked by ASM as Malformed JSON |
616169-1 | 3-Major | | ASM Policy Export returns HTML error file |
615695 | 3-Major | | Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2 |
603945-3 | 3-Major | | BD config update should be considered as config addition in case of update failure |
576591-3 | 3-Major | | Support for some future credit card number ranges |
562775-3 | 3-Major | | Memory leak in iprepd |
366605-2 | 3-Major | | response_log_size_limit does not limit the log size. |
463314-1 | 4-Minor | | Enabling the ASM AJAX blocking response page feature causes cross-domain AJAX requests to fail |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
565085-4 | 3-Major | | Analytics profile allows invalid combination of entities for Alerts setup |
560114-2 | 3-Major | | Monpd is being affected by an I/O issue which makes some of its threads freeze |
491185-3 | 3-Major | | URL Latencies page: pagination limited to 180 pages |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618324-3 | 2-Critical | | Unknown/Undefined OPSWAT ID shows up as 'Any' in APM Visual Policy Editor |
592868-1 | 2-Critical | | Rewrite may crash processing HTML tag with HTML entity in attribute value |
591117-2 | 2-Critical | | APM ACL construction may cause TMM to core if TMM is out of memory |
536683-1 | 2-Critical | | tmm crashes on "ACCESS::session data set -secure" in iRule |
511478-1 | 2-Critical | | Possible TMM crash when evaluating expression for per-request policy agents. |
428068-2 | 2-Critical | | Insufficiently detailed causes for session deletion. |
625376-2 | 3-Major | | In some cases, download of PAC file by edge client may fail |
613613 | 3-Major | | Incorrect handling of form that contains a tag with id=action |
612419-3 | 3-Major | | APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable)) |
610243-1 | 3-Major | | HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication |
610180-5 | 3-Major | | A misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin. |
604767-6 | 3-Major | | Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object. |
601407 | 3-Major | | Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards |
600116 | 3-Major | | DNS resolution request may take a long time in some cases |
598981-1 | 3-Major | K06913155 | APM ACL does not get enforced all the time under certain conditions |
598211-3 | 3-Major | | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. |
597431-6 | 3-Major | | VPN establishment may fail when computer wakes up from sleep |
597429 | 3-Major | | eam maintains lock on /var/log/apm.1 after logrotate |
592869 | 3-Major | | Syntax Error when reimporting exported content containing acl-order 0 |
592414-3 | 3-Major | | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed |
590820-5 | 3-Major | | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. |
586718-5 | 3-Major | | Session variable substitutions are logged |
586006-5 | 3-Major | | Failed to retrieve CRLDP list from client certificate if DirName type is present |
582440-1 | 3-Major | | Linux client does not restore route to the default GW on Ubuntu 15.10 |
568445-7 | 3-Major | | User cannot perform endpoint check or launch VPN from Firefox on Windows 10 |
565167-3 | 3-Major | | Additional garbage data being logged on user name and domain name for NTLM authentication |
563349-2 | 3-Major | | On Mac, Network Access proxy settings are not applied to tun adapter after VPN is established |
561798-3 | 3-Major | | Windows edge client may show scripting error on certain 3rd party authentication sites |
556088-2 | 3-Major | | In a chassis system with APM provisioned, the mcpd daemon on a secondary blade will restart. |
553063-4 | 3-Major | | Epsec version rolls back to previous version on a reboot |
553037 | 3-Major | | iOS Citrix Receiver web interface mode cannot launch the apps |
551260-3 | 3-Major | | When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated |
525429-13 | 3-Major | | DTLS renegotiation sequence number compatibility |
508337-5 | 3-Major | | In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access |
451301-2 | 3-Major | | HTTP iRules break Citrix HTML5 functionality |
450314-1 | 3-Major | | Portal Access / JavaScript code which uses reserved keywords for object field names may not work correctly |
447565-4 | 3-Major | K33692321 | Renewing machine-account password does not update the serviceId for associated ntlm-auth. |
424368-3 | 3-Major | | parent.document.write(some_html_with_script) hangs up parent frame for IE browsers |
389484-5 | 3-Major | | OAM reporting Access Server down with JDK version 1.6.0_27 or later |
584373-1 | 4-Minor | | AD/LDAP resource group mapping table controls are not accessible sometimes |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
467542-1 | 2-Critical | | TMM core in AAM assembly code during high memory utilization |
474445-3 | 3-Major | | TMM crash when processing unexpected HTTP response in WAM |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
619757-4 | 2-Critical | | iSession causes routing entry to be prematurely freed |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
649933-5 | 3-Major | | Fragmented RADIUS messages may be dropped |
550434-4 | 3-Major | | Diameter connection may stall if server closes connection before CER/CEA handshake completes |
489957-8 | 3-Major | | RADIUS::avp command fails when AVP contains multiple attributes (VSA). |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
596134-1 | 2-Critical | | TMM core with PEM virtual server |
472106-1 | 2-Critical | | TMM crash in a rare case of flow optimization |
Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
600662-5 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
599168-5 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
598983-5 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
596488-5 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
570716-1 | CVE-2016-5736 | K10133477 | BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736 |
569467-2 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
565169-1 | CVE-2013-5825 CVE-2013-5830 | K48802597 | Multiple Java Vulnerabilities |
591806-4 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
580596-5 | CVE-2013-0169 CVE-2016-6907 | K14190 K39508724 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
579955-4 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
577826-3 | CVE-2016-1286 | K62012529 | BIND vulnerability CVE-2016-1286 |
573124-5 | CVE-2016-5022 | K06045217 | TMM vulnerability CVE-2016-5022 |
572495-4 | CVE-2016-5023 | K19784568 | TMM may crash if it receives a malformed packet CVE-2016-5023 |
563670-5 | CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | K86772626 | OpenSSL vulnerabilities |
539923-2 | CVE-2016-1497 | K31925518 | BIG-IP APM access logs vulnerability CVE-2016-1497 |
457811-1 | CVE-2013-6438 CVE-2014-0098 | K15300 | CVE-2013-6438 : HTTPD Vulnerability |
452318-2 | CVE-2014-0050 | K15189 | Apache Commons FileUpload vulnerability CVE-2014-0050 |
591918-6 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
591908-6 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
591894-6 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
591881-5 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
582952 | CVE-2011-5321 CVE-2012-6647 CVE-2012-6657 CVE-2013-0190 CVE-2013-0228 CVE-2013-1860 CVE-2013-2596 CVE-2013-2851 CVE-2013-4483 CVE-2013-4591 CVE-2013-6367 CVE-2013-6381 CVE-2013-6383 CVE-2013-7339 CVE-2014-0055 CVE-2014-0077 | K31300371 | Linux kernel vulnerability CVE-2013-4483 |
579220-2 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
564111-2 | CVE-2015-8395 CVE-2015-8384 CVE-2015-8392 CVE-2015-8394 CVE-2015-8391 CVE-2015-8390 CVE-2015-8389 CVE-2015-8388 CVE-2015-8387 CVE-2015-8386 CVE-2015-8385 CVE-2015-8383 CVE-2015-8382 CVE-2015-8381 CVE-2015-8380 CVE-2015-2328 CVE-2015-2327 CVE-2015-8393 | K05428062 | Multiple PCRE vulnerabilities |
550596-2 | CVE-2016-6876 | K52638558 | RESOLV::lookup iRule command vulnerability CVE-2016-6876 |
541231-1 | CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 | K16704 K16707 | Resolution of multiple curl vulnerabilities |
486791-3 | CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424 CVE-2014-6425 CVE-2014-6426 CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 | K16939 | Resolution of multiple wireshark vulnerabilities |
616382 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability (TMM) |
580340-4 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
580313-4 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
579975-4 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability |
579829-4 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
579237-4 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
579085-3 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
578570-3 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
577828-4 | CVE-2016-2088 | K59692558 | BIND vulnerability CVE-2016-2088 |
577823-3 | CVE-2016-1285 | K46264120 | BIND vulnerability CVE-2016-1285 |
567379-2 | CVE-2013-4397 | K16015326 | libtar vulnerability CVE-2013-4397 |
565895-3 | CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 | K17235 | Multiple PCRE Vulnerabilities |
551287-3 | CVE-2010-2596 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 | K16715 | Multiple LibTIFF vulnerabilities |
481806-4 | CVE-2013-4002 | K16872 | Java Runtime Environment vulnerability CVE-2013-4002 |
437285-4 | CVE-2013-3571 CVE-2012-0219 CVE-2010-2799 | K14919 | Multiple socat vulnerabilities |
416372-3 | CVE-2012-2677 | K16946 | Boost memory allocator vulnerability CVE-2012-2677 |
570667-10 | CVE-2016-0701 CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
583631-1 | 1-Blocking | | ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers. |
445633-2 | 2-Critical | | Config sync of SecurID config file fails on secondary blades |
560405-5 | 3-Major | | Optional target IP address and port in the 'virtual' iRule API is not supported. |
532685-5 | 3-Major | | PAC file download errors disconnect the tunnel |
490936-1 | 3-Major | | SSLv2/TLSv1-based handshake causing handshake failures |
544325-2 | 4-Minor | K83161025 | BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable). |
483508-2 | 4-Minor | K70333230 | Large values may display as negative numbers for 32-bit integer variables in the MIB |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
572600 | 1-Blocking | | mcpd can run out of file descriptors |
538761-1 | 1-Blocking | | scriptd may core when MCP connection is lost |
596603-5 | 2-Critical | | AWS: BIG-IP VE doesn't work with c4.8xlarge instance type. |
583936-1 | 2-Critical | | Removing ECMP route from BGP does not clear route from NSM |
582295 | 2-Critical | K62302950 | ospfd core dump when redistributing NSSA routes in a HA failover |
574116-3 | 2-Critical | | MCP may crash when syncing configuration between device groups |
568889-5 | 2-Critical | K22989000 | Some ZebOS daemons do not start on blade transition secondary to primary. |
564427-1 | 2-Critical | | Use of iControl call get_certificate_list_v2() causes a memory leak. |
563064-5 | 2-Critical | | Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory |
561814-4 | 2-Critical | | TMM Core on Multi-Blade Chassis |
559034-3 | 2-Critical | | Mcpd core dump in the sync secondary during config sync |
557144-1 | 2-Critical | | Dynamic route flapping may lead to tmm crash |
556380-3 | 2-Critical | | mcpd can assert on active connection deletion |
539784-2 | 2-Critical | | HA daemon_heartbeat mcpd fails on load sys config |
529141-4 | 2-Critical | K95285012 | Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error★ |
510979-2 | 2-Critical | | Password-less SSH access after tmsh load of UCS may require password after install. |
507499-2 | 2-Critical | | TMM can watchdog under extreme memory pressure. |
506199-8 | 2-Critical | | VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles |
505071-2 | 2-Critical | | Delete and create of the same object can cause secondary blades' mcpd processes to restart. |
490801-3 | 2-Critical | | mod_ssl: missing support for TLSv1.1 and TLSv1.2 |
595874-3 | 3-Major | | Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.★ |
586878-1 | 3-Major | | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★ |
583285-2 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
579284-5 | 3-Major | | Potential memory corruption in MCPd |
579047 | 3-Major | | Unable to update the default http-explicit profile using the GUI. |
576305-1 | 3-Major | | Potential MCPd leak in IPSEC SPD stats query code |
575735-1 | 3-Major | | Potential MCPd leak in global CPU info stats code |
575726-1 | 3-Major | | MCPd might leak memory in vCMP interface stats. |
575716-1 | 3-Major | | MCPd might leak memory in VCMP base stats. |
575708-1 | 3-Major | | MCPd might leak memory in CPU info stats. |
575671-1 | 3-Major | | MCPd might leak memory in host info stats. |
575619-1 | 3-Major | | Potential MCPd leak in pool member stats query code |
575608-1 | 3-Major | | MCPd might leak memory in virtual server stats query. |
575587-1 | 3-Major | | Potential MCPd leak in BWC policy class stats query code |
575027-3 | 3-Major | | Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues. |
574045-3 | 3-Major | | BGP may not accept attributes using extended length |
573529 | 3-Major | | F-bit is not set in IPv6 OSPF Type-7 LSAs |
571344-2 | 3-Major | | SSL Certificate with special characters might cause exception when GUI retrieves items list page.★ |
571210-3 | 3-Major | | Upgrade, load config, or sync might fail on large configs with large objects. |
571019-2 | 3-Major | | Topology records can be ordered incorrectly. |
570053-1 | 3-Major | K78448635 | HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync. |
569356-5 | 3-Major | K91428939 | BGP ECMP learned routes may use incorrect VLAN for nexthop |
569236-2 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
565534-3 | 3-Major | K40254066 | Some failover configuration items may fail to take effect |
563475-1 | 3-Major | K00301400 | ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. |
562044-1 | 3-Major | | Statistics slow_merge option does not work |
560975-1 | 3-Major | | iControl can remove hardware SSL keys while in use |
559939-3 | 3-Major | K30040319 | Changing hostname on host sometimes causes blade to go RED / HA TABLE offline |
558779-5 | 3-Major | | SNMP dot3 stats occasionally unavailable |
558573-3 | 3-Major | K65352421 | MCPD restart on secondary blade after updating Pool via GUI |
557281-3 | 3-Major | | The audit_forwarder process fails to exit normally, causing the process to consume CPU to near 100% |
556252 | 3-Major | | sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus in chassis |
555905-1 | 3-Major | | sod health logging inconsistent when device removed from failover group or device trust |
555039-1 | 3-Major | K24458124 | VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration |
554563-2 | 3-Major | | Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics. |
554340-2 | 3-Major | | IPsec tunnels fail when connection.vlankeyed db variable is disabled |
553795-3 | 3-Major | | Differing cert/key after successful config-sync |
553649 | 3-Major | | The SNMP daemon might lock up and fail to respond to SNMP requests. |
551927-3 | 3-Major | | ePVA snoop header's transform vlan should be set properly under asymmetric routing condition |
551742-1 | 3-Major | | Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades |
549971-3 | 3-Major | | Some changes to virtual servers' profile lists may cause secondary blades to restart |
549543-2 | 3-Major | K37436054 | DSR rejects return traffic for monitoring the server |
548385-1 | 3-Major | K25231211 | iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results |
547942 | 3-Major | | SNMP ipAdEntAddr indicates floating vlan IP rather than local IP |
547532-6 | 3-Major | | Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades |
542742-3 | 3-Major | K07038540 | SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m). |
541316-5 | 3-Major | K41175594 | Unexpected transition from Forced Offline to Standby to Active |
540996-4 | 3-Major | | Monitors with a send attribute set to 'none' are lost on save |
539125-1 | 3-Major | | SNMP: ifXTable walk should produce the available counter values instead of zero |
530242-4 | 3-Major | K08654415 | SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs |
529484-3 | 3-Major | | Virtual Edition Kernel Panic under load |
527168-3 | 3-Major | | In GUI System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535 |
527145-3 | 3-Major | K53232218 | On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown. |
520408-1 | 3-Major | | TMM ASSERTs due to subkey_record field corruption in the SessionDB. |
517209-6 | 3-Major | K81807474 | tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable |
517020-4 | 3-Major | | SNMP requests fail and subsnmpd reports that it has been terminated. |
515667-6 | 3-Major | | Unique truncated SNMP OIDs. |
512954-1 | 3-Major | | ospf6d might leak memory when distribute-list is used |
510580-3 | 3-Major | | Interfaces might be re-enabled unexpectedly when loading a partition |
508076-1 | 3-Major | | Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name. |
496679-3 | 3-Major | | Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.★ |
491716-3 | 3-Major | | SNMP attribute type incorrect for certain OIDs |
487625-4 | 3-Major | | Qkview might hang |
486725-1 | 3-Major | | GUI creating key files with .key extensions in the name causing errors |
486512-8 | 3-Major | | audit_forwarder sending invalid NAS IP Address attributes |
483228-8 | 3-Major | | The icrd_child process generates core when terminating |
478215-5 | 3-Major | | The command 'show ltm pool detail' returns duplicate members in some cases |
474194-4 | 3-Major | | iControl GlobalLB::PoolMember get_all_statistics and get_monitor_association cause memory leaks |
453949-3 | 3-Major | | small memory leak observed in audit_forwarder |
451494-1 | 3-Major | | SSL Key/Certificate in different partition with Subject Alternative Name (SAN) |
446493-3 | 3-Major | | foreign key index error on local traffic-only group★ |
425980-2 | 3-Major | | Blade number not displayed in CPU status alerts |
421971-7 | 3-Major | | Renewing certificates with SAN input in the GUI leads to error. |
418664-3 | 3-Major | K21485342 | Configuration utility CSRF vulnerability |
405635-5 | 3-Major | | Using the restart cm trust-domain command to recreate certificates required by device trust. |
405611-2 | 3-Major | K61045143 | Configuration utility CSRF vulnerability |
400456-2 | 3-Major | | HTTP monitors with long send or receive strings may not save or update |
372118-1 | 3-Major | | import_all_from_archive_file and import_all_from_archive_stream do not create file objects. |
339825-2 | 3-Major | | Management.KeyCertificate.install_certificate_from_file failing silently |
553174-2 | 4-Minor | | Unable to query admin IP via SNMP on VCMP guest |
551481-4 | 4-Minor | | 'tmsh show net cmetrics' reports bandwidth = 0 |
551349-1 | 4-Minor | K80203854 | Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★ |
548053-1 | 4-Minor | K33462128 | User with 'Application Editor' role set cannot modify 'Description' field using the GUI. |
536746-2 | 4-Minor | K88051173 | LTM : Virtual Address List page uses LTM : Nodes List search filter. |
535544-7 | 4-Minor | | Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled |
533480-4 | 4-Minor | K43353404 | qkview crash |
519216-3 | 4-Minor | | Abnormally high CPU utilization from external SSL/OpenSSL monitors |
511332-1 | 4-Minor | K35266322 | Cannot view Pools list by Address |
481003-1 | 4-Minor | | 'General database error' trying to view Local Traffic :: Pools :: Pool List. |
468949-1 | 4-Minor | | audit_forwarded started error message |
466612-2 | 4-Minor | | Missing sys DeviceModel OID for VIPRION C2200 chassis |
452487-5 | 4-Minor | | Incremental sync causes incorrect accounting of member count of pools |
447364-2 | 4-Minor | | BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU |
401893-2 | 4-Minor | | Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies |
572133-3 | 5-Cosmetic | | tmsh save /sys ucs command sends status messages to stderr |
524281-1 | 5-Cosmetic | | Error updating daemon ha heartbeat |
470627-4 | 5-Cosmetic | | Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE |
458563-3 | 5-Cosmetic | | A 'status down' message is logged when enabling a pool member that was previously disabled |
388274-2 | 5-Cosmetic | | LTM pool member link in a route domain is wrong in Network Map. |
291469-3 | 5-Cosmetic | K10643 | SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
555549-2 | 1-Blocking | | 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline. |
579919 | 2-Critical | | TMM may core when LSN translation is enabled |
565810-5 | 2-Critical | K93065637 | OneConnect profile with an idle or strict limit-type might lead to tmm core. |
562566-3 | 2-Critical | K39483533 | Mirrored persistence entries retained after expiration |
558612-3 | 2-Critical | | System may fail when syncookie mode is activated |
554967-2 | 2-Critical | | Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets |
552937-2 | 2-Critical | | HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail. |
552151-1 | 2-Critical | | Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected |
549868-2 | 2-Critical | K48629034 | 10G interoperability issues reported following Cisco Nexus switch version upgrade. |
544375-2 | 2-Critical | | Unable to load certificate/key pair |
540568-4 | 2-Critical | | TMM core due to SIGSEGV |
534795-6 | 2-Critical | | Swapping VLAN names in config results in switch daemon core and restart. |
517613-2 | 2-Critical | | ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps |
483665-3 | 2-Critical | | Restrict the permissions for private keys |
478812-4 | 2-Critical | | DNSX Zone Transfer functionality preserved after power loss |
468791-3 | 2-Critical | | Crash when using FIX tag maps and a FIX message arrives without a SenderCompID. |
466007-3 | 2-Critical | K02683895 | DNS Express daemon, zxfrd, can not start if its binary cache has filled /var |
459671-1 | 2-Critical | | iRules source different procs from different partitions and executes the incorrect proc. |
454583-4 | 2-Critical | | SPDY may cause the TMM to crash if it aborts while there are stalled streams. |
592854-2 | 3-Major | | Protocol version set incorrectly on serverssl renegotiation |
585412-1 | 3-Major | | SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines |
584717 | 3-Major | | TCP window scaling is not applied when SYN cookies are active |
580303-2 | 3-Major | | When going from active to offline, tmm might send a GARP for a floating address. |
579371-1 | 3-Major | K70126130 | BIG-IP may generate ARPs after transition to standby |
576296-1 | 3-Major | | MCPd might leak memory in SCTP profile stats query. |
575626-6 | 3-Major | K04672803 | Minor memory leak in DNS Express stats error conditions |
575612-4 | 3-Major | | Potential MCPd leak in policy action stats query code |
571573-3 | 3-Major | K20320811 | Persistence may override node/pmbr connection limit |
571183-3 | 3-Major | | Bundle-certificates Not Accessible via iControl REST. |
570617-5 | 3-Major | | HTTP parses fragmented response versions incorrectly |
569642-3 | 3-Major | | Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core |
569349-3 | 3-Major | | Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled |
569288-4 | 3-Major | | Different LACP key may be used in different blades in a chassis system causing trunking failures |
566361-2 | 3-Major | K11543589 | RAM Cache Key Collision |
563591-3 | 3-Major | | reference to freed loop_nexthop may cause tmm crash. |
563419-3 | 3-Major | | IPv6 packets containing extended trailer are dropped |
563227-4 | 3-Major | K31104342 | When a pool member goes down, persistence entries may vary among tmms |
558602-2 | 3-Major | | Active mode FTP data channel issue when using lasthop pool |
557783-3 | 3-Major | K14147369 | TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr |
557645-1 | 3-Major | | Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms. |
556560-1 | 3-Major | K80741043 | DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records. |
556103-2 | 3-Major | | Abnormally high CPU utilization for external monitors |
554977-1 | 3-Major | K64401960 | TMM might crash on failed SSL handshake |
553688-3 | 3-Major | | TMM can core due to memory corruption when using SPDY profile. |
552931-2 | 3-Major | | Configuration fails to load if DNS Express Zone name contains an underscore |
552865-5 | 3-Major | K34035224 | SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'. |
551189-2 | 3-Major | | Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data |
550782-2 | 3-Major | | Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit |
550689-3 | 3-Major | | Resolver H.ROOT-SERVERS.NET Address Change |
549406-3 | 3-Major | K63010180 | Destination route-domain specified in the SOCKS profile |
548680-3 | 3-Major | | TMM may core when reconfiguring iApps that make use of iRules with procedures. |
548583-5 | 3-Major | | TMM crashes on standby device with re-mirrored SIP monitor flows. |
548563-3 | 3-Major | | Transparent Cache Messages Only Updated with DO-bit True |
547732-3 | 3-Major | | TMM may core on using SSL::disable on an already established serverside connection |
542654 | 3-Major | K52195938 | bigd may experience a heartbeat failure when tcp-half-open monitors are used |
541126-1 | 3-Major | | Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed |
540893-3 | 3-Major | | Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets. |
540213-4 | 3-Major | | mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary |
536191-3 | 3-Major | | Transparent inherited TCP monitors may fail on loading configuration |
534111-2 | 3-Major | | [SSL] Config sync problems when modifying cert in default client-ssl profile |
533820-3 | 3-Major | | DNS Cache response missing additional section |
531979-4 | 3-Major | | SSL version in the record layer of ClientHello is not set to be the lowest supported version. |
530812-5 | 3-Major | | Legacy DAG algorithm reuses high source port numbers frequently |
529899-3 | 3-Major | | Installation may fail with the error "(Storage modification process conflict.)".★ |
527742-1 | 3-Major | K15550890 | The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system |
524641-4 | 3-Major | K11504283 | Wildcard NAPTR record after deleting the NAPTR records |
523471-3 | 3-Major | | pkcs11d core when connecting to SafeNet HSM |
521711-3 | 3-Major | K14555354 | HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual |
519217-2 | 3-Major | K89004553 | tmm crash: valid proxy |
516816-2 | 3-Major | | RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake. |
515322-2 | 3-Major | | Intermittent TMM core when using DNS cache with forward zones |
513530-3 | 3-Major | | Connections might be reset when using SSL::disable and enable command |
513213-4 | 3-Major | | FastL4 connection may get RSTs in case of hardware syncookie enabled. |
509416-4 | 3-Major | | Suspended 'after' commands may result in unexpected behaviors |
505089-3 | 3-Major | | Spurious ACKs result in SYN cookie rejected stat increment. |
500786-4 | 3-Major | | Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile |
490174-3 | 3-Major | | Improved TLS protocol negotiation with clients supporting TLS1.3 |
469627-2 | 3-Major | | When persistence is overridden from cookie to some other persistence method, the cookie should not be sent. |
468471-1 | 3-Major | | The output of DNS::edns0 subnet address command is not stored properly in a variable |
463202-6 | 3-Major | | BIG-IP system drops non-zero version EDNS requests |
458348-3 | 3-Major | | RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing. |
457109-3 | 3-Major | | Traffic misclassified and matching wrong rule in CPM policy. |
452900-3 | 3-Major | | IP iRules may cause TMM to segfault in low memory scenarios |
452659-1 | 3-Major | | DNS Express zone creation, deletion or updates can slow down or stop other DNS services. |
445471-1 | 3-Major | | DNS Express zone creation, deletion or updates can slow down or stop other DNS services. |
419217-1 | 3-Major | | LTM policy fails to decompress compressed http requests |
417006-5 | 3-Major | | Thales HSM support on Chassis cluster-mode. |
406001-5 | 3-Major | | Host-originated traffic cannot use a nexthop in a different route domain |
372473-3 | 3-Major | | mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes |
336255-8 | 3-Major | K52011109 | OneConnect Connection Limits with Narrow Source Address Masks |
546747-4 | 4-Minor | K72042050 | SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets |
541134-3 | 4-Minor | K51114681 | HTTP/HTTPS monitors transmit unexpected data to monitored node. |
499795-3 | 4-Minor | | "persist add" in server-side iRule event can result in "Client Addr" being pool member address |
492780-3 | 4-Minor | K37345003 | Elliptic Curves Extension in ServerHello might cause failed SSL connection. |
458872-1 | 4-Minor | | Check SACK report before treating as dupack |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
569972-3 | 2-Critical | | Unable to create gtm topology records using iControl REST |
569521-2 | 2-Critical | | Invalid WideIP name without dots crashes gtmd. |
561539-1 | 2-Critical | | [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.★ |
539466-3 | 2-Critical | | Cannot use self-link URI in iControl REST calls with gtm topology |
533658-3 | 2-Critical | | DNS decision logging can trigger TMM crash |
471467-1 | 2-Critical | | gtmparse segfaults when loading wideip.conf because of duplicate virtual server names |
569472-3 | 3-Major | | TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled |
559975-4 | 3-Major | | Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth |
551767-2 | 3-Major | K03432500 | GTM server 'Virtual Server Score' not showing correctly in TMSH stats |
546640-1 | 3-Major | | tmsh show gtm persist <filter option> does not filter correctly |
540576-2 | 3-Major | K29095826 | big3d may fail to install on systems configured with an SSH banner |
552352-3 | 4-Minor | K18701002 | tmsh list displays default values of gtm listener translate-address/translate-port incorrectly |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
560748 | 2-Critical | | BIG-IQ discovery fails |
451089-1 | 2-Critical | | ASM REST: Incorrect/Duplicate REST id for policy after a copy is made |
449231-1 | 2-Critical | | ASM REST: Updating multiple items in a list only makes one change |
589298 | 3-Major | | TMM crash with a core dump |
585045 | 3-Major | | ASM REST: Missing 'gwt' support for urlContentProfiles |
582683-1 | 3-Major | | xpath parser doesn't reset a namespace hash value between each and every scan |
574214-2 | 3-Major | | Content Based Routing daemon (cbrd) logging control |
573406-2 | 3-Major | | ASU cannot be completed if license was last activated more than 18 months before |
572922-3 | 3-Major | | Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.★ |
566758-3 | 3-Major | | Manual changes to policy imported as XML may introduce corruption for Login Pages |
559541-3 | 3-Major | | ICAP anti virus tests are not initiated on XML with when should |
559055 | 3-Major | | Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All" |
531809-1 | 3-Major | | FTP/SMTP traffic related bd crash |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
578353-1 | 2-Critical | | Statistics data aggregation process is not optimized |
529900-4 | 2-Critical | K88373692 | AVR missing some configuration changes in multiblade system |
472969-3 | 2-Critical | | If you try to create more than 264 AVR profiles, avrd might crash. |
569958-3 | 3-Major | | Upgrade for application security anomalies |
557062-3 | 3-Major | | The BIG-IP ASM configuration fails to load after an upgrade.★ |
488989-4 | 3-Major | | AVRD does not print out an error message when the external logging fails |
454071-1 | 5-Cosmetic | | 'Show all' button has no effect or becomes hidden for short period of time |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
581770-1 | 1-Blocking | | Network Access does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6 |
580817-4 | 2-Critical | | Edge Client may crash after upgrade★ |
579909-3 | 2-Critical | | Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error |
579559-4 | 2-Critical | | DTLS Network Access may not work with some hardware platforms with Nitrox hardware acceleration |
578844-3 | 2-Critical | | tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client. |
575609-4 | 2-Critical | | Zlib accelerated compression can result in a dropped flow. |
574318-4 | 2-Critical | | Unable to resume session when switching to Protected Workspace |
572563-4 | 2-Critical | | PWS session does not launch on Internet Explorer after upgrade |
571090-1 | 2-Critical | | When BIG-IP is used as SAML IdP, tmm may restart under certain conditions |
569306-5 | 2-Critical | | Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected |
565056-5 | 2-Critical | K87617654 | Fail to update VPN correctly for non-admin user. |
562919-1 | 2-Critical | | TMM cores in renew lease timer handler |
559138-4 | 2-Critical | | Linux CLI VPN client fails to establish VPN connection on Ubuntu |
556774-1 | 2-Critical | | EdgeClient cannot connect through captive portal |
555272-3 | 2-Critical | | Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade★ |
513083-2 | 2-Critical | | d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server. |
586056 | 3-Major | | Machine cert checker doesn't work as expected if issuer or AltName is specified |
581834-3 | 3-Major | | Firefox signed plugin for VPN, Endpoint Check, etc |
580421-4 | 3-Major | | Edge Client may not register DLLs correctly |
576069-1 | 3-Major | | Rewrite can crash in some rare corner cases |
575499-3 | 3-Major | | VPN filter may leave renew_lease timer active after teardown |
575292-2 | 3-Major | | DNS Relay proxy service does not respond to SCM commands in timely manner |
574781-3 | 3-Major | | APM Network Access IPV4/IPV6 virtual may leak memory |
573581-2 | 3-Major | | DNS search suffixes are not restored properly in some cases after VPN establishment |
573429-2 | 3-Major | | APM Network Access IPv4/IPv6 virtual may leak memory |
572893-5 | 3-Major | | error "The modem (or other connecting device) is already in use or is not configured properly" |
571003-4 | 3-Major | | TMM Restarts After Failover |
570640-4 | 3-Major | | APM Cannot create symbolic link to sandbox. Error: No such file or directory |
570064-4 | 3-Major | | IE gives a security warning asking: "Do you want to run ... InstallerControll.cab" |
569255-5 | 3-Major | K81130213 | Network Access incorrectly manipulates routing table when second adapter is connected if "Allow Local subnet access" is set to ON |
566908-3 | 3-Major | K54435973 | Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file |
566646-2 | 3-Major | | Portal Access could respond very slowly for large text files when using IE < 11 |
565231-1 | 3-Major | | Importing a previously exported policy which had two object names may fail |
564521-2 | 3-Major | | JavaScript passed to ExternalInterface.call() may be erroneously unescaped |
564496-2 | 3-Major | | Applying APM Add-on License Does Not Change Effective License Limit |
564482-3 | 3-Major | | Kerberos SSO does not support AES256 encryption |
564262-3 | 3-Major | K21518043 | Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code |
564253-6 | 3-Major | | Firefox signed plugin for VPN, Endpoint Check, etc |
563443-3 | 3-Major | | WebSSO plugin core dumps under very rare conditions. |
558946-3 | 3-Major | | TMM may core when APM is provisioned and access profile is attached to the virtual |
558870-4 | 3-Major | K12012384 | Protected workspace does not work correctly with third party products |
558631-6 | 3-Major | K81306414 | APM Network Access VPN feature may leak memory |
556597-3 | 3-Major | | CertHelper may crash when performing Machine Cert Inspection |
555457-4 | 3-Major | K16415235 | Reboot is required, but not prompted after F5 Networks components have been uninstalled |
554993-1 | 3-Major | | Profile Stats Not Updated After Standby Upgrade Followed By Failover |
554626 | 3-Major | K14263316 | Database logging truncates log values greater than 1024 |
554228-4 | 3-Major | | OneConnect does not work when WEBSSO is enabled/configured. |
554074-3 | 3-Major | | If the user cancels a connection attempt, there may be a delay in establishing the next connection. |
554041-4 | 3-Major | | No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled |
553925-3 | 3-Major | | Manual upgrade of Edge Client fails in some cases on Windows★ |
552498-2 | 3-Major | | APMD basic authentication cookie domains are not processed correctly |
550536-4 | 3-Major | | Incorrect information/text (in French) is displayed when the Edge Client is launched |
549086-3 | 3-Major | | Windows 10 is not detected when Firefox is used |
536575-2 | 3-Major | | Session variable report can be blank in many cases |
531983-4 | 3-Major | | [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added |
528548-1 | 3-Major | | @import "url" is not recognized by client-side CSS patcher |
528139-4 | 3-Major | | Windows 8 client may not be able to renew DHCP lease |
520088-1 | 3-Major | | Citrix HTML5 Receiver does not properly display initial tour and icons |
519059-2 | 3-Major | | [PA] - Failing to properly patch webapp link, link not working |
518550-5 | 3-Major | | Incorrect value of form action attribute inside 'onsubmit' event handler in some cases |
516219-2 | 3-Major | | User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled |
492122-4 | 3-Major | K42635442 | Now Windows Logon Integration does not recreate temporary user for logon execution each time |
488811-4 | 3-Major | | F5-prelogon user profile folders are not fully cleaned up |
487859-2 | 3-Major | K42022001 | Importing local db users from a CSV file that has no UID set displays incorrect information in the GUI. |
473344-7 | 3-Major | | Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP. |
472446-4 | 3-Major | | Customization group template file might cause mcpd to restart |
464687-1 | 3-Major | | Copying Access Profile with Machine Cert Agent check fails |
462268-1 | 3-Major | | long session var processing in variable assignment agent |
461084-2 | 3-Major | K48281763 | Kerberos Auth might fail if client request contains Authorization header |
458737-1 | 3-Major | | non-printable characters are escaped before hexencoding |
409323-2 | 3-Major | | OnDemand cert auth redirect omits port information |
404141-3 | 3-Major | | Standby system offers option to Apply Access Policy even though it has been synced |
399732-2 | 3-Major | | SAML Error: Invalid request received from remote client is too big |
580429-3 | 4-Minor | | CTU does not show second Class ID for InstallerControll.dll |
572543-4 | 4-Minor | | User is prompted to install components repeatedly after client components are updated. |
541156-3 | 4-Minor | | Network Access clients experience delays when resolving a host |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
575631-2 | 3-Major | | Potential MCPd leak in WAM stats query code |
551010-3 | 3-Major | | Crash on unexpected WAM storage queue state |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
552198-3 | 3-Major | K27590443 | APM App Tunnel/AM iSession Connection Memory Leak |
547537-4 | 3-Major | | TMM core due to iSession tunnel assertion failure |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
572224 | 3-Major | | Buffer error due to RADIUS::avp command when vendor IDs do not match |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
575582-1 | 3-Major | | MCPd might leak memory in FW network attack stats. |
575571-1 | 3-Major | | MCPd might leak memory in FW DOS SIP attack stats query. |
575569-1 | 3-Major | | MCPd might leak memory in FW DOS DNS stats query. |
575565-1 | 3-Major | | MCPd might leak memory in FW policy rule stats query. |
575564-1 | 3-Major | | MCPd might leak memory in FW rule stats query. |
575557-2 | 3-Major | | MCPd might leak memory in FW rule stats. |
575321-1 | 3-Major | | MCPd might leak memory in firewall stats. |
569337-4 | 3-Major | | TCP events are logged twice in an HA setup |
561433-6 | 3-Major | | TMM packets can be dropped indiscriminately while under DoS attack |
556694-6 | 3-Major | | DoS Whitelist IPv6 addresses may "overmatch" |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
577814 | 3-Major | | MCPd might leak memory in PEM stats queries. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
540571-4 | 2-Critical | | TMM cores when multicast address is set as destination IP via iRules and LSN is configured |
482202-2 | 2-Critical | | Very long FTP command may be ignored. |
515736-5 | 3-Major | | LSN pool with small port range may not use all ports |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
453640-2 | 2-Critical | | Java core when modifying global-settings |
Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
518275-3 | CVE-2016-4545 | K48042976 | The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
577811 | 3-Major | | SNMP sysObjectID OID reports ID of blade on VIPRION 2xxx-series platforms |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
576314 | 2-Critical | | SNMP traps for FIPS device fault inconsistent among versions. |
574262 | 3-Major | | Rarely encountered lockup for N3FIPS module when processing key management requests. |
574073 | 3-Major | | Support for New Platform: BIG-IP 10350 FIPS with NEBS support |
Cumulative fixes from BIG-IP v11.5.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
542314-7 | CVE-2015-8099 | K35358312 | TCP vulnerability - CVE-2015-8099 |
536481-8 | CVE-2015-8240 | K06223540 | F5 TCP vulnerability CVE-2015-8240 |
567475-4 | CVE-2015-8704 | K53445000 | BIND vulnerability CVE-2015-8704 |
560910-3 | CVE-2015-3194 | K86772626 | OpenSSL Vulnerability fix |
560180-3 | CVE-2015-8000 | K34250741 | BIND Vulnerability CVE-2015-8000 |
554624-1 | CVE-2015-5300 CVE-2015-7704 | K10600056 K17566 | NTP CVE-2015-5300 CVE-2015-7704 |
553902-3 | CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 | K17516 | Multiple NTP Vulnerabilities |
546080-4 | CVE-2016-5021 | K99998454 | Path sanitization for iControl REST worker |
545786-2 | CVE-2015-7393 | K75136237 | Privilege escalation vulnerability CVE-2015-7393 |
545762-1 | CVE-2015-7394 | K17407 | CVE-2015-7394 |
540849-4 | CVE-2015-5986 | K17227 | BIND vulnerability CVE-2015-5986 |
540846-4 | CVE-2015-5722 | K17181 | BIND vulnerability CVE-2015-5722 |
540767-1 | CVE-2015-5621 | K17378 | SNMP vulnerability CVE-2015-5621 |
533156-2 | CVE-2015-6546 | K17386 | CVE-2015-6546 |
472093-2 | CVE-2015-8022 | K12401251 | APM TMUI Vulnerability CVE-2015-8022 |
445327-1 | CVE-2013-5878 CVE-2013-5884 CVE-2013-5893 CVE-2013-5896 CVE-2013-5907 CVE-2013-5910 CVE-2014-0368 CVE-2014-0373 CVE-2014-0376 CVE-2014-0411 CVE-2014-0416 CVE-2014-0422 CVE-2014-0423 CVE-2014-0428 | K53146535 | OpenJDK 1.7 vulnerabilities |
556383-2 | CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 | K31372672 | Multiple NSS Vulnerabilities |
534633-1 | CVE-2015-5600 | K17113 | OpenSSH vulnerability CVE-2015-5600 |
525232-10 | CVE-2015-4024 CVE-2014-8142 | K16826 | PHP vulnerability CVE-2015-4024 |
485917-5 | CVE-2004-1060 | K15792 | BIG/IP is vulnerable to Path MTU discovery attack (CVE-2004-1060) |
427174-6 | CVE-2013-1620 CVE-2013-0791 | K15630 | SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620 |
560948-3 | CVE-2015-3195 | K12824341 | OpenSSL vulnerability CVE-2015-3195 |
553454-3 | CVE-2015-2730 | K15955144 | Mozilla NSS vulnerability CVE-2015-2730 |
515345-4 | CVE-2015-1798 | K16505 | NTP Vulnerability |
430799-5 | CVE-2010-5107 | K14741 | CVE-2010-5107 openssh vulnerability |
567484-4 | CVE-2015-8705 | K86533083 | BIND Vulnerability CVE-2015-8705 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
557221 | 2-Critical | | Inbound ISP link load balancing will use pool members for only one ISP link per data center |
539130-7 | 3-Major | K70695033 | bigd may crash due to a heartbeat timeout |
530133 | 3-Major | | Support for New Platform: BIG-IP 10350 FIPS |
498992-9 | 3-Major | | Troubleshooting enhancement: improve logging details for AWS failover failure. |
439013-5 | 3-Major | K15162 | IPv6 link-local vlan tag handling incorrect |
425331-1 | 3-Major | | On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID |
226043-5 | 3-Major | | Add support for multiple addresses for audit-forwarder. |
479147-5 | 4-Minor | | Cannot create VXLAN tunnels with the same local-address and different multicast addresses. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
546260-1 | 1-Blocking | | TMM can crash if using the v6rd profile |
544980-1 | 1-Blocking | | BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle. |
510393-2 | 1-Blocking | | TMM may occasionally restart with a core file when deployed VCMP guests are stopped |
465142-5 | 1-Blocking | K16633 | iControl LocalLB::ProfileClientSSL::create and create_v2 methods result in crash when not in /Common |
397431-8 | 1-Blocking | | Improved security for Apache. |
562427 | 2-Critical | | Trust domain changes do not persist on reboot. |
555686-2 | 2-Critical | | Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers |
544913-2 | 2-Critical | K17322 | tmm core while logging from TMM during failover |
544481-4 | 2-Critical | | IPSEC Tunnel fails for more than one minute randomly. |
530903-5 | 2-Critical | | HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade★ |
523434-5 | 2-Critical | K85242410 | mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object |
520380-4 | 2-Critical | K41313442 | save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory |
513151-7 | 2-Critical | | VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID. |
511559-6 | 2-Critical | | Virtual Address advertised while unavailable |
510559-5 | 2-Critical | | Add logging to indicate that compression engine is stalled. |
507602-4 | 2-Critical | K17166 | Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled |
504508-4 | 2-Critical | K16773 | IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled |
503600-3 | 2-Critical | K17149 | TMM core logging from TMM while attempting to connect to remote logging server |
482373-5 | 2-Critical | | Cannot delete and re-create a new virtual server that uses the same virtual address in the same transaction |
468473-5 | 2-Critical | K16193 | Monitors with domain username do not save/load correctly |
460165-5 | 2-Critical | | General Database Error when accessing Clusters or Templates page |
365219-3 | 2-Critical | | Trust upgrade fails when upgrading from version 10.x to version 11.x.★ |
355199-5 | 2-Critical | | ePVA flow not removed when connection closed |
556284-3 | 3-Major | K55622762 | iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found |
553576-2 | 3-Major | K17356 | Intermittent 'zero millivolt' reading from FND-850 PSU |
550694 | 3-Major | K60222549 | LCD display stops updating and Status LED turns/blinks Amber |
547047-1 | 3-Major | K31076445 | Older cli-tools unsupported by AWS |
545745-3 | 3-Major | | Enabling tmm.verbose mode produces messages that can be mistaken for errors. |
542860-5 | 3-Major | | TMM crashes when IPsec SAs are deleted during an HA Active to Standby (or vice versa) event |
542320 | 3-Major | | No login name may appear when running ssh commands through management port |
539822-1 | 3-Major | | tmm may leak connflow and memory on vCMP guest. |
538133-1 | 3-Major | | Only one action per sensor is displayed in sensor_limit_table and system_check |
536939-1 | 3-Major | | Secondary blade may restart services if configuration elements are deleted using a * wildcard. |
534582-3 | 3-Major | K10397582 | HA configuration may fail over when standby has only base configuration loaded. |
533826-4 | 3-Major | | SNMP Memory Leak on a VIPRION system. |
532559-2 | 3-Major | | Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'. |
531986-2 | 3-Major | | Hourly AWS VE license breaks after reboot with default tmm route/gateway. |
529977-4 | 3-Major | | OSPF may not process updates to redistributed routes |
529524-5 | 3-Major | K15345631 | IPsec IKEv1 connectivity issues |
528881-5 | 3-Major | | NAT names with spaces in them do not upgrade properly★ |
528498-2 | 3-Major | | Recently-manufactured hardware may not be identified with the correct model name and SNMP OID |
528276-6 | 3-Major | K39167163 | The device management daemon can crash with a malloc error |
527431-2 | 3-Major | | Db variable to specify audit forwarder port |
526974-5 | 3-Major | | Data-group member records map empty strings to 'none'. |
526817-6 | 3-Major | | snmpd core due to mcpd message timer thread not exiting |
524490-7 | 3-Major | K17364 | Excessive output for tmsh show running-config |
524333-5 | 3-Major | K55005622 | iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out. |
524300-1 | 3-Major | K71003856 | The MOS boot process appears to hang. |
523922-6 | 3-Major | | Session entries may time out prematurely on some TMMs |
523867-2 | 3-Major | | 'warning: Failed to find EUDs' message during formatting installation |
523642-4 | 3-Major | | Power Supply status reported incorrectly after LBH reset |
523527-10 | 3-Major | K43121346 | Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.★ |
522871-4 | 3-Major | K13764703 | [TMSH] nested wildcard deletion will delete all the objects (matched or not matched) |
522837-3 | 3-Major | | MCPD can core as a result of another component shutting down prematurely |
521144-7 | 3-Major | K16799 | Network failover packets on the management interface sometimes have an incorrect source-IP |
519510-4 | 3-Major | K17164 | Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware |
519081-6 | 3-Major | | Cannot use tmsh to load valid configuration created using the GUI. |
518283-4 | 3-Major | K16524 | Cookie rewrite mangles 'Set-Cookie' headers |
517714-2 | 3-Major | | logd core near end of its life cycle |
517388-6 | 3-Major | | Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs. |
516995-8 | 3-Major | | NAT traffic group inheritance does not sync across devices |
516322-5 | 3-Major | | The BIG-IP system may erroneously remove an iApp association from the virtual server. |
514844-3 | 3-Major | K17099 | Fluctuating/inconsistent number of health monitors for pool member |
514726-5 | 3-Major | K17144 | Server-side DSR tunnel flow never expires |
514724-4 | 3-Major | | crypto-failsafe fail condition not cleared when crypto device restored |
512618-2 | 3-Major | | Continuous "Invalid sadb message" upon issuing "racoonctl -l show-sa esp" |
511145-2 | 3-Major | | IPsec Policy Link not functional. |
510425-7 | 3-Major | K28822214 | DNS Express zone RR type-count statistics are missing in some cases |
510381-5 | 3-Major | | bcm56xxd might core when restarting due to bundling config change. |
509600-5 | 3-Major | | Global rule association to policy is lost after loading config. |
507853-10 | 3-Major | | MCP may crash while performing a very large chunked query and CPU is highly loaded |
504803-4 | 3-Major | | GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'. |
504494-4 | 3-Major | K43624250 | Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.★ |
501437-6 | 3-Major | | rsync daemon does not stop listening after configsync-ip set to none |
497304-10 | 3-Major | | Unable to delete reconfigured HTTP iApp when auto-sync is enabled |
495865-4 | 3-Major | K15116582 | iApps/tmsh cannot reconfigure pools that have monitors associated with them. |
495862-7 | 3-Major | | Virtual status becomes yellow and gets connection limit alert when all pool members forced down |
493246-1 | 3-Major | K17414 | SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot |
491556-10 | 3-Major | K16573 | tmsh show sys connection output is corrected |
489113-7 | 3-Major | K16375 | PVA status, statistics not shown correctly in UI |
485939-8 | 3-Major | K16822 | OSPF redistributing connected subnets that are configured in the network element with infinity metric in an HA pair. |
485702-7 | 3-Major | | Default SNMP community 'public' is re-added after the upgrade |
484861-10 | 3-Major | K16919 | A standby-standby state can be created when auto failback acts in a CRC disagreement scenario |
484534-5 | 3-Major | | Interface STP state stays blocked when added to STP as disabled |
483699-5 | 3-Major | K16888 | No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list |
483104-6 | 3-Major | K17365 | vCMP guests report platform type as 'unknown' |
481089-6 | 3-Major | | Request group incorrectly deleted prior to being processed |
479553-6 | 3-Major | | Sync may fail after deleting a persistence profile |
479543-8 | 3-Major | | Transaction will fail when deleting pool member and related node |
476288-5 | 3-Major | | Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault |
473037-7 | 3-Major | K16896 | BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP |
470788-4 | 3-Major | K34193654 | Creating static ARP entry with unreachable IP address causes BIG-IP to be unreachable after reboot |
470756-8 | 3-Major | | snmpd cores or crashes with no logging when restarted by sod |
464225-6 | 3-Major | K16541 | 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users |
463468-9 | 3-Major | | Failed tmsh commands generate double logs |
462187-6 | 3-Major | K16379 | 'tmsh list net tunnels' and GUI tunnel access fail for non-admin users |
458104-6 | 3-Major | K16795 | LTM UCS load merge trunk config issue |
455980-6 | 3-Major | K17210 | Home directory is purged when the admin changes user password. |
455651-6 | 3-Major | K40300934 | Improper regex/glob validation in web-acceleration and http-compression profiles |
454392-1 | 3-Major | | Added support for BIG-IP 10350N NEBS platform. |
439299-5 | 3-Major | | iApp creation fails with non-admin users |
433466-5 | 3-Major | | Disabling bundled interfaces affects first member of associated unbundled interfaces |
410101-4 | 3-Major | | HSBe2 falls off the PCI bus |
375246-11 | 3-Major | | Clarification of pool member session enabling versus pool member monitor enabling |
549023 | 4-Minor | | warning: Failed to find EUDs★ |
548268-3 | 4-Minor | | Disabling an interface on a blade does not change media to NONE |
503841-4 | 4-Minor | | Slow performance with delete_string_class_member in iControl-SOAP |
492163-6 | 4-Minor | K12400 | Applying a monitor to pool and pool member may cause an issue. |
473163-9 | 4-Minor | | RAID disk failure and alert.conf log message mismatch results in no trap |
465675-5 | 4-Minor | K07816405 | Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable. |
434096-5 | 4-Minor | | TACACS log forwarder truncates logs to 1 KB |
413708-7 | 5-Cosmetic | K31302478 | BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
536690-1 | 1-Blocking | K82591051 | Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm) |
540473-5 | 2-Critical | | peer/clientside/serverside script with parking command may cause tmm to core. |
538255-2 | 2-Critical | | SSL handshakes on 4200/2200 can cause TMM cores. |
537988-3 | 2-Critical | K76135297 | Buffer overflow for large session messages |
534804-3 | 2-Critical | | TMM may core with rate limiting enabled and service-down-action reselect on pool members |
534052-5 | 2-Critical | K17150 | VLAN failsafe triggering on standby leaks memory |
533388-8 | 2-Critical | | tmm crash with assert "resume on different script" |
530505-2 | 2-Critical | | IP fragments can cause TMM to crash when packet filtering is enabled |
529920-6 | 2-Critical | | Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit |
528739-5 | 2-Critical | K47320953 | DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses. |
527011-4 | 2-Critical | | Intermittent lost connections with no errors on external interfaces |
520413-12 | 2-Critical | | TMM may crash when using woodside congestion control |
517590-1 | 2-Critical | | Pool member not turning 'blue' when monitor removed from pool |
517465-3 | 2-Critical | | tmm crash with ssl |
514108-7 | 2-Critical | | TSO packet initialization failure due to out-of-memory condition. |
509646-6 | 2-Critical | | Occasional connections reset when using persistence |
503343-9 | 2-Critical | | TMM crashes when cloned packet incorrectly marked for TSO |
497299-7 | 2-Critical | | Thales install fails if the BIG-IP system is also configured as the RFS |
489451-2 | 2-Critical | K17278 | TMM might panic due to OpenSSL failure during handshake generation |
483719-4 | 2-Critical | K16260 | vlan-groups configured with a single member VLAN result in memory leak |
481677-5 | 2-Critical | | A possible TMM crash in some circumstances. |
481162-6 | 2-Critical | K16458 | vs-index is set differently on each blade in a chassis |
477064-5 | 2-Critical | K17268 | TMM may crash in SSL |
472585-5 | 2-Critical | | tmrouted crashes after a series of configuration changes |
470235-1 | 2-Critical | | The HTTP explicit proxy may leak memory in some cases |
459100-6 | 2-Critical | K16452 | TMM may crash when offloading one-way UDP FastL4 flow |
456766-2 | 2-Critical | K17351 | SSL Session resumption with hybrid handshake might fail |
456175-3 | 2-Critical | | Memory issues possible with really long interface names |
451059-8 | 2-Critical | | SSL server does not check and validate Change Cipher Spec payload. |
569718-3 | 3-Major | | Traffic not sent to default pool after pool selection from rule |
553311-1 | 3-Major | K13710973 | Route pool configuration may cause TMM to produce a core file |
552532-3 | 3-Major | K73453525 | Oracle monitor fails with certain time zones. |
552385 | 3-Major | | Virtual servers using an SSL profile and two UDP profiles may not be accepted |
547815-2 | 3-Major | K57983796 | Potential DNS Transparent Cache Memory Leak |
545704-3 | 3-Major | | TMM might core when using HTTP::header in a serverside event |
544028-3 | 3-Major | K21131221 | Verified Accept counter 'verified_accept_connections' might underflow. |
543993-4 | 3-Major | | Serverside connections may fail to detach when using the HTTP and OneConnect profiles |
543220-3 | 3-Major | K12153351 | Global traffic statistics does not include PVA statistics |
538603-3 | 3-Major | K03383492 | TMM core file on pool member down with rate limit configured |
537964-3 | 3-Major | K17388 | Monitor instances may not get deleted during configuration merge load |
537553-3 | 3-Major | | tmm might crash after modifying virtual server SSL profiles in SNI configuration |
533966-4 | 3-Major | | Double loopback nexthop release might cause TMM core. |
532107-5 | 3-Major | K16716213 | [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted |
530761-4 | 3-Major | | TMM crash in DNS processing on a TCP virtual |
528407-6 | 3-Major | K72235143 | TMM may core with invalid lasthop pool configuration |
528188-4 | 3-Major | | Packet filters are bypassed for some fragmented ICMP echo requests to a virtual address |
528007-5 | 3-Major | | Memory leak in ssl |
527027-3 | 3-Major | | DNSSEC Unsigned Delegations Respond with Parent Zone Information |
527024-2 | 3-Major | | DNSSEC Unsigned Delegations Respond with Parent Zone Information |
526810-8 | 3-Major | | Crypto accelerator queue timeout is now adjustable |
525958-10 | 3-Major | | TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop. |
525322-6 | 3-Major | | Executing tmsh clientssl-proxy cached-certs crashes tmm |
524960-5 | 3-Major | K17434 | 'forward' command does not work if virtual server has attached pool |
523513-5 | 3-Major | | COMPRESS::enable keeps compression enabled for a subsequent HTTP request. |
521036-4 | 3-Major | | Dynamic ARP entry may replace a static entry in non-primary TMM instances. |
520405-2 | 3-Major | | tmm restart due to oversubscribed DNS resolver |
517790-11 | 3-Major | | When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped |
517510-5 | 3-Major | | HTTP monitor might add extra CR/LF pairs to HTTP body when supplied |
517282-6 | 3-Major | K63316585 | The DNS monitor may delay marking an object down or never mark it down |
517124-6 | 3-Major | | HTTP::retry incorrectly converts its input |
516598-6 | 3-Major | K82721850 | Multiple TCP keepalive timers for same Fast L4 flow |
516432-4 | 3-Major | K21467711 | DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1. |
516320-5 | 3-Major | | TMM may have a CPU spike if match cross persist is used. |
515482-6 | 3-Major | K93258439 | Multiple teardown conditions can cause crash |
515072-7 | 3-Major | K17101 | Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased |
514419-7 | 3-Major | | TMM core when viewing connection table |
514246-6 | 3-Major | | connflow_precise_check_begin does not check for NULL |
513319-7 | 3-Major | | Incorrect or failing sideband connections from within iRule may leak memory |
513243-5 | 3-Major | K17561 | Improper processing of crypto error condition might cause memory issues. |
512490-10 | 3-Major | | Increased latency during connection setup when using FastL4 profile and connection mirroring. |
512148-7 | 3-Major | K17154 | Self IP address cannot be deleted when its VLAN is associated with static route |
511517-8 | 3-Major | K17111 | Request Logging profile cannot be configured with HTTP transparent profile |
511057-7 | 3-Major | K60014038 | Config sync fails after changing monitor in iApp |
510921-6 | 3-Major | K23548911 | Database monitors do not support IPv6 nodes |
510164-4 | 3-Major | K53351133 | DNS Express zone RR statistics are correctly reset after zxfrd restart |
507109-6 | 3-Major | | inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade★ |
505705-6 | 3-Major | | Expired mirrored persistence entries not always freed using intra-chassis mirroring |
504827-3 | 3-Major | | Use of DHCP relay virtual server might result in tmm crash 'top filter'. |
503257-13 | 3-Major | | Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST |
502747-13 | 3-Major | | Incoming SYN generates unexpected ACK when connection cannot be recycled |
498334-6 | 3-Major | K16867 | DNS express doesn't send zone notify response |
495588-4 | 3-Major | | Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases★ |
493140-6 | 3-Major | K16969 | Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters. |
493117-12 | 3-Major | K16986 | Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted |
490740-9 | 3-Major | | TMM may assert if HTTP is disabled by another filter while it is parked |
490429-4 | 3-Major | K17206 | The dynamic routes for the default route might be flushed during operations on non-default route domains. |
475649-6 | 3-Major | K17430 | HTTP::respond in explicit proxy scenarios may cause TMM crash due to assert |
475125-2 | 3-Major | K17428 | Use of HTTP::retry may cause TMM crash |
472748-4 | 3-Major | | SNAT pool stats are reflected in global SNAT stats |
471059-7 | 3-Major | | Malformed cookies can break persistence |
467551-5 | 3-Major | K17011 | TCP syncookie and Selective NACK (profile option) causes traffic to be dropped |
464651-7 | 3-Major | K16636 | Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core. |
458822-5 | 3-Major | | Cluster status may be incorrect on secondary blades |
453720-6 | 3-Major | | clientssl profile validation fails to detect config with no cert/key name and no cert/key★ |
452246-4 | 3-Major | K17075 | The correct cipher may not be chosen on session resumption. |
447043-11 | 3-Major | K17095 | Cannot have 2 distinct 'contains' conditions on the same LTM policy operand |
442869-7 | 3-Major | | GUI inaccessible on chassis when var/log/audit log is full |
441638-9 | 3-Major | K14972 | CACHE::header insert fails with 'Out of bounds' error for 301 Cache response |
441058-5 | 3-Major | K17366 | TMM can crash when a large number of SSL objects are created |
429011-8 | 3-Major | K15554 | No support for external link down time on network failover |
424831-4 | 3-Major | K14573 | State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover |
418890-5 | 3-Major | K92193116 | OpenSSL bug can prevent RSA keys from rolling forward★ |
364994-14 | 3-Major | K16456 | TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule. |
348000-16 | 3-Major | | HTTP response status 408 request timeout results in error being logged. |
534458-4 | 4-Minor | K17196 | SIP monitor marks down member if response has different whitespace in header fields. |
532799-4 | 4-Minor | K14551525 | Static Link route to /32 pool member can end using dst broadcast MAC |
513288-2 | 4-Minor | | Management traffic from nodes being health monitored might cause health monitors to fail. |
503560-5 | 4-Minor | | Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server. |
446830-2 | 4-Minor | | Current Sessions stat does not increment/decrement correctly. |
446755-5 | 4-Minor | K70440102 | Connections with ramcache and clientssl profile allowing non-SSL traffic may stall |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
469033-15 | 2-Critical | | Large big3d memory footprint. |
437025-5 | 2-Critical | K15698 | big3d might exit during loading of large configs or when a connection to mcpd is dropped. |
529460-5 | 3-Major | K17209 | Short HTTP monitor responses can incorrectly mark virtual servers down. |
517582-5 | 3-Major | | [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record. |
514731-4 | 3-Major | K17100 | GTM Fails to change GTM server with IPv4 'Address Translation' enabled |
510888-8 | 3-Major | | [LC] snmp_link monitor is not listed as available when creating link objects |
494305-6 | 4-Minor | K36360597 | [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list. |
494070-4 | 4-Minor | K59225090 | BIG-IP DNS cannot use a loopback address with fallback IP load balancing |
451211-3 | 4-Minor | | Error using GUI when setting debug option on GTM SIP monitor. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
555057-1 | 2-Critical | | ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies. |
555006-1 | 2-Critical | | ASM REST: lastUpdateMicros is not updated when changing a Custom Signature |
552139-3 | 2-Critical | K61834804 | ASM limitation in the pattern matching matrix build-up |
540424-1 | 2-Critical | | ASM REST: DESC modifier for $orderby option does not affect results |
515728-4 | 2-Critical | | Repeated BD cores. |
478351-2 | 2-Critical | K17319 | Changing management IP can lead to bd crash |
475551-5 | 2-Critical | | Flaw in CSRF protection mechanism |
547000-3 | 3-Major | K47219203 | Enforcer application might crash on XML traffic when out of memory |
544831 | 3-Major | | ASM REST: PATCH to custom signature set's attackTypeReference is ignored |
542511-1 | 3-Major | K97242554 | 'Unhandled keyword ()' error message in GUI and/or various ASM logs |
540390-1 | 3-Major | | ASM REST: Attack Signature Update cannot roll back to older attack signatures |
538195-5 | 3-Major | | Incremental Manual sync does not allow overwrite of 'newer' ASM config |
535188-5 | 3-Major | | Response Pages custom content with \n instead of \r\n on policy import. |
534246-4 | 3-Major | | rest_uuid should be calculated from the actual values inserted to the entity |
530598-2 | 3-Major | | Some Session Tracking data points are lost on TMM restart |
529610-4 | 3-Major | K32565535 | On HA setups, the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db |
528071-2 | 3-Major | | ASM periodic updates (cron) write errors to log |
526162-6 | 3-Major | K52335623 | TMM crashes with SIGABRT |
521183-3 | 3-Major | | Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5★ |
519053-4 | 3-Major | | Request is forwarded truncated to the server after answering challenge on a big request |
514313-3 | 3-Major | K00884154 | Logging profile configuration is updated unnecessarily |
502852-4 | 3-Major | | Deleting an in-use custom policy template |
498189-6 | 3-Major | | ASM Request log does not show log messages. |
491371-4 | 3-Major | K17285 | CMI: Manual sync does not allow overwrite of 'newer' ASM config |
491352-4 | 3-Major | | Added ASM internal parameter to add more XML memory |
484079-5 | 3-Major | K90502502 | Change to signature list of manual Signature Sets does not take effect. |
478674-10 | 3-Major | K08359230 | ASM internal parameters for high availability timeout were not handled correctly |
471766-3 | 3-Major | | Number of decoding passes configuration |
470779-3 | 3-Major | | The Enforcer should exclude session awareness violations when counting illegal requests. |
466423-1 | 3-Major | | ASM REST: Partial PATCH to User-Defined Signature-Set Filter Resets Other Fields to Defaults |
442313-6 | 3-Major | | Content-Length header leading whitespace should not be counted as digits |
440913-2 | 3-Major | | Apply Policy Fails After Policy Diff and Merge |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
458823-2 | 2-Critical | | TMM Crash can lead to crash of other processes |
535246 | 3-Major | K17493 | Table values are not correctly cleaned and can occupy entire disk space. |
530952-4 | 3-Major | | MySQL query fails with error number 1615 'Prepared statement needs to be re-prepared' |
530356-1 | 3-Major | | Some AVR tables that hold ASM statistics are not being backed up in upgrade process. |
529903-2 | 3-Major | | Incorrect reports on multi-bladed systems |
519252-1 | 3-Major | | SIP statistics upgrade★ |
474613-2 | 3-Major | | Upgrading from previous versions★ |
472125-3 | 3-Major | | IP Intelligence report data is not roll-forwarded between installations as it should★ |
537435-4 | 4-Minor | | Monpd might core if asking for export report by email while monpd is terminating |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
553330-2 | 1-Blocking | | Unable to create a new document with SharePoint 2010 |
555507-3 | 2-Critical | K88973987 | Under certain conditions, SSO plugin can overrun memory not owned by the plugin. |
537227-6 | 2-Critical | | EdgeClient may crash if special Network Access configuration is used |
532340-2 | 2-Critical | | When FormBased SSO or SAML SSO are configured, tmm may restart at startup |
530622-2 | 2-Critical | | EAM plugin uses high memory when serving very high concurrent user load |
502269-2 | 2-Critical | | Large post requests may fail using form based SSO. |
480272-8 | 2-Critical | K17117 | During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID |
459584-2 | 2-Critical | K11596702 | TMM crashes if request URI is empty or longer than 4096 bytes. |
437611-3 | 2-Critical | K16104 | ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_license.c, Function: access_read_license_settings, Line: 204 |
558859 | 3-Major | | Control insertion to log_session_details table by Access policy logging level. |
551764-1 | 3-Major | K14954742 | [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform |
549588-3 | 3-Major | | EAM memory leak when cookiemap is destroyed without deleting Cookie object in it |
544992-2 | 3-Major | | Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/VMware View iApp) |
539270-2 | 3-Major | | A specific NTLM client fails to authenticate with BIG-IP |
539229-4 | 3-Major | | EAM core while using Oracle Access Manager |
537614-2 | 3-Major | | Machine certificate checker fails to use Machine cert check service if Windows has certain display languages |
532761-1 | 3-Major | | APM fails to handle compressed ICA file in integration mode |
528808-2 | 3-Major | | Source NAT translation doesn't work when APM is disabled using iRule |
526637-1 | 3-Major | | tmm crash with APM clientless mode |
522791-1 | 3-Major | K45123459 | HTML rewriting on client might leave 'style' attribute unrewritten. |
482177-2 | 3-Major | K16777 | Accessing SharePoint web application portal interferes with IdP initiated SAML SSO |
467256-1 | 3-Major | K25633150 | Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat |
462598-3 | 3-Major | K17184 | Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members. |
446860-6 | 3-Major | | APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 |
533723-7 | 4-Minor | | [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag. |
491080-2 | 4-Minor | K92821195 | Memory leak in access framework |
473685-2 | 4-Minor | | Websso truncates cookie domain value |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
525478-3 | 3-Major | K80413728 | Requests for deflate encoding of gzip documents may crash TMM |
517013-2 | 3-Major | | CSS minification can on occasion remove necessary whitespace |
506557-5 | 3-Major | K45240941 | IBR tags might occasionally be all zeroes. |
506315-10 | 3-Major | | WAM/AAM is honoring OWS age header when not honoring OWS maxage. |
501714-4 | 3-Major | | System does not prevent low-quality JPEGs from being optimized to a higher quality (becoming larger) when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on the OWS. |
476476-9 | 3-Major | | Occasional inability to cache optimized PDFs and images |
384072-5 | 3-Major | K10442159 | Authorization requests not being cached when allowed. |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
528955-2 | 3-Major | | TMM may core when using Request Adapt profile |
523854-4 | 3-Major | K35305250 | TCP reset with RTSP Too Big error when streaming interleaved data |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
540484-4 | 2-Critical | K04005785 | "show sys pptp-call-info" command can cause tmm crash |
533562-5 | 2-Critical | K15320373 | Memory leak in CGNAT can result in crash |
515646-9 | 2-Critical | K17339 | TMM core when multiple PPTP calls from the same client |
494743-8 | 2-Critical | K17389 | Port exhaustion errors on VIPRION 4800 when using CGNAT |
494122-6 | 2-Critical | K02533962 | Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades |
490893-9 | 2-Critical | K16762 | Deterministic NAT State information incomplete for HSL log format |
500424-5 | 3-Major | | dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error |
486762-2 | 3-Major | K05172346 | lsn-pool connection limits may be invalid when mirroring is enabled |
480119-5 | 3-Major | K16112 | Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message. |
Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
534630-3 | CVE-2015-5477 | K16909 | Upgrade BIND to address CVE-2015-5477 |
530829-2 | CVE-2015-5516 | K00032124 | UDP traffic sent to the host may leak memory under certain conditions. |
529509-4 | CVE-2015-4620 | K16912 | BIND Vulnerability CVE-2015-4620 |
527799-10 | CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 | K16674 K16915 K16914 | OpenSSL library in APM clients updated to resolve multiple vulnerabilities |
527630-2 | CVE-2015-1788 | K16938 | CVE-2015-1788 : OpenSSL Vulnerability |
523032-5 | CVE-2015-3456 | K16620 | qemu-kvm VENOM vulnerability CVE-2015-3456 |
506034-5 | CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 | K16393 | NTP vulnerabilities (CVE-2014-9297, CVE-2014-9298) |
532522-4 | CVE-2015-1793 | K16937 | CVE-2015-1793 |
531576-2 | CVE-2016-7476 | K87416818 | TMM vulnerability CVE-2016-7476 |
520466-3 | CVE-2015-3628 | K16728 | Ability to edit iCall scripts is removed from resource administrator role |
516618-4 | CVE-2013-7424 | K16472 | glibc vulnerability CVE-2013-7424 |
513382-2 | CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 | K16317 | Resolution of multiple OpenSSL vulnerabilities |
527639-5 | CVE-2015-1791 | K16914 | CVE-2015-1791 : OpenSSL Vulnerability |
527638-5 | CVE-2015-1792 | K16915 | OpenSSL vulnerability CVE-2015-1792 |
527637-5 | CVE-2015-1790 | K16898 | PKCS #7 vulnerability CVE-2015-1790 |
527633-5 | CVE-2015-1789 | K16913 | OpenSSL vulnerability CVE-2015-1789 |
500091-3 | CVE-2015-0204 | K16139 | CVE-2015-0204 : OpenSSL Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
503652-1 | 2-Critical | K17162 | Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit. |
502443-9 | 2-Critical | K16457 | After enabling a blade/HA member, pool members are marked down because monitoring starts too soon. |
520705-4 | 3-Major | | Edge client contains multiple duplicate entries in server list |
490537-4 | 3-Major | | Persistence Records display in GUI might cause system crash with large number of records |
374067-2 | 3-Major | K14098 | Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
516184 | 1-Blocking | | IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values |
542898 | 2-Critical | | Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0 |
513454-2 | 2-Critical | | An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts |
509503-3 | 2-Critical | | tmsh load sys config merge file 'filename' takes significant time for firewall rulelist configuration |
507327-2 | 2-Critical | | Programs that read stats can leak memory on errors reading files |
495335-4 | 2-Critical | K17436 | BWC related tmm core |
479460-4 | 2-Critical | | SessionDb may be trapped in wrong HA state during initialization |
420107-3 | 2-Critical | | TMM could crash when modifying HTML profile configuration |
364978-2 | 2-Critical | | Active/standby system configured with unit 2 failover objects★ |
546410-1 | 3-Major | K02151433 | Configuration may fail to load when upgrading from version 10.x.★ |
540638 | 3-Major | | GUI Device Management Overview to display device_trust_group |
535806-4 | 3-Major | | Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE |
533458-2 | 3-Major | | Insufficient data for determining cause of HSB lockup. |
533257-1 | 3-Major | | tmsh config file merge may fail when AFM security log profile is present in merged file |
530122 | 3-Major | | Improvements in building hotfix images for hypervisors. |
527021-2 | 3-Major | | BIG-IQ iApp statistics corrected for empty pool use cases |
526419-2 | 3-Major | | Deleting an iApp service may fail |
524326-3 | 3-Major | | Can delete last IP address on a GTM server but cannot load a config with a GTM server with no IPs |
524126-3 | 3-Major | K02142351 | The DB variable provision.tomcat.extramb is cleared on first boot.★ |
523125-1 | 3-Major | K17350 | Disabling/enabling blades in cluster can result in inconsistent failover state |
520640-1 | 3-Major | K31002924 | The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method. |
519877-3 | 3-Major | | External pluggable module interfaces not disabled correctly. |
519068-2 | 3-Major | | device trust setup can require restart of devmgmtd |
518039-2 | 3-Major | | BIG-IQ iApp statistics corrected for partition use cases |
517580-2 | 3-Major | K16787 | OPT-0015 on 10000-series appliance may cause bcm56xxd restarts |
516669-2 | 3-Major | K34602919 | Rarely occurring SOD core causes failover. |
513974-4 | 3-Major | K16691 | Transaction validation errors on object references |
513916-4 | 3-Major | K80955340 | String iStat rollup not consistent with multiple blades |
513649-3 | 3-Major | | Transaction validation errors on object references |
510119-3 | 3-Major | | HSB performance can be suboptimal when transmitting TSO packets. |
509782-2 | 3-Major | K16780 | TSO packets can be dropped with low MTU |
509504-4 | 3-Major | K17500 | Excessive time to save/list a firewall rule-list configuration |
507575-3 | 3-Major | | An incorrectly formatted NAPTR creation via iControl can cause an error. |
507331-6 | 3-Major | | Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled. |
506041-5 | 3-Major | K01256304 | Folders belonging to a device group can show up on devices not in the group |
502238-2 | 3-Major | K16736 | Connectivity and traffic interruption issues caused by a stuck HSB transmit ring |
501517-5 | 3-Major | K17478 | Very large configuration can cause transaction timeouts on secondary blades |
499260-2 | 3-Major | | Deleting trust-domain fails when standby IP is in ha-order |
497564-5 | 3-Major | | Improve High Speed Bridge diagnostic logging on transmit/receive failures |
483683-7 | 3-Major | K16210 | MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error |
481696-5 | 3-Major | | Failover error message 'sod out of shmem' in /var/log/ltm |
473348-5 | 3-Major | K16654 | SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later |
472365-5 | 3-Major | | The vCMP worker-lite system occasionally stops due to timeouts |
470184-1 | 3-Major | K17284 | In Configuration Utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List |
455264-2 | 3-Major | K54105052 | Error messages are not clear when adding member to device trust fails |
451602-6 | 3-Major | | DPD packet drops with keyed VLAN connections |
441100-1 | 3-Major | | iApp partition behavior corrected |
436682-6 | 3-Major | | Optical SFP modules show a higher optical power output for disabled switch ports |
410398-8 | 3-Major | | sys db tmrouted.rhifailoverdelay does not seem to work |
405752-2 | 3-Major | K22040410 | TCP Half Open monitors sourced from specific source ports can fail |
362267-2 | 3-Major | K17488 | Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors★ |
359774-5 | 3-Major | | Pools in HA groups other than Common★ |
355661-2 | 3-Major | K85476133 | sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address |
523863-1 | 4-Minor | | istats help not clear for negative increment |
475647-3 | 4-Minor | | VIPRION Host PIC firmware version 7.02 update |
465009-2 | 4-Minor | | VIPRION B2100-series LOP firmware version 2.10 update |
464043-4 | 4-Minor | | Integration of Firmware for the 2000 Series Blades |
460456-3 | 4-Minor | | FW RELEASE: Incorporate 5000, 5050, 5250 BIOS 2.06.214.0 |
460444-3 | 4-Minor | | VIPRION B4300 BIOS version 2.03.052.0 update |
460428-3 | 4-Minor | | BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update |
460422-3 | 4-Minor | | BIOS 4.01.006.0 for BIG-IP 10000, 10250, 10350 platforms. |
460406-3 | 4-Minor | | VIPRION B2100-series BIOS version 1.06.043.0 update |
460397-3 | 4-Minor | | FW RELEASE: Incorporate B2250 BIOS 1.26.012.0 |
447075-3 | 4-Minor | | CuSFP module plugged in during links-down state will cause remote link-up |
443298-3 | 4-Minor | | FW Release: Incorporate VIPRION 2250 LOP firmware v1.20 |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
522784-3 | 1-Blocking | | After restart, system remains in the INOPERATIVE state |
420341-5 | 1-Blocking | K17082 | Connection Rate Limit Mode when limit is exceeded by one client also throttles others |
419458-3 | 1-Blocking | | HTTP is more efficient in buffering data |
530963-3 | 2-Critical | | BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms |
530769 | 2-Critical | | F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment. |
528432-1 | 2-Critical | | Control plane CPU usage reported too high |
527826-1 | 2-Critical | K31622556 | IP Intelligence update failed: Missing SSL certificate★ |
527649-1 | 2-Critical | | Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if upgraded cipherstring effectively contains no ciphersuites.★ |
523079-1 | 2-Critical | | Merged may crash when file descriptors exhausted |
521548-5 | 2-Critical | | Possible crash in SPDY |
521336-1 | 2-Critical | | pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core |
499422-2 | 2-Critical | K31310380 | An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm. |
478592-5 | 2-Critical | K16798 | When using the SSL forward proxy feature, clients might be presented with expired certificates. |
474601-4 | 2-Critical | | FTP connections are being offloaded to ePVA |
468375-2 | 2-Critical | K16779 | TMM crash when MPTCP JOIN arrives in the middle of a flow |
450814-9 | 2-Critical | | Early HTTP response might cause rare 'server drained' assertion |
443157-1 | 2-Critical | | zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db |
431283-3 | 2-Critical | | iRule binary scan may core TMM when the offset is large |
402412-10 | 2-Critical | | FastL4 TCP handshake timeout is not honored, connection lives for idle timeout. |
545821 | 3-Major | | Idle timeout changes to five seconds when using PVA full or Assisted acceleration. |
530795-1 | 3-Major | | In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number. |
524666-2 | 3-Major | | DNS licensed rate limits might be unintentionally activated. |
522147-1 | 3-Major | | 'tmsh load sys config' fails after key conversion to FIPS using web GUI |
521813-3 | 3-Major | | Cluster is removed from HA group on restart |
521774-2 | 3-Major | K17420 | Traceroute and ICMP errors may be blocked by AFM policy |
521538-3 | 3-Major | K08025400 | Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known |
521522-2 | 3-Major | K21981142 | Traceroute through BIG-IP may display destination IP address at BIG-IP hop |
521408-2 | 3-Major | | Incorrect configuration in BigTCP Virtual servers can lead to TMM core |
520540-2 | 3-Major | | Specific iRule commands may generate a core file |
518086-1 | 3-Major | | Safenet HSM Traffic failure after system reboot/switchover |
518020-10 | 3-Major | K16672 | Improved handling of certain HTTP types. |
517556-2 | 3-Major | | DNSSEC unsigned referral response is improperly formatted |
515759-2 | 3-Major | K92401129 | Configuration objects with more than four VLANs in vlan list may cause memory utilization to increase over time |
515139-4 | 3-Major | K17067 | Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics |
514604-2 | 3-Major | | Nexthop object can be freed while still referenced by another structure |
512383-4 | 3-Major | K68275911 | Hardware flow stats are not consistently cleared during fastl4 flow teardown. |
512062 | 3-Major | K21528300 | A db variable to disable verification of SCTP checksum when ingress packet checksum is zero |
510638-2 | 3-Major | K37513511 | [DNS] Config change in dns cache resolver does not take effect until tmm restart |
507529 | 3-Major | | Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow |
507127-1 | 3-Major | | DNS cache resolver is inserted to a wrong list on creation. |
504899-1 | 3-Major | | Duplicated snat-translation addresses are possible (a named one and an anonymous one created by snatpool) |
504105-3 | 3-Major | | RR-DAG enabled UDP ports may be used as source ports for locally originated traffic |
501516-4 | 3-Major | | If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted. |
497584-5 | 3-Major | | The RA bit on DNS response may not be set |
496758-4 | 3-Major | K16465 | Monitor Parameters saved to config in a certain order may not construct parameters correctly |
488600-1 | 3-Major | | iRule compilation fails on upgrade★ |
479682-5 | 3-Major | K16862 | TMM generates hundreds of ICMP packets in response to a single packet |
478617-7 | 3-Major | K16451 | Don't include maximum TCP options length in calculating MSS on ICMP PMTU. |
478439-5 | 3-Major | K16651 | Unnecessary re-transmission of packets on higher ICMP PMTU. |
478257-6 | 3-Major | | Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed |
476097-3 | 3-Major | K15274113 | TCP Server MSS option is ignored in verified accept mode |
468472-6 | 3-Major | | Unexpected ordering of internal events can lead to TMM core. |
465590-4 | 3-Major | K17531 | Mirrored persistence information is not retained while flows are active |
462714-3 | 3-Major | K66236389 | Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server |
460627-5 | 3-Major | K17059 | SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists |
455762-3 | 3-Major | K17094 | DNS cache statistics incorrect |
454018-6 | 3-Major | K16540 | Nexthop to tmm0 ref-count leakage could cause TMM core |
452439-4 | 3-Major | K15574 | TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads |
451960-3 | 3-Major | | HTTPS monitors do not work with FIPS keys |
449848-5 | 3-Major | | Diameter Monitor not waiting for all fragments |
442686-1 | 3-Major | | DNSX Transfers Occur on DNSX authoritative server change |
422107-7 | 3-Major | K17415 | Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set |
422087-4 | 3-Major | K16326 | Low memory condition caused by RAM Cache may result in TMM core |
375887-5 | 3-Major | K17282 | Cluster member disable or reboot can leak a few cross blade trunk packets |
374339-5 | 3-Major | | HTTP::respond/redirect might crash TMM under low-memory conditions |
352925-4 | 3-Major | K16288 | Updating a suspended iRule and TMM process restart |
342013-5 | 3-Major | K27445955 | TCP filter doesn't send keepalives in FIN_WAIT_2 |
514729-1 | 4-Minor | | 10.2.1 system with SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' fails to upgrade to 11.5.1, 11.5.2, 11.5.3, or 11.6.0. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
515797-2 | 2-Critical | | Using qos_score command in RULE_INIT event causes TMM crash |
526699-5 | 3-Major | K40555016 | TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port. |
516685-1 | 3-Major | | ZoneRunner might fail to load valid zone files. |
516680-1 | 3-Major | | ZoneRunner might fail when loading valid zone files. |
515033-1 | 3-Major | | [ZRD] A memory leak in zrd |
515030-2 | 3-Major | K74820030 | [ZRD] A memory leak in Zrd |
514236-2 | 3-Major | | [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses |
496775-6 | 3-Major | K16194 | [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the bigip monitor |
471819-1 | 3-Major | | The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled. |
465951-1 | 3-Major | K12562945 | If net self description size = 65K, gtmd restarts continuously |
225443-6 | 3-Major | | gtmparse fails to load if you add unsupported SIP monitor parameters to the config |
479084-3 | 4-Minor | | ZoneRunner can fail to respond to commands after a VE resume. |
353556-2 | 4-Minor | | big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
524428-2 | 2-Critical | | Adding multiple signature sets concurrently via REST |
524004-2 | 2-Critical | | Adding multiple signatures concurrently via REST |
520280-2 | 2-Critical | | Perl Core After Apply Policy Action |
516523-1 | 2-Critical | | Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group |
487420-3 | 2-Critical | | BD crash upon stress on session tracking |
532030-2 | 3-Major | | ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI |
526856-2 | 3-Major | | "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency |
523261-2 | 3-Major | | ASM REST: MCP Persistence is not triggered via REST actions |
523260-2 | 3-Major | K52028045 | Apply Policy finishes with coapi_query failure displayed |
523201-1 | 3-Major | | Expired files are not cleaned up after receiving an ASM Manual Synchronization |
520796-2 | 3-Major | | High ASCII characters availability for policy encoding |
520585-1 | 3-Major | | Changing Security Policy Application Language Is Not Validated or Propagated Properly |
516522-2 | 3-Major | K04420402 | After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.★ |
514061-1 | 3-Major | K17562 | False positive scenario causes SMTP transactions to hang and eventually reset. |
512668-2 | 3-Major | | ASM REST: Unable to Configure Clickjacking Protection via REST |
510499-1 | 3-Major | K17544 | System Crashes after Sync in an ASM-only Device Group. |
506407-1 | 3-Major | K04420402 | Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages★ |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
533098 | 3-Major | K68715215 | Traffic capture filter not catching all relevant transactions |
531526-1 | 3-Major | K17560 | Missing entry in SQL table leads to misleading ASM reports |
525708-2 | 3-Major | K17555 | AVR reports of last year are missing the last month data |
519022-1 | 3-Major | K01334306 | Upgrade process fails to convert ASM predefined scheduled-reports.★ |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
525920 | 1-Blocking | VPE fails to display access policy | |
492149-2 | 1-Blocking | Inline JavaScript with HTML entities may be handled incorrectly | |
488736-6 | 1-Blocking | Fixed problem with iNotes 9 Instant Messaging | |
482266-1 | 1-Blocking | Windows 10 support for Network Access / BIG-IP Edge Client | |
482241-5 | 1-Blocking | Windows 10 cannot be properly detected | |
437670-2 | 1-Blocking | Race condition in APM windows client on modifying DNS search suffix | |
526833 | 2-Critical | Reverse Proxy produces JS error: 'is_firefox' is undefined | |
526754-3 | 2-Critical | F5unistaller.exe crashes during uninstall | |
525562-2 | 2-Critical | Debug TMM Crashes During Initialization | |
520298-1 | 2-Critical | Java applet does not work | |
520145-2 | 2-Critical | [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy | |
519864-2 | 2-Critical | Memory leak on L7 Dynamic ACL | |
518260-4 | 2-Critical | Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message | |
517988-1 | 2-Critical | TMM may crash if access profile is updated while connections are active | |
517146-2 | 2-Critical | Log ID 01490538 may be truncated | |
516075-5 | 2-Critical | Linux command line client fails with on-demand cert | |
514220-2 | 2-Critical | New iOS-based VPN client may fail to create IPv6 VPN tunnels | |
513581 | 2-Critical | Occasional TMM crash when HTTP payload is scanned through SWG | |
509490-1 | 2-Critical | [IE10]: attachEvent does not work | |
507681-9 | 2-Critical | Window.postMessage() does not send objects in IE11 | |
506223-1 | 2-Critical | A URI in request to cab-archive in iNotes is rewritten incorrectly | |
497118-6 | 2-Critical | Tmm may restart when SAML SLO is triggered | |
487399-3 | 2-Critical | VDI plugin crashes when View client disconnects prematurely | |
474058-7 | 2-Critical | K16689 | When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions |
471874-6 | 2-Critical | K16850 | VDI plugin crashes when trying to respond to client after client has disconnected |
452163-1 | 2-Critical | Cross-domain functionality is broken in AD Query★ | |
451469-3 | 2-Critical | APM User Identity daemon doesn't generate core | |
540778 | 3-Major | Multiple SIGSEGV with core and failover with no logged indicator | |
539013-2 | 3-Major | DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases | |
537000-3 | 3-Major | Installation of Edge Client can cause Windows 10 crash in some cases | |
534755-2 | 3-Major | Deleting APM virtual server produces ERR_NOT_FOUND error | |
532096-3 | 3-Major | Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used | |
531883-3 | 3-Major | Windows 10 App Store VPN Client must be detected by BIG-IP APM | |
531483-1 | 3-Major | Copy profile might end up with error | |
530697-3 | 3-Major | Windows Phone 10 platform detection | |
529392-3 | 3-Major | Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script | |
528726-2 | 3-Major | AD/LDAP cache size reduced | |
528675-3 | 3-Major | BIG-IP EDGE Client can indefinitely stay "disconnecting..." state when captive portal session expired | |
526617-2 | 3-Major | TMM crash when logging a matched ACL entry with IP protocol set to 255 | |
526578-2 | 3-Major | Network Access client proxy settings are not applied on German Windows | |
526492-3 | 3-Major | DNS resolution fails for Static and Optimized Tunnels on Windows 10 | |
526275-2 | 3-Major | VMware View RSA/RADIUS two factor authentication fails | |
526084-1 | 3-Major | Windows 10 platform detection for BIG-IP EDGE Client | |
525384-3 | 3-Major | Networks Access PAC file now can be located on SMB share | |
524909-3 | 3-Major | Windows info agent could not be passed from Windows 10 | |
523431-1 | 3-Major | Windows Cache and Session Control cannot support a period in the access profile name | |
523390-1 | 3-Major | Minor memory leak on IdP when SLO is configured on bound SP connectors. | |
523329 | 3-Major | When BIG-IP is used as SAML Identity Provider(IdP), TMM may restart under certain conditions. | |
523327-3 | 3-Major | In very rare cases Machine Certificate service may fail to find private key | |
523222-7 | 3-Major | Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending. | |
521835-1 | 3-Major | [Policy Sync] Connectivity profile with a customized logo fails | |
521773-1 | 3-Major | K10105099 | Memory leak in Portal Access |
521506-3 | 3-Major | Network Access doesn't restore loopback route on multi-homed machine | |
520642-2 | 3-Major | Rewrite plugin should check length of Flash files and tags | |
520390-2 | 3-Major | Reuse existing option is ignored for smtp servers | |
520205-2 | 3-Major | Rewrite plugin could crash on malformed ActionScript 3 block in Flash file | |
520118-3 | 3-Major | Duplicate server entries in Server List. | |
519966-1 | 3-Major | APM "Session Variables" report shows user passwords in plain text | |
519415-4 | 3-Major | apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual ) | |
519198-2 | 3-Major | [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user | |
518981-1 | 3-Major | RADIUS accounting STOP message may not include long class attributes | |
518583-3 | 3-Major | Network Access on disconnect restores redundant default route after looped network roaming for Windows clients | |
517564-2 | 3-Major | APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port | |
517441-4 | 3-Major | apd may crash when RADIUS accounting message is greater than 2K | |
516839-7 | 3-Major | Add client type detection for Microsoft Edge browser | |
516462-3 | 3-Major | Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines | |
515943-1 | 3-Major | "Session variables" report may show empty if session variable value contains non-English characters | |
514912-2 | 3-Major | Portal Access scripts had not been inserted into HTML page in some cases | |
513969-2 | 3-Major | UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running | |
513953-2 | 3-Major | K17122 | RADIUS Auth/Acct might fail if server response size is more than 2K |
513706-3 | 3-Major | K16958 | Incorrect metric restoration on Network Access on disconnect (Windows) |
513283 | 3-Major | Mac Edge Client doesnt send client data if access policy expired | |
513165-1 | 3-Major | SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute | |
513098-2 | 3-Major | K17180 | localdb_mysql_restore.sh failed with exit code |
512345-6 | 3-Major | K17380 | Dynamic user record removed from memcache but remains in MySQL |
512245 | 3-Major | Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname | |
511961-2 | 3-Major | BIG-IP Edge Client does not display logon page for FirePass | |
511854-3 | 3-Major | K85408112 | Rewriting URLs at client side does not rewrite multi-line URLs |
511648-3 | 3-Major | K16959 | On standby TMM can core when active system sends leasepool HA commands to standby device |
511441-2 | 3-Major | K17564 | Memory leak on request Cookie header longer than 1024 bytes |
510709-3 | 3-Major | WebSSO start URI match fails if there are more than 2 start URIs in the SSO configuration. | |
507116-3 | 3-Major | K17030 | Web-application issues and/or unexpected exceptions. |
505755-4 | 3-Major | K11043155 | Some scripts on a dynamically loaded HTML page might not be executed. |
500938-4 | 3-Major | Network Access can be interrupted if second NIC is disconnected | |
500450-2 | 3-Major | ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso. | |
498782-5 | 3-Major | K17104 | Config snapshots are deleted when failover happens |
495702-3 | 3-Major | K40419383 | Mac Edge Client cannot be downloaded sometimes from management UI |
495336-5 | 3-Major | K39768154 | Logon page is not displayed correctly when 'force password change' is on for local users. |
494565-3 | 3-Major | K65181614 | CSS patcher crashes when a quoted value consists of spaces only |
494189-3 | 3-Major | Poor performance in clipboard channel when copying | |
493006 | 3-Major | Export of huge policies might end up with 'too many pipes opened' error | |
492701-2 | 3-Major | Resolved LSOs are overwritten by source device in new Policy Sync with new LSO | |
492305-2 | 3-Major | Recurring file checker doesn't interrupt session if client machine has missing file | |
490830-3 | 3-Major | Protected Workspace is not supported on Windows 10 | |
488105-2 | 3-Major | TMM may generate core during certain config change. | |
483792-6 | 3-Major | When the iSession control channel is disabled, do not assign app tunnel, MSRDP, or opt tunnel resources | |
483286-2 | 3-Major | APM MySQL database full as log_session_details table keeps growing | |
482699-2 | 3-Major | VPE displaying "Uncaught TypeError" | |
482269-2 | 3-Major | APM support for Windows 10 out-of-the-box detection | |
482251-2 | 3-Major | K95824957 | Portal Access. Location.href(url) support. |
480761-2 | 3-Major | Fixed issue causing TunnelServer to crash during reconnect | |
479451-2 | 3-Major | K16737 | Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth |
478492-5 | 3-Major | K17476 | Incorrect handling of HTML entities in attribute values |
478333-4 | 3-Major | Edge Client shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions | |
474779-2 | 3-Major | EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails. | |
474698-5 | 3-Major | BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions. | |
473255-2 | 3-Major | K41869058 | JavaScript submit() method could be rewritten incorrectly inside a 'with' statement. |
472256-4 | 3-Major | K17259 | tmsh and tmctl report unusually high counter values |
472062-2 | 3-Major | K17480 | Unmangled requests when form.submit with arguments is called in the page |
471117-3 | 3-Major | K17546 | iframe with JavaScript in 'src' attribute not handled correctly in IE11 |
468441-2 | 3-Major | OWA2013 may work incorrectly via Portal Access in IE10/11 | |
468433-2 | 3-Major | K16860 | OWA2013 may work incorrectly via Portal Access in IE10/11 |
468137-12 | 3-Major | Network Access logs missing session ID | |
466745-2 | 3-Major | Cannot set the value of a session variable with a leading hyphen. | |
457902-5 | 3-Major | No EAM log stack trace in /var/log/apm on EAM crash event. | |
457760-6 | 3-Major | EAM not redirecting stdout/stderr from standard libraries to /var/log/apm | |
457603-3 | 3-Major | K25117932 | Cookies handling issue with Safari on iOS6, iOS7 |
457525-3 | 3-Major | K17359 | When DNS resolution for AppTunnel resource fails, the resource is removed |
454086-4 | 3-Major | K15832 | Portal Access issues with Firefox version 26.0.0 or later |
452527-2 | 3-Major | K17178 | Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode |
442528-5 | 3-Major | Demangle filter crash | |
440841-4 | 3-Major | sso and apm split tunnelling log message is at notice level | |
438969-2 | 3-Major | HTML5 VMware View Client does not work with APM when Virtual Server is on non-default route domain | |
437744-7 | 3-Major | K15186 | SAML SP service metadata exported from APM may fail to import. |
425882-4 | 3-Major | Windows EdgeClient's configuration file could be corrupted on system reboot/sleep | |
424936-1 | 3-Major | apm_mobile_ppc.css has duplicate 1st line | |
423282-7 | 3-Major | K17116 | BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence |
420512-1 | 3-Major | All Messages report does not display any data when the Log Levels are selected to filter data based on Log levels | |
416115-13 | 3-Major | Edge client continues to use old IP address even when server IP address changed | |
408851-3 | 3-Major | Some Java applications do not work through BIG-IP server | |
402793-13 | 3-Major | APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients | |
532394-1 | 4-Minor | Client to log value of "SearchList" registry key. | |
524756-1 | 4-Minor | APM Log is filled with errors about failing to add/delete session entry | |
517872-2 | 4-Minor | Include proxy hostname in logs in case of name resolution failure | |
513201-5 | 4-Minor | Edge client is missing localization of some English text in Japanese locale | |
510596-5 | 4-Minor | Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty | |
510459-2 | 4-Minor | In some cases Access does not redirect client requests | |
507321-2 | 4-Minor | JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields | |
504461-3 | 4-Minor | Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it. | |
497627-2 | 4-Minor | K58125050 | Tmm cores while using APM network access and no leasepool is created on the BIG-IP system. |
482145-4 | 4-Minor | Text in buttons not centered correctly for higher DPI settings | |
464547-5 | 4-Minor | Show proper error message when VMware View client sends invalid credentials to APM | |
454784-2 | 4-Minor | In VPE, %xx symbols, such as in the Variable Assign agent, might be incorrectly decoded. | |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
514785-3 | 1-Blocking | TMM crash when processing AAM-optimized video URLs | |
522231-2 | 3-Major | TMM may crash when a client resets a connection | |
521455-5 | 3-Major | K16963 | Images transcoded to WebP format delivered to Edge browser |
511534-2 | 3-Major | K44288136 | A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load, |
476460-4 | 3-Major | WAM Range HTTP header limited to 8 ranges | |
421791-4 | 3-Major | K15559 | Out of Memory Error |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
461216-2 | 2-Critical | Cannot rename some files using CIFS optimization of the BIG-IP system. | |
497389-2 | 3-Major | Extraneous dedup_admin core | |
457568-1 | 3-Major | K16966 | Loading of configuration fails intermittently due to WOC Plug-in-related issues. |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
521556-2 | 2-Critical | Assertion "valid pcb" in TCP4 with ICAP adaptation | |
516057-5 | 2-Critical | Assertion 'valid proxy' can occur after a configuration change with active IVS flows. | |
512054-4 | 3-Major | K17135 | CGNAT SIP ALG - RTP connection not created after INVITE |
511326-3 | 3-Major | K24410405 | SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation. |
499701-6 | 3-Major | SIP Filter drops UDP flow when ingressq len limit is reached. | |
480311-4 | 3-Major | K47143123 | ADAPT should be able to work with OneConnect |
448493-11 | 3-Major | SIP response from the server to the client gets dropped | |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
524748 | 2-Critical | PCCD optimization for IP address range | |
468688-1 | 2-Critical | Initial sync fails for upgraded pair (11.5.x to 11.6)★ | |
530865-1 | 3-Major | AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists) | |
523465-1 | 3-Major | Log an error message when firewall rule serialization fails due to maximum blob limit being hit. | |
515187 | 3-Major | Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules. | |
515112-2 | 3-Major | Delayed ehash initialization causes crash when memory is fragmented. | |
513565-3 | 3-Major | AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept. | |
509919-1 | 3-Major | Incorrect counter for SelfIP traffic on cluster | |
497671 | 3-Major | iApp GUI: Unable to add FW Policy/Rule to context via iApp | |
485880-3 | 3-Major | Unable to apply ASM policy with forwarding CPM policy via GUI, generic error | |
459024-1 | 3-Major | Error L4 packets encounter configured whitelist entries that do not match the protocol | |
533808-2 | 4-Minor | Unable to create new rule for virtual server if order is set to "before"/"after" | |
533336-1 | 4-Minor | Display 'description' for port list members | |
510226-1 | 4-Minor | All descriptions for ports-list's members are flushed after the port-list was updated | |
495432-1 | 5-Cosmetic | Add new log messages for AFM rule message load/activation in datapath. | |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
491771-1 | 2-Critical | Parking command called from inside catch statement | |
450779-1 | 2-Critical | PEM source or destination flow filter attempts match against both source and destination IPs of a flow | |
439249-1 | 2-Critical | PEM: Initial quota request in the rating group request is not as configured. | |
526295-4 | 3-Major | BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id | |
511064-2 | 3-Major | K17108 | Repeated install/uninstall of policy with usage monitoring stops after second time |
495913-3 | 3-Major | TMM core with CCA-I policy received with uninstall | |
478399-6 | 3-Major | PEM subscriber sessions are created without PEM being licensed if the "radiusLB-subscriber-aware" profile is configured. | |
464273-1 | 3-Major | PEM: CCR-I for the Gx session has only one subscriber ID type even if session created has more than one type | |
438608-1 | 3-Major | PEM: CCR-U triggered during Gy session may not have Request Service Unit (RSU) | |
438092-2 | 3-Major | PEM: CCR-U triggered by RAR during Gy session will not have Requested Service Unit (RSU) | |
449643-2 | 4-Minor | Error messages 'Gx uninit failed!' and 'Gy unint failed!' are received during boot of the system | |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
525595-1 | 1-Blocking | K38134424 | Memory leak of inbound sockets in restjavad. |
509273-3 | 2-Critical | hostagentd consumes memory over time | |
509120-1 | 2-Critical | BIG-IQ 4.5.0 cannot discover pre-11.5.4 BIG-IP versions due to /tmp removal★ | |
Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
511651-2 | CVE-2015-5058 | K17047 | CVE-2015-5058: Performance improvement in packet processing. |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v11.5.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
513034-2 | CVE-2015-4638 | K17155 | TMM may crash if Fast L4 virtual server has fragmented packets |
492368-10 | CVE-2014-8602 | K15931 | Unbound vulnerability CVE-2014-8602 |
489323-6 | CVE-2015-8098 | K43552605 | Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server. |
507842-4 | CVE-2015-1349 | K16356 | Patch for BIND Vulnerability CVE-2015-1349 |
500088-10 | CVE-2014-3571 | K16123 | OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update |
497719-12 | CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 | K15934 | NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296 |
477281-9 | CVE-2014-6032 | K15605 | Improved XML Parsing |
441613-8 | CVE-2015-8022 | K12401251 | APM TMUI Vulnerability CVE-2015-8022 |
447483-7 | CVE-2014-3959 | K15296 | CVE-2014-3959 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
500303-11 | 1-Blocking | K17302 | Virtual Address status may not be reliably communicated with route daemon |
499947-3 | 2-Critical | Improved performance loading thousands of Virtual Servers | |
502770-3 | 3-Major | clientside and serverside command crashes TMM | |
451433-2 | 3-Major | HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe) | |
368824-1 | 3-Major | K24050031 | There is no indication that a failed standby cannot go active. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
477218-6 | 1-Blocking | Simultaneous stats query and pool configuration change results in process exit on secondary. | |
452656-4 | 1-Blocking | NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable' | |
425729-1 | 1-Blocking | mcpd debug logging hardening | |
509276-3 | 2-Critical | VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device | |
507487-3 | 2-Critical | ZebOS Route not withdrawn when VAddr/VIP down and no default pool | |
504496-4 | 2-Critical | AAA Local User Database may sync across failover groups | |
501343-2 | 2-Critical | In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle | |
484733-5 | 2-Critical | aws-failover-tgactive.sh doesn't skip network forwarding virtuals | |
471860-2 | 2-Critical | K16209 | Disabling interface keeps DISABLED state even after enabling |
467196-4 | 2-Critical | K16015 | Log files limited to 24 hours |
466266-3 | 2-Critical | In rare cases, an upgrade (or a restart) can result in an Active/Active state★ | |
438674-4 | 2-Critical | K14873 | When log filters include tamd, tamd process may leak descriptors |
430323-3 | 2-Critical | VXLAN daemon may restart when 8000 VXLAN tunnels are configured | |
412160-4 | 2-Critical | K90882247 | vCMP provisioning may cause continual tmm crash. |
394236-4 | 2-Critical | MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 - | |
514450-2 | 3-Major | VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs. | |
513294-1 | 3-Major | LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances | |
512485-2 | 3-Major | Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding | |
503604-2 | 3-Major | Tmm core when switching from interface tunnel to policy based tunnel | |
501953-1 | 3-Major | HA failsafe triggering on standby device does not clear next active for that device. | |
501371-2 | 3-Major | K39672730 | mcpd sometimes exits while doing a file sync operation |
500234-3 | 3-Major | TMM may core during failover due to invalid memory access in IPsec components | |
495526-2 | 3-Major | IPsec tunnel interface causes TMM core at times | |
494367-4 | 3-Major | HSB lockup after HiGig MAC reset | |
491791-2 | 3-Major | GET on non-existent pool members does not show error | |
489750-2 | 3-Major | K16696 | Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config |
488374-3 | 3-Major | K17019 | Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation |
484706-7 | 3-Major | K16460 | Incremental sync of iApp changes may fail |
477789-2 | 3-Major | SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN. | |
468235-3 | 3-Major | The worldwide City database (City2) does not contain all of the appropriate Proxy strings. | |
456573-5 | 3-Major | Sensor read faults with DC power supply | |
453489-3 | 3-Major | userauth_hostbased mismatch: warnings from VIPRION for localhost or slotN | |
439343-9 | 3-Major | Client certificate SSL authentication unable to bind to LDAP server | |
420204-2 | 3-Major | FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long | |
509063-1 | 4-Minor | K17015 | Creating or loading guest on cluster with empty slot 1 can result in error |
493223-2 | 4-Minor | syscalld core dumps now keep more debugging information | |
441642-4 | 4-Minor | K16107 | /etc/monitors/monitors_logrotate.conf contains an error |
437637-2 | 4-Minor | Sensor critical alarm: Main board +0.9V_CN35XX | |
492422-3 | 5-Cosmetic | K24508323 | HTTP request logging reports incorrect response code |
456263 | 5-Cosmetic | Platform marketing name for B4300 is incorrectly shown as A108 | |
440605-4 | 5-Cosmetic | Unknown BigDB variable type 'port_list' | |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
445329-2 | 1-Blocking | K17273 | DNS cache resolver connections can be slow to terminate |
507611-1 | 2-Critical | K17151 | On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors. |
506304-3 | 2-Critical | UDP connections may stall if initialization fails | |
505222-3 | 2-Critical | DTLS drops egress packets when traffic is sufficiently heavy. | |
504225-1 | 2-Critical | Virtual creation with the multicast IPv6 address returns error message | |
503620-2 | 2-Critical | ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later | |
495030-3 | 2-Critical | Segfault originating from flow_lookup_nexthop. | |
493558-3 | 2-Critical | K16206 | TMM core due to SACK hole value mismatch |
486450-5 | 2-Critical | iApp re-deployment causes mcpd on secondaries to restart | |
480370-7 | 2-Critical | K17147 | Connections to virtual servers with port-preserve property will cause connections to leak in TMM |
475460-6 | 2-Critical | K16581 | tmm can crash if a client-ssl profile is in use without a CRL |
474974-2 | 2-Critical | Fix ssl_profile nref counter problem. | |
474388-4 | 2-Critical | K16957 | TMM restart, SIGSEGV messages, and core |
456853-2 | 2-Critical | DTLS cannot handle client certificate when client does not send CertVerify message. | |
511130-2 | 3-Major | TMM core due to invalid memory access while handling CMP acknowledgement | |
510720-2 | 3-Major | K81614705 | iRule table command resumption can clear the header buffer before the HTTP command completes |
510264-2 | 3-Major | TMM core associated with smtps profile. | |
508716-3 | 3-Major | DNS cache resolver drops chunked TCP responses | |
506702-2 | 3-Major | TSO can cause rare TMM crash. | |
506282-5 | 3-Major | K16168 | GTM DNSSEC key generation is not synchronized upon key creation |
505964-3 | 3-Major | Invalid http cookie handling can lead to TMM core | |
504633-7 | 3-Major | DTLS should not update 'expected next sequence number' when the record is bad. | |
504396-3 | 3-Major | When a virtual's ARP or ICMP is disabled, the wrong mac address is used | |
504306-7 | 3-Major | https monitors might fail to re-use SSL sessions. | |
503979-3 | 3-Major | High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server. | |
503741-14 | 3-Major | K16662 | DTLS session should not be closed when it receives a bad record. |
503118-1 | 3-Major | clientside and serverside command crashes TMM | |
502959-3 | 3-Major | Unable to get a response from virtual server after node flapping | |
502683-6 | 3-Major | Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on | |
502174-6 | 3-Major | DTLS fragments do not work for ClientHello message. | |
502149-2 | 3-Major | K06334742 | Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.' |
501690-7 | 3-Major | TMM crash in RESOLV::lookup for multi-RR TXT record | |
499950-6 | 3-Major | In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs | |
499946-2 | 3-Major | K16801 | Nitrox might report bad records on highly fragmented SSL records |
499430-6 | 3-Major | K16623 | Standby unit might bridge network ingress packets when bridge_in_standby is disabled |
499150-2 | 3-Major | K16721 | OneConnect does not reuse existing connections in VIP targeting VIP configuration |
497742-5 | 3-Major | Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address | |
495574-6 | 3-Major | K16111 | DB monitor functionality might cause memory issues |
495443-3 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors. |
495253-5 | 3-Major | K16603 | TMM may core in low memory situations during SSL egress handling |
494322-5 | 3-Major | The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used | |
493673-5 | 3-Major | K12352524 | DNS record data may have domain names compressed when using iRules |
491518-5 | 3-Major | SSL persistence can prematurely terminate TCP connection | |
491454-8 | 3-Major | SSL negotiation may fail when SPDY profile is enabled | |
490713-5 | 3-Major | FTP port might occasionally be reused faster than expected | |
485472-4 | 3-Major | iRule virtual command allows for protocol mismatch, resulting in crash | |
485176-5 | 3-Major | K07324064 | RADIUS::avp replace command cores TMM when only two arguments are passed to it |
484305-5 | 3-Major | K16733 | Clientside or serverside command with parking command crashes TMM |
483539-6 | 3-Major | With fastL4, incorrect MSS value might be used if SYN has options without MSS specified | |
481844-4 | 3-Major | tmm can crash and/or use the wrong CRL in certain conditions | |
481216-5 | 3-Major | Fallback may be attempted incorrectly in an abort after an Early Server Response | |
478734-4 | 3-Major | Incorrect 'FIPS import for failed for key' failure when operation actually succeeds | |
471625-7 | 3-Major | After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM | |
471535-6 | 3-Major | TMM cores via assert during EPSV command | |
461587-6 | 3-Major | TCP connection can become stuck if client closes early | |
456763-2 | 3-Major | L4 forwarding and TSO can cause rare TMM outages | |
456413-4 | 3-Major | Persistence record marked expired though related connection is still active | |
455840-5 | 3-Major | EM analytic does not build SSL connection with discovered BIG-IP system | |
447272-4 | 3-Major | K17288 | Chassis with MCPD audit logging enabled will sync updates to device group state |
444710-8 | 3-Major | Out-of-order TCP packets may be dropped | |
438792-10 | 3-Major | Node flapping may, in rare cases, lead to inconsistent persistence behavior | |
435335-6 | 3-Major | K16038 | SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize |
428163-2 | 3-Major | Removing a DNS cache from configuration can cause TMM crash | |
415358-6 | 3-Major | Remote login shell hardening | |
384451-8 | 3-Major | Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions | |
498597-8 | 4-Minor | K16761 | SSL profile fails to initialize and might cause SSL operation issues |
459884-5 | 4-Minor | Large POST requests are not handled well by APM. | |
451224-2 | 4-Minor | IP packets that are fragmented by TMM, the fragments will have their DF bit | |
436468-2 | 4-Minor | DNS cache resolver TCP current connection stats not always decremented properly | |
442647-4 | 5-Cosmetic | K04311130 | IP::stats iRule command reports incorrect information past 2**31 bits |
435044-4 | 5-Cosmetic | K22006218 | Erroneous 'FIPS open failed' error on platforms without FIPS hardware |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
497619-7 | 3-Major | K16183 | TMM performance may be impacted when server node is flapping and persist is used |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
479142-8 | 3-Major | K16173 | Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD) |
475549-2 | 3-Major | Input handling error in GTM GUI | |
468519-6 | 3-Major | BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file. | |
420440-7 | 3-Major | K14413 | Multi-line TXT records truncated by ZoneRunner file import |
491554-5 | 4-Minor | K54162409 | [big3d] Possible memory leakage for auto-discovery error events. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
464735-1 | 2-Critical | Errors and unavailable virtual server upon deactivation of ASM policy that is assigned to a non-default rule of L7 policy | |
509968 | 3-Major | BD crash when a specific configuration change happens | |
501612-5 | 3-Major | Spurious Configuration Synchronizations | |
485764-4 | 3-Major | K17401 | WhiteHat vulnerability assessment tool is configured but integration does not work correctly |
482915-7 | 3-Major | K17510 | Learning suggestion for the maximum headers check violation appears only for blocked requests |
475819-6 | 3-Major | K17325 | BD crash when trying to report attack signatures |
442157-2 | 3-Major | Incorrect assignment of ASM policy to virtual server | |
512687-2 | 4-Minor | Policy parameter fields minimumValue and maximumValue do not accept decimal values through REST but accept decimal values through the GUI | |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
441214-3 | 2-Critical | K17353 | monpd core dumps in case of MySQL crash |
497681-3 | 3-Major | Tuning of Application DoS URL qualification criteria | |
479334-4 | 3-Major | monpd/ltm log errors after Hotfix is applied | |
439514-6 | 4-Minor | Different time-stamps are translated to the same time (due to DST clock change) and cause database errors | |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
488986-13 | 1-Blocking | K16582 | Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client. |
507782-6 | 2-Critical | TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data | |
506235-4 | 2-Critical | TMM Crash | |
505101-4 | 2-Critical | tmm may panic due to accessing uninitialized memory | |
495901-4 | 2-Critical | Tunnel Server crash if probed on loopback listener. | |
494098-9 | 2-Critical | K16857 | PAC file download mechanism race condition |
493360-4 | 2-Critical | Fixed possible issue causing Edge Client to crash during reconnect | |
489328-8 | 2-Critical | Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash. | |
484454-7 | 2-Critical | K16669 | Users not able to log on after failover |
441790 | 2-Critical | Logd core produced while executing provisioning run script (mod_combo_7000_12721.py) on 5000- and 7000-series platforms | |
511893 | 3-Major | Client connection timeout after clicking Log In to Access Policy Manager on a Chassis | |
509956-5 | 3-Major | Improved handling of cookie values inside SWG blocked page. | |
509758-3 | 3-Major | EdgeClient shows incorrect warning message about session expiration | |
508719-7 | 3-Major | K22391125 | APM logon page missing title |
508630-3 | 3-Major | The APM client does not clean up DNS search suffixes correctly in some cases | |
507318-2 | 3-Major | JS error when sending message from DWA new message form using Chrome | |
506349-5 | 3-Major | BIG-IP Edge Client for Mac identified as browser by APM in some cases | |
504606-6 | 3-Major | Session check interval now has minimum value | |
503319-5 | 3-Major | K16901 | After network access is established browser sometimes receives truncated proxy.pac file |
502441-7 | 3-Major | Network Access connection might reset for large proxy.pac files. | |
501498-4 | 3-Major | APM CTU doesn't pick up logs for Machine Certificate Service | |
499620-8 | 3-Major | BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated. | |
499427-4 | 3-Major | Windows File Check does not work if the filename starts with an ampersand | |
498469-8 | 3-Major | Mac Edge Client fails intermittently with machine certificate inspection | |
497436-3 | 3-Major | Mac Edge Client behaves erratically while establishing network access connection | |
497325-5 | 3-Major | K16643 | New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment |
496817-7 | 3-Major | Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy | |
495319-9 | 3-Major | Connecting to FP with APM edge client is causing corporate network to be inaccessible | |
495265-6 | 3-Major | SAML IdP and SP configured in same access profile not supported | |
494637-6 | 3-Major | K80550446 | localdbmgr process in constant restart/core loop |
494284-10 | 3-Major | K16624 | Mac Edge Client with primary language of German shows unneeded text under disconnected status. |
494176-1 | 3-Major | Network access to FP does not work on Yosemite using APM Mac Edge Client. | |
494088-5 | 3-Major | APD or APMD should not assert when it could instead log an error message before exiting. | |
494008-4 | 3-Major | tmm crash while initializing the URL filter context for SWG. | |
493487-5 | 3-Major | K45558362 | Function::call() and Function::apply() wrapping does not work as expected |
493164-4 | 3-Major | K62553244 | flash.net.NetConnection::connect() has an erroneous security check |
492238-9 | 3-Major | K16848 | When logging out of Office 365 TMM may restart |
492153-7 | 3-Major | K17055 | Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated. |
491233-9 | 3-Major | K16105 | Rare deadlock in CustomDialer component |
490844-2 | 3-Major | K50522620 | Some controls on a web page might stop working. |
490681-5 | 3-Major | K17470 | Memcache entry for dynamic user leaks |
490675-5 | 3-Major | K16855 | User name with leading or trailing spaces creates problems. |
489382-8 | 3-Major | Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert | |
488892-4 | 3-Major | JavaRDP client disconnects | |
486597-7 | 3-Major | Fixed Network Access renegotiation procedure | |
486268-7 | 3-Major | APM logon page missing title | |
485355-4 | 3-Major | Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace) | |
484847-13 | 3-Major | DTLS cannot be disabled on Edge Client for troubleshooting purposes | |
484582-3 | 3-Major | APM Portal Access is inaccessible. | |
483601-4 | 3-Major | K16895 | APM sends a logout Bookmarked Access whitelist URL when session is expired. |
480817-4 | 3-Major | Added options to troubleshoot client by disabling specific features | |
480242-7 | 3-Major | APD, APMD, MCPD communication error failure now reported with error code | |
477898-2 | 3-Major | Some strings on BIG-IP APM EDGE Client User Interface were not localized | |
477795-4 | 3-Major | SSL profile passphrase may be displayed in clear text on the Dashboard | |
476038-9 | 3-Major | Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name | |
476032-6 | 3-Major | BIG-IP Edge Client may hang for some time when disconnecting from FirePass server | |
475735-2 | 3-Major | K30145457 | Failed to load config after removing peer from sync-only group |
475505-8 | 3-Major | Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system. | |
474582-2 | 3-Major | Add timestamps to logstatd logs for Policy Sync | |
473386-13 | 3-Major | K17540 | Improved Machine Certificate Checker matching criteria for FQDN case |
473129-6 | 3-Major | K15943 | httpd_apm access_log remains empty after log rotation |
470205-4 | 3-Major | /config/.../policy_sync_d Directory Is 100% Full | |
469824-9 | 3-Major | Mac Edge client on Mac mini receives settings for iOS Edge Client | |
468395-2 | 3-Major | K63044556 | IPv4 Allocation failure ... is out of addresses |
458770-4 | 3-Major | [Mac][Edge] Edge client doesn't handle ending redirects to the same box if second access policy assumes interaction | |
456608-5 | 3-Major | Direct links for frame content, with 'Frame.src = url' | |
453455-9 | 3-Major | Added support of SAML Single Logout to Edgeclient. | |
452464-6 | 3-Major | K28271912 | iClient does not handle multiple messages in one payload. |
452416-6 | 3-Major | tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values | |
452010-4 | 3-Major | K16609 | RADIUS Authentication fails when username or password contain non-ASCII characters |
442698-9 | 3-Major | APD Active Directory module memory leak in exception | |
437743-8 | 3-Major | Import of Access Profile config that contains ssl-cert is failing | |
436201-15 | 3-Major | JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11 | |
432900-12 | 3-Major | APM configurations can fail to load on newly-installed systems★ | |
431149-8 | 3-Major | K17217 | APM config snapshot disappears and users see "Access Policy configuration has changed on gateway" |
428387-9 | 3-Major | SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",') | |
403991-9 | 3-Major | Proxy.pac file larger than 32 KB is not supported | |
489364-6 | 4-Minor | Now web VPN client correctly minimizes IE window to tray | |
482134-6 | 4-Minor | APD and APMD cores during shutdown. | |
465012-5 | 4-Minor | Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access | |
464992-8 | 4-Minor | Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria | |
461597-10 | 4-Minor | Mac Edge Client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate | |
461560-6 | 4-Minor | Edge client CTU report does not contain interface MTU value | |
460427-6 | 4-Minor | Address collision reported when the primary blade goes down or its TMM crashes in a chassis IntraCluster environment. | |
451118-8 | 4-Minor | Fixed mistakes in French localization | |
449525-1 | 4-Minor | apd and apmd constantly restarting | |
432423-8 | 4-Minor | Need proactive alerts for APM license usage | |
493385-9 | 5-Cosmetic | BIG-IP Edge Client uses generic icon set even if F5 icon set is configured | |
486344-4 | 5-Cosmetic | French translation does not properly fit buttons in BIG-IP Edge client on Windows |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
486346-2 | 2-Critical | Prevent wamd shutdown cores | |
488917-1 | 4-Minor | Potentially confusing wamd shutdown error messages |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
485182-4 | 3-Major | K19303084 | wom_verify_config does not recognize iSession profile in /Common sub-partition |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
503676-5 | 2-Critical | SIP REFER, INFO, and UPDATE requests do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events | |
500365-5 | 2-Critical | TMM Core as SIP hudnode leaks | |
482436-9 | 2-Critical | K16973 | BIG-IP processing of invalid SIP request may result in high CPU utilization |
466761-5 | 2-Critical | Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss. | |
455006-6 | 2-Critical | K50532341 | Invalid data is merged with next valid SIP message causing SIP connection failures |
507143-2 | 3-Major | K17071 | Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion |
472092-6 | 3-Major | ICAP loses payload at start of request in response to long execution time of iRule | |
464116-5 | 3-Major | HTTP responses are not cached when response-adapt is applied |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
512609-2 | 2-Critical | Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses | |
478470 | 4-Minor | AFM Online Help updated: DoS Detection Threshold Percentage |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
484278-3 | 2-Critical | K16734 | BIG-IP crash when processing packet and running iRule at the same time |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
493807-4 | 2-Critical | K15989 | TMM might crash when using PPTP with profile logging enabled |
487660-1 | 3-Major | K16268 | LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
462827-8 | 1-Blocking | K16634 | Headers starting with X-F5 may cause problems if not X-F5-REST-Coordination-Id |
463380-4 | 3-Major | K16693 | URIs with space characters may not work properly in ODATA query |
Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
496849-2 | CVE-2014-9326 | K16090 | F5 website update retrievals vulnerability |
477274-12 | CVE-2014-6031 | K16196 | Buffer Overflow in MCPQ |
496845-2 | CVE-2014-9342 | K15933 | NTP vulnerability CVE-2014-9296 |
477278-11 | CVE-2014-6032 | K15605 | XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033 |
468345-2 | CVE-2015-1050 | K16081 | Blocking page with harmful JavaScript can be run by system administrator |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
382157-2 | 3-Major | K17163 | Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
498704-1 | 2-Critical | Module provisioning doesn't properly account for disk space | |
487567-3 | 2-Critical | Addition of a DoS Profile Along with a Required Profile May Fail | |
472202-2 | 2-Critical | Potential false positive report of DMA RX lockup failure | |
507461-2 | 3-Major | Net cos config may not persist on HA unit following staggered restart of both HA pairs. | |
504572-3 | 3-Major | K30038035 | PVA accelerated 3WHS packets are sent in wrong hardware COS queue |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
509310-1 | 2-Critical | Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances | |
498005-1 | 2-Critical | The HTTP:payload command could cause the TMM to crash if invoked in a non-HTTP event | |
506290-3 | 3-Major | MPI redirected traffic should be sent to HSB ring1 | |
505452-1 | 3-Major | New db variable to control packet priority for TMM generated packets | |
505056-3 | 3-Major | BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow. | |
496588-2 | 3-Major | HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
489259-2 | 2-Critical | [AFM] packets from good IPs are being dropped by DoS Sweep & Flood logic | |
496998-2 | 3-Major | Update offenders more aggressively. Increase batch size for Dwbld processing. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
510287 | 1-Blocking | Create ASM security policy by BIG-IQ | |
509663 | 1-Blocking | ASM restarts periodically with errors in asm_config_server.log: ASM Config server died unexpectedly | |
508908-2 | 2-Critical | Enforcer crash | |
507919-2 | 2-Critical | Updating ASM through iControl REST does not affect CMI sync state | |
504182-2 | 2-Critical | Enforcer cores after upgrade upon the first request★ | |
498361 | 2-Critical | Manage ASM security policies from BIG-IQ | |
493401-3 | 2-Critical | Concurrent REST calls on a single endpoint may fail | |
489705-3 | 2-Critical | K16245 | Running out of memory while parsing large XML SOAP requests |
481476-10 | 2-Critical | MySQL performance | |
468387-2 | 2-Critical | Enforcer core related to specific error condition in the session db | |
511477 | 3-Major | Manage ASM security policies from BIG-IQ | |
511029 | 3-Major | "selfLink" for ASM Policy was incorrect for iControl REST | |
510818 | 3-Major | Manage ASM security policies from BIG-IQ | |
508519-1 | 3-Major | Performance of Policy List screen | |
508338-2 | 3-Major | Under rare conditions cookies are enforced as base64 instead of clear text | |
507905-1 | 3-Major | Saving Policy History during UCS load causes db deadlock/timeout★ | |
507289-1 | 3-Major | User interface performance of Web Application Security Editor users | |
506386-1 | 3-Major | Automatic ASM sync group remains stuck in init state when configured from tmsh | |
506355-2 | 3-Major | Importing an XML file without defined entity sections | |
505624-2 | 3-Major | Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration | |
504973-2 | 3-Major | Configuring a route domain with a 32-bit subnet mask saves a 128-bit mask instead | |
497769-2 | 3-Major | Policy Export: BIG-IP does not export redirect URL for 'Login Response Page' | |
496565-2 | 3-Major | Secondary Blades Request a Sync | |
496011-2 | 3-Major | K17385 | Resets when session awareness enabled |
490284-6 | 3-Major | K17383 | ASM user interface extremely slow to respond (e.g., longer than 2 minutes to render policy list) |
469786-2 | 3-Major | K04393808 | Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule |
465181-4 | 3-Major | Unhandled connection error in iprepd causes memory leak in iprepd or merged | |
510828 | 5-Cosmetic | Manage ASM security policies from BIG-IQ |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
461715-2 | 2-Critical | AVR: Collecting geolocation IDs | |
503471-2 | 3-Major | K17395 | Memory leak can occur when there is a compressed response, and abnormal termination of the connection |
500034-2 | 3-Major | [SMTP Configuration] Encrypted password not shown in GUI | |
489682-4 | 3-Major | K40339022 | Configuration upgrade failure due to change in an ASM predefined report name★ |
468874-1 | 3-Major | K17456 | Monpd errors appear when AVR loads data to MySQL |
467945-4 | 3-Major | Error messages in AVR monpd log |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
497662-4 | 1-Blocking | BIG-IP DoS via buffer overflow in rrdstats | |
431980-2 | 2-Critical | K17310 | SWG Reports: Overview and Reports do not show correct data. |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
514651 | 2-Critical | db variable to disable rate-tracker | |
514266 | 2-Critical | Changing firewall rules with ip-protocol ICMP and ICMP type 0, code 0 causes pccd crash | |
513403-3 | 2-Critical | K16490 | TMM asserts when certain ICMP packets (e.g., multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules, and log-translations is also enabled in the AFM Logging configuration. |
510162 | 2-Critical | potential TMM crash when AFM DoS Sweep & Flood is configured | |
503541-3 | 2-Critical | Use 64 bit instead of 10 bit for Rate Tracker library hashing. | |
501480-2 | 2-Critical | AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic. | |
500925-2 | 2-Critical | Introduce a new sys db variable to control number of merges per second of Rate Tracker library. | |
498227 | 2-Critical | Incorrect AFM firewall rule counter update after pktclass-daemon restarts. | |
497342-2 | 2-Critical | TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule. | |
489845-1 | 2-Critical | Sometimes auto-blacklisting will not function after the provisioning of AFM and APM modules | |
511406 | 3-Major | K16421 | Pagination issue on firewall policy rules page |
510224-1 | 3-Major | All descriptions for address-list members are flushed after the address-list was updated | |
506452-1 | 3-Major | Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1 | |
504384-3 | 3-Major | ICMP attack thresholds | |
503085-2 | 3-Major | Make the RateTracker threshold a constant | |
502414-3 | 3-Major | Make the RateTracker tier3 initialization number less variant. | |
501986-2 | 3-Major | Add a sys db tunable to make Sweep and Flood vectors be rate-limited per-TMM process | |
500640-2 | 3-Major | K21264026 | TMM core might occur if FLOW_INIT iRule attached to Virtual server |
497732 | 3-Major | Enabling specific logging may trigger other unrelated events to be logged. | |
497667 | 3-Major | Configuring ICMPv4/ICMPv6 ip-protocol in management port ACL rules generates an error | |
497263-2 | 3-Major | Global whitelist count exhausted prematurely | |
496278 | 3-Major | K16294 | Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name |
495928-4 | 3-Major | APM RDP connection gets dropped on AFM firewall policy change | |
495698 | 3-Major | iRule can be deleted even though it exists in a rule-list | |
495390-2 | 3-Major | An error occurs on Active Rules page after attempting to reorder Rules in a Policy | |
485771-2 | 3-Major | TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort. | |
469297-2 | 3-Major | Address list summary page does not display the description for individual address list entries. | |
465229-1 | 3-Major | Fix for Policy Rule Names Displaying Distorted in Rare Conditions | |
464972-2 | 3-Major | Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses. | |
464966-1 | 3-Major | Active Rule page may display incorrectly if showing multiple rules and at least one rule list | |
464762-1 | 3-Major | Rule lists may not display schedules for rules that have them | |
464222-1 | 3-Major | Policy Rule Missing from TMSH Overlapping Status Output | |
458810-1 | 3-Major | Time field may not display correctly in log search function | |
445984-1 | 3-Major | Wrong overlapping status is shown if there are firewall rules with source or destination port range that begins with "1" | |
438773-1 | 3-Major | Network Firewall event logs page pops up date/time picker automatically during drag-and-drop | |
506470 | 4-Minor | Reduce pccd OOM probability with port expansion change | |
497311-1 | 4-Minor | Can't add an ICMPv6 type and code to a FW rule. | |
473589-1 | 4-Minor | Error at attempt to add GeoIP with parentheses. |
Cumulative fix details for BIG-IP v11.5.8 that are included in this release
750488-1 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.
Conditions:
Responses to queries with EDNS0 record to DNS Cache do not contain the RFC-required EDNS0 record.
Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
Corrected EDNS OPT record handling in DNS Cache.
Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:
example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa
These types of responses are expected when running the validation tool against DNS Cache.
750484-1 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.
Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.
Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.
Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:
example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa
These types of responses are expected when running the validation tool against DNS Cache.
750472-1 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.
Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.
Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, send a response with the BADVERS error code as stipulated by the RFC.
Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:
example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok
750457-1 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.
Conditions:
Queries to DNS Express containing an EDNS0 record it does not understand.
Impact:
DNS Express responses might not contain the RFC-required EDNS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.
This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
Workaround:
None.
Fix:
Corrected EDNS OPT record handling in DNS Express.
Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:
example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok
749774-6 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.
Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.
Impact:
Inconsistent behavior.
Workaround:
None.
Fix:
In this release, responses are now consistent when caching is enabled.
749675-6 : DNS cache resolver may return a malformed truncated response with multiple OPT records
Component: Global Traffic Manager (DNS)
Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.
Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).
Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.
Workaround:
A second query will return the cached record, which will only have one OPT record.
Fix:
DNS cache resolver now returns the correct response under these conditions.
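The four EDNS entries above (750488-1, 750484-1, 750472-1, 750457-1) and the two-OPT entry (749675-6) describe three rules from RFC 6891 that a DNS responder has to get right: a response to a query carrying an OPT record must itself carry exactly one OPT record, an OPT with an unsupported EDNS version is answered with BADVERS rather than dropped, and a message with more than one OPT is malformed. The following is an added example, not F5 code: a small stand-alone Python checker and responder built on those rules, with constructed query bytes (the name example.com. and ID 0x1234 are placeholders) that you can use to validate what a resolver hands back before the DNS Flag Day tester does.

```python
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
RCODE_FORMERR = 1
RCODE_BADVERS = 16     # 12-bit RCODE; its upper 8 bits live in the OPT TTL field
SERVER_UDP_SIZE = 4096  # assumed advertised UDP payload size for this example


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _opt_rr(udp_size, ext_rcode, version):
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags
    ttl = (ext_rcode << 24) | (version << 16)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)


def build_query(name, qtype=1, opt_version=None):
    """Constructed sample query; opt_version=None means no EDNS OPT record at all."""
    arcount = 0 if opt_version is None else 1
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    msg += _encode_name(name) + struct.pack("!HH", qtype, 1)
    if opt_version is not None:
        msg += _opt_rr(SERVER_UDP_SIZE, 0, opt_version)
    return msg


def inspect(msg):
    """Walk every section of a DNS message; report OPT records and the 12-bit RCODE."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    question_end = off
    opts = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            opts.append({"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                         "ext_rcode": ttl >> 24})
        off += 10 + rdlen
    rcode = flags & 0x0F
    if opts:
        rcode |= opts[0]["ext_rcode"] << 4      # extended RCODE from the first OPT
    return {"id": ident, "qdcount": qd, "question_end": question_end,
            "opts": opts, "opt_count": len(opts), "rcode": rcode,
            "malformed": len(opts) > 1}         # more than one OPT: RFC 6891 6.1.1


def build_response(query):
    """Answer a query the way the fixed DNS Cache/Express should: echo exactly one
    OPT when the query had one, answer an unknown EDNS version with BADVERS, and
    reject a query carrying several OPT records with FORMERR."""
    q = inspect(query)
    question = query[12:q["question_end"]]
    header_rcode, ext_rcode, opt = 0, 0, b""
    if q["opt_count"] > 1:
        header_rcode = RCODE_FORMERR
    elif q["opt_count"] == 1:
        if q["opts"][0]["version"] != 0:
            ext_rcode = RCODE_BADVERS >> 4      # BADVERS: ext-rcode 1, header rcode 0
        opt = _opt_rr(SERVER_UDP_SIZE, ext_rcode, 0)   # one OPT, version 0
    header = struct.pack("!HHHHHH", q["id"], 0x8180 | header_rcode,
                         q["qdcount"], 0, 0, 1 if opt else 0)   # QR, RD, RA set
    return header + question + opt


def append_opt(msg, version=0):
    """Constructed helper: add a second OPT to the additional section, reproducing
    the malformed two-OPT response described for the cache resolver."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return (struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar + 1)
            + msg[12:] + _opt_rr(SERVER_UDP_SIZE, 0, version))


if __name__ == "__main__":
    for ver in (None, 0, 1):
        resp = build_response(build_query("example.com.", 1, ver))
        print("query OPT version", ver, "->", inspect(resp))
    print("two OPTs ->", inspect(append_opt(build_response(build_query("example.com.", 1, 0)))))
```

Run `inspect()` over a captured response from the resolver under test: an `opt_count` of 0 for an EDNS query is the symptom of 750488-1/750457-1, an `rcode` other than 16 for an unsupported version is 750484-1/750472-1, and `malformed` being true is 749675-6.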
723130-4 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
Solution Article: K13996
Component: TMOS
Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.
Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).
Note: Existing BIG-IP VE instances are not subject to this issue.
Impact:
There might be questions about the integrity of the OVA file, and in some cases it might not be possible to deploy a new instance from an OVA file.
Workaround:
The expired OVA signing certificate has been replaced with a valid signing certificate.
Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.
721895-3 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
Component: Global Traffic Manager (DNS)
Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.
Conditions:
Running a vulnerability scanner or other SSL test tool.
Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.
Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.
In addition, you can deploy firewall rules to accept connections on port 4353 only from known BIG-IP systems.
Fix:
This version adds a db variable for big3d: big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).
After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.
716992-5 : The ASM bd process may crash
Solution Article: K75432956
716922-6 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Note: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
715923-4 : When processing TLS traffic TMM may reset connections
Solution Article: K43625118
713951-1 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
711281-1 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
710314-4 : TMM may crash while processing HTML traffic
Solution Article: K94105051
710148-6 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
708653-5 : TMM may crash while processing TCP traffic
Solution Article: K07550539
708249-6 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
The nitrox_diag utility now uses the -s0 option to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.
707226-4 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
Component: TMOS
Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.
Impact:
Meltdown/PTI mitigations may negatively impact performance.
Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.
To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:
tmsh modify sys db kernel.pti value disable
Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; however, in order to take advantage of this vulnerability, an attacker must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regard to security fixes will mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
706304-1 : ASU and other Update Check services overload F5 download server
Component: Application Security Manager
Symptoms:
ASM Signature Update (ASU) and other Update Check services may fail due to an overload on the F5 download server.
Conditions:
-- Automatic update attempt is initiated during specified schedule.
-- F5 download server is overloaded by Update attempts.
Impact:
ASU and other Update Check services fail.
Workaround:
To work around this issue, run manual updates instead.
To prevent this issue, change the time of the daily job run. To do so, follow these steps:
1. Open the cron job text file.
# vi /etc/crontab
2. Change this line as follows:
From: 02 4 * * * root run-parts /etc/cron.daily
To: 10 4 * * * root run-parts /etc/cron.daily
3. Save the changes, and quit vi.
This will change the automatic updates to run at 4:10 rather than 4:02.
Fix:
ASU and other Update Check services now stagger download attempts to prevent F5 download server overload.
705476-6 : Appliance Mode does not follow design best practices
Solution Article: K28003839
704490-2 : CVE-2017-5754 (Meltdown)
Solution Article: K91229003
704483-2 : CVE-2017-5753 (Spectre Variant 1)
Solution Article: K91229003
702490-6 : Windows Credential Reuse feature may not work
Component: Access Policy Manager
Symptoms:
The Windows Credential Reuse feature may not work, requiring the EdgeClient end user to enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).
The logterminal.txt file contains messages similar to the following:
<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted
Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.
Impact:
The EdgeClient end user must retype credentials in the EdgeClient login window instead of being logged on automatically through SSO.
Workaround:
There is no workaround at this time.
Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.
699803 : TMM may crash while processing IPv6 traffic
Solution Article: K77671456
699455-1 : SAML export does not follow best practices
Solution Article: K50254952
697303-5 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.
Impact:
BD crash, failover, and traffic disturbance.
Workaround:
Turn off the internal parameter relax_unicode_in_json.
Fix:
BD no longer crashes under these conditions.
696265-1 : BD crash
Solution Article: K60985582
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.
Impact:
Potential traffic disturbance and failover.
Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.
Fix:
Fixed a BD crash scenario.
696049-5 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
Component: Service Provider
Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.
Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.
Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.
Workaround:
None.
Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.
695901-4 : TMM may crash when processing ProxySSL data
Solution Article: K46940010
695878-1 : Signature enforcement issue on specific requests
Component: Application Security Manager
Symptoms:
Attack signatures are not enforced on the request payload under a specific policy configuration with specific traffic.
Conditions:
-- The 'Request exceeds max buffer size' violation is turned off.
-- The request is longer than the maximum buffer size (that is, larger than the internal long_request_buffer_size).
Impact:
Attack signatures are not enforced on the payload of such a request at all.
Workaround:
Enable the 'Request exceeds max buffer size' violation in blocking mode.
Fix:
Attack signature enforcement now inspects the buffered portion of the payload.
694922-1 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.
Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device
Impact:
ASM configuration is not correctly synchronized between devices
Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a trivial ASM change, and push the configuration.
6) Change the sync type back to automatic
Fix:
Devices no longer spuriously enter an untrusted state
694901 : CVE-2015-8710: Libxml2 Vulnerability
Solution Article: K45439210
693744-1 : CVE-2018-5531: vCMP vulnerability
Solution Article: K64721111
693739-4 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
Component: Access Policy Manager
Symptoms:
For some Network Access configurations, the VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using the F5 Edge Client or browser helper apps.
Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.
Impact:
The Edge Client repeatedly fails to connect and enters a reconnect loop; the VPN cannot be established.
Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.
Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.
692369-1 : TMM crash caused by SSOv2 form based due to null config
Component: Access Policy Manager
Symptoms:
Service outage because of tmm restart.
Conditions:
-- SSOv2 client initiated is configured.
-- A POST request with a small payload (under 4 KB) is sent.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
TMM no longer crashes when executing with an invalid client-initiated forms SSO configuration.
691806-5 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
Solution Article: K61815412
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.
Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.
Impact:
The BIG-IP system resets connection with RST.
Workaround:
None.
Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.
691670-1 : Rare BD crash in a specific scenario
Component: Application Security Manager
Symptoms:
BD crash, or false reporting of attack signature ID 200023003.
Conditions:
JSON, XML, or parameter traffic (should not occur with the enforce-value signature).
Impact:
In the crash case: failover and traffic disturbance. In the other case: a false-positive violation or blocking.
Workaround:
Removing attack signature 200023003 from the security policy stops the issue.
Fix:
Fixed a bug in the signatures engine that caused a false-positive report of a signature. In some rare cases, this false report could also cause a crash.
A newly released attack signature update also changes the signature so that it no longer triggers the issue.
689826-4 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
Solution Article: K95422068
Component: Access Policy Manager
Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.
Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a unicode-language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.
Impact:
Proxy settings are not applied on client side after VPN is established.
Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.
Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:
1. Set the custom variable name to the following value:
config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
Note: <network access resource name> is the name of the network access resource.
2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.
3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.
Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.
688625-4 : PHP Vulnerability CVE-2017-11628
Solution Article: K75543432
687193-2 : TMM may leak memory when processing SSL Forward Proxy traffic
Solution Article: K45325728
686305-4 : TMM may crash while processing SSL forward proxy traffic
Solution Article: K64552448
685615-1 : Incorrect source mac for TCP Reset with vlangroup for host traffic
Solution Article: K24447043
Component: Local Traffic Manager
Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.
Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.
Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.
Workaround:
Use transparent mode on the VLAN group.
Fix:
source-mac-address for host traffic is correctly set.
685207-4 : DoS client side challenge does not encode the Referer header.
Component: Application Security Manager
Symptoms:
XSS reflection occurs when the DoS client-side challenge is enabled as a mitigation, or when proactive bot defense is enabled.
Conditions:
1. From a client IP address, generate enough load (for example with the ab tool) to trigger the DoS mitigation.
2. Once the mitigation is active, send a request with curl whose Referer header carries a query string such as hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. The Referer value is reflected into the client-side challenge response without encoding.
Impact:
The XSS reflection occurs after triggering the DoS attack.
Workaround:
None.
Fix:
DoS client side challenge now encodes the Referer header.
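The reflection above and the encoding the fix applies, as an added example that is not F5's challenge code: the page layout (a JavaScript string holding the Referer that the challenge redirects back to) and the sample Referer values are assumptions constructed for the demonstration. The unsafe variant pastes the header verbatim; the safe variant encodes it for the JavaScript string context, which also neutralises a Referer that tries to close the script tag.

```python
import html
import json

# Constructed sample Referer values (not captured traffic). The first carries the
# query string shown in the Conditions above; the second targets the HTML context.
REFERER_JS_BREAKOUT = "https://www.example.test/search?hl=en&q=drpdrp'-alert(1)-'drpdrp"
REFERER_TAG_BREAKOUT = "https://www.example.test/?q=</script><script>alert(2)</script>"

# Hypothetical challenge page skeleton: the Referer is assigned to r and then
# used as the redirect target once the client has solved the challenge.
PAGE_HEAD = "<html><body><script>var r="
PAGE_TAIL = ";location.replace(r);</script></body></html>"


def challenge_page_unsafe(referer):
    """Pastes the Referer into a single-quoted JS string verbatim (the pre-fix behaviour)."""
    return PAGE_HEAD + "'" + referer + "'" + PAGE_TAIL


def js_string_literal(value):
    """Encode value as a JS string literal that is safe inside a <script> block.
    json.dumps escapes the double-quote delimiter, backslashes, control characters
    and (with the default ensure_ascii) all non-ASCII; the extra replacements keep
    '</script>' from closing the tag and '&' from being HTML-decoded should the
    literal ever land in an attribute context."""
    literal = json.dumps(value)
    for raw, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(raw, escaped)
    return literal


def challenge_page_safe(referer):
    """Same page, Referer encoded for the JS string context (the fixed behaviour)."""
    return PAGE_HEAD + js_string_literal(referer) + PAGE_TAIL


def html_text_value(value):
    """Encoding for the other common reflection point, an HTML text node or attribute."""
    return html.escape(value, quote=True)


def extract_js_literal(page):
    """Pull the literal assigned to r out of either page variant."""
    return page[len(PAGE_HEAD):page.index(PAGE_TAIL)]


def breaks_out_of_js_string(literal):
    """True if the literal's own delimiter appears unescaped inside it: the attacker
    text ended the string early and whatever follows runs as code."""
    quote = literal[0]
    inner = literal[1:-1]
    i = 0
    while i < len(inner):
        if inner[i] == "\\":
            i += 2
            continue
        if inner[i] == quote:
            return True
        i += 1
    return False


def safe_literal_round_trips(referer):
    """The encoded literal must decode back to the original Referer: encoding changes
    the representation, not the value the browser redirects to."""
    return json.loads(extract_js_literal(challenge_page_safe(referer))) == referer


if __name__ == "__main__":
    for ref in (REFERER_JS_BREAKOUT, REFERER_TAG_BREAKOUT):
        unsafe, safe = challenge_page_unsafe(ref), challenge_page_safe(ref)
        print("unsafe: breaks out =", breaks_out_of_js_string(extract_js_literal(unsafe)),
              "| </script> count =", unsafe.count("</script>"))
        print("safe:   breaks out =", breaks_out_of_js_string(extract_js_literal(safe)),
              "| </script> count =", safe.count("</script>"),
              "| round-trips =", safe_literal_round_trips(ref))
```

The check to run against a real deployment is the one in step 2 of the Conditions: send the request with a crafted Referer and confirm the challenge response contains only the encoded form.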
684937-4 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
Solution Article: K26451305
Component: Access Policy Manager
Symptoms:
APM HTTP request handling performance drops gradually over time when Kerberos SSO is in use.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.
Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
LRU cache performance no longer drops linearly with the number of cached Kerberos tickets, and the latency of HTTP request processing has been significantly improved.
684879-4 : Malformed TLS1.2 records may result in TMM segmentation fault.
Solution Article: K02714910
683241-5 : Improve CSRF token handling
Solution Article: K70517410
Component: Application Security Manager
Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.
Conditions:
CSRF is configured.
Impact:
CSRF token handling does not follow current best practices.
Workaround:
None.
Fix:
CSRF token handling now follows current best practices.
683113-4 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
Solution Article: K22904904
Component: Access Policy Manager
Symptoms:
APM HTTP request handling performance drops gradually over time when Kerberos SSO is in use.
Websso CPU usage is very high.
The BIG-IP system response rate can drop to the point that clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.
Conditions:
-- Running APM.
-- A large number of APM end users (approximately 20,000) have logged on and are using Kerberos SSO.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.
682682-4 : tmm asserts on a virtual server-to-virtual server connection
Component: Local Traffic Manager
Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.
Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- A compression (deflate) profile is in use.
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.
Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.
Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.
681710-6 : Malformed HTTP/2 requests may cause TMM to crash
Solution Article: K10930474
680755-3 : max-request enforcement no longer works outside of OneConnect
Solution Article: K27015502
Component: Local Traffic Manager
Symptoms:
max-request enforcement does not work when OneConnect is not configured.
Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.
Impact:
max-request enforcement does not work.
Workaround:
Always use OneConnect.
Fix:
max-request enforcement now works when OneConnect is not configured.
679603-4 : bd core upon request, when profile has sensitive element configured.
Solution Article: K15460886
Component: Application Security Manager
Symptoms:
bd crash, system goes offline.
Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- JSON profile configured with a sensitive element.
Impact:
System goes offline/fails over.
Workaround:
Remove sensitive elements from the json profile in the ASM policy.
Fix:
ASM now handles this condition so the crash no longer occurs.
679235-3 : Inspection Host NPAPI Plugin for Safari can not be installed
Component: Access Policy Manager
Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.
Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.
Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.
Workaround:
There is no workaround at this time.
Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.
678976-4 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
Solution Article: K24756214
Component: Access Policy Manager
Symptoms:
VDI debug logs print user credentials to /var/log/apm.
Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.
Impact:
User credentials are written to /var/log/apm.
Workaround:
Set VDI debug level to Notice.
Fix:
The system no longer prints user credentials to VDI debug logs.
677525-4 : Translucent VLAN group may use unexpected source MAC address
Component: Local Traffic Manager
Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally administered (U/L) bit flipped in the source MAC address.
Conditions:
VLAN group in translucent mode.
Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.
Workaround:
No workaround at this time.
Fix:
Translucent VLAN groups no longer send neighbor discovery packets whose source MAC address has the locally administered bit flipped.
677088-6 : BIG-IP tmsh vulnerability CVE-2018-15321
Solution Article: K01067037
676457-1 : TMM may consume excessive resource when processing compressed data
Solution Article: K52167636
676355-4 : DTLS retransmission does not comply with RFC in certain resumed SSL session
Component: Local Traffic Manager
Symptoms:
On the Cavium SSL offloading platform, the DTLS FINISHED message is not retransmitted if it is lost. Specifically, the CCS plus FINISHED messages are not retransmitted.
Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.
Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.
Workaround:
None.
Fix:
The FINISHED message is now saved before the Cavium-encrypted FINISHED message is transmitted and the DTLS retransmit timer is started. When the retransmit timer expires, the CCS plus FINISHED messages are retransmitted.
674486-2 : Expat Vulnerability: CVE-2017-9233
Component: TMOS
Symptoms:
An infinite-loop vulnerability caused by malformed XML in an external entity was found in the entityValueInitProcessor function of Expat 2.2.0 and earlier.
Conditions:
Version of expat in use on BIG-IP is v2.2.0 or earlier.
Impact:
BIG-IP is vulnerable to CVE-2017-9233 via the administrative interface.
Fix:
Expat updated to a version later than v2.2.0 that contains the fix.
674320-4 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems
Solution Article: K11357182
Component: TMOS
Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:
notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59
Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)
Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).
Impact:
Configuration on peer systems in a device group does not get saved after a sync.
Workaround:
Manually save the configuration on peer systems after a sync.
Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.
674189-5 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
Solution Article: K52320548
673165-3 : CVE-2017-7895: Linux Kernel Vulnerability
Solution Article: K15004519
672988-4 : MCP memory leak when performing incremental ConfigSync
Solution Article: K03433341
Component: TMOS
Symptoms:
MCP leaks memory when performing incremental ConfigSync operations to peers in its device group. The leak can be observed with the tmctl utility by watching the umem_alloc_80 cache grow over time.
This leak occurs on the device that is sending the configuration.
Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.
Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.
Workaround:
None.
Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.
672480-1 : WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO
Component: Access Policy Manager
Symptoms:
HTTP requests being processed by Kerberos SSO never leave APM, and the connections simply time out.
Conditions:
The MIT krb5 library can compute a negative wait time for responses from the KDC, and the poll() syscall treats a negative timeout as infinite. If, at the same time, all Kerberos requests to the KDC are dropped (for example, by a misconfigured firewall), Kerberos SSO never receives a response and never gives up waiting for it (this is an issue in the library).
Impact:
A deadlock occurs within Kerberos SSO. Eventually it becomes a global deadlock, which makes this WebSSO process completely unresponsive for Kerberos SSO functionality. APM end users cannot access the back end.
Workaround:
For this issue to have a real impact, there must be an unanswered Kerberos request. To eliminate this possibility, make sure there is no firewall blockage, incorrect routing, or similar, so that WebSSO always receives a response, even a negative one.
Note: WebSSO will never use an infinite timeout when waiting for Kerberos responses, so even if a firewall blocks the Kerberos request, Kerberos SSO does not function but the WebSSO process does not become globally unresponsive.
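The failure mode described under Conditions, as an added example that is not the krb5 library's or F5's code: a wait computed from a deadline goes negative once the deadline has passed, and poll() reads a negative timeout as "block forever". The function names, the 30-second cap and the socketpair standing in for a KDC whose reply a firewall has dropped are all assumptions made for the demonstration; the guard raises instead of hanging so the script terminates.

```python
import select
import socket
import time


def naive_wait_ms(deadline, now):
    """Remaining time computed without a floor, reproducing the failure mode: once the
    deadline has passed this goes negative, and poll() treats a negative timeout as
    'wait forever'."""
    return int((deadline - now) * 1000)


def bounded_wait_ms(deadline, now, cap_ms=30000):
    """Remaining time clamped to [0, cap_ms]. The cap is a hypothetical upper bound
    per exchange, so a lost KDC reply can never stall the caller indefinitely."""
    remaining = int((deadline - now) * 1000)
    return max(0, min(remaining, cap_ms))


def wait_for_kdc_reply(sock, deadline, wait_fn):
    """Poll sock for a reply until deadline, sizing the timeout with wait_fn.
    Returns (reply_arrived, timeout_ms_used). Refuses to hand poll() a negative
    timeout, which is exactly the hang the text describes."""
    timeout_ms = wait_fn(deadline, time.monotonic())
    if timeout_ms < 0:
        raise RuntimeError("negative timeout would make poll() block forever")
    poller = select.poll()
    poller.register(sock, select.POLLIN)
    events = poller.poll(timeout_ms)
    return bool(events), timeout_ms


def simulate_dropped_kdc_reply(wait_fn):
    """Stand-in for an exchange whose reply a firewall dropped: the 'KDC' end of a
    socketpair never writes, and the deadline has already passed."""
    client, kdc = socket.socketpair()
    try:
        deadline = time.monotonic() - 1.0
        return wait_for_kdc_reply(client, deadline, wait_fn)
    finally:
        client.close()
        kdc.close()


def simulate_prompt_kdc_reply(wait_fn, budget_s=2.0):
    """Healthy case for contrast: the reply is already queued when we start waiting."""
    client, kdc = socket.socketpair()
    try:
        kdc.sendall(b"KRB-AS-REP")  # constructed placeholder, not a real Kerberos message
        return wait_for_kdc_reply(client, time.monotonic() + budget_s, wait_fn)
    finally:
        client.close()
        kdc.close()


if __name__ == "__main__":
    print("healthy, bounded:", simulate_prompt_kdc_reply(bounded_wait_ms))
    print("dropped, bounded:", simulate_dropped_kdc_reply(bounded_wait_ms))
    try:
        simulate_dropped_kdc_reply(naive_wait_ms)
    except RuntimeError as exc:
        print("dropped, naive:  ", exc)
```

The clamp is the whole point: with it a dropped reply costs at most cap_ms per exchange and the worker returns to service; without it the worker is lost, and once every worker has hit the same path the process is globally unresponsive, as the Impact section describes.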
672124-5 : Excessive resource usage when BD is processing requests
Solution Article: K12403422
671497-3 : TSIG authentication bypass in AXFR requests
Solution Article: K59448931
670822-5 : TMM may crash when processing SOCKS data
Solution Article: K55225440
670804 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
Solution Article: K03163260
Component: Local Traffic Manager
Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.
Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified accept when used with OneConnect on a virtual server.
Fix:
Verified accept, OneConnect, and hardware syncookies now work together correctly.
667278-6 : DSC connections between BIG-IP units may fail to establish
Component: TMOS
Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:
-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).
While the unit at the other end of the connection will log messages similar to the following example:
-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed
Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).
Impact:
Config-Sync and device discovery operations will fail between affected units.
Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).
Fix:
Config-Sync and device discovery operations no longer fail.
666454-4 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
Solution Article: K05520115
Component: Access Policy Manager
Symptoms:
Edge Client running on a 2016 MacBook Pro with a Touch Bar cannot connect to VPN in a full tunneling configuration with the 'Prohibit routing table modification' option selected.
Edge Client's svpn.log shows an error entry similar to the following:
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.
Conditions:
This occurs when all of the following conditions are met:
1) Edge Client is running on a MacBook Pro that has the iBridge interface (for example, one with a Touch Bar).
2) VPN is configured in a full tunneling configuration.
3) Mac OS X version is v10.12.5.
Note: You can find the interface on the MacBook Pro in Network Utility under the Info tab.
Impact:
VPN connection will fail.
Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.
664769-3 : TMM may restart when using SOCKS profile and an iRule
Component: Local Traffic Manager
Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.
Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.
Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.
Fix:
TMM no longer crashes when a SOCKS profile is in use and a server-side iRule parks (suspends) on a blocking command.
663924-4 : Qkview archives includes Kerberos keytab files
Component: TMOS
Symptoms:
Qkview captures Kerberos keytab files used for APM dataplane services.
Conditions:
APM provisioned with Kerberos authentication.
Impact:
Kerberos keytab secrets are exposed to anyone who obtains the qkview archive.
Workaround:
There is no workaround.
Fix:
Qkview no longer collects 'kerberos_keytab_file_d' directory containing keytab files when creating qkview archive.
663310-1 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
Component: Global Traffic Manager (DNS)
Symptoms:
named reports "file format mismatch", zone files are renamed to random db-XXXX files, and the zone cannot be loaded.
Conditions:
-- Upgrade from a BIG-IP version with a pre-9.9.x BIND to a BIG-IP version with BIND 9.9.x or later.
-- Slave zone files are in text format.
-- No masterfile-format text option is set.
Impact:
Zones cannot be loaded.
Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;
Fix:
BIND 9.9.x changes the default storage format of slave zone files from "text" to "raw".
On upgrade, the configuration is now parsed for slave zones that do not specify masterfile-format, and those zones are set to "text".
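The pre-upgrade check the Fix above describes, as an added example that is not F5's upgrade code: it scans a named.conf for slave zones that set no masterfile-format and inserts masterfile-format text; into each, or reports nothing to do when the Workaround above (the global options setting) is already in place. The named.conf excerpt is constructed, and the parser assumes plain BIND syntax of brace-delimited statements terminated by semicolons; it does not follow include statements.

```python
import re

# Constructed named.conf excerpt (not taken from a BIG-IP): two slave zones, one of
# which already pins the format, plus a master zone that needs no change.
SAMPLE_NAMED_CONF = '''\
options {
    directory "/var/named";
};

zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 192.0.2.1; };
};

zone "example.net" {
    type slave;
    file "db.example.net";
    masterfile-format text;
    masters { 192.0.2.1; };
};

zone "example.org" {
    type master;
    file "db.example.org";
};
'''

_ZONE_HEAD = re.compile(r'\bzone\s+"([^"]+)"[^{;]*\{')
_OPTIONS_HEAD = re.compile(r"\boptions\s*\{")
_TYPE_SLAVE = re.compile(r"\btype\s+slave\s*;")
_MF_FORMAT = re.compile(r"\bmasterfile-format\s+\w+\s*;")
_MF_TEXT = re.compile(r"\bmasterfile-format\s+text\s*;")


def _blank_comments(text):
    """Replace comments with spaces of equal length so offsets still index the original."""
    def blank(m):
        return " " * len(m.group())
    text = re.sub(r"/\*.*?\*/", blank, text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", blank, text)


def _block_end(text, open_idx):
    """Index just past the brace that closes the block opened at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces in named.conf")


def zone_blocks(conf):
    """Yield (name, body, body_start, body_end) for every zone statement."""
    scan = _blank_comments(conf)
    for m in _ZONE_HEAD.finditer(scan):
        open_idx = m.end() - 1
        end = _block_end(scan, open_idx)
        yield m.group(1), scan[open_idx + 1:end - 1], open_idx + 1, end - 1


def options_set_text_format(conf):
    """True when the Workaround above is already applied in the global options block."""
    scan = _blank_comments(conf)
    m = _OPTIONS_HEAD.search(scan)
    if not m:
        return False
    body = scan[m.end():_block_end(scan, m.end() - 1) - 1]
    return bool(_MF_TEXT.search(body))


def zones_needing_text_format(conf):
    """Slave zones that would be rewritten as raw after upgrade: type slave and no
    explicit masterfile-format, unless the global option already covers them."""
    if options_set_text_format(conf):
        return []
    return [name for name, body, _, _ in zone_blocks(conf)
            if _TYPE_SLAVE.search(body) and not _MF_FORMAT.search(body)]


def add_text_format(conf):
    """Return conf with 'masterfile-format text;' inserted after 'type slave;' in
    each zone listed by zones_needing_text_format. Edits are applied back to front
    so earlier offsets stay valid; the result is idempotent."""
    targets = set(zones_needing_text_format(conf))
    positions = []
    for name, body, start, _ in zone_blocks(conf):
        if name in targets:
            positions.append(start + _TYPE_SLAVE.search(body).end())
    out = conf
    for pos in sorted(positions, reverse=True):
        line_start = out.rfind("\n", 0, pos) + 1
        indent = re.match(r"[ \t]*", out[line_start:pos]).group()
        out = out[:pos] + "\n" + indent + "masterfile-format text;" + out[pos:]
    return out


if __name__ == "__main__":
    print("needs masterfile-format:", zones_needing_text_format(SAMPLE_NAMED_CONF))
    print(add_text_format(SAMPLE_NAMED_CONF))
```

Run the check against a copy of the configuration before the upgrade and inspect the diff; after the upgrade, a zone that was rewritten already shows the symptom above, so the check is only useful beforehand.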
662881-4 : L7 mirrored packets from standby to active might cause tmm core when it goes active.
Solution Article: K10443875
Component: Local Traffic Manager
Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.
Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
A spurious ACK no longer causes an outage; the packet is dropped instead.
662850-4 : Expat XML library vulnerability CVE-2015-2716
Solution Article: K50459349
662663-5 : Decryption failure Nitrox platforms in vCMP mode
Solution Article: K52521791
660239-4 : When accessing the dashboard, invalid HTTP headers may be present
Component: TMOS
Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.
Conditions:
Access the dashboard via Statistics :: Dashboard.
Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.
Errors similar to the following may appear in the httpd error log:
Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf
Workaround:
There is no workaround at this time.
Fix:
Eliminated invalid header data.
659899-4 : Rare, intermittent system instability observed in dynamic load-balancing modes
Solution Article: K10589537
Component: Local Traffic Manager
Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.
Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.
Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.
658214-4 : TCP connection fail intermittently for mirrored fastl4 virtual server
Solution Article: K20228504
Component: Local Traffic Manager
Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.
Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.
Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.
Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.
Workaround:
Set the tm.fastl4_ack_mirror db variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.
Fix:
In this release, mirrored FastL4 virtual servers forward the SYN on the server side after receiving the context-ack from the peer, as expected.
657961 : The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown
Solution Article: K44031930
Component: Global Traffic Manager (DNS)
Symptoms:
The edit button in the Pools section of a Wide IP create page does not place the pool name entry back into the select dropdown.
Conditions:
There must be a pool in the selected list, and that pool must be highlighted when the edit button is clicked.
Impact:
The edit button does not work as intended.
Workaround:
Use the delete button and find the pool in the select dropdown to edit its ratio.
Fix:
Fixed issue that caused the edit button on the Wide IP create page to not place the pool name back into the select dropdown.
656902 : Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile
Component: Local Traffic Manager
Symptoms:
During the upgrade to 11.5.4 HF3, DHE-DSS is removed from the cipher suite, and as a side effect every cipher keyword beginning with the characters '@', '+', '-', or '!' is also removed from the configuration.
Conditions:
clientssl/serverssl profile ciphers configuration contains keywords beginning with the characters '@', '+', '-', or '!'.
Impact:
Cipher suites are configured using keywords such as AES, AES-GCM, !DES, -ADH, @STRENGTH, etc. The issue causes keywords beginning with the characters '@', '+', '-', or '!' to be removed from the configuration.
For example, if the cipher suite configuration before installing 11.5.4 HF3 was: 'NATIVE:!SSLV2:!SSLV3:!MD5:!EXPORT:!LOW:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:!RC4:!ADH:!ECDHE_ECDSA:!ECDH_ECDSA:!ECDH_RSA:!DHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:+DES-CBC3-SHA'
After installing 11.5.4 HF3 it would be reduced to: 'NATIVE:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES'
Workaround:
Manually restore the clientssl/serverssl profile cipher configuration.
Fix:
Fixed an issue that causes the cipher suites configured beginning with the characters '@', '+', '-', or '!' to be removed from the configuration on upgrade.
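Because every keyword lost in the example above is an exclusion, the shortened string is not merely different but weaker: as far as the cipher string is concerned, whatever !RC4, !MD5, !ADH and the rest were excluding is negotiable again for any suite that NATIVE still admits, and protocol exclusions such as !SSLV3 only stop mattering where the profile's options list disables the protocol as well. The following script is an added example, not F5 code. It reproduces the stripping rule from the Symptoms, diffs an intended cipher string against what a profile holds after the upgrade, lists the lost exclusions, and builds the tmsh command that restores the intended string. The profile name in the usage line is an assumption.

```python
"""Audit a BIG-IP SSL profile cipher string for keywords the 11.5.4 HF3
upgrade dropped.

Added example, not F5 code.  It reproduces the defect from the release note
(every colon-separated keyword beginning with @ + - or ! is lost) so that an
operator can compare the intended string with what a profile now holds,
list the dropped exclusions, and emit the tmsh command that puts the
intended string back.
"""
STRIPPED_PREFIXES = ("@", "+", "-", "!")


def keywords(cipher_string):
    """Split a cipher string into its colon-separated keywords."""
    return [k for k in cipher_string.split(":") if k]


def simulate_hf3_upgrade(cipher_string):
    """Return what the HF3 upgrade wrote back for CIPHER_STRING."""
    kept = [k for k in keywords(cipher_string) if not k.startswith(STRIPPED_PREFIXES)]
    return ":".join(kept)


def dropped_keywords(intended, observed):
    """Keywords of INTENDED that are missing from OBSERVED, in original order."""
    present = set(keywords(observed))
    return [k for k in keywords(intended) if k not in present]


def lost_exclusions(intended, observed):
    """The dropped '!' keywords.  These are the security-relevant losses:
    whatever an exclusion was removing can be negotiated again once the
    exclusion is gone, provided another keyword (NATIVE) still admits it."""
    return [k for k in dropped_keywords(intended, observed) if k.startswith("!")]


def restore_command(profile, intended, kind="client-ssl"):
    """tmsh command that reapplies INTENDED to PROFILE.  Run it from bash;
    the single quotes keep '!' away from the shell's history expansion."""
    return f"tmsh modify ltm profile {kind} {profile} ciphers '{intended}'"


# The before/after strings quoted in the release note.
INTENDED = ("NATIVE:!SSLV2:!SSLV3:!MD5:!EXPORT:!LOW:ECDHE+AES-GCM:ECDHE+AES:"
            "DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:!RC4:!ADH:"
            "!ECDHE_ECDSA:!ECDH_ECDSA:!ECDH_RSA:!DHE-RSA-DES-CBC3-SHA:"
            "!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:+DES-CBC3-SHA")
AFTER_UPGRADE = ("NATIVE:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:"
                 "AES-GCM+RSA:RSA+AES:RSA+3DES")

if __name__ == "__main__":
    # Profile name below is an assumption for the demonstration.
    print("dropped:", dropped_keywords(INTENDED, AFTER_UPGRADE))
    print("lost exclusions:", lost_exclusions(INTENDED, AFTER_UPGRADE))
    print(restore_command("/Common/app_clientssl", INTENDED))
```

After reapplying the string, confirm what the profile actually holds with tmsh list ltm profile client-ssl NAME ciphers (or server-ssl for the server-side profile) and compare it keyword by keyword with the intended string rather than by eye.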
655756 : TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.
Component: Local Traffic Manager
Symptoms:
TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.
Conditions:
-- TMOS v11.5.4 HF3.
-- SSL profile active.
-- BIG-IP 2000/4000 platform.
Impact:
TMM may crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The cause of the crash was identified and removed.
655649-5 : BGP last update timer incorrectly resets to 0
Solution Article: K88627152
Component: TMOS
Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.
Output from 'sh ip route':
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
[20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
[20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
[20/0] via 10.10.1.6, eno33554952, 00:00:00
Conditions:
Once ZebOS has learned a route from a BGP peer, the route appears under 'sh ip route', and its BGP last update timer incorrectly resets each time the scan timer resets.
Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.
Workaround:
None.
Fix:
BIG-IP no longer resets the last update time of routes learned via BGP, and BGP routes redistributed into other protocols no longer flap.
655059-1 : TMM Crash
Solution Article: K37404773
655021-4 : BIND vulnerability CVE-2017-3138
Solution Article: K23598445
654599-3 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
Solution Article: K74132601
Component: Global Traffic Manager (DNS)
Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.
Conditions:
The configuration contains a large number (in the thousands) of GSLB virtual servers or wide IPs, so the action is not completed.
Impact:
The "Finished" button on that page does not save the changes made on that page.
Workaround:
Use TMSH.
Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.
653993-1 : A specific sequence of packets to the HA listener may cause tmm to produce a core file
Solution Article: K12044607
653880-2 : Kernel Vulnerability: CVE-2017-6214
Solution Article: K81211720
652516-2 : Multiple Linux Kernel Vulnerabilities
Solution Article: K31603170
651772-6 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, whether by a host daemon, by monitors, or from the command line, may use a MAC and IPv6 source address from a different VLAN.
Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that will cause the traffic to the destination to shift from one vlan and gateway to another. This can be typically observed with dynamic routing updates.
Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.
Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.
Fix:
IPv6 host traffic no longer uses an incorrect IPv6 and MAC address after route updates.
Behavior Change:
Introduces the sys db variable ipv6.host.router_probe_interval, which controls the sysctl net.ipv6.conf.default.router_probe_interval value. The default is 5 seconds.
649933-5 : Fragmented RADIUS messages may be dropped
Component: Service Provider
Symptoms:
Large RADIUS messages may be dropped when processed by iRules.
Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.
Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:
Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""
Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.
649907-4 : BIND vulnerability CVE-2017-3137
Solution Article: K30164784
649904-4 : BIND vulnerability CVE-2017-3136
Solution Article: K23598445
648865-3 : Linux kernel vulnerability: CVE-2017-6074
Solution Article: K82508682
648217-2 : CVE-2017-6074: Linux Kernel Vulnerability
Solution Article: K82508682
646643-4 : HA standby virtual server with non-default lasthop settings may crash.
Solution Article: K43005132
Component: Local Traffic Manager
Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.
Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).
-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).
Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.
646604-4 : Client connection may hang when NTLM and OneConnect profiles used together
Solution Article: K21005334
Component: Local Traffic Manager
Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang when the persisted connection to the DC is reused. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.
Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.
Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.
Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.
Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.
645615-4 : zxfrd may fail and restart after multiple failovers between blades in a chassis.
Solution Article: K70543226
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.
Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.
Impact:
zxfrd will create a core file and restart, picking up where it left off.
Workaround:
None.
Fix:
The cause of the failure is now addressed.
645589 : Password-less ssh access lost for non-admin users after tmsh load sys ucs
Component: TMOS
Symptoms:
During the UCS load, $HOME/.ssh/authorized_keys is moved to /etc/ssh/<user> and a symbolic link pointing to that file is left in $HOME/.ssh, so that the ownership changes made by the UCS load do not break password-less SSH access to the BIG-IP. The problem is that the /etc/ssh/<user> directory has no read permission for others, so non-admin users cannot read the file; password-less access is therefore denied and a password is requested.
Conditions:
Always happens, because /etc/ssh/<user> is created with permissions 0700 (read, write and execute for the owner only) and is owned by root.
Impact:
Non-admin users lose password-less access to their BIG-IP after tmsh load sys ucs.
Workaround:
An admin user can manually change the permissions of /etc/ssh and /etc/ssh/<user> to 0755.
A non-admin user cannot do this and therefore has no workaround.
Fix:
Setting the umask to 0022 before the mkpath call (which requests 0755) makes /usr/local/bin/install_ucs.pm create the directory with the expected permissions.
The umask override is then reverted to the previous value so that it does not affect the script elsewhere.
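The mechanism behind this fix (a mkpath that requests 0755 and still produces 0700) is easy to misread, so here is an added example, not F5's install_ucs.pm, that reproduces it on any POSIX host: the same mkdir call issued under an inherited umask of 0077 (an assumption; it is the value that turns 0755 into the 0700 the note reports) and under the 0022 umask the fix sets, restoring the previous umask afterwards exactly as the fix does. The directory names and the temporary location are assumptions for the demonstration.

```python
"""Why a mkdir(mode=0755) can still produce 0700: the umask is applied first.

Added example, not F5's install_ucs.pm.  It reproduces the release note's two
cases on any POSIX host: the same mkdir call issued under an inherited umask
of 0077 (assumed here; it is the value that turns 0755 into the reported
0700) and under the 0022 umask the fix sets, restoring the previous umask
afterwards as the fix does.  Directory names and the temporary location are
assumptions for the demonstration.
"""
import os
import stat
import tempfile


def mkdir_under_umask(parent: str, name: str, mode: int, umask: int) -> int:
    """Create PARENT/NAME requesting MODE while UMASK is in effect, restore
    the caller's umask, and return the permission bits the directory really
    received (mode & ~umask)."""
    previous = os.umask(umask)
    try:
        path = os.path.join(parent, name)
        os.mkdir(path, mode)
    finally:
        os.umask(previous)      # the fix also puts the old umask back
    return stat.S_IMODE(os.stat(path).st_mode)


def traversable_by_others(dir_mode: int) -> bool:
    """A non-owner needs the 'other' execute bit to reach a file inside the
    directory.  Without it, sshd, which opens authorized_keys with the
    logging-in user's privileges, cannot read the key file and falls back to
    asking for a password, which is the symptom in the release note."""
    return bool(dir_mode & stat.S_IXOTH)


def demo() -> tuple:
    """Return (mode obtained under umask 0077, mode obtained under umask 0022)."""
    with tempfile.TemporaryDirectory() as tmp:
        broken = mkdir_under_umask(tmp, "ssh_user_inherited_umask", 0o755, 0o077)
        fixed = mkdir_under_umask(tmp, "ssh_user_umask_0022", 0o755, 0o022)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print(f"umask 0077 -> {broken:04o}, traversable by others: {traversable_by_others(broken)}")
    print(f"umask 0022 -> {fixed:04o}, traversable by others: {traversable_by_others(fixed)}")
```

The same rule applies to any installer or provisioning script that creates directories for other users: the mode argument is a ceiling, not a guarantee, and the effective permissions are mode & ~umask, so either set the umask explicitly around the call or chmod the result afterwards.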
645179-4 : Traffic group becomes active on more than one BIG-IP after a long uptime
Component: TMOS
Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.
Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- One or more traffic groups are configured.
-- The BIG-IP systems have a long uptime.
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
Fix:
Traffic groups no longer become active on more than one BIG-IP system in a device group after a long uptime interval.
645101-3 : OpenSSL vulnerability CVE-2017-3732
Solution Article: K44512851
644904-3 : tcpdump 4.9
Solution Article: K55129614
644693-6 : Fix for multiple CVE for openjdk-1.7.0
Solution Article: K15518610
644220-1 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
Component: Global Traffic Manager (DNS)
Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.
Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.
Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.
Workaround:
None.
Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.
644184-6 : ZebOS daemons hang while AgentX SNMP daemon is waiting.
Solution Article: K36427438
Component: TMOS
Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.
Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.
Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.
Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.
Fix:
ZebOS daemons no longer hang while AgentX is waiting.
643375-3 : TMM may crash when processing compressed data
Solution Article: K10329515
643187-4 : BIND vulnerability CVE-2017-3135
Solution Article: K80533167
642330-4 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: Global Traffic Manager (DNS)
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.
642039-4 : TMM core when persist is enabled for wideip with certain iRule commands triggered.
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV.
Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable persist on wideip.
Note: Although this is not an ideal workaround, it provides a way to use those iRule commands without causing a tmm core.
Fix:
TMM no longer cores when persist is enabled for a wideip and these iRule commands are triggered.
641512-2 : DNSSEC key generations fail with lots of invalid SSL traffic
Solution Article: K51064420
Component: Local Traffic Manager
Symptoms:
DNSSEC keys can roll over periodically. The rollover fails, leaving no key to sign DNSSEC responses (no RRSIG records), when the BIG-IP is handling a lot of SSL traffic with invalid certificates.
The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.
Conditions:
DNSSEC keys are configured with periodic rollover, and the certificate path has queued an error (for example, because of a lot of SSL traffic with invalid certificates).
Impact:
DNSSEC key generations fail to be accepted by TMM, so that when the prior generation expires there is no valid key to sign DNSSEC responses.
Workaround:
Restart the TMM after the new key generation is created.
Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.
641360-4 : SOCKS proxy protocol error
Solution Article: K30201296
641013-4 : GRE tunnel traffic pinned to one TMM
Component: TMOS
Symptoms:
GRE tunnel traffic can be sent to one TMM if BIG-IP doesn't proxy the GRE tunnel and uses forwarding virtual to handle GRE tunnel traffic.
Conditions:
Use forwarding virtual to handle GRE tunnel traffic.
Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.
Workaround:
None.
Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.
639575-3 : Using libtar with files larger than 2 GB will create an unusable tarball
Solution Article: K63042400
Component: TMOS
Symptoms:
Programs such as qkview create a .tar file (tarball) using libtar. If any of the files collected are greater than 2 GB, the output tar file cannot be read by /bin/tar.
This occurs due to a limitation of the file compression library employed by qkview command; the system cannot collect files larger than 2 GB in size in a Qkview.
The qkview command may generate output that iHealth cannot parse, and that the tar command cannot extract.
Conditions:
-- The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.
-- A 2 GB or larger file exists in a directory that qkview normally collects.
Impact:
No qkview diagnostics file is created. Although you can extract the qkview tarball using /usr/bin/libtar, the file will be a zero-length file. Cannot submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.
Workaround:
Remove the file larger than 2 GB from the system prior to running qkview or other program that uses libtar.
Fix:
With the fix to third party software, libtar, programs using libtar no longer create an unusable tarball when dealing with files larger than 2 GB.
638935-1 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: TMOS
Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.
If your configuration contains an escaped quote and you are moving to a release that depends on this fix, you cannot reload the configuration, or the license (which also reloads the configuration); doing so causes the config load to fail.
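The trigger condition stated in 642330 and in this entry is precise enough to check mechanically, both before an upgrade (which monitor strings will lose their quotes) and afterwards (which lines in bigip.conf or BIG-IP_gtm.conf need them back). The following scanner is an added example, not F5 code. It applies that condition to the send, recv, recv-disable and username attributes, scanning line by line, which suffices because tmsh writes one attribute per line. The sample configuration is constructed for the demonstration, with the page's own recv string on an unquoted line; the monitor names and send strings are assumptions.

```python
"""Pre/post-upgrade check for monitor strings that lose their enclosing quotes.

Added example, not F5 code.  It implements the condition from the release
note: a send/recv/recv-disable/username value that contains \\" (backslash
double-quote) but none of  ' | { } ; #  newline or space  is written back
without its surrounding quotes and then fails to load.  The scan is
line-based, which matches how tmsh writes one attribute per line.
"""
import re

# Any of these inside the value makes the config writer keep the quotes.
SAFE_CHARS = set("'|{};# \n")
FIELD_RE = re.compile(
    r"^(?P<indent>\s*)(?P<key>send|recv-disable|recv|username)\s+(?P<value>.*?)\s*$")


def at_risk(value: str) -> bool:
    """True when VALUE matches the trigger condition from the release note."""
    return '\\"' in value and not (SAFE_CHARS & set(value))


def split_quotes(raw: str):
    """Return (inner_value, was_quoted) for a raw attribute value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1], True
    return raw, False


def scan(conf_text: str):
    """Return (line_no, key, value, was_quoted) for every at-risk field.

    was_quoted=True  : still intact, but will lose its quotes on upgrade
                       from an affected version.
    was_quoted=False : quotes already gone; the file will not load as is.
    """
    findings = []
    for no, line in enumerate(conf_text.splitlines(), start=1):
        m = FIELD_RE.match(line)
        if not m:
            continue
        value, quoted = split_quotes(m.group("value"))
        if at_risk(value):
            findings.append((no, m.group("key"), value, quoted))
    return findings


def repair(conf_text: str) -> str:
    """Re-add enclosing quotes to at-risk values that have lost them; this
    is the manual workaround from the release note, applied mechanically."""
    out = []
    for line in conf_text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            value, quoted = split_quotes(m.group("value"))
            if at_risk(value) and not quoted:
                line = f'{m.group("indent")}{m.group("key")} "{value}"'
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: line 4 carries the release note's recv string with its
# quotes already stripped; the second monitor is safe because of the braces.
SAMPLE_CONF = r'''ltm monitor http /Common/app_status {
    defaults-from /Common/http
    interval 5
    recv \"service_status\":\"on\".+\"maintenance\":\"off\"
    send "GET /status HTTP/1.1\r\nHost: app.example\r\n\r\n"
    timeout 16
}
ltm monitor https /Common/api_check {
    defaults-from /Common/https
    recv "{\"status\":\"ok\"}"
    send "GET /health HTTP/1.1\r\n\r\n"
}
'''

if __name__ == "__main__":
    for no, key, value, quoted in scan(SAMPLE_CONF):
        state = "intact, at risk on upgrade" if quoted else "quotes missing"
        print(f"line {no}: {key} {value!r} ({state})")
    print(repair(SAMPLE_CONF))
```

A quoted hit means the monitor should be reviewed before upgrading from an affected version; an unquoted hit is a line that repair rewrites the way the workaround does by hand. After editing the file, validate it with tmsh load sys config verify before doing a full load.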
638137-3 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
Solution Article: K51201255
637181-2 : VIP-on-VIP traffic may stall after routing updates
Component: Local Traffic Manager
Symptoms:
After a routing update, traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.
Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.
Impact:
Existing connections to the outer VIP may stall.
Workaround:
None.
Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.
636702-1 : BIND vulnerability CVE-2016-9444
Solution Article: K40181790
636700-2 : BIND vulnerability CVE-2016-9147
Solution Article: K02138183
636699-3 : BIND vulnerability CVE-2016-9131
Solution Article: K86272821
635933-2 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
Solution Article: K23440942
635412-1 : Invalid mss with fast flow forwarding and software syn cookies
Solution Article: K82851041
635314-3 : vim Vulnerability: CVE-2016-1248
Solution Article: K22183127
633723-1 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
Component: Local Traffic Manager
Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.
Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.
Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.
See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.
Workaround:
None.
Fix:
The system now automatically gathers nitrox data collection when request queue stuck errors occur.
Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.
If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.
633691-2 : HTTP transaction may not finish gracefully due to TCP connection is closed by RST
Component: Local Traffic Manager
Symptoms:
HTTP or other higher-layer protocol transactions may not finish gracefully because the TCP connection is closed with an RST.
Conditions:
1. There is ClientSSL or ServerSSL configured on the Virtual Server.
2. The HTTP or other higher-layer protocol transaction has not finished yet.
3. Client or Server sends out the TCP FIN packet.
Impact:
Application-level responses may not be received at all by the client.
Workaround:
No Workaround.
Fix:
TMM now closes the connection with a TCP FIN wherever possible, instead of with an RST, which would discard data that has not yet been sent on the wire.
633465-1 : Curl cannot be forced to use TLSv1.0 or TLSv1.1
Solution Article: K09748643
Component: TMOS
Symptoms:
Curl fails when connecting to server that does not accept TLSv1.1 or TLSv1.2 handshakes. This occurs even if the "--tlsv1.0" or "--tlsv1.1" options to the curl command are used.
Conditions:
Curl is used to attempt to connect to a server that does not understand TLSv1.1 and/or TLSv1.2 handshakes. This occurs when using software v11.5.4 HF2 through 11.5.6 or v11.6.1 HF1 through 11.6.3.
Impact:
Curl will fail.
Workaround:
Use "curl-apd" rather than "curl". curl-apd does not currently implement TLSv1.1 or TLSv1.2.
Fix:
Curl now honors the tlsv version flag, so the system correctly uses TLSv1.0, TLSv1.1, or TLSv1.2, as specified.
632798-3 : Double-free may occur if Access initialization fails
Solution Article: K30710317
Component: Access Policy Manager
Symptoms:
Double-free may occur if Access initialization fails.
Conditions:
Access initialization failure occurs, possibly due to license issues.
Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.
632618 : ImageMagick vulnerability CVE-2016-3717
Solution Article: K29154575
632423-1 : DNS::query can cause tmm crash if AXFR/IXFR types specified.
Solution Article: K40256229
Component: Global Traffic Manager (DNS)
Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.
Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.
Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.
Workaround:
Do not explicitly use AXFR or IXFR query types.
If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:
if { not ([DNS::question type] ends_with "XFR") } {
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}
Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.
631688-3 : Multiple NTP vulnerabilities
Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302
631627-3 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start
Component: TMOS
Symptoms:
After a reboot with BWC applied to a route domain, VLAN traffic on a vCMP guest stops. Connection failures occur when Bandwidth Controller (BWC) and Web Accelerator are both enabled.
Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.
Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.
Impact:
The system does not come up fully. TMM does not reach a ready state and will not pass traffic.
Workaround:
Remove BWC from route domain and then reapply the BWC back.
Fix:
With BWC enabled and associated with a route domain and Web Accelerator enabled, the system and TMM now come up fully and pass traffic after a reboot.
631582-3 : Administrative interface enhancement
Solution Article: K55792317
631530 : TAI offset not adjusted immediately during leap second
Solution Article: K32246335
Component: TMOS
Symptoms:
During a leap second (when UTC should read 23:59:60 and a UTC time value is repeated), the International Atomic Time (TAI) timescale must keep advancing; instead, the kernel increments the TAI offset one second too late.
Conditions:
This occurs during an NTP leap second event, for example the event on December 31, 2016, at 23:59:60 UTC.
Impact:
Impact to applications unknown, system will stay stable and a timer may be fired off later than expected.
Workaround:
None.
Fix:
International Atomic Time (TAI) offset during leap second has been corrected.
631204-3 : GeoIP lookups incorrectly parse IP addresses
Solution Article: K23124150
631172-2 : GUI user logged off when idle for 30 minutes, even when longer timeout is set
Solution Article: K54071336
Component: TMOS
Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.
Conditions:
A user is logged in to the GUI and idle for 20 to 30 minutes.
Impact:
User is logged out of the GUI.
Workaround:
None.
Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.
630475-3 : TMM Crash
Solution Article: K13421245
630446-3 : Expat vulnerability CVE-2016-0718
Solution Article: K52320548
629771 : TCP::unused_port erroneously accepts IPv4-compatible addresses
Component: Local Traffic Manager
Symptoms:
When the TCP::unused_port command is called with a Tcl IP address object that represents the IPv4 address as an IPv4-compatible IPv6 address, the command searches for existing flows related to that address.
IPv4-compatible IPv6 addresses are deprecated; the flow table uses IPv4-mapped IPv6 addresses.
Conditions:
The IP::addr object has been created with the following command:
[IP::addr <addr> mask ::ffff:ffff]
Impact:
The TCP::unused_port command is unable to return an unused port
Workaround:
Use the string representation by forcing the object to be a string, e.g.:
set ipv6_addr "fe80::250:56ff:0a1e:0101"
set ipv4_from_ipv6 [ string tolower [IP::addr $ipv6_addr mask ::ffff:ffff] ]
set free [TCP::unused_port $ipv4_from_ipv6 [TCP::local_port] 10.30.1.64 [TCP::client_port] 48000 48255]
Fix:
ID 598860-5 fixes the IP::addr command so that it returns an IPv4-mapped address.
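The mismatch in this entry is between two encodings of the same IPv4 address inside an IPv6 address: the deprecated IPv4-compatible form ::a.b.c.d, which is exactly what masking with ::ffff:ffff leaves behind, and the IPv4-mapped form ::ffff:a.b.c.d that the flow table keys on. The following is an added example, not F5 code. It computes both forms for the address used in the workaround and models the flow lookup as a toy table that stores mapped keys only, so the miss on the compatible form is visible. The port numbers and the table itself are assumptions for the demonstration.

```python
"""IPv4-compatible versus IPv4-mapped IPv6 forms of the same address.

Added example, not F5 code.  The release note's workaround masks an IPv6
address with ::ffff:ffff to recover the IPv4 address embedded in its low 32
bits.  This shows the two ways that result can be written, the deprecated
IPv4-compatible form ::a.b.c.d and the IPv4-mapped form ::ffff:a.b.c.d, and
why a lookup keyed on the mapped form misses when handed the compatible one.
The FlowTable and the ports are assumptions for the demonstration.
"""
import ipaddress

LOW32 = int(ipaddress.IPv6Address("::ffff:ffff"))   # the mask in the workaround
MAPPED_PREFIX = 0xFFFF << 32                        # ::ffff:0:0


def mask_low32(v6: str) -> ipaddress.IPv6Address:
    """What [IP::addr $v6 mask ::ffff:ffff] computes: keep the low 32 bits.
    The result carries no ::ffff prefix, i.e. it is IPv4-compatible."""
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(v6)) & LOW32)


def to_ipv4_mapped(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Rewrite the embedded IPv4 address into the IPv4-mapped form."""
    return ipaddress.IPv6Address(MAPPED_PREFIX | (int(addr) & LOW32))


def embedded_ipv4(addr: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """The IPv4 address carried in the low 32 bits of either form."""
    return ipaddress.IPv4Address(int(addr) & LOW32)


class FlowTable:
    """Toy model of a table that stores IPv4 endpoints in mapped form only,
    as the release note says the real flow table does."""

    def __init__(self):
        self._flows = set()

    def add(self, v4: str, port: int) -> None:
        key = ipaddress.IPv6Address(MAPPED_PREFIX | int(ipaddress.IPv4Address(v4)))
        self._flows.add((key, port))

    def has(self, addr: ipaddress.IPv6Address, port: int) -> bool:
        """Exact-match lookup: a compatible-form key never hits."""
        return (addr, port) in self._flows

    def has_normalised(self, addr: ipaddress.IPv6Address, port: int) -> bool:
        """Lookup after converting the key to mapped form, which is what the
        IP::addr fix referenced above amounts to."""
        return (to_ipv4_mapped(addr), port) in self._flows


if __name__ == "__main__":
    compat = mask_low32("fe80::250:56ff:0a1e:0101")   # address from the workaround
    mapped = to_ipv4_mapped(compat)
    print("compatible form:", compat, "ipv4_mapped ->", compat.ipv4_mapped)
    print("mapped form:    ", mapped, "ipv4_mapped ->", mapped.ipv4_mapped)
    table = FlowTable()
    table.add("10.30.1.1", 48000)
    print("exact lookup with compatible form:", table.has(compat, 48000))
    print("exact lookup with mapped form:    ", table.has(mapped, 48000))
```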
629530-8 : Under certain conditions, monitors do not time out.
Solution Article: K53675033
Component: Global Traffic Manager (DNS)
Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".
Conditions:
This can rarely occur when the monitor timeout period elapses while either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time and the monitor timeout value is evenly divisible by the monitor interval.
Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.
Workaround:
Disable the affected resources, and then enable them again.
Fix:
The resource status is now correct under all monitor timeout conditions.
629033-1 : BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello).
Component: Local Traffic Manager
Symptoms:
BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello). Instead, the BIG-IP system is sending SHA1 signature algorithms in the Server Hello first.
Conditions:
clientside / Server Hello.
Impact:
Minimal. SHA1 algorithms are listed first and they should be last.
Workaround:
None.
Fix:
The system now reorders signature hash algorithms such that SHA1 is last.
628164-1 : OSPF with multiple processes may incorrectly redistribute routes
Solution Article: K20766432
Component: TMOS
Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.
Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.
Impact:
Incorrect routing information in the network when OSPF converges.
Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.
Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.
OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.
627907-4 : Improve cURL usage
Solution Article: K11464209
626360-4 : TMM may crash when processing HTTP2 traffic
Solution Article: K22541983
625824-4 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
Component: TMOS
Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap space usage to increase continuously and might lead to exhaustion of swap space.
Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem.
Impact:
iControlPortal.cgi memory increases.
Workaround:
Restart httpd to reload the iControl daemon.
Fix:
Fixed a memory leak associated with iControl.
625671-1 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
Component: Global Traffic Manager (DNS)
Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.
Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.
Impact:
dnsxdump provides incomplete diagnostic output, stopping at the zone containing the resource record with the non-standard type.
Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver allows dnsxdump to work again after the next zone transfer.
Fix:
dnsxdump handles non-standard resource record types.
625376-2 : In some cases, download of PAC file by edge client may fail
Component: Access Policy Manager
Symptoms:
Edge client may fail to download PAC file and incorrectly apply proxy configuration after VPN connection.
Conditions:
- User machine proxy configuration points to a proxy auto configuration file.
- Network access proxy configuration points to a proxy auto configuration file.
- PAC file URI in either case has uppercase characters.
- PAC file is hosted on a server where resource names are case sensitive.
Impact:
PAC file download will fail and client will use incorrect proxy settings due to unavailability of PAC file.
Workaround:
Use only lowercase characters in PAC file URI.
Fix:
Now Edge client can download PAC files from URIs that have uppercase as well as lowercase characters.
625372-1 : OpenSSL vulnerability CVE-2016-2179
Solution Article: K23512141
625198-4 : TMM might crash when TCP DSACK is enabled
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
All of the following are required to see this behavior:
-- DSACK is enabled.
-- MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.
-- cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; and Nagle is not set to 'auto'.
-- An iRule exists that changes any of the conditions above besides DSACK.
-- Various client packet combinations interact in certain ways with the iRule logic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change any of the conditions above.
Fix:
TCP maintains state appropriately to avoid crash.
624931 : getLopSensorData "sensor data reply too short" errors with FND300 DC PSU
Component: TMOS
Symptoms:
On BIG-IP 2000-/4000-series or 5000-/7000-series appliances with FND300 DC power supplies running BIG-IP v11.5.4-HF2, errors similar to the following are logged every 30+ seconds:
warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16d size: 39
warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16e size: 39
In addition, the PSU status is reported as Not Present by the "tmsh show sys hardware" and "tmctl chassis_power_supply_status_stat" commands.
tmsh show sys hardware:
Chassis Power Supply Status
Index Status Current
1 not-present NA
2 not-present NA
tmctl chassis_power_supply_status_stat:
name index status input_status output_status fan_status current_status
==============================================================================
pwr1 1 2 2 2 2 0
pwr2 2 2 2 2 2 0
Totals 3 4 4 4 4 0
------------------------------------------------------------------------------
(Where a status value of 2 == Not Present)
Conditions:
This problem occurs when all of the following conditions are true:
1. BIG-IP 2000-/4000-series or 5000-/7000-series appliance
2. One or more FND300 DC power supplies installed
3. Running BIG-IP v11.5.4-HF2
Impact:
1. Errors logged every 30+ seconds
2. PSU status is reported as Not Present
Fix:
The status of FND300 DC power supplies is reported correctly on BIG-IP 2000-/4000-series and 5000-/7000-series appliances.
624903-2 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
Solution Article: K55102452
624692-1 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
Component: TMOS
Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.
Conditions:
Certificate with multi-byte encoded strings.
Impact:
Unable to view certificate list page or view certificate information via iControl/REST.
624570-4 : BIND vulnerability CVE-2016-8864
Solution Article: K35322517
624457-2 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
Solution Article: K10558632
624263-1 : Profile properties explicitly set to "none" are missing from the iControl REST API response
Component: TMOS
Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.
624193 : Topology load balancing not working as expected
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.
Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.
Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.
Workaround:
Topology records and pools can be configured so that no two pools share the highest score for a given load balancing decision.
Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.
623930-1 : vCMP guests with vlangroups may loop packets internally
Component: TMOS
Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.
Conditions:
vCMP guest, vlangroups.
Impact:
High CPU utilization and potentially undelivered packets.
Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.
Fix:
Packets are no longer looped between vlangroup children on vCMP guests.
623119-3 : Linux kernel vulnerability CVE-2016-4470
Solution Article: K55672042
622856-2 : BIG-IP may enter SYN cookie mode later than expected
Component: Local Traffic Manager
Symptoms:
BIG-IP entry to SYN cookie mode may not occur even though traffic pattern would dictate that it should.
Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.
Impact:
BIG-IP does not enter SYN cookie mode at the expected time.
Workaround:
Disable verified accept on all VIP TCP profiles.
Fix:
BIG-IP correctly enters SYN cookie mode when the traffic pattern dictates that it should.
622662-4 : OpenSSL vulnerability CVE-2016-6306
Solution Article: K90492697
622496-3 : Linux kernel vulnerability CVE-2016-5829
Solution Article: K28056114
622178-4 : Improve flow handling when Autolasthop is disabled
Solution Article: K19361245
622166-1 : HTTP GET requests with HTTP::cookie iRule command receive no response
Component: Local Traffic Manager
Symptoms:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers do not get a response.
Conditions:
An LTM virtual server with an iRule including the HTTP::cookie command.
Impact:
No response is received by the client.
Workaround:
None.
Fix:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers now get a response as expected.
621935-4 : OpenSSL vulnerability CVE-2016-6304
Solution Article: K54211024
621465 : The minimum IP packet fragment size is now 1 and not 24
Component: Local Traffic Manager
Symptoms:
The minimum IP packet fragment size, set via DB Var [TM.MinIPfragSize], is 24 and that causes problems if you need to use smaller fragments in your network.
Conditions:
You are trying to configure TM.MinIPfragSize and need it to be set to a value smaller than 24.
Impact:
You are unable to configure fragment sizes smaller than 24 in your network.
Workaround:
NA
Fix:
Changed DB Var [TM.MinIPfragSize] minimum value from 24 to 1.
621452-4 : Connections can stall with TCP::collect iRule
Solution Article: K58146172
Component: Local Traffic Manager
Symptoms:
Connection does not complete.
Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.
-- The Initial Sequence Number in the SYN, plus the length of the data in the first packet, plus 1, is greater than or equal to 2^31.
Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.
Impact:
-- Connection fails.
-- This issue can also cause the Configuration Utility's Device Management :: Overview page to stop responding.
Workaround:
There is no workaround at this time.
Fix:
The system now properly sets state variables associated with TCP::collect, so this issue no longer occurs.
621417-2 : sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.
Component: TMOS
Symptoms:
On a BIG-IP system deployed in the AWS cloud, sys-icheck reports size and md5 errors for the /usr/share/defaults/bigip_base.conf file, as follows:
ERROR: S.5...... c /usr/share/defaults/bigip_base.conf (no backup)
Conditions:
BIG-IP deployed in AWS cloud.
Impact:
sys-icheck reports "rpm --verify" size and md5 errors for /usr/share/defaults/bigip_base.conf. This has no functional impact on the product, but it looks as though the factory configuration file was modified incorrectly by a user or application.
Workaround:
No workaround exists for this issue.
Fix:
sys-icheck no longer reports errors for /usr/share/defaults/bigip_base.conf in AWS.
621337-4 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
Solution Article: K97285349
621314-1 : SCTP virtual server with mirroring may cause excessive memory use on standby device
Solution Article: K55358710
Component: TMOS
Symptoms:
If a SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.
Conditions:
SCTP virtual server has mirroring enabled.
Impact:
TMMs will have high memory usage on standby device.
Workaround:
Disable mirroring on the SCTP virtual server.
Fix:
SCTP virtual server with mirroring no longer causes excessive memory use on standby device.
621273-5 : DSR tunnels with transparent monitors may cause TMM crash.
Component: TMOS
Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.
Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM does not crash.
621242-2 : Reserve enough space in the image for future upgrades.
Component: TMOS
Symptoms:
Increased the reserved free space in the VM image from 15% to 30% to accommodate upgrades to future versions. Each new version tends to be bigger and require more disk space to install. The increased reserved space will allow upgrading to at least the next two versions.
Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).
Impact:
Extends the disk image to reserve more disk space for upgrades.
Workaround:
N/A
Fix:
Increased the reserved free space on VE images.
620829-5 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
None.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
620712 : Added better search capabilities on the Pool Members Manage & Pool Create page.
Component: Global Traffic Manager (DNS)
Symptoms:
Large amount of virtual servers were hard to manage on the GSLB Pool Member Manage page.
Conditions:
Having large amount of virtual servers/wide ips
Impact:
Poor usability.
Workaround:
No workaround.
Fix:
The GSLB Pool Member Manage page now has a new search feature in the form of a combo box to allow for better management of large amount of virtual servers.
Behavior Change:
The GSLB Pool Member Manage page now has the new search feature to allow for better management of large amount of virtual servers.
620659-1 : The BIG-IP system may unnecessarily run provisioning on successive reboots
Component: TMOS
Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'
During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'
Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).
Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.
The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
<13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB
The /var/log/tmm logfile on the vCMP guest will contain:
<13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
<13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
<13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **
Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.
Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.
619849-1 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGABRT (killed by sod)
Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profiles, that must be handling traffic.
This issue occurs extremely rarely.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified accept.
Fix:
The loop is fixed.
619757-4 : iSession causes routing entry to be prematurely freed
Component: Wan Optimization Manager
Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.
Conditions:
iSession-enabled virtual.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No reasonable workaround short of not using iSession functionality.
Fix:
iSession no longer causes routing entries to be prematurely freed.
619398-3 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The fix was to properly handle the failure allocating memory.
619071-1 : OneConnect with verified accept issues
Component: Local Traffic Manager
Symptoms:
System may experience an outage.
Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed
Impact:
System outage.
Workaround:
Disabled verified accept when used with OneConnect on a VIP.
Fix:
Verified accept, OneConnect and hardware syncookies work correctly together.
618905-2 : tmm core while installing Safenet 6.2 client
Component: Local Traffic Manager
Symptoms:
tmm core while installing Safenet 6.2 client.
Conditions:
Safenet 6.2 client installation
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm core related to Safenet 6.2 client installation.
618324-3 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
Component: Access Policy Manager
Symptoms:
After upgrading from OPSWAT SDK V3 to V4, opening an access policy in the Visual Policy Editor (VPE) displays "Any" for an OPSWAT checker (e.g., the Anti-Virus checker) that contains an undefined ID (one that was previously defined but is now out of support). The correct display is "Unsupported" or "Invalid" product.
Conditions:
An access policy whose OPSWAT checker references an ID that is no longer defined after upgrading from OPSWAT SDK V3 to V4.
Impact:
Wrongful information displayed.
Workaround:
N/A
Fix:
Correct information (*** Invalid ***) is now displayed for an undefined ID.
618261-4 : OpenSSL vulnerability CVE-2016-2182
Solution Article: K01276005
618258-4 : OpenSSL vulnerability CVE-2016-2182
Solution Article: K01276005
617901-4 : GUI to handle file path manipulation to prevent GUI instability.
Solution Article: K00363258
617862-3 : Fastl4 handshake timeout is absolute instead of relative
Component: Local Traffic Manager
Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.
Conditions:
A TCP connection in three-way handshake.
Impact:
Connections are expired prematurely if they are still in three-way handshake.
Workaround:
Disable handshake timeout.
Impact of workaround: the TCP handshake will not prematurely time out, and connections remain open until the Idle Timeout expires.
Fix:
The handshake timeout now expires based on idleness of the connection, taking into account any SYN retransmissions, etc., that might occur.
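The difference between an absolute and an idle-based handshake timer is easier to see in a small model than in prose. The following is an added example, not F5 code and not a description of the FastL4 implementation: it models a table entry for a pending three-way handshake and evaluates the same packet trace under both policies, with constructed traces (not captured traffic) and a 5-second timeout chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class PendingHandshake:
    first_syn_at: int      # when the client's first SYN was seen
    last_activity_at: int  # most recent handshake packet from either side


def expiry_time(pending: PendingHandshake, timeout: int, relative: bool) -> int:
    """Absolute (pre-fix): the entry dies `timeout` seconds after the first SYN, whatever
    happens. Relative (fixed): the timer restarts on every handshake packet, so only an
    idle handshake dies."""
    ref = pending.last_activity_at if relative else pending.first_syn_at
    return ref + timeout


def simulate(events, timeout, relative):
    """events: (time, packet) tuples in time order; packet is 'syn' (client, possibly a
    retransmit), 'synack' (server) or 'ack' (client, completes the handshake).
    Returns ('reset', t) if the timer fires before the next packet, ('established', t)
    when the ACK is processed, or ('pending', t_last) if the trace ends with the
    handshake still open."""
    pending = None
    last_t = None
    for t, packet in events:
        last_t = t
        if pending is not None and expiry_time(pending, timeout, relative) <= t:
            return ("reset", expiry_time(pending, timeout, relative))
        if pending is None:
            if packet != "syn":
                raise ValueError(f"handshake packet {packet!r} with no pending entry")
            pending = PendingHandshake(first_syn_at=t, last_activity_at=t)
        elif packet == "ack":
            return ("established", t)
        else:
            pending.last_activity_at = t  # SYN retransmit or SYN/ACK keeps it alive
    return ("pending", last_t)


# Constructed traces (not captured traffic). Timestamps are seconds; timeout is 5.
# A slow server: the client retransmits its SYN at 3s, the SYN/ACK arrives at 6s.
SLOW_SERVER = [(0, "syn"), (3, "syn"), (6, "synack"), (7, "ack")]
# A client that only ever retransmits SYNs and never completes the handshake.
SYN_ONLY_CLIENT = [(0, "syn"), (4, "syn"), (8, "syn"), (12, "syn")]


if __name__ == "__main__":
    for name, trace in (("slow server", SLOW_SERVER), ("syn-only client", SYN_ONLY_CLIENT)):
        print(name, "absolute:", simulate(trace, 5, relative=False),
              "relative:", simulate(trace, 5, relative=True))
```

The slow-server trace is the case the fix addresses: the absolute timer resets a connection that would have completed at 7 seconds. The syn-only trace shows the cost of the idle-based policy in this model: a peer that keeps retransmitting SYNs keeps its half-open entry alive for as long as it likes, which is why SYN-flood protection (SYN cookies and thresholds, covered by other entries in this note) rather than the handshake timeout is the control to rely on against half-open floods.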
617824-1 : "SSL::disable/enable serverside" + oneconnect reuse is broken
Component: Local Traffic Manager
Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.
Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. The iRule and OneConnect profile are applied to the virtual server.
Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.
Workaround:
You can work around the problem by disabling oneConnect.
617628-3 : SNMP reports incorrect value for sysBladeTempTemperature OID
Component: TMOS
Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.
# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
# tmsh show sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...
The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.
Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.
Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.
config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
1 1 0 19 49 Blade air outlet temperature 1
1 2 0 14 41 Blade air inlet temperature 1
1 3 0 21 57 Blade air outlet temperature 2
1 4 0 16 41 Blade air inlet temperature 2
1 5 0 25 60 Mezzanine air outlet temperatur
1 6 0 27 72 Mezzanine HSB temperature 1
1 7 0 17 63 Blade PECI-Bridge local tempera
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
1 9 0 25 68 Mezzanine BCM56846 proximity te
1 10 0 22 69 Mezzanine BCM5718 proximity tem
1 11 0 19 57 Mezzanine Nitrox3 proximity tem
1 12 0 16 46 Mezzanine SHT21 Temperature
617273-4 : Expat XML library vulnerability CVE-2016-5300
Solution Article: K70938105
616864-4 : BIND vulnerability CVE-2016-2776
Solution Article: K18829561
616772-3 : CVE-2014-3568 : OpenSSL Vulnerability (Oracle Access Manager)
Solution Article: K15724
616765-3 : CVE-2013-6449 : OpenSSL Vulnerability (Oracle Access Manager)
Solution Article: K15147
616498-3 : CVE-2009-3245 : OpenSSL Vulnerability (Oracle Access Manager)
Solution Article: K15404
616491-3 : CVE-2006-3738 : OpenSSL Vulnerability (Oracle Access Manager)
Solution Article: K6734
616382 : OpenSSL Vulnerability (TMM)
Solution Article: K93122894
616242-1 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
Solution Article: K39944245
Component: TMOS
Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:
01070711:3: basic_string::compare
If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.
Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.
Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).
Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
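Because the error message names neither the file nor the cause, it helps to scan the key files before an upgrade rather than after the configuration fails to load. The following is an added example, not F5 tooling: it counts leading blank lines in a PEM file, verifies that a PEM header is what follows them, and strips them. The filestore root passed to repair_key_files and the *.key glob are assumptions about the filesystem layout, and the sample key body is a constructed placeholder, not a real private key.

```python
import re
from pathlib import Path

PEM_BEGIN = re.compile(rb"^-----BEGIN [A-Z0-9 ]+-----$")


def leading_blank_lines(data: bytes) -> int:
    """Number of empty or whitespace-only lines before the first non-blank line."""
    count = 0
    for line in data.splitlines():
        if line.strip():
            break
        count += 1
    return count


def starts_with_pem_header(data: bytes) -> bool:
    """True when the very first line is a PEM BEGIN marker (no leading blank lines)."""
    lines = data.splitlines()
    return bool(lines) and PEM_BEGIN.match(lines[0]) is not None


def strip_leading_blank_lines(data: bytes) -> bytes:
    """Drop leading blank lines; the rest of the file, including line endings, is unchanged."""
    lines = data.splitlines(keepends=True)
    i = 0
    while i < len(lines) and not lines[i].strip():
        i += 1
    return b"".join(lines[i:])


def repair_key_files(root, dry_run=True):
    """Walk `root` (assumed filestore location) for *.key files, report those that begin
    with blank lines, and rewrite them in place unless dry_run. Files whose content after
    the blank lines is not PEM are reported but left untouched."""
    results = []
    for path in Path(root).rglob("*.key"):
        data = path.read_bytes()
        if leading_blank_lines(data) == 0:
            continue
        fixed = strip_leading_blank_lines(data)
        if not starts_with_pem_header(fixed):
            results.append((str(path), "skipped: no PEM header after blank lines"))
            continue
        if not dry_run:
            path.write_bytes(fixed)
        results.append((str(path), "would rewrite" if dry_run else "rewritten"))
    return results


# Constructed sample; the body is placeholder base64, not a real key.
GOOD_KEY = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
            b"MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI\n"
            b"-----END ENCRYPTED PRIVATE KEY-----\n")
BAD_KEY = b"\n   \n" + GOOD_KEY  # the shape that triggers basic_string::compare


if __name__ == "__main__":
    print("blank lines before header:", leading_blank_lines(BAD_KEY))
    print("fixed copy is clean PEM:", starts_with_pem_header(strip_leading_blank_lines(BAD_KEY)))
    # Report only; pass dry_run=False to rewrite. /config/filestore is an assumed path.
    for path, status in repair_key_files("/config/filestore", dry_run=True):
        print(path, status)
```

Run it in report mode first and take a backup (for example a UCS archive) before rewriting anything under the filestore; the tool only touches files that actually start with blank lines.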
616215-1 : TMM can core when using LB::detach and TCP::notify commands in an iRule
Component: Local Traffic Manager
Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.
Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.
Fix:
TMM no longer cores in this instance.
616169-1 : ASM Policy Export returns HTML error file
Component: Application Security Manager
Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.
Conditions:
It is not known what triggers this condition.
Impact:
Unable to export ASM Policies.
Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.
Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.
615934 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
615695 : Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2
Component: Application Security Manager
Symptoms:
The following bugs were documented as fixed in BIG-IP v11.5.4-HF2:
ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd
However, the packages containing these fixes were not actually included in the BIG-IP v11.5.4-HF2 ISO.
Therefore, these bugs are not actually fixed in BIG-IP v11.5.4-HF2.
Conditions:
BIG-IP v11.5.4-HF2
Impact:
Referenced bugs are not actually fixed in BIG-IP v11.5.4-HF2.
Fix:
[BIG-IP v11.5.4 Hotfix Rollup containing this fix] includes the packages which contain the fixes for the following bugs:
ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd
615187 : Missing hyperlink to GSLB virtual servers and servers on the pool member page.
Component: Global Traffic Manager (DNS)
Symptoms:
Hyperlinks to GSLB virtual servers and servers on the pool member page were removed in 11.x.
Conditions:
Have a GSLB pool with pool members set up.
Impact:
Must manually take note of the member's virtual server or server.
Workaround:
Manually take note of virtual or server and search for it.
Fix:
Added hyperlink to GSLB virtuals and servers on the pool member page.
614865 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()
Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.
Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.
Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.
- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.
Fix:
Overwrite flag in iControl functions key/certificate_import_from_pem_v2() functions are now processed correctly and no longer produce errors.
614675 : GUI or iControl SOAP API call 'LocalLB::ProfileClientSSL::create_v2' creates invalid profile
Component: TMOS
Symptoms:
1. Using the GUI or an iControl SOAP call can create invalid client SSL profile containing an empty cert-key-chain. This might occur after following these steps:
-- Create new client-ssl cert from the GUI (the web-based UI).
-- Check 'Custom' in 'Certificate Key Chain', but do not add anything.
-- Click Finished. The system creates the following:
ltm profile client-ssl /Common/cssl {
app-service none
cert none
cert-key-chain {
"" { }
defualt_rsa_ckc { <=== a typo "defualt"
cert /Common/default.crt
key /Common/default.key
}
}
<snip>
}
2. Using the iControl function 'LocalLB::ProfileClientSSL::create_v2' creates a profile with two cert-key-chain objects containing identical cert and key values, but with different names:
ltm profile client-ssl my_prof {
app-service none
cert mycert.crt
cert-key-chain {
"" {
cert mycert.crt
key mycert.key
}
defualt_rsa_ckc { <=== a typo "defualt"
cert mycert.crt
key mycert.key
}
}
chain none
inherit-certkeychain false
key mycert.key
passphrase none
}
Conditions:
Creating client SSL profiles using the GUI or the iControl function create_v2().
Impact:
Cannot add the invalid client SSL profile to a virtual server.
Workaround:
Remove the invalid client SSL profile and re-create the profile using TMSH or the GUI.
Fix:
GUI or iControl SOAP API call 'LocalLB::ProfileClientSSL::create_v2' no longer creates an invalid profile when creating client SSL profiles using the iControl function create_v2(). In addition, 'defualt' has been changed to 'default', as expected.
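Profiles created before the fix remain in the configuration, so it is worth finding them. The following is an added example, not F5 tooling: a small parser for the brace-structured output of `tmsh list ltm profile client-ssl`, plus a check that flags the three signatures shown above (an entry named "", two entries with the same cert/key pair, and the misspelled defualt_rsa_ckc name). The sample text is constructed from the two profiles in the symptom, with the "<=== a typo" annotations removed and a valid third profile added; the parser assumes tmsh's one-value-per-key layout with whitespace-separated braces.

```python
import re

_TOKEN = re.compile(r'"[^"]*"|\S+')


def _tokenize(text: str) -> list:
    """Split tmsh output into tokens, keeping a quoted name such as "" as one
    (possibly empty) token."""
    return [t[1:-1] if t.startswith('"') else t for t in _TOKEN.findall(text)]


def _parse_block(tokens: list, i: int):
    """Parse tokens starting just after a '{' until the matching '}'.
    Returns (dict, index after the closing brace). Values are strings or nested dicts."""
    node = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return node, i + 1
        if i + 1 < len(tokens) and tokens[i + 1] == "{":
            node[tok], i = _parse_block(tokens, i + 2)
        elif i + 1 < len(tokens):
            node[tok] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"dangling key {tok!r}")
    raise ValueError("unbalanced braces")


def parse_client_ssl_profiles(text: str) -> dict:
    """Return {profile_name: properties} for every 'ltm profile client-ssl NAME { ... }' block."""
    tokens = _tokenize(text)
    profiles = {}
    i = 0
    while i < len(tokens):
        if tokens[i:i + 3] == ["ltm", "profile", "client-ssl"] and tokens[i + 4:i + 5] == ["{"]:
            name = tokens[i + 3]
            profiles[name], i = _parse_block(tokens, i + 5)
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} at position {i}")
    return profiles


def find_invalid_profiles(text: str) -> dict:
    """Flag profiles with an empty-named cert-key-chain entry, two entries carrying the
    same cert/key pair, or the misspelled default entry name."""
    problems = {}
    for name, prof in parse_client_ssl_profiles(text).items():
        ckc = prof.get("cert-key-chain")
        if not isinstance(ckc, dict):
            continue
        reasons = []
        if "" in ckc:
            reasons.append('cert-key-chain entry with empty name ""')
        if "defualt_rsa_ckc" in ckc:
            reasons.append("misspelled entry name defualt_rsa_ckc")
        seen = {}
        for entry_name, entry in ckc.items():
            if not isinstance(entry, dict) or "cert" not in entry:
                continue
            pair = (entry["cert"], entry.get("key"))
            if pair in seen:
                reasons.append(f"{entry_name!r} duplicates {seen[pair]!r}: cert={pair[0]} key={pair[1]}")
            else:
                seen[pair] = entry_name
        if reasons:
            problems[name] = reasons
    return problems


# Constructed sample: the two invalid profiles from the symptom plus one valid profile.
SAMPLE = """\
ltm profile client-ssl /Common/cssl {
    app-service none
    cert none
    cert-key-chain {
        "" { }
        defualt_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
}
ltm profile client-ssl my_prof {
    app-service none
    cert mycert.crt
    cert-key-chain {
        "" {
            cert mycert.crt
            key mycert.key
        }
        defualt_rsa_ckc {
            cert mycert.crt
            key mycert.key
        }
    }
    chain none
    inherit-certkeychain false
    key mycert.key
    passphrase none
}
ltm profile client-ssl good_prof {
    cert-key-chain {
        default_rsa_ckc {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
}
"""

if __name__ == "__main__":
    for name, reasons in find_invalid_profiles(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

On a real system, pipe the output of `tmsh list ltm profile client-ssl` into a file and pass its contents to find_invalid_profiles; profiles it reports are the ones to delete and re-create, as the workaround says.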
614441-1 : False Positive for illegal method (GET)
Solution Article: K04950182
Component: Application Security Manager
Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----
Conditions:
This was seen after upgrade and/or failover.
Impact:
-- False positives.
-- BD has the incorrect security configuration.
Workaround:
Run the following command: restart asm.
614147-4 : SOCKS proxy defect resolution
Solution Article: K02692210
614097-4 : HTTP Explicit proxy defect resolution
Solution Article: K02692210
613613 : Incorrect handling of form that contains a tag with id=action
Component: Access Policy Manager
Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.
Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.
Impact:
The impact of this issue is that the web application can not work as expected.
Workaround:
This issue has no workaround at this time.
Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.
613576-9 : QOS load balancing links display as gray
Component: Global Traffic Manager (DNS)
Symptoms:
All links in all data centers appear gray. After this fix, all links appear green and load balancing to the first available link in each pool is restored.
Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.
Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.
Workaround:
Remove all links from the configuration, or install this hotfix.
613524-1 : TMM crash when call HTTP::respond twice in LB_FAILED
Component: Local Traffic Manager
Symptoms:
TMM core-dumps when these conditions are met:
- LB_FAILED event
- irule script must use a "delay" (parked) statement together with two HTTP::respond statements.
Conditions:
- The LB_FAILED event must be triggered by a good IP address and a bad port, so that the serverside connflow is established. The bug does not occur if no pool member is used or an invalid IP address is used.
- The iRule must use a "delay" (parked) statement. The delay, together with the HTTP response, creates the right timing for the clientside connflow to go away while the proxy is pushing an Abort event down to both the clientside and the serverside.
Impact:
Traffic disrupted while tmm restarts.
Fix:
This fix rectifies the problem.
613369-5 : Half-Open TCP Connections Not Discoverable
Component: Local Traffic Manager
Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.
Conditions:
A TCP connection in half-open state.
Impact:
Half-open TCP connections are not discoverable
Fix:
Properly acknowledge half-open TCP connections.
613225-4 : OpenSSL vulnerability CVE-2016-6306
Solution Article: K90492697
613127-5 : Linux TCP Stack vulnerability CVE-2016-5696
Solution Article: K46514822
612721 : FIPS: .exp keys cannot be imported when the local source directory contains .key file
Component: TMOS
Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.
Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).
Impact:
Unable to import the FIPS key
Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.
612419-3 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
Component: Access Policy Manager
Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.
Conditions:
Network access; full webtop, multiple Network Access resources.
Impact:
Memory usage increases over time.
Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.
Fix:
Fixed a memory leak related to network access.
612128-2 : OpenSSH vulnerability CVE-2016-6515
Solution Article: K31510510
611830 : TMM may crash when processing TCP traffic
Solution Article: K13053402
611704-1 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
Component: Local Traffic Manager
Symptoms:
A tmm crash was discovered during internal testing.
Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT
611469-6 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
Solution Article: K95444512
611278-1 : Connections to a BIG-IP system's Self-IP address may fail when the VLAN cmp-hash is altered
Component: Local Traffic Manager
Symptoms:
On a BIG-IP system belonging to a Sync or Sync-Failover Device Group, you encounter intermittent Device Group errors during normal operation. This can include the device status flipping from Offline to In Sync, or actual sync errors on a manual or automatic config sync. You may also see iQuery errors in the logs of BIG-IP GTM systems.
Conditions:
This issue is known to occur on BIG-IP systems belonging to a Sync or Sync-Failover Device Group where the config sync VLAN cmp-hash mode is set to something other than default.
Impact:
Intermittent sync status or occasional config sync failures.
Workaround:
Ensure that the config sync IP is on a VLAN that has the cmp-hash mode set to default.
610609-4 : Total connections in bigtop, SNMP are incorrect
Component: Local Traffic Manager
Symptoms:
While looking at total connections for the active BIG-IP system using bigtop or SNMP, the connections are reported too high. For example, if you send a single connection through the BIG-IP system, it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.
Conditions:
This occurs on PVA-enabled hardware platforms.
Impact:
The total connection count statistic is incorrect.
610582-8 : Device Guard prevents Edge Client connections
Component: Access Policy Manager
Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.
Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.
Impact:
Clients are unable to establish a VPN connection.
Workaround:
As a workaround, have the affected Edge Client users disable Device Guard.
Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.
Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.
610429-2 : X509::cert_fields iRule command may leak memory with subpubkey argument
Component: Local Traffic Manager
Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.
Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.
Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}
Impact:
Memory will leak, eventually impacting the operation of tmm.
Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields.
610417-4 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
Solution Article: K54511423
Component: TMOS
Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. Also, it uses the undesirable TLSv1 protocol instead of negotiating to the highest safe protocol available, which is TLSv1.2.
If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established.
Conditions:
This exists when configuring devices in a device cluster.
Impact:
Unable to configure stronger ciphers for device trust.
If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.
Workaround:
None.
Fix:
Advertised client ciphers reduced to what the common criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).
610354-3 : TMM crash on invalid memory access to loopback interface stats object
Component: TMOS
Symptoms:
TMM can crash with a segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update the interface stats associated with the loopback interface when dropping packets on that interface, but the interface stats object for the loopback interface has not yet been allocated. That results in a segmentation fault.
Conditions:
TMM drops packets on its internal loopback interfaces.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround.
610255-3 : CMI improvement
Solution Article: K62279530
610243-1 : HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication
Component: Access Policy Manager
Symptoms:
The HTML5 client cannot be used to access the published applications or desktops.
HTML5 client access returns a blank/black screen and displays "Can not connect to the server".
Conditions:
APM is configured in Citrix Storefront integration mode, and HTML5 client access is enabled in Storefront.
Impact:
The HTML5 client cannot be used to access the published resources.
Workaround:
None
Fix:
HTML5 client can be used to access the published resources.
610180-5 : Misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin.
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as a SAML SP, and SLO is not properly configured on the associated saml-idp-connector objects, IdP-initiated SAML SLO may result in a memory leak in the SSO plugin.
Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO
Impact:
SSO plugin leaks memory
Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.
Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.
609691-5 : GnuPG vulnerability CVE-2014-4617
Solution Article: K21284031
608551-2 : Half-closed congested SSL connections with unclean shutdown might stall.
Component: Local Traffic Manager
Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.
Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.
Impact:
Possible stalled flow.
Workaround:
Use SSL client that sends clean shutdown.
Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.
608320-2 : iControl REST API sets non-default persistence profile properties to "none"; properties not present in iControl REST API response
Component: TMOS
Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.
Conditions:
-- Use iControl REST API with persistence profiles.
-- A string, enum, or vector of enum/string property is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns persistence profile elements (i.e., a string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with the value "none". The exception to this policy is secured attributes. Secured attributes are always excluded from the iControl REST API response.
608024-2 : Unnecessary DTLS retransmissions occur during handshake.
Component: Local Traffic Manager
Symptoms:
Unnecessary DTLS retransmissions occur during handshake.
Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.
Impact:
Possible DTLS handshake failure on VE platform.
Workaround:
None.
Fix:
This release fixes a possible failed DTLS handshake on VE platforms.
607304-1 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Component: Local Traffic Manager
Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
Conditions:
This can occur under normal operation, while running the geo_update command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Running the geo_update command no longer causes this error.
606575-2 : Request-oriented OneConnect load balancing ends when the server returns an error status code.
Component: Local Traffic Manager
Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.
Conditions:
OneConnect is enabled and the server responds with an HTTP error status code.
Impact:
The client remains connected to the server, and no further load-balancing decisions are made.
Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.
To do so, use an iRule similar to the following:
when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }
        unset auth_header
    }
    catch { ONECONNECT::detach enable }
}
Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).
Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.
605865-1 : Debug TMM produces core on certain ICMP PMTUD packets
Component: Local Traffic Manager
Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.
Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.
Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.
Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.
Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.
605661-1 : Update TZ data
Component: TMOS
Symptoms:
Prior to this update, the data files provided by the tzdata package reflected the Egyptian government's plan to transition to daylight saving time (DST) on July 7, but the Egyptian government canceled the planned transition. This update provides tzdata data files that reflect the change of plans, and will thus provide correct time zone information.
This update also includes a time zone transition for Asia/Novosibirsk from +06 to +07 on 2016-07-24 at 02:00.
Conditions:
Egyptian or Asia/Novosibirsk time zone active
Impact:
Timezone calculations do not reflect current standards
Fix:
Timezone data files updated to reflect current standards
605579-9 : iControl-SOAP expat client library is subjected to entropy attack
Solution Article: K65460334
605476 : statsd can core when reading corrupt stats files.
Component: TMOS
Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.
Conditions:
This issue occurs when the following condition is met:
The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.
Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.
Impact:
iStatsd process will restart due to resource exhaustion.
Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:
Impact of workaround: This workaround will cause all statistics in the iStats files to reset.
1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged
3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete
4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged
Fix:
Added a fix to protect against continually reading a corrupted segment file that has duplicate FIDs.
605270-3 : On some platforms the SYN-Cookie status report is not accurate
Component: TMOS
Symptoms:
On a vCMP guest, after an ePVA-enabled virtual server enters SYN Cookie mode, the FPGA never leaves SYN Cookie mode even though BIG-IP has returned to normal mode.
Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.
Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.
Workaround:
Upgrade with new fixes for this.
Fix:
BIG-IP FPGAs now correctly report hardware SYN Cookie mode.
605039-1 : lwresd and bind vulnerability CVE-2016-2775
Solution Article: K92991044
604977-4 : Wrong alert when DTLS cookie size is 32
Solution Article: K08905542
Component: Local Traffic Manager
Symptoms:
When a ServerSSL profile using DTLS receives a cookie with a length of 32 bytes, the system reports a fatal alert.
Conditions:
Another LTM with a ClientSSL profile issues a 32-byte cookie.
Impact:
DTLS with a 32-byte cookie fails.
Workaround:
None.
Fix:
DTLS now accepts cookies with a length of 32 bytes.
604880-1 : tmm assert "valid pcb" in tcp.c
Component: Local Traffic Manager
Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed
Conditions:
Unknown.
Impact:
Traffic disrupted while tmm restarts.
604767-6 : Importing SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of IdP connector object.
Component: Access Policy Manager
Symptoms:
When importing the SAML IdP's metadata, the certificate object might not be assigned as the 'idp-certificate' value of the saml-idp-connector object.
Conditions:
BIG-IP is used as SAML SP.
Impact:
The described behavior results in a misconfiguration; SAML WebSSO subsequently fails.
Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.
604496-1 : SQL (Oracle) monitor daemon might hang.
Component: Local Traffic Manager
Symptoms:
SQL (Oracle) monitor daemon might hang under high monitoring load (hundreds of monitors). The DBDaemon debug log contains messages indicating that a hung connection is being aborted and that the address is in use, unable to connect.
Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.
Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.
Workaround:
You can mitigate this issue in the following ways:
-- Reduce the number of monitored pool members.
-- Reduce the monitor frequency (increase the monitor interval).
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.
Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.
604442-3 : iControl log
Solution Article: K12685114
604272-3 : SMTPS profile connections_current stat does not reflect actual connection count.
Component: Local Traffic Manager
Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.
Conditions:
This occurs if you have an SMTPS virtual server configured.
Impact:
profile_smtps_stat.connections_current rises over time and doesn't reflect actual number of SMTPS connections active.
604237-1 : Vlan allowed mismatch found error in VCMP guest
Component: TMOS
Symptoms:
Your vCMP guests are unable to reach the network. You see the following in /var/log/ltm: "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "
Conditions:
When the vlan-allowed list contains a VLAN whose name matches the suffix of another VLAN in the list, and both VLANs are configured on the vCMP guest. For example, xyz and abc_xyz will produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."
Impact:
Unable to use VLAN.
Workaround:
Rename the VLANs such that no VLAN name matches the suffix of any other VLAN name.
603945-3 : BD config update should be considered as config addition in case of update failure
Component: Application Security Manager
Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.
Conditions:
The condition that leads to this scenario is not clear and is still under investigation.
Impact:
The update fails and the entity is not added.
Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.
This fixes the issue in the cases in which it is a single entity.
Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.
603758-4 : Big3D security hardening
Solution Article: K82038789
603723-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
Component: Local Traffic Manager
Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.
Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.
Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.
Workaround:
None.
Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.
603667-1 : TMM may leak or corrupt memory when configuration changes occur with plugins in use
Component: Local Traffic Manager
Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.
Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.
Impact:
The memory leakage generally occurs infrequently and at a rate that TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.
Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).
Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.
603609-5 : Policy unable to match initial path segment when request-URI starts with "//"
Component: Local Traffic Manager
Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".
Conditions:
Policy unable to catch request when HTTP URI path configured to match value anywhere in path or in initial path segment when the request-URI starts with "//".
Impact:
The policy does not match in this case.
Workaround:
The policy could be modified to scan the full URI instead of just the path element; however, care should be taken to correctly handle potential false matches against absolute URIs or in the query string.
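As an added illustration (not F5 code or the policy engine's own logic), the following Python sketch shows the path-element handling the workaround alludes to: it normalizes a request-URI that starts with "//" before matching the initial path segment, and contrasts a path-only match with the naive full-URI scan that falsely matches the host of an absolute-form URI or a value in the query string. The rule that empty leading segments are collapsed is an assumption made here, not F5's documented behavior.

```python
from urllib.parse import urlsplit, unquote


def split_request_uri(request_uri: str):
    """Return (path, query) for a request-URI in origin-form or absolute-form.

    Absolute-form ("http://host:8080/a/b?x=1") is handled by urlsplit. A
    request-URI that starts with "//" would be mis-read by urlsplit as a
    network-path reference (its first segment would become the netloc), so
    it is forced back into origin-form with a single leading slash first.
    """
    if request_uri.startswith("//"):
        request_uri = "/" + request_uri.lstrip("/")
    parts = urlsplit(request_uri)
    path = parts.path if parts.path else "/"
    return path, parts.query


def path_segments(path: str):
    """Split a path into its non-empty, percent-decoded segments.

    Empty segments produced by repeated slashes ("//a///b") are dropped, so
    "//admin" and "/admin" both yield ["admin"]. Assumption: this is what
    "initial path segment" is taken to mean in this example.
    """
    return [unquote(seg) for seg in path.split("/") if seg]


def initial_segment_matches(request_uri: str, value: str) -> bool:
    """Policy condition: does the initial path segment equal `value`?"""
    path, _ = split_request_uri(request_uri)
    segs = path_segments(path)
    return bool(segs) and segs[0] == value


def path_contains(request_uri: str, value: str) -> bool:
    """Policy condition: does `value` appear anywhere in the path element only?"""
    path, _ = split_request_uri(request_uri)
    return value in path


def naive_full_uri_contains(request_uri: str, value: str) -> bool:
    """The pitfall the workaround warns about: scanning the whole request-URI
    also matches the host of an absolute-form URI and the query string."""
    return value in request_uri


if __name__ == "__main__":
    # Constructed sample request-URIs, not captured traffic.
    for uri in ("//admin/users", "/admin/users?x=1",
                "http://admin.example.test/", "/login?next=/admin"):
        print(uri, initial_segment_matches(uri, "admin"),
              path_contains(uri, "admin"), naive_full_uri_contains(uri, "admin"))
```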
603606-1 : tmm core
Component: Local Traffic Manager
Symptoms:
A tmm core occurs with the following log message: notice panic: ../kern/page_alloc.c:521: Assertion "vmem_hashlist_remove not found" failed.
Conditions:
It is not known exactly what triggers this condition.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
603598-1 : big3d memory under extreme load conditions
Component: Global Traffic Manager (DNS)
Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.
This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.
Conditions:
big3d maintains a queue for monitor requests.
Incoming monitor requests are first placed in the Pending queue.
Requests are moved from the Pending queue to the Active queue, if there is room in the Active queue.
When the Pending queue is full, there is no room for the Monitor Request. big3d attempts to clean up the Monitor request, but fails to completely free the memory.
This might result in a significant memory leak.
For this to happen, the Active queue must be full as well as the Pending queue.
One possible condition that might cause this is if multiple Monitors time out. This results in Monitors having long life times, which keeps the Active queue full.
Thus the Pending queue might become full and the memory leak can occur.
In BIG-IP 11.1.0 versions of big3d, the Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0-hf3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue.
Since the queues were smaller in versions prior to 11.1.0-hf3, this leak is more likely to manifest itself there. In later versions, the leak is still possible, but is less likely to occur.
Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.
Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded. This minimizes the chance that the Pending queue becomes full.
There is no mechanism to resize the queues.
Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.
603550-4 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
Solution Article: K63164073
Component: Local Traffic Manager
Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.
As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.
-- Virtual stats 'Current SYN Cache' does not decrease.
Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, has both the FastL4 profile and a layer 7 profile such as HTTP) and a SYN flood is sent to the virtual server.
Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.
Workaround:
None.
Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.
602749 : Memory exhaustion when asking for missing page of learning suggestion occurrences
Component: Application Security Manager
Symptoms:
High CPU Utilization: event code I706 Bypassing ASM
Conditions:
Open the occurrences for a suggestion that has multiple pages, clear the requests (on a real system this happens because of traffic, but it can also be done directly in the database by clearing the LRN_REQUESTS table), then change to the second page.
Impact:
Memory exhaustion.
Workaround:
None
601938-5 : MCPD stores certain data incorrectly
Solution Article: K52180214
601927-4 : Security hardening of control plane
Solution Article: K52180214
Component: TMOS
Symptoms:
File permission changes are needed, as found by internal testing.
Conditions:
N/A
Impact:
N/A
Fix:
Apply latest security practices to control plane files.
601709-4 : I2C error recovery for BIG-IP 4340N/4300 blades
Solution Article: K02314881
Component: TMOS
Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.
Conditions:
This rarely happens.
Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.
Workaround:
bigstart restart bcm56xxd
Fix:
The system now ensures that the I2C internal bus can recover from occasional errors.
601527-1 : mcpd memory leak and core
Component: TMOS
Symptoms:
Mcpd can leak memory during config update or config sync.
Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http
Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.
Fix:
Fixed a memory leak in mcpd.
601407 : Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards
Component: Access Policy Manager
Symptoms:
While adding a new account from Citrix Receiver, it does not prompt for the credentials.
Conditions:
APM is in integration mode with Storefront or web interface and APM uses only pnagent protocol for the integration.
Impact:
The published applications cannot be accessed.
Workaround:
None
Fix:
APM supports new user agent string from Citrix Receiver 4.3 onwards.
601268-2 : PHP vulnerability CVE-2016-5766
Solution Article: K43267483
600982-7 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
Component: Local Traffic Manager
Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.
Conditions:
No specific configuration is required; however, this is a very rare occurrence in which the random number generator can technically generate the number zero (0) as the session ID, which triggers the assertion.
Impact:
Traffic disrupted while TMM restarts, and failover occurs if high availability is configured. Mirroring and LB may be lost with renegotiation for certain types of traffic.
Workaround:
None.
Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.
600827-3 : Stuck Nitrox crypto queue can erroneously be reported
Solution Article: K21220807
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based hardware (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Hardware Error(Co-Processor): n3-crypto0 request queue stuck.
Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses Nitrox PX or Nitrox 3 encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.
Workaround:
None.
Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.
600662-5 : NAT64 vulnerability CVE-2016-5745
Solution Article: K64743453
600558-10 : Errors logged after deleting user in GUI
Component: TMOS
Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:
1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):
mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests
This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.
2. After clicking Refresh, the GUI may not show the correct web page.
Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.
Impact:
Error messages logged.
GUI may not show the correct web page.
Workaround:
Use the CLI (tmsh) to delete local users.
Fix:
Errors are no longer logged after deleting user in GUI.
600396-1 : iControl REST may return 404 for all requests in AWS
Component: TMOS
Symptoms:
iControl REST queries may fail against specific versions of BIG-IP in AWS. When this issue is encountered, all queries fail for the entirety of the BIG-IP uptime. An error message mentioning "RestWorkerUriNotFoundException" will be returned. For instance, this basic query will always return 404:
curl -k -u admin:ADMINPASSWORD -sv -X GET https://1.2.3.4/mgmt/tm/ltm
* Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: localhost.localdomain
* Server auth using Basic with user 'admin'
> GET /mgmt/tm/ltm HTTP/1.1
> Host: 1.2.3.4
> Authorization: Basic ....
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: 20 Jun 2016 17:49:39 UTC
< Server: com.f5.rest.common.RestRequestSender
...
{ [1093 bytes data]
* Connection #0 to host 1.2.3.4 left intact
{
"errorStack" : [
"com.f5.rest.common.RestWorkerUriNotFoundException: http://localhost:8100/mgmt/tm/ltm",
"at com.f5.rest.workers.ForwarderPassThroughWorker.cloneAndForwardRequest(ForwarderPassThroughWorker.java:293)",
"at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:211)",
"at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)",
"at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)",
"at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)",
"at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:850)",
"at com.f5.rest.common.RestServer.access$000(RestServer.java:43)",
"at com.f5.rest.common.RestServer$1.run(RestServer.java:147)",
"at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)",
"at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)",
"at java.lang.Thread.run(Thread.java:722)\n"
],
"restOperationId" : 8827,
"code" : 404,
"referer" : "4.3.2.1",
"message" : "http://localhost:8100/mgmt/tm/ltm"
}
Conditions:
The trigger is not known; the issue intermittently affects new BIG-IP instances running in Amazon Web Services (AWS EC2) cloud environments.
Impact:
All iControl REST queries (GETs, PUTs, POSTs, DELETEs) always fail until the BIG-IP is restarted.
Workaround:
Restart the BIG-IP.
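As an added illustration (not part of the release note or of any F5 tool), the following Python classifies an iControl REST response by the errorStack shown above, and distinguishes this device-wide condition from an ordinary 404 caused by a mistyped URI. The function names, the sample body and the choice of probe endpoints are assumptions of this example.

```python
import json
from typing import Any, Dict, Iterable, List, Tuple

# Exception class quoted in the release note; its presence in errorStack is the
# marker for this issue (assumption: ordinary 404s do not carry it).
URI_NOT_FOUND = "com.f5.rest.common.RestWorkerUriNotFoundException"

# Constructed sample response, modelled on the curl output in the release note.
SAMPLE_BODY = json.dumps({
    "errorStack": [
        URI_NOT_FOUND + ": http://localhost:8100/mgmt/tm/ltm",
        "at com.f5.rest.workers.ForwarderPassThroughWorker.cloneAndForwardRequest(ForwarderPassThroughWorker.java:293)",
        "at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:850)",
    ],
    "restOperationId": 8827,
    "code": 404,
    "message": "http://localhost:8100/mgmt/tm/ltm",
})


def classify_rest_failure(status: int, body: str) -> str:
    """Classify one iControl REST response.

    Returns:
      'ok'                         for a 2xx status,
      'rest-worker-uri-not-found'  for a 404 whose errorStack names the exception
                                   above (the condition in this release note),
      'not-found'                  for any other 404 (for example a mistyped URI),
      'other-error'                for everything else.
    """
    if 200 <= status < 300:
        return "ok"
    try:
        doc: Dict[str, Any] = json.loads(body)
    except ValueError:
        doc = {}
    stack = doc.get("errorStack") or []
    if status == 404 and any(URI_NOT_FOUND in str(frame) for frame in stack):
        return "rest-worker-uri-not-found"
    if status == 404:
        return "not-found"
    return "other-error"


def device_rest_broken(probes: Iterable[Tuple[int, str]]) -> bool:
    """Decide whether the device is in the state this note describes.

    Every request fails for the whole uptime of an affected instance, so one
    404 is not enough evidence (it may just be a bad URI). The caller probes
    several endpoints that exist on every BIG-IP (assumption: for example
    /mgmt/tm/ltm and /mgmt/tm/sys) and passes the (status, body) pairs here;
    the device is only declared broken when all of them return the
    uri-not-found classification.
    """
    results: List[str] = [classify_rest_failure(s, b) for s, b in probes]
    return bool(results) and all(r == "rest-worker-uri-not-found" for r in results)


if __name__ == "__main__":
    # Two constructed probes, both failing as in the release note.
    probes = [(404, SAMPLE_BODY), (404, SAMPLE_BODY)]
    print(classify_rest_failure(404, SAMPLE_BODY))  # rest-worker-uri-not-found
    print(device_rest_broken(probes))               # True: apply the workaround (restart)
```

A monitoring job can collect the pairs with any HTTP client against two or three known-good endpoints and raise an alert when device_rest_broken() returns True, since the note's only remedy is a restart.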
600248-5 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600232-5 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600223-5 : OpenSSL vulnerability CVE-2016-2177
Solution Article: K23873366
600205-5 : OpenSSL Vulnerability: CVE-2016-2178
Solution Article: K53084033
600198-5 : OpenSSL vulnerability CVE-2016-2178
Solution Article: K53084033
600116 : DNS resolution request may take a long time in some cases
Component: Access Policy Manager
Symptoms:
DNS resolution may appear slow in some cases
Conditions:
All of the following conditions must be met:
1) The DNS Relay proxy is installed on the user's machine.
2) The user's machine has multiple network adapters, some of which are in a disconnected state.
Impact:
DNS resolution is slow.
Workaround:
Disable network adapters that are not connected.
Fix:
The DNS Relay proxy server no longer proxies DNS servers on non-connected interfaces, which fixes the slow DNS resolution issue.
600069-4 : Portal Access: Requests handled incorrectly
Solution Article: K54358225
599536-5 : IPsec peer with wildcard selector brings up wrong phase2 SAs
Solution Article: K05263202
599285-5 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
Solution Article: K51390683
599191-1 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
Component: TMOS
Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.
Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync
Impact:
A stale key is left on the FIPS card. There is no impact to functionality.
Workaround:
Check the handles/key IDs of the keys in the configuration using tmsh, then remove the key that is not in use with the command tmsh delete sys crypto key <keyname>.
599168-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Solution Article: K35520031
598983-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
Solution Article: K35520031
598981-1 : APM ACL does not get enforced all the time under certain conditions
Solution Article: K06913155
Component: Access Policy Manager
Symptoms:
APM ACL does not get enforced all the time under certain conditions
Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.
Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.
Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.
Fix:
Switching context when applying ACL is properly processed, and no longer cause ACL to be not enforced.
598874-1 : GTM Resolver sends FIN after SYN retransmission timeout
Component: Local Traffic Manager
Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.
Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.
Impact:
Firewalls may log the FIN as a possible attack.
Fix:
Do not send anything in response to a SYN retransmission timeout.
598860-5 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
Component: Local Traffic Manager
Symptoms:
The IP::addr iRule command should translate an IPv6 address containing an embedded IPv4 address into that IPv4 address, but instead converts it into an IPv4-compatible IPv6 address.
Example:
ltm rule test_bug {
when CLIENT_DATA {
log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
}
}
Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1
Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1
Conditions:
Using IP::addr to convert an IPv6 address to an IPv4 address.
Impact:
Address is converted into an IPv4-compatible IPv6 address.
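As an added worked example (not from the release note or the iRule engine), this Python reproduces the masking that IP::addr performs and shows both the expected IPv4 result and the pre-fix IPv4-compatible IPv6 form for the address above; it also covers the case where the mask leaves upper bits set and no IPv4 address can be extracted. The function names are this example's own.

```python
import ipaddress
from typing import Optional


def mask_ipv6(address: str, mask: str) -> ipaddress.IPv6Address:
    """Bitwise AND of an IPv6 address and an IPv6 mask, which is what
    'IP::addr <addr> mask <mask>' computes."""
    a = int(ipaddress.IPv6Address(address))
    m = int(ipaddress.IPv6Address(mask))
    return ipaddress.IPv6Address(a & m)


def embedded_ipv4(addr: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried in the low 32 bits when the upper
    96 bits are all zero (an IPv4-compatible IPv6 address, ::a.b.c.d).
    Return None when upper bits remain set, since no IPv4 address exists."""
    value = int(addr)
    if value >> 32:
        return None
    return ipaddress.IPv4Address(value)


def expected_ip_addr(address: str, mask: str) -> str:
    """What the iRule should log: a plain IPv4 string when the masked result
    fits in 32 bits, otherwise the masked IPv6 address unchanged."""
    masked = mask_ipv6(address, mask)
    v4 = embedded_ipv4(masked)
    return str(v4) if v4 is not None else str(masked)


def pre_fix_ip_addr(address: str, mask: str) -> str:
    """What the affected releases log: the IPv4-compatible IPv6 text
    '::a.b.c.d' instead of the bare IPv4 address."""
    masked = mask_ipv6(address, mask)
    v4 = embedded_ipv4(masked)
    return f"::{v4}" if v4 is not None else str(masked)


if __name__ == "__main__":
    # Input taken from the release note's example iRule.
    addr, m = "2A01:CB09:8000:46F5::A38:1", "::ffff:ffff"
    print("expected:", expected_ip_addr(addr, m))  # 10.56.0.1
    print("actual  :", pre_fix_ip_addr(addr, m))   # ::10.56.0.1
```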
598211-3 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
Component: Access Policy Manager
Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.
Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.
Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.
Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.
when HTTP_REQUEST {
if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
HTTP::path "/Citrix/$store_name/"
}
}
Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.
598039-8 : MCP memory may leak when performing a wildcard query
Component: TMOS
Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.
Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).
Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).
Workaround:
Do not perform wildcard queries.
Fix:
MCP no longer leaks memory when wildcard queries are performed.
598002-4 : OpenSSL vulnerability CVE-2016-2178
Solution Article: K53084033
597978-5 : GARPs may be transmitted by the active unit when going offline
Component: Local Traffic Manager
Symptoms:
GARPs may be transmitted by the active unit when it goes offline. Because the standby that takes over for the active also transmits GARPs, this is not expected to cause impact.
Conditions:
Multiple traffic-groups are configured and the active unit goes offline.
Impact:
It is not expected that this will cause any impact.
Workaround:
Make the unit standby before forcing it offline.
597966-1 : ARP/neighbor cache nexthop object can be freed while still referenced by another structure
Component: Local Traffic Manager
Symptoms:
Use after free or double-free of the nexthop object may cause memory corruption or TMM core.
Conditions:
This can happen if the server-side connection establishment takes some time to complete, creating a large enough time window where the nexthop object might be freed.
Impact:
The BIG-IP dataplane might crash. This is a very timing/memory-usage-dependent issue.
Workaround:
None.
Fix:
Management of nexthop object reference counting is more consistent.
597652-1 : CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match
Solution Article: K20225390
597431-6 : VPN establishment may fail when computer wakes up from sleep
Component: Access Policy Manager
Symptoms:
EdgeClient does not clean up the routing table before Windows hibernates. This may cause VPN establishment to fail when the computer wakes up, and may also cause other network connectivity issues.
Conditions:
- VPN connection is not disconnected.
- Computer goes into hibernation.
Impact:
Network connectivity issues.
Workaround:
Renew the DHCP lease by running:
ipconfig /renew
or reboot the machine.
597429 : eam maintains lock on /var/log/apm.1 after logrotate
Component: Access Policy Manager
Symptoms:
/var/log fills up and eventually runs out of disk space. Old log files are not being deleted from the rotation, and they are locked and unable to be removed.
Conditions:
This occurs when eam is configured. eam provides external access management for 3rd party identity integration such as Oracle Access Manager (OAM) SSO.
Impact:
/var/log consumes an unusually high amount of disk space, and logrotate does not work correctly.
597394-5 : Improper handling of IP options
Solution Article: K46535047
597214-6 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
You can use an iRule to rename field names in the original code.
Fix:
Portal Access now correctly handles JavaScript literal object definitions that contain reserved keywords as field names.
597089-3 : Connections are terminated after 5 seconds when using ePVA full acceleration
Component: Local Traffic Manager
Symptoms:
When using a Fast L4 profile with ePVA full acceleration configured, the 5-second TCP three-way handshake (3WHS) timeout is not updated to the TCP idle timeout after the handshake completes. The symptom is an unusually high number of connections getting reset in a short period of time.
Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the Fast L4 profile with pva-acceleration set to full.
Impact:
Many connections get reset, including TCP connections that idle longer than expected, and performance may suffer.
Workaround:
Disabling the PVA resolves the issue.
597023-5 : NTP vulnerability CVE-2016-4954
Solution Article: K82644737
597010-5 : NTP vulnerability CVE-2016-4955
Solution Article: K03331206
596997-5 : NTP vulnerability CVE-2016-4956
Solution Article: K64505405
596814-2 : HA Failover fails in certain valid AWS configurations
Component: TMOS
Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Conditions:
AWS deployments in which the provided IP address matches multiple network interfaces (other Amazon VPCs in the same Availability Zone contain unrelated instances that have the same IP address as the BIG-IP's floating IP address).
Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.
Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.
Fix:
Failover now narrows the network-interface lookup by filtering on the VPC ID.
596603-5 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
Component: TMOS
Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.
Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.
Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.
Workaround:
Choose c4.4xlarge or another instance type in AWS.
Fix:
Issue corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.
596488-5 : GraphicsMagick vulnerability CVE-2016-5118.
Solution Article: K82747025
596433-1 : Virtual with lasthop configured rejects request with no route to client.
Component: Local Traffic Manager
Symptoms:
A virtual server with a lasthop pool configured rejects requests sourced from a MAC address that is not configured in the lasthop pool.
Conditions:
This issue occurs when the following conditions are met:
- Virtual server with a lasthop pool.
- Connection sourced from a MAC address that is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- tm.lhpnomemberaction db key is set to 2.
Impact:
Connection is erroneously reset with no route to client.
Workaround:
- Change the tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add the IP address of the lasthop member that the client originates from to the lasthop pool.
596340-4 : F5 TLS vulnerability CVE-2016-9244
Solution Article: K05121675
596134-1 : TMM core with PEM virtual server
Component: Policy Enforcement Manager
Symptoms:
TMM cores; the following signature appears in /var/log/ltm:
err tmm1[7822]: 011f0007:3: http_process_state_prepend - Invalid action:0x109010
Conditions:
A core may occur if a PEM virtual has a parked flow (through an iRule, persistence profile, or other mechanism), where an internal control event occurs while the flow is parked.
Impact:
Traffic disrupted while tmm restarts.
Fix:
PEM now checks for a HUDCTL_ABORT message before processing other HUD messages.
595874-3 : Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.★
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) instances that use the Amazon Web Services (AWS) hourly billing license model may fail when upgrading to version 12.1.0.
As a result of this issue, you may encounter the following symptom:
After upgrading to version 12.1.0, the BIG-IP VE instance license is invalid.
Conditions:
This issue occurs when all of the following conditions are met:
-- You have BIG-IP VE instances that use the hourly billing licensing model.
-- Your BIG-IP VE instances are running 11.5.x or 11.6.x software versions.
-- Your BIG-IP VE instances are running within the AWS EC2 environment.
-- You upgrade the BIG-IP VE instance using the liveinstall method.
Impact:
BIG-IP VE instance licenses are not valid after upgrading to software version 12.1.0.
Workaround:
To work around this issue, you can use the liveinstall method on the hotfix image directly (instead of installing the base software image and then the hotfix image). To do so, perform the following procedure:
Impact of workaround: Performing the following procedure requires rebooting the system and should be performed only during a maintenance window.
1. Download the BIGIP-12.1.0.0.0.1434.iso and Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso files to your workstation. For more information about downloading software, refer to SOL167: Downloading software and firmware from F5.
2. Copy the downloaded files from your workstation to the /shared/images directory on the VE instance.
3. To perform the installation by using the liveinstall method and reboot the BIG-IP VE instance to the volume running the new software, use the following command syntax:
tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume <volume-number> reboot
For example, to install the hotfix to volume HD1.3 and reboot to the volume running the newly installed software, type the following command:
tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume HD1.3 reboot
4. Verify the installation progress by typing the following command:
tmsh show sys software
Output appears similar to the following example:
Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct
Fix:
BIG-IP VE instances that use the AWS hourly billing license model now complete successfully when upgrading to version 12.1.0.
595773-6 : Cancellation requests for chunked stats queries do not propagate to secondary blades
Component: TMOS
Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.
Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).
Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.
Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.
594496-4 : PHP Vulnerability CVE-2016-4539
Solution Article: K35240323
593447-3 : BIG-IP TMM iRules vulnerability CVE-2016-5024
Solution Article: K92859602
593390-1 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
Component: Local Traffic Manager
Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.
Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.
Impact:
Higher memory usage than necessary.
Workaround:
Always have iRules select profiles using the complete path.
Fix:
If an iRule attempts to select a profile using only its name, the system now prepends the /Common path before looking it up, so another version of the profile cannot be instantiated and the memory issue no longer occurs.
592871-1 : Cavium Nitrox PX/III stuck queue diagnostics missing.
Component: Local Traffic Manager
Symptoms:
A diagnostics tool is needed to investigate a rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" state.
Conditions:
A system with Cavium Nitrox PX/III chip(s), which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRION B2200 blade, that hits a rare issue which logs a "request queue stuck" message in /var/log/ltm.
Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.
Workaround:
None.
Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.
592869 : Syntax Error when reimporting exported content containing acl-order 0
Component: Access Policy Manager
Symptoms:
Syntax Error when reimporting exported content containing acl-order 0. The error message is similar to the following.
Syntax Error: ... 'acl-order' may not be specified more than once; Validating configuration...
Conditions:
The exported config has an APM resource with acl-order 0.
Impact:
Unable to import the exported .conf.tar.gz.
Workaround:
None.
Fix:
It is now possible to export and then import a config that contains an APM resource with acl-order 0.
592868-1 : Rewrite may crash processing HTML tag with HTML entity in attribute value
Component: Access Policy Manager
Symptoms:
If an HTML page contains HTML entities in attribute values, rewrite may crash while processing the page.
Conditions:
HTML tag like this:
<script src=" " type="text/javascript"></script>
Impact:
Web application may not work correctly.
Workaround:
In most cases, an iRule can replace the HTML entities with the appropriate characters.
Fix:
Rewrite now correctly handles HTML entities in attribute values.
592854-2 : Protocol version set incorrectly on serverssl renegotiation
Component: Local Traffic Manager
Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.
Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.
Impact:
Protocol field is invalid (0), and the server will reset the connection.
Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.
592784 : Compression stalls, does not recover, and compression facilities cease.
Component: Local Traffic Manager
Symptoms:
Compression stalls, does not recover, and compression facilities may cease.
Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).
Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.
Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.
Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.
592485-1 : Linux kernel vulnerability CVE-2015-5157
Solution Article: K17326
592414-3 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
Component: Access Policy Manager
Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.
Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.
Impact:
Web application malfunction.
Workaround:
None.
Fix:
Fixed.
591918-6 : ImageMagick vulnerability CVE-2016-3718
Solution Article: K61974123
591908-6 : ImageMagick vulnerability CVE-2016-3717
Solution Article: K29154575
591894-6 : ImageMagick vulnerability CVE-2016-3715
Solution Article: K10550253
591881-5 : ImageMagick vulnerability CVE-2016-3716
Solution Article: K25102203
591828-3 : For unmatched connection, TCP RST may not be sent for data packet
Solution Article: K52750813
Component: Advanced Firewall Manager
Symptoms:
When a TCP connection times out (there is no entry in 'show sys conn') and a subsequent data packet (not a SYN) arrives, the BIG-IP system does not send a RST to the client to reset the connection.
Conditions:
This issue occurs if AFM is provisioned. Additionally, in BIG-IP v12.1.0 and above, it occurs if ASM is provisioned (regardless of AFM provisioning).
-- Packets other than SYN with no entry in the connection table arrive.
This can occur either after a failover (when mirroring is disabled) when traffic arrives at the newly-active system, or can occur if the relevant virtual server has 'reset-on-timeout' disabled.
Impact:
Client retransmits several times and then terminates TCP connection. There is no RST sent from BIG-IP to client for unmatched connection.
Workaround:
Enable the reset on timeout option to send TCP RST to client when connection times out.
Note: This workaround does not address the circumstances where a newly-active BIG-IP system receives traffic (e.g. after a failover or system reboot).
Fix:
The BIG-IP system now sends a TCP RST for unknown connections so the clients and backend servers can start a new connection.
591806-4 : ImageMagick vulnerability CVE-2016-3714
Solution Article: K03151140
591789 : IPv4 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv4 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled on version 11.5.4, 11.6.0 HF6, or 11.6.1.
Impact:
IPv4 fragments with a non-zero offset are lost.
Workaround:
Disable packet filtering.
Fix:
IPv4 fragments are no longer incorrectly dropped when packet filtering is enabled.
591767-4 : NTP vulnerability CVE-2016-1547
Solution Article: K11251130
591666-1 : TMM crash in DNS processing on TCP virtual with no available pool members
Component: Local Traffic Manager
Symptoms:
TMM crash when processing requests to a DNS virtual server.
Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.
Ensure datagram LB mode is enabled on UDP DNS virtuals.
Fix:
Product corrected to prevent crash when there are no available members.
591659-2 : Server shutdown is propagated to client after X-Cnection: close transformation.
Solution Article: K47203554
Component: Local Traffic Manager
Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.
Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.
Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.
Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool members max keep-alive setting. This forces OneConnect to close the connection before the pool member.
Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.
591476-6 : Stuck crypto queue can erroneously be reported
Solution Article: K53220379
Component: Local Traffic Manager
Symptoms:
In some cases, a stuck crypto queue is erroneously detected on Cavium Nitrox-based platforms (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log, followed by a tmm crash: Device error: crypto codec cn-crypto-0 queue is stuck.
Conditions:
-- Running on one of the following platforms:
+ BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 2xxx, 4xxx, 5xxx, 7xxx, 10xxx, 11xxx, 12xxx, i2xxx, and i4xxx
+ VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.
Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover. Traffic disrupted while tmm restarts.
Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:
tmsh modify sys db crypto.queue.timeout value 0
To clear erroneously stuck queues, you must restart tmm or reboot the BIG-IP system.
Note: Traffic is disrupted during restarts.
Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue on Nitrox devices.
591455-3 : NTP vulnerability CVE-2016-2516
Solution Article: K24613253
591447-4 : PHP vulnerability CVE-2016-4070
Solution Article: K42065024
591438-3 : PHP vulnerability CVE-2015-8865
Solution Article: K54924436
591328-3 : OpenSSL vulnerability CVE-2016-2106
Solution Article: K36488941
591327-3 : OpenSSL vulnerability CVE-2016-2106
Solution Article: K36488941
591325-3 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
Solution Article: K75152412
591117-2 : APM ACL construction may cause TMM to core if TMM is out of memory
Component: Access Policy Manager
Symptoms:
During ACL construction, TMM sends queries for the assigned ACL information. If the reply contains an out-of-memory error, TMM did not handle that error properly, causing TMM to core.
Conditions:
BIG-IP is extremely loaded and out of memory.
Impact:
Traffic disrupted while tmm restarts.
Fix:
TMM now handles an out-of-memory error reply during ACL construction without crashing.
591042-6 : OpenSSL vulnerabilities
Solution Article: K23230229
590820-5 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Component: Access Policy Manager
Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.
Impact:
Very low web application performance when using Microsoft Internet Explorer.
Workaround:
None.
Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.
590345-4 : ACCESS policy running iRule event agent intermittently hangs
Component: Access Policy Manager
Symptoms:
If you are using iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.
Conditions:
iRule event agent is configured.
iRule uses ACCESS_POLICY_EVENT_AGENT event
Within this event, ACCESS::policy agent_id command is used.
Impact:
Policy execution intermittently hangs.
Workaround:
Please use this command:
ACCESS::session data get {session.custom_event.id}
Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.
589856 : iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients
Component: TMOS
Symptoms:
When two iControl REST clients using the same username create transactions simultaneously, they can receive the same transaction ID. This disrupts the execution of both clients' code.
Conditions:
Client requests to create a transaction arrive close together in time.
Impact:
Transaction semantics are not followed, and unintended errors may occur.
589400-5 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Solution Article: K33191529
Component: Local Traffic Manager
Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.
Impact:
Additional connection latency.
Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.
If init-cwnd is low, raising it might also help.
Disabling abc can also reduce the problem, but might have other negative network implications.
Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.
589379-1 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
Solution Article: K20937139
Component: TMOS
Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.
Conditions:
OSPF using route health injection for default route.
Impact:
No functional impact. The extraneous LSA is immediately aged out.
Workaround:
Configure a static default route in imish instead of using RHI for the default route.
Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
589338-2 : Linux host may lose dynamic routes on secondary blades
Component: TMOS
Symptoms:
The Linux host residing on a secondary blade might lose dynamic routes previously learned via a dynamic routing protocol.
Conditions:
- Multibladed chassis or vCMP guest.
- Routes learned via dynamic routing.
- Restart of services or reboot of secondary blade.
Impact:
Routes on Linux host of secondary blade are lost. This might affect host traffic, such as monitoring, remote logging, etc., due to the lack of routing information.
Workaround:
Modify the ZebOS maximum-paths setting on the primary blade to trigger a route update to the non-primary blades.
Add a custom alert to the user_alert.conf to auto-mitigate this issue whenever a blade joins the cluster.
# 11.5.x workaround for user_alert.conf
alert BLADE_JOINED_CLUSTER "010719fc:5: Mate cluster member (.*) turned Green." {
exec command="/usr/sbin/zebos -a cmd 'enable,conf t,maximum-paths 5,maximum-paths 4,exit,exit'"
}
Note: The Mate cluster log message is not present in 11.6.x, so this is an 11.5.x-only workaround.
Fix:
This issue no longer occurs, so there is consistency among blades.
589298 : TMM crash with a core dump
Component: Application Security Manager
Symptoms:
TMM crash with a core dump
Conditions:
ASM provisioned
Session Awareness enabled
Mirroring is enabled
HA (CMI) setup
Impact:
Traffic disrupted while tmm restarts.
Workaround:
none
Fix:
We've fixed the handling of Session Awareness in an HA (CMI) setup to prevent TMM crashes.
589256-4 : DNSSEC NSEC3 records with different type bitmap for same name.
Solution Article: K71283501
Component: Global Traffic Manager (DNS)
Symptoms:
For a delegation from a secure zone to an insecure zone, the BIG-IP system returns a different type bitmap in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.
Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend BIND server, if it is selected as fallback. Without a ZSK/KSK for the insecure child zone, BIND responds with an SOA, which the system dynamically signs.
Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.
Workaround:
None.
Fix:
If the response is NODATA from either the proxy or a transparent cache, and the query type is DS, the types bitmap is now set to NS.
589039-3 : Clearing masquerade MAC results in unexpected link-local self IP addresses.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system advertises fe80::200:ff:fe00:0 as a self IP address.
Conditions:
Masquerade MAC changes from non-zero to zero.
Impact:
This might cause IP address conflicts between devices in a high availability (HA) configuration.
Workaround:
Restart tmm after setting masquerade MAC to zero.
Fix:
The system does not advertise invalid self IP addresses on clearing masquerade MAC.
588572-2 : Unnecessary re-transmission of packets on higher ICMP PMTU.
Component: Local Traffic Manager
Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.
Conditions:
ICMP PMTU is higher than existing MTU. User enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG
Impact:
Burst traffic generated.
Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.
Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU) in the advanced TCP implementation.
588569-2 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
Component: Local Traffic Manager
Symptoms:
The TCP segment size is 40 bytes smaller than it should be.
Conditions:
ICMP implementation using Path MTU (PMTU). User enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG
Impact:
The impact of this issue is less data per TCP segment.
Workaround:
Disable Path MTU Discovery by running the following command:
tmsh modify sys db tm.enforcepathmtu value disable
Fix:
Don't include maximum TCP options length in calculating MSS on ICMP PMTU in the advanced TCP implementation.
588351-3 : IPv6 fragments are dropped when packet filtering is enabled.
Component: Local Traffic Manager
Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.
Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.
Impact:
IPv6 fragments with a non-zero offset are lost.
Workaround:
Disable packet filtering.
Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.
588115-4 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
Component: Local Traffic Manager
Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.
Conditions:
- Unit configured with a floating self-IP and allow-service != none.
- More specific route exists via GW to the self-IP.
- Configured gateway for the overlapping route is unreachable.
- Ingress traffic to the floating self-IP.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.
Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.
587966-5 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
Solution Article: K77283304
Component: Local Traffic Manager
Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.
Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.
Impact:
A Type DNS Query dropped intermittently.
Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.
Fix:
Type A requests no longer dropped when A and AAAA DNS Query requested at the same time with the same source IP and Port.
587892 : Multiple iRule proc names might clash, causing the wrong rule to be executed.
Component: Local Traffic Manager
Symptoms:
Multiple iRule proc names might clash, causing the wrong rule to be executed.
Conditions:
This occurs when there is an iRule configured with more than one proc, which might cause the wrong proc to get executed.
Impact:
The call proc might execute the wrong proc.
Workaround:
None.
Fix:
Multiple iRules configured with more than one proc no longer cause the wrong proc to get executed.
587705-6 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
Solution Article: K98547701
Component: Local Traffic Manager
Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.
Conditions:
'Match_across_virtual' is enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to pool members from different pools. Some of these pool members do not belong to any of the current virtual server's pools.
Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.
Workaround:
None.
Fix:
Persist lookups now succeed for source_addr with match-across-virtual servers when multiple entries exist with different pools.
587691-2 : TMM crashes upon SSL handshake cancellation.
Solution Article: K41679973
Component: Local Traffic Manager
Symptoms:
TMM crashes upon SSL handshake cancellation.
Conditions:
SSL handshake cancellation.
Impact:
TMM crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes when SSL handshake is canceled.
587617-4 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.
Conditions:
No GTM server object configured with existent selfip.
Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.
Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671
Fix:
gtmd no longer cores in this scenario.
587077-4 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
Solution Article: K37603172
586878-1 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
Component: TMOS
Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.
The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.
Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).
Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key
Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.
Workaround:
To work around this issue, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
For example, it might look similar to the following:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
app-service none
cert none
cert-key-chain {
"" { }
}
chain none
defaults-from /Common/clientssl
inherit-certkeychain false
key none
passphrase none
}
Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
ltm profile client-ssl /Common/cssl_no-cert-key2 {
app-service none
cert none
cert-key-chain {
default { }
}
chain none
defaults-from /Common/clientssl
inherit-certkeychain false
key none
passphrase none
}
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
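A pre-upgrade check for the profiles described in this workaround, as an added example that is not F5's code and is not part of these release notes: a Python script that parses a bigip.conf excerpt (a constructed sample is embedded) and lists client-ssl profiles that carry no usable cert/key pair, so they can be removed before step 3 instead of discovered after the upgrade fails. The profile names, the rule that a pair is usable only when both cert and key are set to something other than none, empty or 'default', and the treatment of inherit-certkeychain true as unaffected are assumptions of the example.

```python
import re

# Constructed sample in bigip.conf syntax (not from a real device). The first two
# profiles mirror the invalid shapes shown in the workaround; the third is a
# valid one for contrast.
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_named_empty {
    cert none
    cert-key-chain {
        default { }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_ok {
    cert-key-chain {
        example {
            cert example.crt
            key example.key
        }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
}
"""

# Values the release note describes as not counting as a cert or key (assumed rule).
EMPTY_VALUES = {"none", "", '""', "default"}
PROFILE_HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{$")
EMPTY_BLOCK = re.compile(r"^(.*?)\s*\{\s*\}$")   # e.g.  "" { }  or  default { }


def _parse_block(lines, i):
    """Parse a brace block starting at lines[i]; return (settings dict, next index)."""
    node = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line == "}":
            break
        empty = EMPTY_BLOCK.match(line)
        if empty:                        # named block with nothing inside
            node[empty.group(1)] = {}
        elif line.endswith("{"):         # nested block: recurse
            node[line[:-1].strip()], i = _parse_block(lines, i)
        elif line:                       # scalar setting: "key value"
            parts = line.split(None, 1)
            node[parts[0]] = parts[1] if len(parts) > 1 else ""
    return node, i


def parse_client_ssl_profiles(text):
    """Return {profile name: parsed settings} for every client-ssl profile in text."""
    lines, profiles, i = text.splitlines(), {}, 0
    while i < len(lines):
        m = PROFILE_HEADER.match(lines[i].strip())
        if m:
            profiles[m.group(1)], i = _parse_block(lines, i + 1)
        else:
            i += 1
    return profiles


def _has_usable_pair(node):
    """True when both cert and key are set to a real value."""
    return all(node.get(k, "none") not in EMPTY_VALUES for k in ("cert", "key"))


def profile_lacks_certkey(profile):
    """True when neither the profile nor any cert-key-chain entry carries a cert/key pair."""
    # Assumption: a profile inheriting its chain from the parent profile is not affected.
    if profile.get("inherit-certkeychain") == "true":
        return False
    chain = profile.get("cert-key-chain")
    entries = list(chain.values()) if isinstance(chain, dict) else []
    return not any(isinstance(n, dict) and _has_usable_pair(n)
                   for n in [profile] + entries)


def find_profiles_without_certkey(text):
    """Names of client-ssl profiles that the 11.5.4+ validation would reject at load."""
    return [name for name, body in parse_client_ssl_profiles(text).items()
            if profile_lacks_certkey(body)]


if __name__ == "__main__":
    for name in find_profiles_without_certkey(SAMPLE_BIGIP_CONF):
        print("profile without usable cert/key pair:", name)
```

Run it against a copy of /config/bigip.conf from the pre-upgrade system (read the file and pass its contents to find_profiles_without_certkey); every name it prints is a profile to remove in step 3 and re-create in step 5.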
586738-3 : The tmm might crash with a segfault.
Component: Local Traffic Manager
Symptoms:
The tmm might crash with a segfault.
Conditions:
Using IPsec with hardware encryption.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
IPsec configured with hardware encryption now returns an error code when appropriate and handles the error as expected, so tmm no longer crashes with a segfault.
586718-5 : Session variable substitutions are logged
Component: Access Policy Manager
Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see logs such as the following, with the encrypted password logged:
debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'
Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.
Impact:
Session variable substitutions should not be logged, even when the value is encrypted.
Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.
Fix:
Session variable substitutions are no longer logged.
586056 : Machine cert checker doesn't work as expected if issuer or AltName is specified
Component: Access Policy Manager
Symptoms:
Windows Machine cert checker doesn't work as expected if issuer or AltName is specified. User cannot pass access policy even with valid machine cert.
Logs such as the following may be produced on the client PC:
EXCEPTION - CCertCheckCtrl::Verify FindCertificateInStore failed with error code:
and
CCertCheckCtrl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"1", Allow elevation UI:"0", Serial number(HEX):"", Issuer:"??????????????????????", SubjectAltName:""
Conditions:
Issuer or Subject AltName fields are populated.
Site recently upgraded to 11.5.4.
Impact:
User may not pass the policy as expected.
Workaround:
N/A
Fix:
The Machine Cert checker now correctly processes the issuer and SAN fields.
586006-5 : Failed to retrieve CRLDP list from client certificate if DirName type is present
Component: Access Policy Manager
Symptoms:
Client certificate revocation check fails.
Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without server hostname and port, which is needed for DirName type processing. AND
2. At least one DirName type CRLDP is present in the client certificate and it is the first in the list.
Impact:
Users may fail access policy evaluation when client certificates are used.
Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.
585547-4 : NTP configuration items are no longer collected by qkview★
Component: TMOS
Symptoms:
qkview was collecting the file "/etc/ntp/keys" which in some cases, contains secret keys used for integrity verification of NTP messages.
Conditions:
Execute qkview to collect diagnostic information.
Impact:
Possibility for keys to be exposed.
Workaround:
1. Do not execute qkview.
2. If executing qkview, do not share this file with untrusted parties.
Fix:
With this release, qkview no longer collects this file.
585424-4 : Mozilla NSS vulnerability CVE-2016-1979
Solution Article: K20145801
585412-1 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
Component: Local Traffic Manager
Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'
Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection that does not use TLS and sends a DATA section with a text line longer than approximately 8192 characters.
8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.
Impact:
The TCP connection is reset with a reset cause of 'Out of memory' and the email is not delivered.
Workaround:
None.
Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.
585045 : ASM REST: Missing 'gwt' support for urlContentProfiles
Component: Application Security Manager
Symptoms:
A URL's header content profile cannot be set to 'gwt' via REST, and if such a configuration exists on the device, then REST will fail to retrieve the collection.
Conditions:
ASM REST is used to configure or inspect URLs on a Security Policy, and GWT profiles are used.
Impact:
Unusable REST for the collection.
Workaround:
None.
Fix:
GWT profiles on URLs are now correctly supported via REST.
584717 : TCP window scaling is not applied when SYN cookies are active
Component: Local Traffic Manager
Symptoms:
TCP window scaling is not applied, which can be observed in transmitted packets containing small segments that are about the size of the unscaled window.
Conditions:
SYN cookies have been activated.
Impact:
Poor performance / throughput.
Workaround:
None
Fix:
The tmm now properly scales the TCP window upon SYN cookie activation.
584583-2 : Timeout error when using the REST API to retrieve large amount of data
Solution Article: K18410170
Component: TMOS
Symptoms:
The REST API might time out when attempting to retrieve a large dataset, such as a large GTM pool list. The error signature when using the REST API appears as follows:
errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET
Conditions:
Configuration containing a large number of GTM pools and pool members (numbering in the thousands).
Impact:
If using the REST API to retrieve the pool list, you may receive timeout errors.
Workaround:
There is no workaround at this time.
Fix:
TMSH performance has been improved for this GTM case (an improvement of roughly 5-10 times), which was the root cause of the REST failure. The timeout is no longer triggered for this amount of data.
584373-1 : AD/LDAP resource group mapping table controls are not accessible sometimes
Component: Access Policy Manager
Symptoms:
In the AD/LDAP resource group mapping table, when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the bounds of the dialog.
Conditions:
Very long group names and resource names.
Impact:
Rows in the table cannot be deleted or moved, although they can still be edited.
Workaround:
Spread one assignment across multiple rows.
Fix:
A scroll bar now appears when needed.
584310 : TCP:Collect ignores the 'skip' parameter when used in serverside events
Solution Article: K83393638
Component: Local Traffic Manager
Symptoms:
When TCP::Collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only the 'length' bytes from the start.
Conditions:
TCP::Collect is used with the 'skip' parameter in server-side events such as SERVER_CONNECTED. This is an intermittent issue that has been observed only with IIS servers.
Impact:
TCP::Collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.
Workaround:
None.
Fix:
The settings for TCP::Collect command skip and length arguments are now honored during packet processing.
584029-7 : Fragmented packets may cause tmm to core under heavy load
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file while processing fragmented packets.
As a result of this issue, you may encounter one or more of the following symptoms:
-- TMM generates a core file in the /shared/core directory.
-- In one of the /var/log/tmm log files, you observe an error message similar to the following example:
notice panic: ../base/flow_fwd.c:255: Assertion "ffwd flag set" failed.
panic: ../net/packet.c:168: Assertion "packet is locked by a driver" failed.
notice ** SIGFPE **
Conditions:
This issue occurs when all of the following conditions are met:
-- The TMM process offloads a fragmented packet by way of an ffwd operation.
-- Your BIG-IP system is under heavy load.
Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.
Workaround:
None.
Fix:
Fragmented packets no longer cause tmm to core under heavy load.
583957-3 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.
Component: Local Traffic Manager
Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.
Conditions:
An HTTP::respond or HTTP::redirect iRule command is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.
Impact:
The TMM will be restarted by SOD.
Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking an HTTP::respond or HTTP::redirect iRule command.
583936-1 : Removing ECMP route from BGP does not clear route from NSM
Component: TMOS
Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.
Conditions:
ECMP routing must be enabled and in-use.
Impact:
ECMP routes are not properly removed from the main routing table.
Fix:
ECMP routes are now properly removed from the routing table.
583631-1 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
Component: Local Traffic Manager
Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.
Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.
Impact:
The connection fails. The system might generate an alert.
Workaround:
Force the server SSL profile to use a lower TLS version by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'Options' section of the Server SSL profile.
Fix:
When the db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the outer SSL record always contains TLS1.0. You can use this db variable to prevent an issue with older servers that do not support TLS versions later than 1.0, in which an alert might be generated that closes the connection.
Behavior Change:
Formerly, the version in the ClientHello and the version in the outer record would match. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable' (the default), the version in the outer record is TLS 1.0 regardless of the version in the ClientHello.
583502-3 : Considerations for transferring files from F5 devices
Solution Article: K58243048
Component: TMOS
Symptoms:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
Conditions:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
Impact:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
Fix:
For more information, see K58243048: Considerations for transferring files from F5 devices, available at https://support.f5.com/csp/article/K58243048
583285-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Solution Article: K24331010
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.
Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.
Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.
582952 : Linux kernel vulnerability CVE-2013-4483
Solution Article: K31300371
582813-4 : Linux Kernel CVE-2016-0774
Solution Article: K08440897
582773-3 : DNS server for child zone can continue to resolve domain names after revoked from parent
Solution Article: K48224824
582683-1 : xpath parser doesn't reset a namespace hash value between each and every scan
Component: Application Security Manager
Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.
Conditions:
The customer has a virtual server configured with an XML, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.
Impact:
XML content based routing does not work dependably.
Workaround:
N/A
Fix:
The xpath parser now restores the namespace declarations each time it finishes parsing a document.
582440-1 : Linux client does not restore route to the default GW on Ubuntu 15.10
Component: Access Policy Manager
Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.
Conditions:
Ubuntu 15.10; a network access tunnel is connected and then disconnected.
Impact:
User will not be able to reach internet after disconnecting from network access.
Workaround:
If Wi-Fi is in use, turn it off and on again.
If Ethernet is used, unplugging and replugging the cable should resolve the problem.
582295 : ospfd core dump when redistributing NSSA routes in a HA failover
Solution Article: K62302950
Component: TMOS
Symptoms:
ospfd dumps a core when NSSA routes are redistributed.
Conditions:
When a failover is initiated through the GUI on a BIG-IP high availability (HA) configuration, and a standby BIG-IP system cannot take the active role due to low HA score. The original active BIG-IP system takes back the active role.
Impact:
ospfd terminates on the BIG-IP system leading to connectivity issues until the ospfd comes up.
Workaround:
None.
Fix:
ospfd no longer crashes when redistributing NSSA routes in a HA failover event.
581834-3 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
Clients are unable to use the Firefox plugin on Firefox version 47 and above.
Conditions:
Clients using Firefox v47 and above attempting to use the Firefox plugin
Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above
Fix:
The Firefox plugin now supports all versions.
581770-1 : Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6
Component: Access Policy Manager
Symptoms:
Network Access clients are unable to pass IPv6 traffic.
Conditions:
Network Access resource configured with IPv4&IPv6
Client attempts to pass IPv6 traffic
Impact:
IPv6 traffic is dropped.
Fix:
APM will now pass IPv6 traffic through the tunnel if an IPv4&IPv6 resource is configured.
581746-4 : MPTCP or SSL traffic handling may cause a BIG-IP outage
Solution Article: K42175594
Component: Local Traffic Manager
Symptoms:
Occasional BIG-IP outages may occur when MPTCP or SSL traffic is being handled by a virtual server.
Conditions:
MPTCP has been enabled on a TCP profile on a virtual server, or SSL is in use.
Impact:
A system outage may occur.
Workaround:
None.
Fix:
An issue with handling of MPTCP and SSL traffic has been corrected.
580817-4 : Edge Client may crash after upgrade★
Component: Access Policy Manager
Symptoms:
The Edge client may crash after upgrading to 11.4.1 through 12.0.0.
Conditions:
Access Policy with Firewall Checker
Update BIG-IP to 12.1.0
Impact:
Users are unable to use the Edge client
Fix:
Fixed a crash in the Edge client
580596-5 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
Solution Article: K14190, K39508724
580429-3 : CTU does not show second Class ID for InstallerControll.dll
Component: Access Policy Manager
Symptoms:
Client troubleshooting utility does not display the registered class id of Installer control.dll.
Conditions:
Client troubleshooting utility is used to display all installed edge client components.
Impact:
No impact to end user or administrator. Impacts F5 support.
Workaround:
None.
Fix:
CTU now shows the class id of installer control.dll.
580421-4 : Edge Client may not register DLLs correctly
Component: Access Policy Manager
Symptoms:
After an end-user confirms that they want to install InstallerControll.cab, the browser gets stuck in 'Checking client'.
Conditions:
Client is using Internet Explorer
Impact:
Clients are unable to install the Edge client components
Fix:
Edge client components are now getting properly registered.
580340-4 : OpenSSL vulnerability CVE-2016-2842
Solution Article: K52349521
580313-4 : OpenSSL vulnerability CVE-2016-0799
Solution Article: K22334603
580303-2 : When going from active to offline, tmm might send a GARP for a floating address.
Component: Local Traffic Manager
Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.
Conditions:
Using high availability, and switching a device from active to offline.
Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.
Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.
Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.
580026-4 : HSM logging error
Solution Article: K74759095
579975-4 : OpenSSL vulnerability
Solution Article: K79215841
579955-4 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
Solution Article: K01587042
579926-2 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode
Component: Local Traffic Manager
Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.
Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.
Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.
Workaround:
No workaround.
579919 : TMM may core when LSN translation is enabled
Component: Local Traffic Manager
Symptoms:
tmm core
Conditions:
Virtual uses LSN translation with a destination matching a pool-based route
Impact:
Traffic disrupted while tmm restarts.
Fix:
A virtual server with LSN translation no longer causes tmm to core when the destination matches a pool-based route.
579909-3 : Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error
Component: Access Policy Manager
Symptoms:
Secondary blade MCPD exits if APM Sandbox intends to log a warning message when it fails to remove the corresponding sandbox directory /var/sam/www/webtop/sandbox/files_d/<partition_name>_d while the user is removing the partition.
There are multiple cases that can log such a Sandbox warning message and cause an mcpd crash and/or tmm crash. APM logs the warning if it encounters a directory that is not empty, or if the directory does not exist. You will see this error signature in /var/log/ltm:
Mar 11 11:36:49 slot2/viprion-3 warning mcpd[6022]: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: Directory not empty. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/
Conditions:
The sandbox directory corresponding to the partition that you are deleting cannot be removed on the secondary blade for any reason, such as the directory not existing or not being empty. This can occur on the secondary blades if you create a partition before provisioning APM, then delete the partition on the primary blade, and auto-sync is enabled in the device group.
Impact:
Secondary MCPD exits and blade restarts. Tmm can core. Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Fixed so that the secondary MCP does not exit but only logs the warning message, since the partition is successfully deleted.
579843-4 : tmrouted may not re-announce routes after a specific succession of failover states
Component: Local Traffic Manager
Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair using dynamic routing.
Conditions:
- Active/Standby HA pair set up
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
- Active unit has the following succession of failover states:
Active->Offline->Online->Standby->Active
Impact:
tmrouted may not announce the virtual addresses when coming back to the Active state after the succession of states mentioned above.
Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.
Fix:
tmrouted now re-announces RHI routes after this transition of failover states within an HA pair using dynamic routing.
579829-4 : OpenSSL vulnerability CVE-2016-0702
Solution Article: K79215841
579559-4 : DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration
Component: Access Policy Manager
Symptoms:
Network Access always falls back to a TLS connection, even if DTLS is configured, when connecting to some hardware platforms.
Conditions:
Network Access is configured to use DTLS
Hardware BIG-IP with DTLS Nitrox acceleration is used.
Impact:
Network Access connection always falls back to a TLS connection.
Workaround:
N/A
Fix:
Previously, Network Access always fell back to a TLS connection even if DTLS was configured when connecting to some hardware platforms. Network Access no longer falls back to TLS.
579371-1 : BIG-IP may generate ARPs after transition to standby
Solution Article: K70126130
Component: Local Traffic Manager
Symptoms:
tmm generates unexpected ARPs after entering standby.
Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.
Impact:
Unexpected ARP requests that might result in packet loops.
Workaround:
None.
Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.
579284-5 : Potential memory corruption in MCPd
Component: TMOS
Symptoms:
Memory in mcpd could get corrupted. The effect of this is unpredictable.
Conditions:
Varies. One way (but not the only way) this could be seen is by cancelling a chunked stats query (e.g. hitting ctrl-c during "show sys connection").
Impact:
Varies. Sometimes nothing will happen; other times MCP could start acting unpredictably. In one case it closed its connection to TMM, which caused all TMMs to restart.
Fix:
Identified and fixed areas of potential memory corruption in MCP.
579237-4 : OpenSSL Vulnerability CVE-2016-0705
Solution Article: K93122894
579220-2 : Mozilla NSS vulnerability CVE-2016-1950
Solution Article: K91100352
579085-3 : OpenSSL vulnerability CVE-2016-0797
Solution Article: K40524634
579047 : Unable to update the default http-explicit profile using the GUI.
Component: TMOS
Symptoms:
Trying to update default Local Traffic :: Profiles : Services : HTTP :: http-explicit profile, the system posts the following error: 'Some fields below contain errors. Correct them before continuing.' Under the 'Explicit Proxy' section for 'DNS Resolver' option, the system posts the following error: '010717e8:3: Invalid 'dns-resolver' value for profile /Common/http-explicit. The dns-resolver does not exist.'
Conditions:
Updating default http-explicit profile using the GUI.
Impact:
Error messages. Unable to update the default http-explicit profile using the GUI.
Workaround:
Use tmsh to update the default http-explicit profile.
Fix:
You can now update the default http-explicit profile without error using the GUI.
578844-3 : tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
Component: Access Policy Manager
Symptoms:
tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
Conditions:
An NA resource with IPv4 and IPv6 is used (the SNAT pool in the NA resource is set to None). The user is connected to an IPv4 virtual server.
While connected user clicks on 'Change server' and chooses an IPv6 virtual server.
Impact:
Traffic disrupted while tmm restarts.
578570-3 : OpenSSL Vulnerability CVE-2016-0705
Solution Article: K93122894
578353-1 : Statistics data aggregation process is not optimized
Component: Application Visibility and Reporting
Symptoms:
CPU spikes may occur every 5 minutes
Conditions:
Occurs all the time
Impact:
High CPU usage may be observed every 5 minutes
Workaround:
For versions based on 11.5.4 and 11.6.0 take the following steps:
1. Edit the entry 'AggregationMode' under the /etc/avr/monpd/monpd.cfg file and set it to be 'low' instead of 'medium' or 'high'.
2. Restart monpd afterwards.
For 12.0.0 and on:
tmsh modify sys db avr.stats.aggregation value low
Fix:
The statistics aggregation process in the DB, which is performed by monpd, has been optimized to skip redundant updates of tables.
578045-5 : The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks
Component: Local Traffic Manager
Symptoms:
The TMM crashes while resuming from an HTTP_PROXY_REQUEST event.
Conditions:
An HTTP_PROXY_REQUEST iRule event parks. Pipelined ingress occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Don't use parking iRule commands within the HTTP_PROXY_REQUEST event.
If a parking command must be used, the following may work:
Try using TCP::collect to disable ingress while a potentially parking iRule command executes. TCP::release can be used after the command completes to restore normal behavior.
Another work-around is to set max-requests to 1. (Disabling pipelining.)
577828-4 : BIND vulnerability CVE-2016-2088
Solution Article: K59692558
577826-3 : BIND vulnerability CVE-2016-1286
Solution Article: K62012529
577823-3 : BIND vulnerability CVE-2016-1285
Solution Article: K46264120
577814 : MCPd might leak memory in PEM stats queries.
Component: Policy Enforcement Manager
Symptoms:
Memory leak may result in an "Out of Memory" condition causing functional issues in the BIG-IP.
Conditions:
Occurs when a valid PEM stats query is issued by a UI (GUI, TMSH, REST, etc.) and PEM is configured on the BIG-IP.
Impact:
System may be unresponsive or crash due to being out of memory.
Workaround:
None.
Fix:
Fixed the potential MCPd memory leak in PEM stats queries.
577811 : SNMP sysObjectID OID reports ID of blade on VIPRION 2xxx-series platforms
Component: TMOS
Symptoms:
In BIG-IP v11.5.4, the behavior of the SNMP sysObjectID changed for VIPRION 2xxx-series platforms.
On other BIG-IP 10.x and 11.x versions running on VIPRION 2xxx-series platforms, the SNMP sysObjectID reports the ID of the Chassis (BIG-IPVprC2400 or BIG-IPVprC2200).
In BIG-IP v11.5.4 and v12.0.0 and later running on VIPRION 2xxx-series platforms, the SNMP sysObjectID reports the ID of the Blade (BIG-IPVprB2100, BIG-IPVprB2150, or BIG-IPVprB2250).
In all versions of BIG-IP running on VIPRION 4xxx-series platforms, the SNMP sysObjectID reports the ID of the Blade (BIG-IPPb100, BIG-IPPb100n, BIG-IPPb200, BIG-IPPb200N, BIG-IPVprB4300 or BIG-IPVprB4300N).
In BIG-IP v12.0.0 and later running on VIPRION 2xxx-series platforms, the BIG-IP design is changed such that the SNMP sysObjectID reports the ID of the Blade (BIG-IPVprB2100, BIG-IPVprB2150, or BIG-IPVprB2250), consistent with VIPRION 4xxx-series platforms.
[See Solution article for ID 425331, when published.]
Conditions:
VIPRION C2400 and C2200 chassis
VIPRION B2100, B2150 and B2250 blades
BIG-IP v11.5.4 (release)
Impact:
SNMP queries to identify VIPRION 2xxx-series platforms return the Blade ID instead of the Chassis ID, requiring changes in how the returned sysObjectID is interpreted.
Workaround:
Identify a VIPRION 2xxx-series platform by the appropriate Blade ID (BIG-IPVprB2100, BIG-IPVprB2150, or BIG-IPVprB2250), instead of by the Chassis ID (BIG-IPVprC2400 or BIG-IPVprC2200).
Fix:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports the ID of the Chassis, to match the behavior on VIPRION 2xxx-series platforms with previous BIG-IP versions 10.2.x and 11.x.
Behavior Change:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID now reports the ID of the Chassis, to match the behavior on VIPRION 2xxx-series platforms with previous BIG-IP versions 10.2.x and 11.x.
Previously, SNMP sysObjectID reported the ID of the Blade on VIPRION 2xxx-series platforms, to match the behavior on VIPRION 4xxx-series platforms.
577668-2 : ASM Remote logger doesn't log 64 KB request.
Component: Application Security Manager
Symptoms:
A request longer than 10 KB is truncated to 10 KB in the ASM remote logger although the remote logger is configured to log up to 64 KB requests.
Conditions:
The remote logger is configured with a maximum request size of 64 KB.
A request is longer than 10 KB.
Impact:
Incorrect request size in the log.
Workaround:
N/A
Fix:
ASM can now log requests up to 64 KB. (The actual size depends on the total message size and the other fields in the message.)
576897-2 : Using snat/snatpool in related-rule results in crash
Component: Local Traffic Manager
Symptoms:
TMM crash resulting in failover.
Conditions:
Using snat/snatpool command in related-rule.
Impact:
TMM crash resulting in failover.
Workaround:
Do not use snat/snatpool commands in related rule.
576591-3 : Support for some future credit card number ranges
Component: Application Security Manager
Symptoms:
ASM does not block or mask when a specific credit card number range appears in the response.
Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The response contains a credit card number in specific ranges.
Impact:
The traffic passes unmasked or unblocked to the end client.
Workaround:
A custom pattern is possible for these cases, but should be adjusted to each configuration specifically.
576314 : SNMP traps for FIPS device fault inconsistent among versions.
Component: Local Traffic Manager
Symptoms:
The SNMP traps bigipFipsDeviceError and bigipFipsFault are inconsistent among versions.
Conditions:
This trap is raised if the FIPS device firmware has stopped responding to requests and is no longer functional. The trap is different on the BIG-IP 10350 FIPS platform.
Impact:
The meaning of the trap is that the system is not able to perform any FIPS operations and process FIPS related traffic. You will need to be mindful of which version you are on to interpret the OIDs correctly.
Fix:
An SNMP trap is generated when the system has detected a FIPS device fault indicating that the device can no longer service FIPS operations. The OIDs are different across versions and on one specific platform. Here are the OIDs and versions:
BIGIP-COMMON-MIB::bigipFipsDeviceError .1.3.6.1.4.1.3375.2.4.0.152
This trap means "Encountered error in the FIPS card operation" on all FIPS platforms
BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.156 (from v11.5.4-hf1 and 11.6.1, not 12.0.0)
BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.166 (from v12.1.0)
These traps mean "The FIPS card is currently in faulty state" for the specific FIPS hardware included on the BIG-IP 10350
576305-1 : Potential MCPd leak in IPSEC SPD stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying IPSEC SPD stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.
576296-1 : MCPd might leak memory in SCTP profile stats query.
Component: Local Traffic Manager
Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.
Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.
Impact:
Performance may be degraded.
Workaround:
None.
Fix:
Resolved a memory leak in mcpd resulting from a query of SCTP profile stats.
576069-1 : Rewrite can crash in some rare corner cases
Component: Access Policy Manager
Symptoms:
Rewrite can crash in some rare corner cases when specific erroneous elements are present in HTML content.
Conditions:
Any of the following strings triggers a guaranteed rewrite crash:
<meta http-equiv="refresh" />
<meta http-equiv="location" />
<param name="general_servername" />
<param name="wmode" />
Impact:
Web application malfunction.
Workaround:
Use an iRule, or fix the improper HTML tag directly.
Fix:
Fixed.
575735-1 : Potential MCPd leak in global CPU info stats code
Component: TMOS
Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.
Conditions:
In some cases, querying global CPU information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying global CPU information stats.
575726-1 : MCPd might leak memory in vCMP interface stats.
Component: TMOS
Symptoms:
MCPd might leak memory in vCMP interface stats.
Conditions:
The memory leak occurs when viewing VCMP interface statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying vCMP interface stats.
575716-1 : MCPd might leak memory in VCMP base stats.
Component: TMOS
Symptoms:
MCPd might leak memory in VCMP base stats.
Conditions:
This occurs when looking at VCMP base statistics.
Impact:
Over time this might cause MCPd to run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying VCMP base stats.
575708-1 : MCPd might leak memory in CPU info stats.
Component: TMOS
Symptoms:
MCPd might leak memory in CPU info stats.
Conditions:
In some cases, querying CPU information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying CPU information stats.
575671-1 : MCPd might leak memory in host info stats.
Component: TMOS
Symptoms:
MCPd might leak memory in host info stats.
Conditions:
In some cases, querying host information stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying host information stats.
575631-2 : Potential MCPd leak in WAM stats query code
Component: WebAccelerator
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying WAM stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying WAM stats.
575626-6 : Minor memory leak in DNS Express stats error conditions
Solution Article: K04672803
Component: Local Traffic Manager
Symptoms:
A minor memory leak might occur in certain error conditions relating to DNS Express statistics.
Conditions:
There are no known DNS Express configurations that lead to this issue. The problem was detected through standard code review practices.
Impact:
Memory leaks might eventually lead to system reboots.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur in certain error conditions relating to DNS Express statistics.
575619-1 : Potential MCPd leak in pool member stats query code
Component: TMOS
Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.
Conditions:
In some cases, querying pool member stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying pool member stats.
575612-4 : Potential MCPd leak in policy action stats query code
Component: Local Traffic Manager
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying policy action stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying policy action stats.
575609-4 : Zlib accelerated compression can result in a dropped flow.
Component: Access Policy Manager
Symptoms:
Some compression requests would fail when the estimated compression output block was too small. Such failures log an error similar to: Device error: n3-compress0 Zip engine ctx eviction (comp_code=2): ctx dropped.
Conditions:
A block that will not compress can generate a compression output that exceeds the estimated output block size.
Impact:
The flow that encounters the error is dropped.
Workaround:
Disable hardware accelerated compression.
Fix:
Difficult-to-compress requests may be dropped.
575608-1 : MCPd might leak memory in virtual server stats query.
Component: TMOS
Symptoms:
MCPd might leak memory in virtual server stats query.
Conditions:
In some cases, querying virtual server stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying virtual server stats.
575587-1 : Potential MCPd leak in BWC policy class stats query code
Component: TMOS
Symptoms:
MCPd leaks memory.
Conditions:
In some cases, querying BWC policy stats can leak memory.
Impact:
MCPd might eventually run out of memory and core.
Workaround:
None.
Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.
575582-1 : MCPd might leak memory in FW network attack stats.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW network attack stats.
Conditions:
This occurs when looking at firewall network attack statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
575571-1 : MCPd might leak memory in FW DOS SIP attack stats query.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW DOS SIP attack stats query.
Conditions:
This occurs when looking at firewall DOS SIP stats.
Impact:
Over time this can cause MCPd to run out of memory and core.
575569-1 : MCPd might leak memory in FW DOS DNS stats query.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW DOS DNS stats query.
Conditions:
This occurs when looking at firewall DOS DNS statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
575565-1 : MCPd might leak memory in FW policy rule stats query.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW policy rule stats query.
Conditions:
This occurs when looking at firewall policy rule stats.
Impact:
Over time this can cause MCPd to run out of memory and core.
575564-1 : MCPd might leak memory in FW rule stats query.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW rule stats query.
Conditions:
This occurs when looking at firewall rule statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
575557-2 : MCPd might leak memory in FW rule stats.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in FW rule stats.
Conditions:
This occurs when looking at firewall rule statistics.
Impact:
Over time this can cause MCPd to run out of memory and core.
575499-3 : VPN filter may leave renew_lease timer active after teardown
Component: Access Policy Manager
Symptoms:
TMM core making the system unavailable for a period of time until it comes back up.
Conditions:
When using both IPv4 and IPv6 network access resources, with a static IP address for IPv4 and dynamic address assignment for IPv6, tmm will core while the NA tunnel is running or at NA disconnect time.
Impact:
TMM cores and brings down the system.
Workaround:
N/A
Fix:
No more stale renew_lease timer in vpn_ctx to cause TMM core.
575321-1 : MCPd might leak memory in firewall stats.
Component: Advanced Firewall Manager
Symptoms:
MCPd might leak memory in firewall stats.
Conditions:
This occurs when looking at firewall stats.
Impact:
Over time this can cause MCPd to run out of memory and core.
575292-2 : DNS Relay proxy service does not respond to SCM commands in timely manner
Component: Access Policy Manager
Symptoms:
The DNS relay proxy service may appear unresponsive when stopped or started through the Service Control Manager, and the user may see a system dialog box saying "Service did not respond in a timely manner".
Conditions:
The DNS relay service component of the Edge client is installed on the user's machine.
Impact:
Usability: the user may think that the service has failed.
Workaround:
Wait for the service to report its proper status.
Fix:
The service now reports the correct status to the Service Control Manager immediately.
575027-3 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
Component: TMOS
Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.
Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)
Workaround:
Use untagged VLANs and hypervisor side tagging.
Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.
575011-9 : Memory leak. Nitrox3 Hang Detected.
Solution Article: K21137299
Component: Local Traffic Manager
Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".
Conditions:
Compression device unavailable during creation of a new context.
Impact:
System can run out of memory.
Workaround:
Disable hardware compression using tmsh:
% tmsh modify sys db compression.strategy softwareonly
Fix:
Repaired memory leak.
574781-3 : APM Network Access IPV4/IPV6 virtual may leak memory
Component: Access Policy Manager
Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, xhead and xdata caches grow over time. Additionally, the ppp_npmode_errors in the ppp stat table will increment with each leak.
Conditions:
APM virtual with Network Access configured with IPV4 and IPv6.
Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.
Workaround:
No workaround short of not enabling IPv6.
Fix:
APM Network Access now correctly manages its memory resources.
574318-4 : Unable to resume session when switching to Protected Workspace
Component: Access Policy Manager
Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error
Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace
Impact:
Client browser cannot render the protected workspace
Fix:
Fixed an issue preventing Windows clients from using Protected Workspace
574262 : Rarely encountered lockup for N3FIPS module when processing key management requests.
Component: Local Traffic Manager
Symptoms:
The N3FIPS module does not respond to key management requests.
Conditions:
No specific condition has been identified for this failure.
Impact:
Existing data continues to forward, but new traffic keys fail. MGMT locks up. This is a rarely encountered issue.
Workaround:
A SNMP trap is generated when N3FIPS is locked up. The trap informs the user that the BIG-IP system must be rebooted. Rebooting clears the condition.
Fix:
The N3FIPS module no longer experiences occasional lockups when processing key management requests.
574214-2 : Content Based Routing daemon (cbrd) logging control
Component: Application Security Manager
Symptoms:
The cbrd logger might not produce enough useful output for troubleshooting purposes, and debug logging is not available.
Conditions:
Using an XML profile, and you would like to see the XPath output in a log file.
Impact:
Unable to see the XPath information.
Fix:
It is now possible to enable XPath logging by adding these lines to /etc/cbr/logger.cfg:
MODULE=CBR_PLUGIN;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;
Then:
bigstart restart cbrd
574153-3 : If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout.
Component: Local Traffic Manager
Symptoms:
If an SSL connection gracefully begins to disconnect at the same time as data is being encrypted by SSL acceleration hardware, the connection will remain open until the TCP profile timeout occurs instead of being closed immediately. This can cause unwanted higher memory usage, possibly causing crashes elsewhere.
Conditions:
* A virtual server with ClientSSL or ServerSSL profile.
* BIG-IP SSL acceleration hardware.
* While an SSL record is being encrypted by SSL accelerator hardware, the SSL connection begins to close by client TCP FIN or by any iRule command that closes the connection.
Impact:
There is a potential for higher memory usage, which in turn may cause TMM crash due to memory exhaustion resulting in service disruption.
Workaround:
If the affected SSL traffic does not include any long idle periods, memory consumption can be mitigated by reducing the idle timeout of the TCP or SCTP profile.
Fix:
SSL connections now disconnect normally if a disconnect attempt occurs while data is being encrypted by SSL acceleration hardware.
574116-3 : MCP may crash when syncing configuration between device groups
Component: TMOS
Symptoms:
mcpd on the sync target crashes when syncing configuration.
Conditions:
This can occur when a local non-synced object references an object that is synced (such as a local-only virtual server referencing a synced iRule), and a non-synced object on the target machine happens to be referencing the same synced object. In this condition, mcpd could crash if objects in a sync group are deleted and synced.
Impact:
Outage due to mcp crash which causes tmm to restart.
Workaround:
When you have devices with local-only resources that are referencing objects contained in a sync/failover group, avoid deleting any objects (such as iRules) that might be referenced by other local-only resources on other devices. Instead of a "this object is in use error", mcpd on the target machine will crash.
Fix:
Verify existence of rule objects when validating configuration.
574073 : Support for New Platform: BIG-IP 10350 FIPS with NEBS support
Component: Local Traffic Manager
Symptoms:
New platform introduction
Conditions:
New platform introduction
Impact:
New platform introduction
574045-3 : BGP may not accept attributes using extended length
Component: TMOS
Symptoms:
If a BGP peer sends a path attribute using the "extended length" flag and field, the attribute may be rejected and the BGP connection terminated.
Conditions:
Neighbor sends path attributes using extended length.
Impact:
The BGP adjacency will repeatedly bounce and the RIB will never converge.
Fix:
Received BGP attributes using extended length are no longer rejected.
573778-5 : QEMU vulnerability CVE-2016-1714
Solution Article: K75248350
573581-2 : DNS search suffixes are not restored properly in some cases after VPN establishment
Component: Access Policy Manager
Symptoms:
DNS suffixes modified after VPN establishment and closure may result in failure to resolve some DNS names.
Conditions:
The DNS Relay proxy service is stopped in the middle of a VPN session.
User's machine is rebooted.
Impact:
DNS suffixes are not restored properly which may lead to incorrect resolution of certain DNS names.
Workaround:
Any of the following workarounds:
1) Do not stop the DNS relay proxy service in the middle of a VPN session.
2) Restore the DNS search suffixes manually.
573529 : F-bit is not set in IPv6 OSPF Type-7 LSAs
Component: TMOS
Symptoms:
The forwarding address and the F-bit are not set in Type-7 LSAs sent out by the ASBR.
Conditions:
Virtual IP from a virtual server is redistributed as a Type-7 route by the ASBR.
Impact:
ABR routers are not able to propagate NSSA routes to other OSPF areas as External Type-5 routes. As a result, OSPF areas cannot reach external networks.
Fix:
ASBR sets the F-bit and forwarding address correctly.
573429-2 : APM Network Access IPv4/IPv6 virtual may leak memory
Component: Access Policy Manager
Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, connflow and tunnel_nexthop caches grow over time.
Conditions:
APM virtual with Network Access configured with no SNAT and both IPV4 and IPV6 enabled.
Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.
Workaround:
No workaround short of not enabling IPv6 support.
Fix:
Network Access now correctly manages its memory resources.
573406-2 : ASU cannot be completed if license was last activated more than 18 months before
Component: Application Security Manager
Symptoms:
Attack Signature Update (ASU) cannot be completed if the license was last activated more than 18 months before.
Conditions:
The license was last activated more than 18 months before.
Impact:
Attack Signature Update (ASU) cannot be performed.
Workaround:
The license must be re-activated.
Fix:
Attack Signature Update (ASU) can now be completed based on a license retrieved from the server.
573343-4 : NTP vulnerability CVE-2015-8158
Solution Article: K01324833
573124-5 : TMM vulnerability CVE-2016-5022
Solution Article: K06045217
572922-3 : Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.★
Component: Application Security Manager
Symptoms:
The following error is produced in ASM log during upgrade:
-----------
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
-----------
Conditions:
-- ASM provisioned.
-- Upgrade performed.
Impact:
Different portions of the security policy may be incorrectly upgraded.
Workaround:
N/A
Fix:
This release fixes the root cause so that the security policy upgrades correctly, and the following error does not reproduce upon upgrading:
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
572893-5 : error "The modem (or other connecting device) is already in use or is not configured properly"
Component: Access Policy Manager
Symptoms:
Clients get the error "The modem (or other connecting device) is already in use or is not configured properly".
Conditions:
The exact reproduction steps are not known, but it was seen to occur on certain Windows 10 clients where the access components were removed and login was attempted afterward.
Impact:
Clients will be unable to connect to the VPN.
Workaround:
Rebooting might correct the issue on the client machine.
Fix:
Network Access will no longer fail on client machines that first uninstall the components and then attempt to reconnect.
572600 : mcpd can run out of file descriptors
Component: TMOS
Symptoms:
Mcpd crashes with the log message err mcpd[8835]: 01071070:3: Failed to open file /config/BigDB.dat.tmp with error 24
Conditions:
This can happen in multiple ways; in this case it was detected while running BIG-IQ policy sync.
Impact:
Mcpd can crash, rendering the system unstable.
Fix:
A crash related to mcpd running out of file descriptors has been fixed.
572563-4 : PWS session does not launch on Internet Explorer after upgrade
Component: Access Policy Manager
Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).
Conditions:
One of the DLLs provided by APM, vdeskctrl.dll, provides COM services. IE consumes the COM services. The DLL is loaded by IE during upgrade of PWS components. Intermittently, (especially on slow systems), IE does not unload the old DLL promptly after upgrading PWS. When COM services are invoked to initialize PWS after upgrade, the old DLL provides the service.
Impact:
Due to the recent renewal of the signing certificate, the old DLL cannot certify the integrity of the new PWS components. PWS session does not launch.
Workaround:
After upgrade, if IE does not enter into PWS within 60 seconds, close IE and start a new session. This is a one-time event.
Fix:
Internet Explorer can now launch a Protected Workspace session.
572543-4 : User is prompted to install components repeatedly after client components are updated.
Component: Access Policy Manager
Symptoms:
After auto-update of client components from Internet Explorer, the user is prompted to install the components again when visiting the VPN site again.
Conditions:
Administrator upgrades BIG-IP to 12.1.
User has client components from a release older than 12.1.
Impact:
User is prompted to install components repeatedly.
Workaround:
Restart browser after components are updated the first time.
572495-4 : TMM may crash if it receives a malformed packet CVE-2016-5023
Solution Article: K19784568
572281-3 : Variable value in the nested script of a foreach command gets reset when there is a parking command in the script
Component: Local Traffic Manager
Symptoms:
When there is something like the following script:
foreach a [list 1 2 3 4] {
set a 10
after 100
}
There is a parking command, after, in the script, and it runs after "set a 10". When the after command returns, the value of a goes back to the initial value set by the foreach, and the value of 10 is lost.
Conditions:
There is a parking command in the nested script of foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962
Impact:
Variable values get reset.
Workaround:
Set (or set again) the variable value after the parking command.
Fix:
This will be fixed in a later release.
572272-3 : BIG-IP - Anonymous Certificate ID Enumeration
Solution Article: K65355492
572234-4 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
Component: Local Traffic Manager
Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.
Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.
The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.
The return route is a pool route.
The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.
Impact:
The traffic is sourced from the invalid Ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.
Workaround:
Increase the lasthop module's TCP idle timeout.
echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp
Fix:
TCP connections no longer emit packets that have a source MAC address of 00:98:76:54:32:10.
572224 : Buffer error due to RADIUS::avp command when vendor IDs do not match
Component: Service Provider
Symptoms:
Errors similar to the following in the ltm log:
err tmm3[21915]: 01220001:3: TCL error: /Common/RadiusTest CLIENT_DATA - Buffer error (line 1) (line 1) invoked from within 'RADIUS::avp 26 ip4 index 0 vendor-id 12345 vendor-type 6'.
Conditions:
The issue happens when there is a RADIUS::avp command for a vendor-specific AVP and a RADIUS request arrives that contains a different vendor-id than the one specified in the iRule command.
Impact:
You are unable to use vendor-specific RADIUS AVP commands.
Workaround:
None.
Fix:
Vendor-specific RADIUS AVP commands no longer generate errors.
572133-3 : tmsh save /sys ucs command sends status messages to stderr
Component: TMOS
Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are sent to stderr instead of stdout. This is visible if you are watching stderr for error messages.
Conditions:
There are no special conditions; every time the command is run, it sends some status messages to stderr.
Impact:
If a script runs the command, it may report that the save failed because messages were sent to stderr.
Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.
Fix:
The command will send the status messages to stdout.
571573-3 : Persistence may override node/pmbr connection limit
Solution Article: K20320811
Component: Local Traffic Manager
Symptoms:
In certain circumstances the BIG-IP system may load balance connections to a node or pool member over the configured connection limit.
Conditions:
- Node or pool member configured with connection limit.
- L4 or L7 virtual server.
- Persistence configured on the Virtual Server.
- Very high load on unit.
Impact:
BIG-IP system may load balance connections to a node or pool member over the configured connection limit.
Workaround:
Remove persistence or use another method of limiting the connections (rate limiting or connection limit on the Virtual Server).
Fix:
The BIG-IP system now correctly enforces the pool member/node connection limit.
571344-2 : SSL Certificate with special characters might cause exception when GUI retrieves items list page.★
Component: TMOS
Symptoms:
After upgrading, certain certificates cannot be viewed from the GUI. The catalina.out file may contain the signature MalformedByteSequenceException: Invalid byte 2 of 3-byte UTF-8 sequence.
iControl SOAP methods
====================
Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 will return an exception if returning a certificate with special characters.
Conditions:
SSL Certificate with special characters might cause exception when GUI retrieves items list page. This has been observed on upgrades to BIG-IP version 11.5.4 through 12.0.0.
Impact:
The GUI does not display the page containing certificate information. iControl SOAP cannot return a list of certificates if they contain information with special characters.
Workaround:
None.
Fix:
The GUI now correctly displays certificates with special characters, and iControl SOAP methods Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 no longer return exceptions.
571210-3 : Upgrade, load config, or sync might fail on large configs with large objects.
Component: TMOS
Symptoms:
Attempting to load a large config with large objects may result in the following error message:
err mcpd[7366]: 01070710:3: Database error (52), Can't write blob data, attribute:implementation status:52 - EdbBlobData.cpp, line 57
Attempting to synchronize a large change may result in the following error messages and a crash of the MCPD process:
err mcpd[8210]: 01071693:3: Incremental sync: Caught an exception while adding a transaction to the incremental config sync cache: unexpected exception.
err mcpd[8210]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: Can't write blob data, attribute:msgs status:52
err mcpd[8210]: 01070596:3: An unexpected failure has occurred, request_group destroyed while processing, exiting...
Conditions:
The config must be approximately 19.75 MB (slightly less) prior to processing a large object in the config that exceeds 256 KB.
Or, once the config exceeds 19.75 MB and 2 MB of additional memory has been allocated, processing config objects that exceed 256 KB (the larger the object, the more likely the error) leads to the error.
Impact:
Upgrade, load config, or sync might fail, and a system crash and restart might occur.
Workaround:
Stagger the load, or reduce the size of particularly large objects within a config.
Fix:
Memory handling is improved so that large configs with large objects now successfully complete upon upgrade, load config, or sync.
571183-3 : Bundle-certificates Not Accessible via iControl REST.
Component: Local Traffic Manager
Symptoms:
Bundle certificates are not accessible via iControl REST.
Conditions:
This occurs when using iControl REST to look at bundle certificates via /mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt/bundle-certificates
Impact:
Unable to get data from the command.
Workaround:
If you do not need to do it via iControl REST, you can view bundle certificates using the tmsh command: tmsh list sys file ssl-cert ca-bundle.crt bundle-certificates
Fix:
The iControl REST command for viewing bundle-certificates now displays all of the certificates.
571090-1 : When BIG-IP is used as SAML IdP, tmm may restart under certain conditions
Component: Access Policy Manager
Symptoms:
tmm restarts.
Conditions:
It is not known exactly what the conditions are, but this occurs when BIG-IP is configured as SAML IdP.
Impact:
Tmm may restart.
Workaround:
None
571019-2 : Topology records can be ordered incorrectly.
Component: TMOS
Symptoms:
Topology records can contain missing order numbers, duplicate order numbers, and differences in the ordering of topology records on BIG-IP systems in a sync group.
Conditions:
When adding or deleting topology records or modifying the order of existing topology records, the resulting ordering of the topology records can be inconsistent. This can lead to ordering issues, including differences in the ordering of topology records on BIG-IP systems in a sync group.
Impact:
It is difficult to manage the order of topology records. Topology records are evaluated in different orders on different BIG-IP systems in a sync group.
Workaround:
None.
Fix:
Topology records are now ordered consistently.
571003-4 : TMM Restarts After Failover
Component: Access Policy Manager
Symptoms:
TMM generates core file and restarts.
Conditions:
1. In an HA pair running a release prior to 11.5.3-HF2 or 11.6.0-HF6, the standby is upgraded to 11.6.0-HF6 EHF 186, 241, 243, or 247.
2. Force failover.
3. A new session is established or an existing session terminated.
Impact:
Service is disrupted. All existing sessions are terminated.
Workaround:
None.
Fix:
TMM no longer generates core file and restarts upon upgrade.
570716-1 : BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
Solution Article: K10133477
570667-10 : OpenSSL vulnerabilities
Solution Article: K64009378
570663-2 : Using iControl get_certificate_bundle_v2 causes a memory leak
Component: TMOS
Symptoms:
Using iControl call get_certificate_bundle_v2() causes a memory leak. iControlPortal memory use grows unbounded every time the method is called.
Conditions:
This occurs anytime the method is invoked; BIG-IP devices managed by Enterprise Manager can be especially impacted.
Impact:
Eventually iControlPortal will run out of memory and crash.
Fix:
The memory leak issue has been fixed.
570640-4 : APM Cannot create symbolic link to sandbox. Error: No such file or directory
Component: Access Policy Manager
Symptoms:
The user may encounter the following configuration error when adding a new APM sandbox-contained object in a non-default partition (other than /Common) if the user has ever attempted (but failed) to delete this partition (for example, because it was not empty).
01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Validating configuration process failed.
Conditions:
The user has ever attempted (but failed) to delete the partition.
Impact:
No further APM sandbox objects, such as Hosted Content, can be added to the partition.
Upgrade may fail to install configuration with the impacted sandbox object.
Workaround:
Manually use the shell command 'mkdir -p' to re-create the missing folder where the symbolic link is supposed to be created, as shown in the error message.
Directories to create with mkdir -p:
/config/filestore/files_d/OUTSIDE_PROD_d/sandbox_file_d
/var/sam/www/webtop/sandbox/files_d/OUTSIDE_PROD_d/sandbox_file_d
After creating the directories, sync to the active unit.
570617-5 : HTTP parses fragmented response versions incorrectly
Component: Local Traffic Manager
Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value. The filters then mis-parse the HTTP version.
Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.
Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as an HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.
Workaround:
None.
Fix:
HTTP correctly bounds the response version for other filters to parse.
570570-2 : Default crypto failure action is now 'go-offline-downlinks'.
Component: Local Traffic Manager
Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "none" or "failover". Now, the default behavior is "go-offline-downlinks".
(Note: You can find information on crypto accelerator fail-safe behavior in K16951: Overview of SSL hardware acceleration fail-safe :: https://support.f5.com/csp/article/K16951.)
Conditions:
Crypto accelerator encounters a failure and crypto.ha.action has not been changed from its default.
Impact:
If a hardware accelerator failed on a blade in a chassis, the system would failover, but if there was a second failover back to the chassis with the failed blade, SSL traffic might get dropped.
Workaround:
Set the db variable crypto.ha.action to your desired value.
Fix:
Previously, if a crypto accelerator encountered a failure, the default action was either 'none' or 'failover'. Now, the default behavior is 'go-offline-downlinks'.
Behavior Change:
The default value of the db variable crypto.ha.action has changed to 'go-offline-downlinks'. The only time this has an effect on the system is when a crypto accelerator fails. For a chassis, this value will cause the blade that had the failed crypto device to go offline, leaving the other blades to handle the load, while an appliance will failover to its standby peer. See https://support.f5.com/csp/article/K16951 for more details.
570064-4 : IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
Component: Access Policy Manager
Symptoms:
When logging into a VPN connection using Internet Explorer, Internet Explorer may prompt "Do you want to run ... InstallerControll.cab"
Conditions:
BIG-IP APM configured and is accessed by Internet Explorer. This can happen after an upgrade of BIG-IP.
Impact:
The prompt should not occur.
Fix:
Internet Explorer will no longer prompt to run InstallerControll.cab.
570053-1 : HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
Solution Article: K78448635
Component: TMOS
Symptoms:
HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
Conditions:
The issue is seen when all of the following conditions are met:
1. More than one certkeychain is configured in the clientSSL profile.
2. The content of a certkeychain of the clientSSL profile is modified. For example, "modify ltm profile client-ssl a4 cert-key-chain modify { default { cert rsa.crt key rsa.key } }".
3. Config sync is performed in an HA setup.
Impact:
A missing certkeychain in a clientSSL profile can leave it unable to handle some kinds of SSL traffic. For example, if the clientSSL profile originally has an EC key/cert but loses it, it is no longer able to handle SSL connections using EC cipher suites.
Workaround:
Reconfigure the certkeychains, but avoid modifying their content:
1. On any BIG-IP system, leave only the RSA certkeychain in the clientSSL profile, just like the default configuration.
2. Config sync, so that both systems have only the RSA certkeychain.
3. On either BIG-IP system, add certkeychains for the other types (EC or DSA) you need. You can "add" or "delete", but do not "modify" any existing certkeychain.
4. Do config sync, so that both systems have the same certkeychains in the clientSSL profile.
569972-3 : Unable to create gtm topology records using iControl REST
Component: Global Traffic Manager (DNS)
Symptoms:
The user is unable to create gtm topology records using iControl REST.
Conditions:
This occurs when a user issues an iControl REST POST command for a gtm topology record.
Impact:
The iControl REST POST command fails with the following error: 'Topologies must specify both regions: ldns: server:'.
Workaround:
Use TMSH, iControl SOAP, or the GUI to create gtm topology records.
Fix:
You can now create gtm topology records using iControl REST.
Please be sure to format the gtm topology oid string using the following rules:
1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.
For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC".
569958-3 : Upgrade for application security anomalies
Component: Application Visibility and Reporting
Symptoms:
After upgrading to a newer version, old statistics for application security anomalies are not shown.
Conditions:
Upgrade from a BIG-IP version older than 12.1.0 to a newer version.
Impact:
Old statistics for application security anomalies are lost.
Fix:
After upgrading to a newer version, the old statistics for application security anomalies are now shown.
569718-3 : Traffic not sent to default pool after pool selection from rule
Component: Local Traffic Manager
Symptoms:
If you have an iRule configured to match a pattern in the HTTP::uri and send it to a non-default pool, subsequent requests in the HTTP keep-alive session will also be sent to the non-default pool even though they do not match the iRule.
Conditions:
This occurs after upgrading from 11.5.3 HF1 to 11.5.3 HF2.
Impact:
If the pool members are not configured to accept traffic that does not match the URI criteria, the server will not respond properly.
Fix:
Reverted a change that caused subsequent HTTP requests to go to the non-default pool after it was selected in an iRule.
569642-3 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
Component: Local Traffic Manager
Symptoms:
In certain circumstances TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.
Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- Default route to the pool via an intermediate router.
- The active unit is handling traffic.
- Active unit fails over and loses its mirroring connection.
- Prior active unit comes back and HA connection is reestablished.
- During the loss of HA and its recovery the now active unit loses its only route to the pool member.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not remove all routes to pool members. If this is required, create backup routes before deleting them.
Fix:
TMM no longer cores on deleting all routes on a unit with a mirroring fastL4 Virtual during HA connection loss and recovery.
569521-2 : Invalid WideIP name without dots crashes gtmd.
Component: Global Traffic Manager (DNS)
Symptoms:
If a user creates a WideIP or WideIP Alias with a name that does not contain a dot, gtmd crashes.
The symptom is a crash and core dump from gtmd.
Conditions:
This occurs when the following conditions are met:
-- FQDN validation is suppressed by the following setting: gtm global-settings general domain-name-check == 'none'.
-- User attempts to create a WideIP with a name that does not contain a dot.
Impact:
gtmd crashes and WideIPs do not function.
Workaround:
When creating a WideIP or WideIP Alias while FQDN validation has been disabled (by setting gtm global-settings general domain-name-check == 'none'), make sure that the WideIP or WideIP Alias name contains at least one dot, and follows these rules:
-- The name must not end with a dot.
-- The name must not begin with a dot, unless '.' is the entire name.
-- The name contains no consecutive dots.
Fix:
FQDN validation now confirms that a WideIP or WideIP Alias name has at least one dot in an appropriate position and has no consecutive dots, so there is no crash and core dump from gtmd. This validation occurs even when other FQDN validation has been suppressed by setting gtm global-settings general domain-name-check == 'none'.
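The dot rules from the workaround above, written out as a pre-flight check so that planned WideIP and WideIP Alias names can be screened before they are pushed with tmsh while domain-name-check is 'none'. This is an added example, not BIG-IP or tmsh code; the function names and the sample names are constructed here.

```python
"""Pre-flight check for BIG-IP DNS WideIP / WideIP Alias names.

Per ID 569521, with `gtm global-settings general domain-name-check` set to
'none' the system does not validate FQDNs, and a name without a dot crashes
gtmd on affected releases. These helpers apply the dot rules listed in the
workaround so bad names are rejected before they reach the device.
Added example code; not part of BIG-IP or tmsh.
"""

from typing import List, Optional, Tuple

ROOT_NAME = "."  # the one name that may consist of a dot alone


def wideip_name_problem(name: str) -> Optional[str]:
    """Return None if `name` satisfies the workaround's dot rules, otherwise a
    short description of the first rule it violates.

    Rules (from the workaround for ID 569521):
      - the name contains at least one dot;
      - the name does not end with a dot;
      - the name does not begin with a dot, unless '.' is the entire name;
      - the name contains no consecutive dots.
    """
    if name == ROOT_NAME:
        return None  # '.' is the explicit exception in the workaround
    if "." not in name:
        return "no dot in name (this is the input that crashes gtmd)"
    if name.endswith("."):
        return "name ends with a dot"
    if name.startswith("."):
        return "name begins with a dot"
    if ".." in name:
        return "name contains consecutive dots"
    return None


def is_valid_wideip_name(name: str) -> bool:
    """True when the name passes every rule above."""
    return wideip_name_problem(name) is None


def screen_wideip_names(names: List[str]) -> List[Tuple[str, str]]:
    """Return (name, problem) pairs for every name that fails the rules, so a
    whole batch of planned WideIPs can be rejected before any is created."""
    problems: List[Tuple[str, str]] = []
    for candidate in names:
        problem = wideip_name_problem(candidate)
        if problem is not None:
            problems.append((candidate, problem))
    return problems


if __name__ == "__main__":
    # Constructed sample names covering each rule in the workaround.
    planned = [
        "www.example.com",       # valid
        "intranet",              # no dot: the gtmd-crashing case
        "app.example.com.",      # trailing dot
        ".hidden.example.com",   # leading dot
        "a..b.example.com",      # consecutive dots
        ".",                     # permitted: '.' is the entire name
    ]
    for bad_name, why in screen_wideip_names(planned):
        print(f"reject {bad_name!r}: {why}")
```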
569472-3 : TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with sigsegv within lb_why_pmbr_str.
Conditions:
1. Disable a GTM/BIG-IP DNS pool or pool member.
2. pool-member-selection is enabled for load-balancing-decision-log-verbosity.
Impact:
tmm cores.
Workaround:
Disable pool-member-selection for load-balancing-decision-log-verbosity.
Fix:
tmm no longer cores when disabling pool-member-selection for load-balancing-decision-log-verbosity.
569467-2 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
Solution Article: K11772107
569356-5 : BGP ECMP learned routes may use incorrect VLAN for nexthop
Solution Article: K91428939
Component: TMOS
Symptoms:
Border Gateway Protocol (BGP) with Equal Cost Multipath (ECMP) may result in learned routes that use an incorrect nexthop Virtual Local Area Network (VLAN).
As a result of this issue, you may encounter one or more of the following symptoms:
The system may randomly send the traffic using the incorrect nexthop.
Conditions:
-- BIG-IP configuration with two or more VLANs configured with IPv6 global addresses.
-- BGP with ECMP is peered with an active IPv6 BGP neighbor.
-- BGP is configured with max-paths.
Impact:
The traffic randomly gets sent using the incorrect nexthop.
Workaround:
None.
Fix:
Routes learned from the peer now have the correct nexthop VLANs.
569349-3 : Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
Component: Local Traffic Manager
Symptoms:
When the net cos (Class of Service) feature is enabled, the VLAN priority of CMP-redirected packets is not preserved from ingress to egress.
Conditions:
1. The net cos feature is enabled.
2. The packet is CMP-redirected from one tmm to another tmm for processing.
Impact:
Egress packets are not processed according to the ingress VLAN priority by the BIG-IP system and the downstream router. Certain packets will be dropped by the downstream router because of the incorrect VLAN priority marking.
Workaround:
None.
569337-4 : TCP events are logged twice in an HA setup
Component: Advanced Firewall Manager
Symptoms:
TCP log events are logged twice (if enabled in the security log profile) with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).
Conditions:
When there is an HA setup (Active/Standby), or both a client-side and a server-side connection flow.
Impact:
TCP log events are logged twice (duplicate events from active unit and standby unit or from both client side and server side of the connection flow).
Workaround:
N/A
Fix:
TCP log events are no longer logged twice when enabled in the security log profile with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).
569306-5 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
Component: Access Policy Manager
Symptoms:
The user is shown the logon page to connect to the VPN after logging on. Windows logon credentials are not used for the VPN automatically.
Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected
Impact:
The user has to retype their credentials to connect to the VPN.
Workaround:
Enter the credentials again to connect to VPN
Fix:
Now logged on credentials are used automatically to connect to VPN
569288-4 : Different LACP key may be used in different blades in a chassis system causing trunking failures
Component: Local Traffic Manager
Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. As a result, some of the LACP trunk members are unable to aggregate successfully with the peer switch.
Conditions:
This only happens in a chassis-based system when a race condition causes the trunk ID to be modified after initial trunk creation.
Impact:
Non-aggregated trunk members are unable to pass traffic.
Workaround:
Restart lacpd on all the blades in the chassis by running the command "clsh bigstart restart lacpd".
569255-5 : Network Access incorrectly manipulates the routing table when a second adapter is connected if 'Allow Local subnet access' is set to ON
Solution Article: K81130213
Component: Access Policy Manager
Symptoms:
When Network Access is already established and a second network interface is being connected to client system, VPN quickly reconnects, which breaks existing TCP connections. Because reconnect occurs very quickly, it might appear to the user that nothing happened.
Conditions:
-- 'Allow Local subnet access' enabled.
-- A second network interface is connected to the client system.
Impact:
Long-standing TCP connection may break, for example, VPN over Network Access.
Workaround:
Disable 'Allow Local subnet access'.
Fix:
Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.
569236-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
Solution Article: K24331010
Component: TMOS
Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.
Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.
Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.
Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.
Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>
Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.
Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.
568889-5 : Some ZebOS daemons do not start on blade transition secondary to primary.
Solution Article: K22989000
Component: TMOS
Symptoms:
In some specific cases the standby unit's secondary blade ZebOS daemons might not get started when it becomes active.
Conditions:
The failover occurs as a result of the primary blade's mcpd restarting.
Impact:
The new primary blade does not start some ZebOS daemons, resulting in OSPF not working as expected on the standby unit.
Workaround:
Run the following tmsh command on the new active unit: bigstart restart tmrouted.
Fix:
The BIG-IP system now correctly starts ZebOS daemons on the standby unit on a new blade that is starting up as a primary.
568743-2 : TMM core when dnssec queries to dns-express zone exceed nethsm capacity
Component: Local Traffic Manager
Symptoms:
tmm crashes, and in /var/log/ltm you see entries indicating "Signature failed":
err tmm1[16816]: 01010216:3: DNSSEC: Signature failed (signature creation) for RRSET (host0530.f5test.net, 1) with key /Common/myZSK2, generation 1.
Conditions:
This can occur when a dns-express zone generates more responses than the Thales nethsm can sign. The excess requests are queued and tmm can core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when dnssec queries to a dns-express zone exceed nethsm capacity.
568543-2 : Syncookie mode is activated on wildcard virtuals
Component: Local Traffic Manager
Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.
Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.
Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.
Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.
Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (the previous maximum was 4093).
568445-7 : User cannot perform endpoint check or launch VPN from Firefox on Windows 10
Component: Access Policy Manager
Symptoms:
If Firefox is used on Windows 10 to connect to APM, access policy may fail, or system fails to launch VPN.
Conditions:
Firefox is used to connect to APM on Windows 10. The following conditions are exclusive and have different impacts:
1) Access policy requires client side inspection.
2) Attempt to launch VPN from WebTop.
Impact:
1) The access policy fails.
2) The VPN cannot be launched from the WebTop.
Workaround:
None.
Fix:
Users can now perform endpoint checks or launch the VPN from Firefox on Windows 10.
568347-3 : BD Memory corruption
Component: Application Security Manager
Symptoms:
An Enforcer crash occurs and UMU errors may appear in the bd.log file.
Conditions:
N/A
Impact:
Traffic is disrupted while the Enforcer restarts.
Fix:
Fixed a memory corruption issue.
567484-4 : BIND Vulnerability CVE-2015-8705
Solution Article: K86533083
567475-4 : BIND vulnerability CVE-2015-8704
Solution Article: K53445000
567379-2 : libtar vulnerability CVE-2013-4397
Solution Article: K16015326
566908-3 : Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
Solution Article: K54435973
Component: Access Policy Manager
Symptoms:
Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN if proxy.pac is defined in a way that forwards all web traffic over VPN.
Conditions:
proxy.pac, network access, OS X system.
Impact:
Local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over VPN to corporate proxy server.
Workaround:
None.
Fix:
Webserver listening on local Wifi or Ethernet IP can be accessed after VPN even if proxy.pac is defined in a way that forwards all web traffic over VPN to corporate proxy server.
566758-3 : Manual changes to policy imported as XML may introduce corruption for Login Pages
Component: Application Security Manager
Symptoms:
Manual changes to policy imported as XML may introduce corruption for Login Pages. If the expiration period is omitted, the Login Page will be inaccessible.
Conditions:
Expiration period is omitted in hand-crafted XML policy file.
Impact:
The Login Page created as a result is inaccessible in GUI and REST.
Workaround:
Ensure that expiration period exists in XML policy file before import.
Fix:
A policy file, with a missing expiration field, imported as XML is now handled correctly.
566646-2 : Portal Access could respond very slowly for large text files when using IE < 11
Component: Access Policy Manager
Symptoms:
When accessing a large 'text/plain' file from server with Internet Explorer versions 7 through 10 client browsers, Portal Access sometimes holds the response until it fetches and processes the entire file contents. This can take several dozen seconds, or even minutes.
Conditions:
Internet Explorer version 7 through 10 with Portal Access
Impact:
Large text files can't be accessed or downloaded through Portal Access.
Workaround:
An iRule that does either of the following:
a) Preferred: append F5CH=I to the request URI in HTTP_REQUEST for affected requests.
b) Call REWRITE::disable for affected requests.
Fix:
Fixed the issue where Portal Access could try to buffer contents of some large files and respond with significant delay.
566361-2 : RAM Cache Key Collision
Solution Article: K11543589
Component: Local Traffic Manager
Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled.
Conditions:
This occurs when RAM cache is enabled in certain circumstances.
Impact:
Invalid response format, serving the wrong object from cache, and/or a tmm crash with interruption of service.
Workaround:
None.
Fix:
The system now avoids RAM Cache Key collisions, the correct object and response format are delivered from the cache, and tmm no longer cores.
565895-3 : Multiple PCRE Vulnerabilities
Solution Article: K17235
565810-5 : OneConnect profile with an idle or strict limit-type might lead to tmm core.
Solution Article: K93065637
Component: Local Traffic Manager
Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.
Conditions:
OneConnect profile with a limit-type value of idle or strict.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use a limit-type of 'none'.
Fix:
A OneConnect profile using an idle or strict limit-type no longer causes tmm to core when shutting down idle connections.
565534-3 : Some failover configuration items may fail to take effect
Solution Article: K40254066
Component: TMOS
Symptoms:
These symptoms apply to version 12.0.0 and later:
When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.
These symptoms can occur on all versions:
When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.
Conditions:
For version 12.0.0 and later:
Multicast failover is configured and the system loads the configuration from the configuration files. For example during the first boot of a new boot location, or after performing the procedure in K13030: Forcing the mcpd process to reload the BIG-IP configuration https://support.f5.com/csp/article/K13030.
For all versions:
A change is made to the cm device configuration that includes a unicast-address change along with another change.
Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.
Workaround:
Mitigation for v12.0.0 (and later) symptom:
To restore multicast failover, disable and re-enable multicast failover.
To do so, perform the following procedure on the local device.
1. Determine which interface is being used for multicast failover by running the following tmsh command:
list cm device device1 multicast-interface
2. Disable and re-enable multicast failover by running the following tmsh commands:
modify cm device device1 { multicast-interface none }
modify cm device device1 { multicast-interface eth0 }
Mitigation for the all-versions symptom:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.
Fix:
With the fix, sod now sends multicast failover (FO) heartbeat datagrams under the same condition.
565409-3 : Invalid MSS with HW syncookies and flow forwarding
Component: Local Traffic Manager
Symptoms:
A packet may have an MSS set to 65536 when using HW syncookies and flow forwarding.
Conditions:
The conditions which cause this are not fully known.
Impact:
TMM core or reboot.
Workaround:
Disable HW syncookies or TSO.
565231-1 : Importing a previously exported policy which had two object names may fail
Component: Access Policy Manager
Symptoms:
If an exported access policy includes two object names of the form profile_name-aaa and aaa, importing that policy may fail or produce an incorrect result.
Conditions:
For example:
access policy name "test"
access policy item name "test-empty"
access policy item name "empty"
Another example:
access policy name "test"
access policy item name "test-empty"
macro name "empty"
Impact:
This is a rare case, but the import of such a policy may fail.
Workaround:
Rename one of the objects in the bigip.conf file to avoid such a naming pattern.
Fix:
Objects are now exported correctly without error.
565169-1 : Multiple Java Vulnerabilities
Solution Article: K48802597
565167-3 : Additional garbage data being logged on user name and domain name for NTLM authentication
Component: Access Policy Manager
Symptoms:
ECA logs an error message in this format:
Could not verify user (<Domain Name>\<User Name>) credential (<Reason>)
Example:
Could not verify user (mv4\test1) credential (STATUS_NO_LOGON_SERVERS)
However, due to missing NUL termination, the user name and domain name may include garbage data, as in the following example:
Could not verify user (mv413abfee\test1ewq12dsasd) credential (STATUS_NO_LOGON_SERVERS)
Conditions:
NTLM front-end authentication could not send the user's credential for verification (for example, the Active Directory server is down).
Impact:
BIG-IP could not send the verification to the Active Directory server for any reason, such as the Active Directory server being down, or incorrect machine account information between BIG-IP and the Active Directory server.
Workaround:
None.
Fix:
The message is now logged with the correct domain name and user name.
565085-4 : Analytics profile allows invalid combination of entities for Alerts setup
Component: Application Visibility and Reporting
Symptoms:
When non-cumulative metrics are selected for an alert on a dimension other than Virtual Server, errors appear in the log.
Conditions:
Analytics is in use, and non-cumulative metrics such as the following are used on a time dimension:
- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput
Impact:
You are able to configure invalid alerts with no warning; the metric does not work and generates errors in the /var/log/monpd.log file.
Workaround:
None needed. This is cosmetic.
Fix:
Invalid combinations of entities for alert setup are no longer allowed. Validation is present on both the UI side and the backend.
565056-5 : Fail to update VPN correctly for non-admin user.
Solution Article: K87617654
Component: Access Policy Manager
Symptoms:
The VPN is not updated correctly for non-admin users.
Conditions:
Steps to Reproduce:
1. In BIG-IP 12.0, create an access policy containing Firewall Check, Machine Info, Machine Cert Auth, Cache and Session Control, Protected Workspace, and VPN Resources with Optimized Applications.
2. Log in with a user without admin privileges.
3. Run Firefox.
4. Log in to the virtual server and install the components.
5. Click the Network Access resource on the webtop to start the VPN tunnel. The user is asked for an admin password, and the VPN is successfully installed and established.
6. Close Firefox and exit the Protected Workspace.
Impact:
The VPN is not updated. The user is not asked to enter admin credentials, and an error is given: "Error downloading required files (-1)"
Workaround:
None.
Fix:
The VPN is now updated as expected for non-admin users.
564521-2 : JavaScript passed to ExternalInterface.call() may be erroneously unescaped
Component: Access Policy Manager
Symptoms:
JavaScript passed to ExternalInterface.call() may be erroneously unescaped.
Conditions:
Adobe ActionScript 3.0, version 24 or earlier.
Impact:
The Adobe Flash application may crash.
Workaround:
None.
Fix:
Completely fixed.
564496-2 : Applying APM Add-on License Does Not Change Effective License Limit
Component: Access Policy Manager
Symptoms:
When an add-on license is applied on the active node, the effective license limit is not updated, even though telnet output shows that it is.
Conditions:
1. Set up a high availability (HA) configuration with a base APM license.
2. Apply an APM add-on license to increase Access and CCU license limits.
Impact:
The actual number of sessions that can be established remains unchanged after adding an add-on license.
Workaround:
To make the add-on license effective, run the following command:
bigstart restart tmm
For systems running v11.5.3, v11.5.4, and v11.6.0, use the following workaround:
- Take one unit Offline.
- Remove the HA configuration.
- Reactivate license on the offline unit.
- Take a peer unit Offline.
- Release the first unit from Offline.
- Reactivate license on the peer unit.
- Rebuild HA configuration.
- Release the peer unit from Offline.
Fix:
Applying APM add-on license now increases Access and CCU license limits, as expected.
564482-3 : Kerberos SSO does not support AES256 encryption
Component: Access Policy Manager
Symptoms:
If the delegation account is enforced to use AES256 encryption, then APM Kerberos SSO will fail. Example error message: Dec 18 19:22:19 bigip8910mgmt err websso.7[31499]: 014d0005:3: Kerberos: can't decrypt S4U2Self ticket for user 'username' - Decrypt integrity check failed (-1765328353).
Conditions:
Delegation account is enforced to use AES256 encryption.
Impact:
Kerberos SSO fails, and the user is prompted to enter credentials.
Workaround:
Disable the option to enforce AES256 encryption for the delegation account.
Fix:
The delegation account can be enforced to use AES256 encryption, provided the delegation account is configured in SPN format in the Kerberos SSO configuration.
564427-1 : Use of iControl call get_certificate_list_v2() causes a memory leak.
Component: TMOS
Symptoms:
Use of iControl call get_certificate_list_v2() causes a memory leak.
Conditions:
This occurs when using the Management::KeyCertificate::get_certificate_list_v2 method in iControl.
Impact:
Memory leak.
Workaround:
Restarting httpd reduces memory use, but it must be restarted periodically to clear the leaked memory.
Fix:
Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.
564262-3 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
Solution Article: K21518043
Component: Access Policy Manager
Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.
Conditions:
- DNS names cannot be resolved on the client system.
- The PAC file used to determine the proxy server uses a JavaScript DNS resolution function.
Impact:
Tunnel server crashes and user cannot establish VPN.
Workaround:
Enable DNS resolution on the client, or do not use DNS resolution JavaScript functions in the PAC file.
Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.
564253-6 : Firefox signed plugin for VPN, Endpoint Check, etc
Component: Access Policy Manager
Symptoms:
Firefox v44.0 and later does not allow loading of Netscape Plugin Application Programming Interface (NPAPI) plugins that are not signed by Firefox.
Conditions:
Using APM with Firefox v44.0 and later.
Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.
Workaround:
- Use Firefox v43.0 and earlier on all platforms.
- Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.
Fix:
Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.
564111-2 : Multiple PCRE vulnerabilities
Solution Article: K05428062
563905 : vCMP guest fails to go Active after the host system is rebooted
Solution Article: K62975642
Component: TMOS
Symptoms:
A vCMP guest fails to go Active after the host system is rebooted. When this occurs, the system posts the following message: confpp[9184]: rollback FAILED for 'unix_config_syslog'
Conditions:
The host of a vCMP guest is rebooted.
Impact:
The guest will not become active.
Workaround:
None.
Fix:
The vCMP guest now correctly goes Active after the host system is rebooted.
563670-5 : OpenSSL vulnerabilities
Solution Article: K86772626
563591-3 : reference to freed loop_nexthop may cause tmm crash.
Component: Local Traffic Manager
Symptoms:
tmm may crash intermittently when there is CMP-directed VIP (virtual IP) to VIP traffic.
Conditions:
CMP-directed VIP-to-VIP traffic exists.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
tmm no longer crashes under this condition.
563475-1 : ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
Solution Article: K00301400
Component: TMOS
Symptoms:
ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. If dynamic offloading is enabled in the fastl4 profile, flows that collide in the ePVA will ping/pong in and out of the ePVA due to immediate eviction and re-offloading. Flows that are evicted due to collisions are reported in the epva_flowstat stats, tot.hash_evict.
Conditions:
A fastl4 profile with PVA Offload Dynamic enabled and two flows that result in a hash collision, resulting in an evicted flow.
Impact:
Flows that collide will be re-offloaded, evicted, and then re-offloaded again within a short time span. It is unknown if there is a direct impact, but in some cases a delay in processing packets on a connection may occur.
Workaround:
Disable PVA Offload Dynamic in the fastl4 profile. Another option would be to disable PVA Flow Evict in the fastl4 profile.
Fix:
The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.
563443-3 : WebSSO plugin core dumps under very rare conditions.
Component: Access Policy Manager
Symptoms:
WebSSO plugin core dumps under very rare conditions.
Conditions:
This occurs rarely when the WebSSO plugin is enabled.
Impact:
WebSSO plugin core dumps.
Workaround:
None.
Fix:
This release fixes a rare core dump related to the Websso plugin.
563419-3 : IPv6 packets containing extended trailer are dropped
Component: Local Traffic Manager
Symptoms:
Some IPv6 packets are dropped.
Conditions:
An IPv6 packet contains trailing bytes after the payload.
Impact:
Packet loss.
Fix:
IPv6 packets that exceed the size given in the 'Payload Length' header are now trimmed to that size and processed instead of being dropped.
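The following is an added illustration of the trimming behaviour this fix describes; it is not BIG-IP code and models only the fixed IPv6 header. The receiver reads the 16-bit Payload Length field, treats any bytes beyond header + Payload Length as a trailer to discard, and still rejects a packet that is shorter than its header claims (a truncated packet is a different case from a padded one). The sample packet and the 6-byte trailer are constructed for the demo; the addresses are documentation-prefix placeholders.

```python
import struct
import ipaddress

IPV6_HEADER_LEN = 40  # fixed IPv6 header size in bytes


def build_ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv6 packet (fixed header + payload) for the demo."""
    header = struct.pack(
        "!IHBB16s16s",
        0x60000000,                          # version 6, traffic class 0, flow label 0
        len(payload),                        # Payload Length
        next_header,                         # Next Header
        64,                                  # Hop Limit
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )
    return header + payload


def ipv6_payload_length(frame: bytes) -> int:
    """Read the Payload Length field after validating the fixed header."""
    if len(frame) < IPV6_HEADER_LEN:
        raise ValueError("frame shorter than the IPv6 fixed header")
    if frame[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return struct.unpack("!H", frame[4:6])[0]


def ipv6_trailer_length(frame: bytes) -> int:
    """Bytes present after the declared payload (0 if none).
    A frame shorter than the declared length is truncated and is rejected."""
    declared = IPV6_HEADER_LEN + ipv6_payload_length(frame)
    if len(frame) < declared:
        raise ValueError(
            f"truncated packet: header declares {declared - IPV6_HEADER_LEN} payload bytes, "
            f"only {len(frame) - IPV6_HEADER_LEN} present"
        )
    return len(frame) - declared


def ipv6_trim_trailer(frame: bytes) -> bytes:
    """Return the packet cut to header + Payload Length, discarding any trailer."""
    return frame[: len(frame) - ipv6_trailer_length(frame)]


def classify_ipv6_frame(frame: bytes) -> str:
    """'exact', 'trailer' or 'invalid': the three cases a receiver must tell apart."""
    try:
        extra = ipv6_trailer_length(frame)
    except ValueError:
        return "invalid"
    return "trailer" if extra else "exact"


# Constructed sample: a 4-byte payload with Next Header 59 (No Next Header),
# followed by 6 bytes of padding such as a link-layer driver might leave attached.
SAMPLE_PACKET = build_ipv6_packet("2001:db8::1", "2001:db8::2", 59, b"\xde\xad\xbe\xef")
SAMPLE_WITH_TRAILER = SAMPLE_PACKET + b"\x00" * 6

if __name__ == "__main__":
    print("trailer bytes:", ipv6_trailer_length(SAMPLE_WITH_TRAILER))
    print("trimmed == original:", ipv6_trim_trailer(SAMPLE_WITH_TRAILER) == SAMPLE_PACKET)
```

The distinction between a trailer and a truncation matters: trimming to Payload Length is safe because the upper-layer checksum covers exactly the declared payload, whereas a frame shorter than declared must still be dropped.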
563349-2 : On MAC, Network Access proxy settings are not applied to tun adapter after VPN is established
Component: Access Policy Manager
Symptoms:
In some cases, the user may not be able to browse to external or internal websites, because the proxy settings are not used.
Conditions:
- The user's machine has local proxy settings configured.
- Network Access settings specify a proxy configuration.
Impact:
The user may not be able to browse some sites, or the connection does not take the proxy settings into account.
Workaround:
None.
563227-4 : When a pool member goes down, persistence entries may vary among tmms
Solution Article: K31104342
Component: Local Traffic Manager
Symptoms:
When a pool member goes down, persistence entries may vary among tmms. The result will be that rather than persisting to a single pool member, the new connections may arrive on different pool members based on the number of tmms on the BIG-IP platform in use.
Conditions:
Using persistence with some connections persisted to a pool member that goes down, either administratively or due to a monitor. During this time, the client is issuing several new connections to the BIG-IP system.
Impact:
Inconsistent persistence entries.
Workaround:
None.
Fix:
The race conditions that involved dropping an offline pool member have been resolved.
563154-3 : Multiple Linux Kernel vulnerabilities
Solution Article: K31026324 K94105604 K90230486
563135-2 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
Component: Access Policy Manager
Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.
Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request
Impact:
The first request after authentication will fail.
Workaround:
If the user refreshes the browser request, subsequent requests work as expected.
563064-5 : Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
Component: TMOS
Symptoms:
Cipher memory initialized when an IPsec tunnel is created is not cleaned up when the IPsec tunnel is removed.
Conditions:
Each time an IPsec tunnel is established and then removed, the allocated cipher memory is left in the system.
Impact:
TMM memory leaks slowly.
Fix:
Cipher memory is now freed when an IPsec tunnel is removed.
562959-3 : In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.
Component: TMOS
Symptoms:
In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.
Conditions:
This occurs when there is an issue processing a packet going through the IPsec tunnel.
Impact:
tmm restarts without a core due to an internal connection timeout.
Workaround:
None.
Fix:
IPsec now only sends packets intended for IPsec over the tunnel.
562921-2 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP systems use the iQuery protocol to communicate securely with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered insecure.
Conditions:
The value is hardcoded into the product.
Note: This is completely independent of the TMM profiles or the httpd cipher values.
Impact:
There is no way to configure this; the value is hardcoded. Scanners run against your configuration report this as an insecure cipher.
Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.
Fix:
The cipher list in use is now:
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"
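Because the iQuery cipher string is hardcoded, the practical check on the operator's side is to confirm what that string actually selects. The following is an added example (not F5 code) that expands the cipher string quoted above with the local OpenSSL, via Python's ssl module, and reports any suite a scanner would flag; the weak-suite markers and the audit function are this example's own construction, and the expanded suite list depends on the OpenSSL build it runs against.

```python
import ssl

# Cipher string quoted in the fix above (page value, not an assumption).
IQUERY_CIPHER_LIST = "AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"

# Substrings that identify suites scanners flag. "DES" matches both single DES
# and 3DES (OpenSSL names 3DES suites DES-CBC3-*); "AES" does not contain "DES".
WEAK_MARKERS = ("DES", "RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")


def expand_cipher_list(cipher_string: str) -> list:
    """Ask the local OpenSSL which TLS 1.2-and-earlier suites a cipher string selects.
    TLS 1.3 suites are fixed and not governed by this string, so they are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def weak_suites(names) -> list:
    """Suites whose name carries one of the weak-algorithm markers."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def audit_cipher_list(cipher_string: str) -> dict:
    """Summarise a cipher string: the suites it selects, the weak ones, and any
    AES-128 suites (the page's list excludes AES128 explicitly)."""
    names = expand_cipher_list(cipher_string)
    return {
        "suites": names,
        "weak": weak_suites(names),
        "aes128": [n for n in names if "AES128" in n],
    }


if __name__ == "__main__":
    report = audit_cipher_list(IQUERY_CIPHER_LIST)
    print("selected suites:", ", ".join(report["suites"]))
    print("weak suites:", report["weak"] or "none")
    print("AES-128 suites:", report["aes128"] or "none")
```

Run the same audit against a string that includes 3DES (for instance one ending in ":3DES") on a build that still ships those suites, and the "weak" list is where DES-CBC3-SHA shows up; that is the comparison a scanner finding against the older, hardcoded list corresponds to.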
562919-1 : TMM cores in renew lease timer handler
Component: Access Policy Manager
Symptoms:
TMM generates core.
Conditions:
All three of the following conditions have to be met for this to trigger:
1) Both IPv4 and IPv6 network access connections have to be enabled for the same network access resource.
2) The IPv4 address has to be statically assigned.
3) The IPv6 address has to be dynamically assigned from the lease pool.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Workaround 1) Use an IPv4-only network access connection.
Workaround 2) While using both IPv4 and IPv6 network access connections, assign both IPv4 and IPv6 endpoint addresses from the IPv4 and IPv6 lease pools respectively.
Workaround 3) While using both IPv4 and IPv6 network access connections, assign both IPv4 and IPv6 endpoint addresses statically.
Fix:
TMM no longer cores in the renew lease timer handler.
562775-3 : Memory leak in iprepd
Component: Application Security Manager
Symptoms:
The IP reputation daemon (iprepd) has a small leak of around 8 to 16 bytes every 5 minutes.
Conditions:
This occurs when the BIG-IP box is licensed with IPI Subscription, and iprepd is running.
Impact:
Memory use increases slowly until the kernel out-of-memory killer terminates the iprepd process.
Workaround:
None.
Fix:
This release fixes a memory leak in the IP reputation daemon (iprepd).
562566-3 : Mirrored persistence entries retained after expiration
Solution Article: K39483533
Component: Local Traffic Manager
Symptoms:
Prior to expiration, the age of persistence entries is reset to 0, so the persistence entries are retained forever.
Conditions:
-- Persistence is configured.
-- A mirroring IP address is configured.
Impact:
Retention of persistence entries leads to eventual low memory conditions, performance degradation, and traffic outage or restarting of some daemons.
Workaround:
Although no reasonable workaround exists, you can clear the persistence table to reclaim the leaked memory.
Fix:
Persistence entries are no longer retained beyond their expiration.
562427 : Trust domain changes do not persist on reboot.
Component: TMOS
Symptoms:
Some earlier releases saved only the internal binary database for trust domain changes (generally, changes to device group objects and device objects), rather than saving the text-based authoritative configuration in '/config/bigip*.conf'.
Conditions:
This occurs when making changes to devices via the Device Management UI.
Impact:
Device Group configuration may not be correct after a reboot.
Workaround:
Explicitly run a command to save the configuration before rebooting devices.
Fix:
Trust domain changes now persist across reboots.
562044-1 : Statistics slow_merge option does not work
Component: TMOS
Symptoms:
When the statistics DB variable 'merged.method' is set to 'slow_merge', the merging of statistics stops working, so statistics no longer appear to be updated.
Conditions:
The DB variable 'merged.method' is set to 'slow_merge'.
Impact:
Statistics no longer appear to be updated.
Workaround:
1) Set "merged.method" to "fast_merge", which is the default.
-or-
2) Create the /var/tmstat/cluster directory using mkdir. Note that the directory must be created on every blade in a chassis. Additionally, this directory must be re-created after every reboot, so a command such as "/bin/mkdir /var/tmstat/cluster" should be added to "/config/startup".
Fix:
Statistics are now updated as expected when the statistics DB variable option 'merged.method' is set to 'slow_merge'.
561814-4 : TMM Core on Multi-Blade Chassis
Component: TMOS
Symptoms:
TMM core.
Conditions:
On a multi-blade chassis with WAM caching in use, where the datastor daemon is stopped and restarted while traffic is being cached by datastor.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The software defect has been found and fixed.
561798-3 : Windows edge client may show scripting error on certain 3rd party authentication sites
Component: Access Policy Manager
Symptoms:
The user sees a JavaScript error on third-party IdP sites.
Conditions:
The Windows Edge client is used.
The access policy requires the user to authenticate on a third-party site.
Impact:
Usability of the Edge Client is impaired.
Fix:
The Edge Client now runs its embedded browser in Internet Explorer 10 emulation mode, which supports modern JavaScript.
561539-1 : [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.★
Component: Global Traffic Manager (DNS)
Symptoms:
When upgrading from 10.x to 11.x, the Wide IP pool member ratio value is changed from 0 to 1.
Conditions:
1. Upgrade from v10.x to v11.x through 12.0.0.
2. Have a Wide IP pool member ratio set to 0.
Impact:
Wide IP pool member ratio is changed to 1 (the default) from 0 after upgrading, potentially enabling selection of members that had been "disabled" with a ratio of 0.
Workaround:
Manually change the ratio back to 0 after the upgrade.
561433-6 : TMM Packets can be dropped indiscriminately while under DoS attack
Component: Advanced Firewall Manager
Symptoms:
When a loaded tmm cannot consume packets fast enough, packets might be dropped while AFM DoS flood mitigation is taking place.
Conditions:
-- Loaded tmm that cannot consume packets fast enough.
-- AFM DoS flood mitigation is taking place.
Impact:
Packets are dropped indiscriminately.
Workaround:
None.
Fix:
There is now a sys db tunable (sys db dos.scrubtime) that can be set to drop DoS attack packets in hardware more aggressively. This prevents non-attack packets from being dropped indiscriminately.
561348-2 : krb5.conf file is not synchronized between blades and not backed up
Component: Access Policy Manager
Symptoms:
The krb5.conf file is not in sync across all blades. This may cause a feature (Kerberos SSO / Kerberos Auth) to not work as expected.
Conditions:
When an administrator makes changes to the krb5.conf file manually, the configuration file is not synchronized to all blades, or is lost upon upgrade.
Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.
Workaround:
None.
Fix:
The APM code now automatically synchronizes changes to the /etc/krb5.conf file to all devices in the failover device group. Any change made to this file on either the active or the standby device is automatically synced to the other device.
On a chassis, all secondary blades mirror the file on the primary blade. Any manual change made on a secondary blade is lost. The administrator must make changes on the primary blade only; they are then synchronized to all other blades.
Behavior Change:
When an administrator modifies the /etc/krb5.conf file, the changes are automatically updated on the other devices in the same failover device group.
When an administrator modifies the /etc/krb5.conf file on the primary blade of a chassis, the changes are automatically updated on all secondary blades.
560975-1 : iControl can remove hardware SSL keys while in use
Component: TMOS
Symptoms:
When deleting SSL keys via iControl, it is possible to delete keys from the Hardware Security Module even while they are configured in an active profile.
Conditions:
Using iControl to delete an SSL key installed in hardware.
Impact:
The key is removed from the HSM and must be reloaded.
Workaround:
Verify that keys are not in use before using iControl to delete them.
560948-3 : OpenSSL vulnerability CVE-2015-3195
Solution Article: K12824341
560910-3 : OpenSSL Vulnerability fix
Solution Article: K86772626
560748 : BIG-IQ discovery fails
Component: Application Security Manager
Symptoms:
After updating attack signatures, a signature system called "IBM WebSphere" may be created that does not contain a REST ID, and BIG-IQ fails discovery.
If you look at the REST output for this item at https://bigip_address/mgmt/tm/asm/signature-systems/ and look for "IBM WebSphere", you will see that the id field is empty.
Conditions:
This can occur when updating attack signatures, and when using BIG-IQ discovery.
Impact:
BIG-IQ discovery fails.
Workaround:
On the affected device run the following:
perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::SignatureSystem -e "F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh(), rest_entities => ['F5::ASMConfig::Entity::SignatureSystem'])"
Fix:
Fixed an issue with attack signature updates causing BIG-IQ discovery to fail.
560510-4 : Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down.
Component: TMOS
Symptoms:
When MCPD is not in the running state, dhclient writes domain-name-server information directly into /etc/resolv.conf. If multiple domain-name-servers are given by the DHCP server, they are written in an incorrect format: all servers on a single line, comma-separated. Each domain-name-server entry should be written on its own line with the "nameserver" prefix.
Conditions:
- MCPD is not in the running state.
- DHCP is enabled.
- DHCP server has provided multiple domain-name-server entries in the lease.
Impact:
Domain name resolution does not work.
Workaround:
Bring up MCPD, which writes resolv.conf in the correct format. Alternatively, manually edit /etc/resolv.conf so that each nameserver entry is on its own line.
Fix:
DHCP now writes a single nameserver per line in /etc/resolv.conf when multiple nameservers are configured in DHCP.
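The resolver's expectation is one "nameserver" directive per line, each holding exactly one address. The following is an added example (not dhclient or BIG-IP code) that shows both halves of that contract: rendering a DHCP domain-name-servers option value into correctly formed resolv.conf text, and a check that finds the comma-separated lines this issue produces, which is what to run when resolution stops after a DHCP lease. The broken file contents are constructed for the demo.

```python
import ipaddress
from typing import Iterable, List


def parse_dhcp_nameservers(option_value: str) -> List[str]:
    """Split a DHCP domain-name-servers option value such as "10.0.0.1, 10.0.0.2"
    into validated IP address strings. Anything that is not an address raises
    ValueError instead of being copied into resolv.conf."""
    servers = []
    for token in option_value.split(","):
        token = token.strip()
        if token:
            servers.append(str(ipaddress.ip_address(token)))
    return servers


def render_resolv_conf(nameservers: Iterable[str], search_domains: Iterable[str] = ()) -> str:
    """Emit resolv.conf text with one 'nameserver' directive per line."""
    lines = []
    search = list(search_domains)
    if search:
        lines.append("search " + " ".join(search))
    for ns in nameservers:
        lines.append(f"nameserver {ipaddress.ip_address(ns)}")
    return "\n".join(lines) + "\n"


def malformed_nameserver_lines(resolv_text: str) -> List[str]:
    """Return every 'nameserver' line whose value is not exactly one IP address."""
    bad = []
    for line in resolv_text.splitlines():
        if not line.startswith("nameserver"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) == 2 else ""
        try:
            ipaddress.ip_address(value)
        except ValueError:
            bad.append(line)
    return bad


# Constructed sample of the broken file the issue describes.
BROKEN_RESOLV_CONF = "search example.test\nnameserver 10.0.0.1, 10.0.0.2\n"

if __name__ == "__main__":
    print("malformed lines:", malformed_nameserver_lines(BROKEN_RESOLV_CONF))
    fixed = render_resolv_conf(parse_dhcp_nameservers("10.0.0.1, 10.0.0.2"), ["example.test"])
    print(fixed, end="")
```

Validating each token as an address before writing it is deliberate: a DHCP server is an untrusted input to the resolver configuration, and the writer should never copy arbitrary text into a file that libc parses.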
560405-5 : Optional target IP address and port in the 'virtual' iRule API is not supported.
Component: Local Traffic Manager
Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to another virtual server (or remote endpoint). Such an operation is also known as 'vip-to-vip' forwarding. The available iRule API (specifically, the 'virtual' command) does not currently support this functionality.
Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.
Impact:
Cannot implement HTTP Forward Proxy plus Transparent redirection to Web-Cache Pool.
Workaround:
None.
Behavior Change:
The 'virtual' iRule API has been changed to support a secondary target IP address and port to redirect the connection to, from a given virtual server. The new signature of the 'virtual' iRule API is:
virtual [<name>] [<ipaddr> [<port>]]
where:
-- <name> = the name of the virtual server to redirect the connection from.
-- <ipaddr> = the target IP address of the remote endpoint to route the connection to, through the specified virtual server; <ipaddr> can also have a route-domain (%).
-- <port> = the port of the remote endpoint to route the connection to, through the specified virtual server.
560180-3 : BIND Vulnerability CVE-2015-8000
Solution Article: K34250741
560114-2 : Monpd is being affected by an I/O issue which makes some of its threads freeze
Component: Application Visibility and Reporting
Symptoms:
When monpd is restarted, it starts printing non-stop error messages to the logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature: err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T
Conditions:
A system I/O issue (possibly caused by /var/log being full).
Impact:
AVR statistics are lost.
monpd threads cannot load new data, and monpd prints non-stop error messages to the logs.
Workaround:
Run the following:
find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd
560109-4 : Client capabilities failure
Solution Article: K19430431
559980 : Change console baud rate requires reboot to take effect
Component: TMOS
Symptoms:
When you change the console baud rate, you will see garbage characters.
Conditions:
When you modify the console baud rate.
Impact:
The console display has garbage characters.
Workaround:
Reboot the system.
Fix:
Console baud rate change now works.
559975-4 : Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
Component: Global Traffic Manager (DNS)
Symptoms:
HTTP basic authentication uses a base64 encoded string. When an HTTP monitor username or password is changed, the b64 string is regenerated and may become malformed.
Conditions:
When an HTTP monitor username or password is changed (e.g., shortened), the HTTP basic auth string may be mangled.
Impact:
An HTTP monitor may show its resource as unavailable after changing the username or password.
Workaround:
Restart big3d, or delete then recreate the monitor instead of modifying the existing monitor.
Fix:
HTTP monitors will now correctly handle a username or password change.
559973-5 : Nitrox can hang on RSA verification
Component: Local Traffic Manager
Symptoms:
With certain signatures, RSA verification can hang the Nitrox crypto accelerator chip. Errors in the ltm log show crit tmm[11041]: 01010260:2: Hardware Error(Co-Processor): n3-crypto2 request queue stuck
Conditions:
RSA verification with certain signatures.
Impact:
Nitrox crypto accelerator can hang.
Fix:
The Nitrox crypto accelerator will no longer hang when performing RSA verification.
559953-3 : tmm core on long DIAMETER::host value
Component: Service Provider
Symptoms:
tmm crashes and restarts when an iRule is accessed that contains a large DIAMETER::host value.
Conditions:
This occurs with a DIAMETER::host iRule parameter set to a very large value (2000 characters).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Limit the length of the DIAMETER::host parameter to less than 1000 characters.
Fix:
BIG-IP now limits the DIAMETER::host parameter to 1000 characters.
559939-3 : Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
Solution Article: K30040319
Component: TMOS
Symptoms:
If the UI System::Platform screen is used to change the hostname on a Standalone VIPRION, the non-primary blades in the chassis may temporarily report an offline state.
Conditions:
This affects only multi-blade chassis systems in Standalone mode.
Impact:
If the system is hosting vCMP guests, it may cause unexpected failovers, and interruption of traffic.
Workaround:
To change the hostname on the VIPRION, use the tmsh command:
'modify sys global-settings hostname new-host-name'.
Fix:
Changing hostname on Standalone VIPRION no longer causes the non-primary blade to go RED / HA TABLE offline.
559541-3 : ICAP anti-virus tests are not initiated on XML with sensitive data when they should be
Component: Application Security Manager
Symptoms:
ICAP anti virus tests are not performed on XML with sensitive data.
Conditions:
ICAP and an XML profile are configured on the policy, with ICAP configured to inspect the XML.
The XML has sensitive data configured.
The XML request contained sensitive data.
The expectation was that XML with sensitive data would initiate ICAP tests.
Impact:
Virus tests will not be enabled on this request if the only reason for testing the ICAP was the existence of the sensitive XML data.
Fix:
ICAP tests are performed on XML with sensitive data.
559138-4 : Linux CLI VPN client fails to establish VPN connection on Ubuntu
Component: Access Policy Manager
Symptoms:
Linux client is unable to establish a VPN connection. An error is displayed which says that server certificate verification has failed.
Conditions:
CLI client used on Ubuntu to establish VPN connection.
Impact:
User cannot connect to VPN
Workaround:
Use web client.
Fix:
Fixed bug in certificate verification code.
559055 : Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"
Component: Application Security Manager
Symptoms:
Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".
Conditions:
Learn New Parameters is set to "Add All Entities".
Impact:
Staging on wildcard parameter "*" remains unchanged.
Workaround:
Disable staging on wildcard parameter "*" manually.
Fix:
Staging is now disabled correctly on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".
559034-3 : Mcpd core dump in the sync secondary during config sync
Component: TMOS
Symptoms:
mcpd will crash if certain files are missing from the file store during sync operations.
Conditions:
This can happen when files associated with file objects are removed from the file store. Users are not permitted to directly modify the contents of the file store.
Impact:
mcpd will crash
Workaround:
Users are not permitted to directly modify the contents of the file store. Use tmsh or the Configuration Utility to manage BIG-IP objects such as certificates.
Fix:
Mcpd will no longer crash during a config sync if a file store object is missing.
558946-3 : TMM may core when APM is provisioned and access profile is attached to the virtual
Component: Access Policy Manager
Symptoms:
TMM may core when APM is provisioned and access profile is attached to the virtual.
Conditions:
This crash is most likely to occur when more than one ABORT event is sent to a connection on a virtual server with an attached access profile.
Impact:
Traffic disrupted while tmm restarts.
Fix:
An APM virtual server that receives multiple ABORT events on a connection no longer causes TMM to crash and restart.
558870-4 : Protected workspace does not work correctly with third party products
Solution Article: K12012384
Component: Access Policy Manager
Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on user's machines.
2) Microsoft OneDrive does not work correctly inside protected workspace.
Conditions:
Norton Internet Security 22.x is installed on user's desktop.
Protected workspace is used.
Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace.
Files cannot be synced to OneDrive.
Workaround:
There is no workaround.
Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.
558859 : Control insertion to log_session_details table by Access policy logging level.
Component: Access Policy Manager
Symptoms:
Session records are always written to log_session_details table upon new session creation, regardless of access log level.
Conditions:
New sessions are created.
Impact:
CPU is hogged when a large number of sessions are created within a short time period.
Fix:
Control insertion to log_session_details table by Access policy logging level.
558858-1 : Unexpected loss of communication between slots of a vCMP Guest
Solution Article: K80079953
Component: TMOS
Symptoms:
1. Within the vCMP guest, the affected slot shows the other slot(s) to be offline. When logged into any other "offline" slot, the slot shows itself to be online.
2. Within the vCMP guest, on the affected slot, the log files (such as /var/log/ltm) have stopped recording log entries from the other slot(s).
3. Within the vCMP guest, on the affected slot, the eth1 interface shows TX increasing but RX not increasing. The eth1 interface on other slots shows both TX and RX increasing.
Conditions:
Only affects vCMP guests with 2 or more slots on VIPRION C2000-series chassis.
Impact:
The number of working slots in a vCMP guest is reduced to 1 slot. The effect on traffic may range from none to severe.
Workaround:
Within the vCMP guest, login to the command line (vconsole or SSH) of the affected slot and run the following:
ifconfig eth1 down ; ifconfig eth1 up
Alternatively, from the hypervisor, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.
Fix:
This release no longer exhibits loss of communication between slots of a vCMP Guest.
558779-5 : SNMP dot3 stats occasionally unavailable
Component: TMOS
Symptoms:
SNMP would not provide values for some dot3 stats.
Conditions:
Always, under affected versions.
Impact:
SNMP would not provide values for some dot3 stats.
This has no impact on actual traffic.
Workaround:
None
Fix:
The dot3 stats are now available.
558631-6 : APM Network Access VPN feature may leak memory
Solution Article: K81306414
Component: Access Policy Manager
Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.
Conditions:
-- APM Network Access feature is configured.
-- VPN connections are being established.
Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.
Workaround:
No workaround short of not using the APM Network Access feature.
Fix:
The APM Network Access VPN feature no longer leaks memory.
558612-3 : System may fail when syncookie mode is activated
Component: Local Traffic Manager
Symptoms:
TMM may core when syncookie mode has been activated when under extreme memory pressure.
Conditions:
L7 VIP with certain TCP profile attributes enabled.
Syncookies have been activated.
System under memory pressure due to heavy load.
Impact:
tmm may core.
Workaround:
Use the default TCP profile for all L7 VIPs.
Fix:
The BIG-IP will not encounter a system failure when syncookie mode has been activated.
558602-2 : Active mode FTP data channel issue when using lasthop pool
Component: Local Traffic Manager
Symptoms:
The data channel for active mode FTP may fail.
Conditions:
Active mode FTP through a virtual with ftp profile with port set to zero and configured to use a lasthop pool.
Impact:
Active mode FTP does not work.
Workaround:
Use auto-lasthop instead of lasthop pool.
Use passive mode FTP.
Fix:
Active mode FTP now works correctly.
558573-3 : MCPD restart on secondary blade after updating Pool via GUI
Solution Article: K65352421
Component: TMOS
Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster.
When this occurs, errors similar to the following are logged on the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.
Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.
Impact:
Daemon restarts, disruption of traffic passing on secondary blades.
Workaround:
Perform pool updates via the tmsh command-line utility.
Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.
557783-3 : TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
Solution Article: K14147369
Component: Local Traffic Manager
Symptoms:
TMM might use a link-local IPv6 address when attempting to reach an external global address for traffic generated from TMM (for example, dns resolver, sideband connections, etc.).
Conditions:
- ECMP IPv6 routes to a remote destination where the next hop is a link local address. Typically this occurs with dynamic routing.
- Have configured a virtual server that generates traffic from TMM (for example, dns resolver, sideband connections, etc.).
Impact:
Traffic might fail as it egresses from a link-local address instead of a global address.
Workaround:
It might be possible to work around if the dynamic routing peer can announce the route from a global address instead of a link local.
Use of static routes might also work around the issue.
Fix:
TMM now uses the correct IPv6 global address when generating traffic to a remote address using ECMP routes via link-local next-hops.
557645-1 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
Component: Local Traffic Manager
Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.
Multiple devices in an HA configuration.
TMM incorrectly identifies which TMM should handle host connections from an HA peer.
The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.
Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.
Workaround:
None.
Fix:
Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.
557281-3 : The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%
Component: TMOS
Symptoms:
audit_forwarder and mcpd consume almost 100% CPU. When syslog-ng restarts, it starts another audit_forwarder process, but it is the orphaned audit_forwarder process that will consume almost 100% CPU. When syslog-ng is restarted and audit_forwarder does not exit cleanly, the mcpd process will also begin consuming high CPU.
Conditions:
syslog-ng is stopped manually or sometimes (rarely) during a normal restart of syslog-ng.
Impact:
The audit_forwarder and mcpd processes consume excessive CPU.
Workaround:
Stop audit_forwarder manually (kill -9). Once the orphaned audit_forwarder process is stopped, mcpd returns to normal CPU consumption.
Fix:
When syslog-ng is stopped manually (or otherwise as expected), audit_forwarder also exits, so the audit_forwarder process no longer consumes increasing CPU.
557221 : Inbound ISP link load balancing will use pool members for only one ISP link per data center
Component: Global Traffic Manager (DNS)
Symptoms:
In BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0, the inbound ISP link load balancing functionality uses pool members for more than one ISP link per data center.
Conditions:
Using the inbound ISP link load balancing functionality in BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0.
Impact:
If a pool has multiple members that use different ISP links within a data center, the system uses only pool members associated with the ISP link of the first available pool member. The system marks pool members associated with subsequent ISP links as unavailable (grey).
Fix:
The inbound ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.
Behavior Change:
Beginning in BIG-IP Link Controller and GTM 11.5.4, 11.6.1, and BIG-IP DNS 12.1.0, the ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.
The link that is associated with the first configured and available pool member within each data center will determine the link that will be used for the data center. The system will use only pool members associated with that link.
557144-1 : Dynamic route flapping may lead to tmm crash
Component: TMOS
Symptoms:
When dynamic routing is in use and routes are being actively added and removed, tmm may crash.
Conditions:
Virtual Server configured with Dynamic Routing
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Flapping dynamic routes no longer trigger a tmm crash.
557062-3 : The BIG-IP ASM configuration fails to load after an upgrade.★
Component: Application Visibility and Reporting
Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version (11.3 or 11.4) and upgrading to a version prior to 12.1.0.
Conditions:
Define a scheduled report with predefined-report-name '/Common/Top alerted URLs' on version 11.3 or 11.4, then upgrade the version.
Impact:
Version upgrade fails (the BIG-IP system becomes unusable).
Workaround:
Manually change predefined-report-name '/Common/Top alerted URLs' to predefined-report-name '/Common/Top alarmed URLs'.
Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.
556774-1 : EdgeClient cannot connect through captive portal
Component: Access Policy Manager
Symptoms:
EdgeClient cannot connect through captive portal.
Conditions:
1) Install EdgeClient on a PC that connects to the APM through a captive portal.
2) Launch EdgeClient and try to connect to the APM.
3) System posts certificate warnings. Accept them.
4) Captive portal is not shown to the user.
5) EdgeClient just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.
Impact:
No captive portal is displayed to the user. The EdgeClient UI just toggles between the 'Waiting to connect to server' and 'Downloading server settings' messages.
Workaround:
None.
Fix:
When EdgeClient is installed on a PC that connects to the APM through a captive portal, the captive portal now opens as expected.
556694-6 : DoS Whitelist IPv6 addresses may "overmatch"
Component: Advanced Firewall Manager
Symptoms:
When using the 8-entry "rich" DoS whitelist with IPv6 addresses, the HW matches only 32 bits of an incoming IPv6 address against the whitelist entry, meaning that if an incoming IPv6 address matches those 32 bits, the whitelist will result in "match", even if other bits of the IPv6 address do not match.
Note that the configuration can select which set of bits (there are 4 choices -- 127:96, 95:64, 63:32, 31:0) to match against, via the db.tunable dos.wlipv6addrsel.
Also, note that IPv4 matches are always perfect, and are not affected by this issue.
Conditions:
Occurs when the 8-entry AFM DoS Whitelist is used to match against IPv6 addresses.
Impact:
In some cases, the Whitelist may overmatch, meaning some IPv6 addresses will be considered whitelist matches, when they do not match the whitelist.
556597-3 : CertHelper may crash when performing Machine Cert Inspection
Component: Access Policy Manager
Symptoms:
CertHelper may crash while checking a machine certificate.
Conditions:
APM installed
Impact:
Authentication may fail.
Fix:
Fixed crash cause in CertHelper.
556560-1 : DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
Solution Article: K80741043
Component: Local Traffic Manager
Symptoms:
A DNS message may become malformed when its Additional records section contains an OPT record followed by multiple other DNS records.
As a result of this issue, you may encounter the following symptom:
The BIG-IP system receives properly formed DNS packets but after processing them sends them as malformed DNS packets.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP configuration contains a virtual server with an associated DNS profile.
-- The BIG-IP system receives a DNS message that contains an OPT record.
-- The DNS message's Additional records section contains multiple other DNS records.
Impact:
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message.
The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last.
The RFCs do not restrict a query from containing records in the additional record section of the message.
When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.
Workaround:
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).
Fix:
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted.
The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers.
The subsequent code paths which depend on the OPT record's position now work as expected.
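The 'safe' relocation the fix describes, as an added Python example that is not F5's code: it moves the OPT RR last (or just ahead of a trailing TSIG) and rewrites the RFC 1035 compression pointers the move shifts, alongside the unsafe byte move that leaves a pointer dangling. The message is constructed; only owner names and single-name rdata (NS, CNAME, PTR) are scanned for pointers, so types such as MX or SOA would need the same treatment.

```python
# Added example (not F5 code): relocate the EDNS OPT RR to the end of the
# additional section, or just ahead of a trailing TSIG, and rewrite every
# RFC 1035 section 4.1.4 compression pointer that the move would invalidate.
import struct

OPT, TSIG = 41, 250
NAME_RDATA_TYPES = {2, 5, 12}  # NS, CNAME, PTR: rdata is a single domain name

def encode_name(name):
    """'a.example.' -> uncompressed wire-format labels."""
    labels = [lab for lab in name.rstrip('.').split('.') if lab]
    return b''.join(bytes([len(lab)]) + lab.encode() for lab in labels) + b'\x00'

def rr(name_bytes, rtype, rclass, ttl, rdata):
    return name_bytes + struct.pack('>HHIH', rtype, rclass, ttl, len(rdata)) + rdata

def _scan_name(msg, off, ptrs):
    """Return the offset just past the name at `off`, recording pointer positions."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptrs.append(off)
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def _scan_rr(msg, off, ptrs):
    """Return (rtype, end offset) of the RR at `off`, recording pointers."""
    off = _scan_name(msg, off, ptrs)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from('>HHIH', msg, off)
    rdata = off + 10
    if rtype in NAME_RDATA_TYPES:
        _scan_name(msg, rdata, ptrs)
    return rtype, rdata + rdlen

def parse_additional(msg):
    """Return (pointer positions, [(start, end, rtype), ...]) for the additional section."""
    qd, an, ns, ar = struct.unpack_from('>HHHH', msg, 4)
    ptrs, off = [], 12
    for _ in range(qd):
        off = _scan_name(msg, off, ptrs) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns):
        _, off = _scan_rr(msg, off, ptrs)
    rrs = []
    for _ in range(ar):
        rtype, end = _scan_rr(msg, off, ptrs)
        rrs.append((off, end, rtype))
        off = end
    return ptrs, rrs

def pointer_targets(msg):
    """[(pointer position, offset it points at), ...]; a valid target is an RR start
    or a label inside an owner name, never a byte of an RR header."""
    ptrs, _ = parse_additional(msg)
    return [(q, struct.unpack_from('>H', msg, q)[0] & 0x3FFF) for q in ptrs]

def move_opt_naive(msg):
    """Relocate the OPT bytes without touching pointers: the mangling the bug describes."""
    _, rrs = parse_additional(msg)
    o_start, o_end, _ = next(r for r in rrs if r[2] == OPT)
    return bytes(msg[:o_start] + msg[o_end:] + msg[o_start:o_end])

def move_opt_to_end(msg):
    """Relocate OPT last (or before a trailing TSIG) and fix every pointer."""
    ptrs, rrs = parse_additional(msg)
    opt = [r for r in rrs if r[2] == OPT]
    if not opt or rrs[-1][2] == OPT:
        return bytes(msg)  # no OPT, or already last
    o_start, o_end, _ = opt[0]
    insert_at = rrs[-1][0] if rrs[-1][2] == TSIG else len(msg)
    if o_end == insert_at:
        return bytes(msg)  # already just ahead of the TSIG
    opt_len = o_end - o_start

    def remap(p):  # old offset -> new offset after the block move
        if p < o_start or p >= insert_at:
            return p
        if p < o_end:  # a byte of the OPT RR itself
            return p + (insert_at - o_end)
        return p - opt_len  # bytes between OPT and the insert point shift left

    out = bytearray(msg[:o_start] + msg[o_end:insert_at] + msg[o_start:o_end] + msg[insert_at:])
    for q in ptrs:  # rewrite each pointer at its new position with its new target
        target = struct.unpack_from('>H', msg, q)[0] & 0x3FFF
        out[remap(q):remap(q) + 2] = struct.pack('>H', 0xC000 | remap(target))
    return bytes(out)

def build_sample(with_tsig=False):
    """Constructed message: OPT first, then A RRs for a.example. and b.a.example.,
    the latter compressed with a pointer into the former (which also follows OPT)."""
    header = struct.pack('>HHHHHH', 0x1234, 0, 0, 0, 0, 4 if with_tsig else 3)
    opt_rr = rr(b'\x00', OPT, 4096, 0, b'')  # root owner name, UDP payload size 4096
    a_rr = rr(encode_name('a.example.'), 1, 1, 60, bytes([192, 0, 2, 1]))
    b_name = b'\x01b' + struct.pack('>H', 0xC000 | (len(header) + len(opt_rr)))
    msg = header + opt_rr + a_rr + rr(b_name, 1, 1, 60, bytes([192, 0, 2, 2]))
    if with_tsig:  # placeholder rdata; TSIG rdata is treated as opaque here
        msg += rr(encode_name('key.'), TSIG, 255, 0, b'\x00' * 6)
    return msg
```

In the constructed message the second A record's pointer targets offset 23; after the naive move that offset is inside the first A record's header, while the safe move rewrites it to the record's new start.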
556383-2 : Multiple NSS Vulnerabilities
Solution Article: K31372672
556380-3 : mcpd can assert on active connection deletion
Component: TMOS
Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.
Conditions:
Removal of all peers while a connection is handling a transaction.
Impact:
MCPD asserts and restarts.
Workaround:
No workaround is necessary. MCPD restarts.
Fix:
Connection tear down checks for active connections and does not result in an assert when removing all peers while a connection is handling a transaction.
556284-3 : iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
Solution Article: K55622762
Component: TMOS
Symptoms:
GTM/LC config sync fails with error in /var/log/gtm and /var/log/ltm similar to the following:
Monitor /Common/my_http_monitor parent not found
Conditions:
There is a customized GTM monitor on one member of a high availability configuration, but not on others.
Impact:
Config sync fails. On the device that does not have the monitor, the system logs a parent-not-found message into /var/log/gtm.
Workaround:
None.
Fix:
GTM/LC sync now completes successfully even when the configuration being sync'd contains a custom GTM/LC monitor definition.
556277-4 : Config Sync error after hotfix installation (chroot failed rsync error)★
Component: TMOS
Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.
Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.
To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp
If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.
Impact:
Sync of file objects might fail with an error similar to the following:
01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..
Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.
Fix:
Installing a hotfix over an existing base install now rebuilds the SELinux policy as expected.
556252 : sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus in chassis
Component: TMOS
Symptoms:
The sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus OIDs read lower than expected given the traffic on the system. The values suddenly increase when a non-running blade is powered down.
Conditions:
This occurs on a chassis where one or more of the blades are not in the cluster, but are not powered down. The usage ratios and Npus stats treat the blades as if they are in the cluster, and are factored into the calculation, making them appear lower than they actually are because non-working blades are in the calculation.
Impact:
Misleading, confusing statistics
Workaround:
You can completely power down the blade and it will be removed from the statistics calculation.
Fix:
sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus are now calculated only against running blades.
556117-1 : client-ssl profile is case-sensitive when checking server_name extension
Component: Local Traffic Manager
Symptoms:
The client-ssl profile is case-sensitive when matching the server-name configured in the client-ssl profile against the server_name extension in the ClientHello message.
Conditions:
When using mixed upper-lower case server-name in the client-ssl profile configuration and ClientHello messages.
Impact:
The system treats mixed upper/lower-case server-names as different names, which violates RFC 6066, which states: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive."
Workaround:
1. Configure only one client-ssl profile with the same server-name.
2. Use only lower-case server-names when configuring the client-ssl profile.
3. Use lower-case server-names on the client side.
Fix:
The system now treats mixed upper-lower case server-names as the same name, so server-name is no longer case sensitive.
556103-2 : Abnormally high CPU utilization for external monitors
Component: Local Traffic Manager
Symptoms:
High CPU utilization for external monitors that use SSL.
Conditions:
External monitor using SSL.
Impact:
Abnormally high CPU utilization.
Workaround:
None.
Fix:
This release improves the handling of external monitors that use SSL so that CPU utilization no longer increases.
556088-2 : In a chassis system with APM provisioned, the mcpd daemon on the secondary blade will restart.
Component: Access Policy Manager
Symptoms:
Uploading and installing an epsec/Opswat package on a chassis system will result in mcpd restart on the secondary blades.
Conditions:
Installing a new epsec package in a chassis system is the only condition under which this can happen.
Impact:
All daemons dependent on mcpd will restart
Fix:
Validation of the epsec package is now prevented on secondary blades.
555905-1 : sod health logging inconsistent when device removed from failover group or device trust
Component: TMOS
Symptoms:
When a device is in a failover group, sod logs the state change messages indicating the reachability of other devices in the group. For example:
Nov 2 11:34:54 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Online).
Nov 2 11:31:19 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Offline).
Nov 2 11:31:43 BIGIP-1 notice sod[5716]: 010c007e:5: Not receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Disconnected).
If a reachable device is removed from the failover group, no "Disconnected" message is issued, so the last reported status will be inaccurate.
When a device is part of a trust, sod logs messages indicating what unicast addresses it is monitoring on remote devices:
Nov 2 11:34:29 BIGIP-1 info sod[5716]: 010c007a:6: Added unicast failover address 10.145.192.5 port 1026 for device /Common/BIGIP-3.localdomain.
If devices are removed from the trust, sod does not log a message that those unicast addresses are no longer in use.
Conditions:
When a device is removed from a failover device group, or removed from a device trust.
Impact:
Inaccurate state reporting.
Fix:
When a device is removed from a failover device group, it is now reported as "Disconnected".
When a device is removed from the device trust, sod on the other devices correctly reports that the unicast addresses belonging to the other devices have been deleted.
555686-2 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
Component: TMOS
Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceivers might cause an internal bus to hang.
Conditions:
This happens only when the following conditions are met:
-- 10000-series appliances.
-- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled.
-- There is at least one copper SFP present in the appliance.
-- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.
Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up. Enable and disable of copper SFPs may not work.
Workaround:
None.
Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.
555549-2 : 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline.
Component: Local Traffic Manager
Symptoms:
The command to set the ltm node state to user-down fails to bring the pool member state offline.
Running the command results in error messages similar to the following:
01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 1137
Conditions:
This occurs when running the command to set the ltm node state to user-down, for example: tmsh modify ltm node 10.10.10.10 state user-down.
Impact:
Session status fails to update for pool member.
Workaround:
None.
Fix:
The command to set the ltm node state to user-down now successfully brings pool member state offline.
555507-3 : Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
Solution Article: K88973987
Component: Access Policy Manager
Symptoms:
Under certain conditions, SSO plugin can overrun memory not owned by the plugin. Symptoms could be different based on the owner of overrun memory.
Conditions:
This occurs when the following conditions are met:
1. The BIG-IP system is configured and used as SAML Identity Provider.
2. Single Logout (SLO) protocol is configured on an attached SP connector.
3. At least one user executed SAML WebSSO profile.
Impact:
Symptoms might differ based on the owner of overrun memory.
Potentially, tmm could restart as a result of this issue.
Workaround:
Disable SAML SLO: remove SLO request and SLO response URLs from configuration in appropriate SAML SP connectors.
Fix:
SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues:
The BIG-IP system is configured and used as a SAML Identity Provider.
Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector.
At least one user executed SAML webSSO profile.
555457-4 : Reboot is required, but not prompted after F5 Networks components have been uninstalled
Solution Article: K16415235
Component: Access Policy Manager
Symptoms:
Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 7, or Vista desktop fails if F5 Networks components have been removed previously and the desktop was not rebooted.
Typically this issue can be identified by these log records:
<snip>
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter
<snip>
DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)
Conditions:
Windows desktop.
Existing F5 components uninstalled.
Reboot was not performed after uninstall.
Impact:
End users cannot establish a VPN connection from Windows-based clients.
Workaround:
Reboot the affected Windows desktop.
Fix:
After F5 Networks components have been uninstalled, the system no longer requires a reboot, and uses the most recently installed software device for VPN, as expected.
555432-2 : Large configuration files may go missing on secondary blades
Component: Local Traffic Manager
Symptoms:
bigip.conf or other configuration files may go missing on secondary blades once the configuration exceeds a certain size (approximately 8 MB).
Conditions:
This is only relevant on chassis.
Impact:
If the primary changes, then the configuration is at risk of being lost.
Workaround:
Touch the relevant configuration file (usually bigip.conf), and the configuration file will reappear.
Fix:
bigip.conf or other configuration files would go missing on secondary blades once the configuration exceeded a certain size (approximately 8 MB). This has been fixed.
555272-3 : Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade★
Component: Access Policy Manager
Symptoms:
Previously, F5 client components were signed using a SHA1 certificate. SHA1 is now considered insecure, and Windows will reject components signed using a SHA1 certificate after March 31st 2016.
To support this new requirement, F5 has changed the client component signing certificates to utilize a higher security validation algorithm.
The result of this change is that clients utilizing client components built with any of the following versions:
Big-IP 12.0.0HF1 or earlier
Big-IP 11.6.0 HF8 or earlier
Big-IP 11.5.4 (base release) or earlier
cannot install Endpoint Security updates of build 431 or greater.
If you require updated Endpoint Security (OPSWAT / EPSEC) builds greater than 431 you must upgrade to these versions:
Big-IP 12.1.0 or later
Big-IP 12.0.0HF2 or later
Big-IP 11.6.1 or later
Big-IP 11.5.4 HF1 or later
Conditions:
Running an incompatible BIG-IP version with EPSEC build 431 or later.
Impact:
User will see certificate warnings and installation of client component updates may fail. The failure may occur multiple times.
Workaround:
Upgrade BIG-IP to the correct version.
Use the BIG-IP Web GUI's Software Management :: Antivirus Check Check Updates section to install an EPSEC build prior to 431.
Fix:
The signing certificate has been updated to a SHA256 certificate. Client components and EPSEC binaries are now signed using the new, higher-security certificate. Please note that an upgrade to an HF in which the client is signed using the updated certificate is needed to install updated EPSEC releases. Please review the information carefully.
555057-1 : ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
Component: Application Security Manager
Symptoms:
When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.
Conditions:
ASM REST is used to remove a signature set association from a policy.
DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>
Impact:
All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.
Workaround:
A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets.
Ex. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'
Fix:
When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.
555039-1 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
Solution Article: K24458124
Component: TMOS
Symptoms:
There are high drop counts when running 'tmsh show net interface', and running 'tmctl -a drop_reason' shows that a large number of drops are due to counters.rx_cosq_drop.
Smaller buffering alpha values are configured for egress buffering to allow the 8 hardware CoS queue feature to correctly implement weight-based egress dropping. This results in busy ports dropping more aggressively, while allowing fairer buffering among multiple active ports.
Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000-series platforms, and VIPRION B2100, B2150, and PB200 blades.
Impact:
This results in busy ports dropping more aggressively. Note that smaller alpha values allow fairer buffering among multiple active ports, whereas higher values allow better burst absorption but less fair buffering.
Workaround:
None.
Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.
555006-1 : ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
Component: Application Security Manager
Symptoms:
The lastUpdateMicros field is meant to be updated if a user changes a custom signature, but it is not.
Conditions:
A REST client is used to view or filter the signatures collection (/mgmt/tm/asm/signatures).
Impact:
Checking for updated signatures does not return the expected result.
Workaround:
None.
Fix:
REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.
554993-1 : Profile Stats Not Updated After Standby Upgrade Followed By Failover
Component: Access Policy Manager
Symptoms:
1. The current active sessions, current pending sessions, and current established sessions counts shown in commands 'tmsh show /apm profile access' and 'tmctl profile_access_stat' become zero after failover.
2. The system posts an error message to /var/log/apm:
01490559:3: 00000000: Access stats encountered error: SessionDB operation failed (ERR_NOT_FOUND).
Conditions:
This issue happens when the following conditions are met:
1. The HA configuration is running a release prior to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
2. A standby unit is upgraded to version 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
3. Failover is triggered.
Impact:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats remain zero after failover.
Workaround:
Upgrade all devices in the HA configuration to the same release and reboot them simultaneously.
Fix:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover.
554977-1 : TMM might crash on failed SSL handshake
Solution Article: K64401960
Component: Local Traffic Manager
Symptoms:
Certain SSL handshake failures may cause TMM to crash in ssl_verify().
Conditions:
Certain types of failed SSL handshakes in versions 11.5.0 through 11.5.4.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Modifying serverssl cipher string to exclude ECDHE_RSA and ECDHE_ECDSA might help prevent the crash.
Fix:
This release fixes a TMM crash that might be encountered during the SSL handshake.
554967-2 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
Component: Local Traffic Manager
Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can cause the response packet to be truncated. These response packets are flagged as truncated in the header, but the OPT record might be cut or missing, leading some resolvers to consider the packet malformed.
Conditions:
This occurs primarily when UDP responses are enlarged dynamically, such as by iRules adding new records on DNS_RESPONSE events, or by DNSSEC record signing.
Impact:
Some resolvers regard OPT-less truncated packets as malformed and cease follow-up requests via TCP or a larger EDNS0 UDP limit.
Workaround:
None.
Fix:
Truncated DNSSEC or iRule-modified DNS responses are now RFC-compliant.
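The following is an added example, not F5 code, showing the difference between the two truncation behaviours described above: cutting a UDP response at the client's EDNS0 limit (which loses the trailing OPT record) versus dropping whole answer records while keeping OPT and setting TC, as RFC 6891 requires. The query name, addresses and buffer sizes are constructed for the example.

```python
"""Added example (not F5 code): UDP DNS response truncation that honours a
client's EDNS0 buffer limit while keeping the OPT record and setting TC,
as RFC 6891 requires. Names, addresses and sizes are constructed here."""
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type
FLAG_QR = 0x8000       # header flag: this is a response
FLAG_TC = 0x0200       # header flag: truncated


def encode_name(name):
    """Uncompressed wire-format name, e.g. 'a.test.' -> b'\\x01a\\x04test\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def a_record(name, ipv4, ttl=60):
    """Wire-format A record (TYPE 1, CLASS IN)."""
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def opt_record(udp_payload_size):
    """OPT RR: root name, TYPE 41, CLASS field carries the sender's UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)


def build_response(txid, qname, answers, client_udp_limit, server_udp_size=4096):
    """Build a response that fits in client_udp_limit bytes.

    Whole answer RRs are dropped from the end until the message fits; the
    OPT RR is always kept and TC is set whenever any answer was dropped, so
    a resolver sees a well-formed EDNS0 message and can retry over TCP.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    opt = opt_record(server_udp_size)
    size = 12 + len(question) + len(opt)                       # header + question + OPT
    if size > client_udp_limit:
        raise ValueError("client limit too small even for header, question and OPT")
    kept = []
    for rr in answers:
        if size + len(rr) > client_udp_limit:
            break
        kept.append(rr)
        size += len(rr)
    flags = FLAG_QR | (FLAG_TC if len(kept) < len(answers) else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 1)  # ARCOUNT=1 for OPT
    return header + question + b"".join(kept) + opt


def naive_truncate(full_response, client_udp_limit):
    """The broken approach: set TC and cut the byte string at the limit.
    Because OPT is the last RR it is lost, and the tail RR is cut mid-record."""
    txid, flags = struct.unpack("!HH", full_response[:4])
    patched = struct.pack("!HH", txid, flags | FLAG_TC) + full_response[4:]
    return patched[:client_udp_limit]


def skip_name(msg, off):
    """Advance past a wire-format name (labels or a 2-byte compression pointer)."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
    return off


def inspect_response(msg):
    """What a resolver sees: TC flag, count of complete answer RRs, whether OPT survived."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    complete_answers, has_opt = 0, False
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            break                                   # record cut mid-way
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if off > len(msg):
            break
        if rtype == OPT_TYPE:
            has_opt = True
        elif i < an:
            complete_answers += 1
    return {"tc": bool(flags & FLAG_TC), "answers": complete_answers,
            "has_opt": has_opt, "size": len(msg)}


# Constructed sample: eight A records for one name, standing in for a
# DNSSEC- or iRule-enlarged answer that no longer fits a small EDNS0 buffer.
QNAME = "example.test."
ANSWERS = [a_record(QNAME, "10.0.0.%d" % i) for i in range(1, 9)]

if __name__ == "__main__":
    full = build_response(0x1234, QNAME, ANSWERS, 512)
    print(inspect_response(full))                          # 8 answers, OPT kept, TC clear
    print(inspect_response(build_response(0x1234, QNAME, ANSWERS, 128)))
    print(inspect_response(naive_truncate(full, 128)))     # OPT lost: malformed to resolver
```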
554774-3 : Persist lookup across services might fail to return a matching record when multiple records exist.
Component: Local Traffic Manager
Symptoms:
Persist lookup across services might fail to return a matching record when multiple records exist.
Conditions:
Persistence profile with 'match-across-services' enabled, and the configuration contains multiple records that correspond to the same pool.
Impact:
Connection routed to unexpected pool member.
Workaround:
None.
Fix:
The operation now continues searching persistence records when 'match-across-services' is enabled until the operation finds a record that corresponds to the same pool.
554761-4 : Unexpected handling of TCP timestamps under syncookie protection.
Component: Local Traffic Manager
Symptoms:
The BIG-IP system experiences intermittent packet drops.
Although the timestamp option was negotiated during the TCP handshake, the BIG-IP system fails to include it in subsequent segments.
The BIG-IP system calculates an invalid round-trip time immediately after the handshake, which might result in delayed retransmissions.
Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- The syncookie mode has been activated.
- Clients that support timestamps.
Impact:
Connection might be reset by remote TCP stack (e.g., NetBSD and FreeBSD), which requires timestamps to be maintained once negotiated.
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.
Workaround:
Choose or create a TCP profile that has timestamps disabled.
Fix:
TCP Timestamps are now maintained on all negotiated flows.
554626 : Database logging truncates log values greater than 1024
Solution Article: K14263316
Component: Access Policy Manager
Symptoms:
The Logging agent truncates log values greater than 1024. If the log value size is greater than 4060, the field is empty or null.
Conditions:
Logging to the local database with log values (such as session variables) greater than 1024. If the size is too high (greater than 4060), the field displays as empty or null in reports.
Impact:
The reporting UI displays null or empty fields when the logged value is too large in size, such as a huge session variable.
Workaround:
No workaround.
Fix:
This release handles large single log values.
554624-1 : NTP CVE-2015-5300 CVE-2015-7704
Solution Article: K10600056 K17566
554563-2 : Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
Component: TMOS
Symptoms:
Class of Service Queues (cosq) egress drop statistics are counted against both Drops In and Drops Out interface statistics.
Conditions:
This occurs for all cosq drops in response to excess egress traffic and MMU egress congestion.
Impact:
Any CoS queue egress drop is also counted against ingress drop stats, which could be interpreted incorrectly as doubled total drop stats.
Workaround:
None.
Fix:
The Drops In interface statistic no longer includes Class of Service Queue (cosq) egress drop counts, which is the correct behavior.
554340-2 : IPsec tunnels fail when connection.vlankeyed db variable is disabled
Component: TMOS
Symptoms:
When the connection.vlankeyed db variable is disabled, data traffic coming out of IKEv1 tunnels that needs to be secured using IKEv2 tunnels is dropped if it lands on a TMM other than tmm0. The system establishes the IKEv2 tunnel, but the data traffic is not secured.
Conditions:
This issue is seen when the interesting data traffic lands on a TMM other than tmm0. It is caused by incorrectly creating a flow on a TMM other than the one that owns the outbound SA (IKEv2 tunnel).
Impact:
The system drops the data traffic to be secured using IPsec and connections fail.
Workaround:
Disable CMP in the virtual server configuration.
Fix:
Flow creation at the TMM that owns the outbound SA for the IKEv2 tunnel is properly handled. TMM can handle the inner traffic from IKEv1 tunnel and secure it over another IKEv2 tunnel.
554295-5 : CMP disabled flows are not properly mirrored
Component: Local Traffic Manager
Symptoms:
A client connection to a virtual server configured for 'cmp-enabled no' and 'mirror enabled' will be dropped if the standby unit is promoted to active.
Conditions:
The virtual server is configured for 'cmp-enabled no' and 'mirror enabled' on multiple BIG-IP appliances peered in a high availability configuration.
Impact:
Mirroring does not work as expected on BIG-IP appliances.
Note: CMP is required on VIPRION chassis, so this expectation applies only to appliances.
Workaround:
Do not disable CMP on virtual servers that are mirrored.
Fix:
The system now supports mirroring connections between BIG-IP appliances in a high availability configuration on CMP-disabled virtual servers.
Note: If CMP is disabled, hardware syn cookie must also be disabled for virtual servers to mirror connections. This is expected behavior.
554228-4 : OneConnect does not work when WEBSSO is enabled/configured.
Component: Access Policy Manager
Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.
Conditions:
WEBSSO and OneConnect.
Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to a build-up of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.
Workaround:
None.
Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections.
554074-3 : If the user cancels a connection attempt, there may be a delay in establishing the next connection.
Component: Access Policy Manager
Symptoms:
Clicking the Connect button does not start the VPN connection immediately.
Conditions:
The user cancelled a previous connection attempt.
Impact:
User must wait for ten seconds before attempting to reconnect.
Workaround:
None
Fix:
The VPN connection now starts immediately, even when the user cancelled a previous connection attempt.
554041-4 : No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
Component: Access Policy Manager
Symptoms:
BIG-IP Edge Client loses all connectivity and an option to establish VPN is not available.
Conditions:
All of the following conditions must apply.
1) Edge Client is installed in "Always Connected" mode.
2) The Connectivity profile on server has location DNS list entries.
3) One of the DNS locations matches the DNS suffix set on the local network adapter.
Impact:
Client shows "LAN Detected" in the UI and does not try to connect to VPN.
All traffic to and from the user's machine is blocked.
Workaround:
This issue has no workaround at this time.
Fix:
Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.
553925-3 : Manual upgrade of Edge Client fails in some cases on Windows★
Component: Access Policy Manager
Symptoms:
Manual upgrade of BIG-IP Edge Client for Windows fails with the message "Newer version of this product is already installed."
Conditions:
Edge Client version 11.2.0. Version 12.0 is installed.
User tries to upgrade Edge Client by running a newer installer package of Edge Client.
Impact:
Edge Client cannot be upgraded.
Workaround:
Uninstall and reinstall Edge Client or use the installer service component for automatic update of Edge Client.
Fix:
The installer package has been fixed.
553902-3 : Multiple NTP Vulnerabilities
Solution Article: K17516
553795-3 : Differing cert/key after successful config-sync
Component: TMOS
Symptoms:
1) If you change a client-ssl profile to a different cert/key, delete the original cert/key, create a new cert/key with the same name as the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip retains a copy of the original key.
2) If you change a client-ssl profile to a different cert/key, then create a new cert/key with a different name from the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the config-sync operation may fail and the peer's client-ssl profile will still use the original cert/key instead of the new one.
Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.
2) High Availability failover systems without FIPS configured with Manual Sync.
Impact:
1) An abandoned FIPS key is left behind.
2) The systems may be out-of-sync, and one system's client-ssl profile uses one cert/key pair, while the other systems' same client-ssl profile uses a different cert/key pair.
Workaround:
1) For the first scenario, you can use either of the following workarounds:
-- Run an extra config-sync before the second change of the client-ssl profile.
-- Delete the FIPS key by-handle on the peer systems.
2) For the second scenario, you can use the following workaround:
-- Perform another config-sync operation in the GUI with the 'Overwrite Configuration' checkbox checked.
Note: If you also deleted your original cert/key pair, perform the following procedure:
1. Go onto the peer systems.
2. Manually delete those cert/key files that were copied during the first config-sync operation.
3. Look for the corresponding cert/key files in these two directories: /config/filestore/files_d/Common_d/certificate_d and /config/filestore/files_d/Common_d/certificate_key_d.
4. Delete the cert/key files in those directories.
Fix:
Systems now have the same cert/key after successful config-sync of High Availability configurations.
553688-3 : TMM can core due to memory corruption when using SPDY profile.
Component: Local Traffic Manager
Symptoms:
TMM corefiles containing memory corruption within 112-byte memory cache.
Conditions:
Virtual server using a SPDY profile encounters an internal error while processing a SPDY packet.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release contains a fix that prevents a double free on error within the SPDY component.
553649 : The SNMP daemon might lock up and fail to respond to SNMP requests.
Component: TMOS
Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.
Conditions:
This occurs when the SNMP configuration on the BIG-IP system changes and the SNMP daemon restarts. This is a timing issue that might appear intermittently.
Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.
Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd.
Fix:
The SNMP daemon no longer locks up or becomes unresponsive when it is restarted.
553576-2 : Intermittent 'zero millivolt' reading from FND-850 PSU
Solution Article: K17356
Component: TMOS
Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage.
Specific symptoms include:
- SNMP alert 'BIG-IPSystemCheckAlertMilliVoltageLow' detected.
- Front panel Alarm LED is blinking amber.
- Errors such as the following are logged:
emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low.
[where <x> is the power supply location (either 1 or 2)]
- Errors such as the following may also be logged:
-- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453.
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
Note that this condition may affect either PSU 1 or PSU 2.
Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.
Impact:
There is no impact; these error messages are benign.
Workaround:
None.
Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.
553454-3 : Mozilla NSS vulnerability CVE-2015-2730
Solution Article: K15955144
553330-2 : Unable to create a new document with SharePoint 2010
Component: Access Policy Manager
Symptoms:
VPN users are unable to create a new document with SharePoint 2010.
An error is given: "The Internet address 'https://ip:port/shared documents/forms/template.dotx' is not valid".
Conditions:
Create a new document using the "New Document" button.
Impact:
User cannot create a new document with SharePoint 2010.
Workaround:
None.
Fix:
VPN users can now create a new document with Microsoft SharePoint 2010.
553311-1 : Route pool configuration may cause TMM to produce a core file
Solution Article: K13710973
Component: Local Traffic Manager
Symptoms:
TMM might produce a core file and take the action defined in configuration.
Conditions:
Client-side route pool configuration that configures a route pool to route back and has auto lasthop disabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid using any route at client side (using auto lasthop or lasthop pool).
Fix:
The tmm crash caused by the route pool configuration is fixed.
553174-2 : Unable to query admin IP via SNMP on VCMP guest
Component: TMOS
Symptoms:
The admin IP address is not returned via ipAdEntAddr.
Conditions:
Query admin IP via SNMP on VCMP guest via ipAdEntAddr.
Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.
Workaround:
None.
Fix:
ipAdEntAddr will now return the admin IP address on a VCMP guest.
553063-4 : Epsec version rolls back to previous version on a reboot
Component: Access Policy Manager
Symptoms:
If an administrator has installed multiple EPSEC packages, the EPSEC version rolls back to the previously installed version after a reboot.
Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.
Impact:
The OPSWAT version rolls back without prompting or logging. This might reopen endpoint security issues that the most recently installed OPSWAT package was supposed to fix.
Workaround:
The workaround is to upload a dummy file in Sandbox.
1. Go to Access Policy :: Hosted Content :: Manage Files.
2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'.
After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.
Fix:
The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.
553037 : iOS Citrix Receiver web interface mode cannot launch the apps
Component: Access Policy Manager
Symptoms:
When a user clicks an app, a window displays with this message: "Cannot start the requested App. Select More info for further details."
Conditions:
An iOS Citrix Receiver in Web interface connection type and a BIG-IP system in Web interface configuration.
Impact:
Users cannot launch the app.
Workaround:
1. In the Citrix Receiver, you can use the native GUI with Access-Gateway Enterprise edition type with this URI:
https://<BIG-IP system virtual server FQDN>/
2. Define an LTM data-group with FQDN set to /config/<storename>/pnagent/config.xml
Fix:
The LaunchICA GET request is now passed through VDI.
552937-2 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
Component: Local Traffic Manager
Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.
Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.
Impact:
TMM core.
Workaround:
Add a 'Connection: close' header to the HTTP::respond response, and the connection will be closed automatically.
Fix:
TMM no longer cores when handling the next pipelined request after HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.
552931-2 : Configuration fails to load if DNS Express Zone name contains an underscore
Component: Local Traffic Manager
Symptoms:
A configuration with a DNS Express Zone with an underscore in the name does not load, even though the gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
Conditions:
-- Configuration setting gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
-- DNS Express Zone exists with an underscore in the name.
Impact:
The LTM configuration cannot be loaded when the BIG-IP system restarts if any DNS Express Zone has an underscore character in its name.
Workaround:
Force the GTM configuration to load by sequentially running the following commands:
tmsh load sys config gtm-only
tmsh load sys config
Fix:
All FQDNs may now contain the underscore character. The BIG-IP system now correctly loads configurations that contain DNS Express Zones with underscores in the name.
552865-5 : SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
Solution Article: K34035224
Component: Local Traffic Manager
Symptoms:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl profile asks for the client certificate, the handshake might fail if the client sends an invalidly signed Certificate Verify message.
Conditions:
The SSL client certificate mode is request, and the client sends an invalidly signed Certificate Verify message to the BIG-IP system.
Impact:
The handshake does not ignore the invalidly signed Certificate Verify message, so it might fail. SSL client authentication should ignore an invalidly signed Certificate Verify message when PCM is set to 'request': regardless of whether the Certificate and Certificate Verify messages are valid, the handshake should ignore the Certificate Verify signature error and continue.
Workaround:
None.
Fix:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl profile asks for the client certificate, the handshake now ignores the Certificate Verify signature error and continues. This is the correct behavior.
552532-3 : Oracle monitor fails with certain time zones.
Solution Article: K73453525
Component: Local Traffic Manager
Symptoms:
Occasionally, the OJDBC driver reads a time zone file that it cannot understand, which causes Oracle monitors to fail.
Conditions:
- The system uses ojdbc6.jar for Oracle monitor functionality.
- The UTC time zone is configured.
- The contents of the /usr/share/zoneinfo directory are arranged so that the 'UTC' file is not the first in the list. (Versions prior to 10.2.4 use the 1.4-compatible ojdbc14.jar driver. The ojdbc6.jar OJDBC driver, as supplied by Oracle for Java 6 (aka 1.6), auto-detects the local system's time zone name by scanning and comparing files under /usr/share/zoneinfo. The filenames are created during installation, and seem to depend on the 'Directory Hash Seed' of the /usr filesystem, so the result is not predictable.)
Impact:
Direct Oracle monitoring cannot be used to ensure the backend is functionally operational. The OJDBC driver negotiates the time zone for the session, and instead of 'UTC' it attempts to change the time zone to 'Universal', 'Zulu', 'Etc/Universal', or 'Etc/Zulu', which causes the monitor to fail without executing the actual monitoring.
Note: Other time zones might be affected. For example, a similar issue might happen with the time zone set to GMT, which can become 'Greenwich' because of the same functionality.
Workaround:
Although there is no reliable workaround, reinstalling might resolve the issue, as may using another time zone.
Fix:
Oracle monitor functions now as expected with UTC and other time zones.
552498-2 : APMD basic authentication cookie domains are not processed correctly
Component: Access Policy Manager
Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.
Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.
Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.
Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.
Fix:
Domain fields in Set-Cookie headers found in 401 responses are processed correctly.
552385 : Virtual servers using an SSL profile and two UDP profiles may not be accepted
Component: Local Traffic Manager
Symptoms:
Error message:
01070711:3: Found disallowed profile: Not Profile profile_clientssl
or
01070711:3: Found disallowed profile: Not Profile profile_serverssl
Conditions:
Create a virtual server with a client-ssl profile and/or a server-ssl profile and two different UDP profiles (one on the server side and one on the client side).
Impact:
When using either a client-ssl profile or a server-ssl profile, depending on the sort order of the UDP profiles, the configuration may not be accepted.
When using both a client-ssl profile and a server-ssl profile, the configuration is not accepted.
Workaround:
When using either a client-ssl profile or a server-ssl profile, either use a common UDP profile for both client and server side or try renaming one of the UDP profiles to alter the sort order.
When using both a client-ssl profile and a server-ssl profile, try using one UDP profile for both the client and server side.
Fix:
Virtual servers that utilize an SSL profile and a combination of UDP profiles are now accepted.
552352-3 : tmsh list display incorrectly for default values of gtm listener translate-address/translate-port
Solution Article: K18701002
Component: Global Traffic Manager (DNS)
Symptoms:
tmsh list displays incorrectly for default values of GTM listener translate-address/translate-port settings.
Conditions:
Using the tmsh list command to show translate-address/translate-port for GTM listener.
Impact:
tmsh list gtm listener does not display 'translate-address'/'translate-port' when it is set to enabled, but the command does show the values when it is set to disabled. The tmsh list gtm listener command should not show the default settings. This becomes an issue when used with the TMSH merge command, where the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. This might eventually result in failing traffic.
Workaround:
Use tmsh list with 'all-properties' instead.
Fix:
The GTM Listener's translate-address and translate-port fields are now always displayed in TMSH commands, because GTM Listeners have different defaults than LTM virtual servers. When used with the TMSH merge command, the value previously got set to the LTM virtual server default instead of being maintained as the GTM Listener default. By always displaying this attribute, whatever its value, the merge is always handled appropriately.
552198-3 : APM App Tunnel/AM iSession Connection Memory Leak
Solution Article: K27590443
Component: WAN Optimization Manager
Symptoms:
A memory leak occurs when APM application tunnels or AM iSession connections are aborted while waiting to be reused.
Conditions:
The iSession profile reuse-connection attribute is true.
A large number of iSession connections are aborted while waiting to be reused.
Impact:
Available memory might be significantly reduced when a large number of iSession connections waiting to be reused are aborted.
Workaround:
Disable the iSession profile reuse-connection attribute. Restart TMM.
Fix:
This release fixes an APM App Tunnel/AM iSession connection memory leak.
552151-1 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
Component: Local Traffic Manager
Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.
Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.
Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.
Workaround:
Disable compression if CPU usage is too high.
Fix:
Improved the device exception handling so that errors are correctly propagated to compression clients, thus preventing the progressive failure of the compression engine, and stopping the offload to software compression (which was driving up the CPU).
552139-3 : ASM limitation in the pattern matching matrix build-up
Solution Article: K61834804
Component: Application Security Manager
Symptoms:
The signature configuration does not build up after new signatures are added. This can look like a configuration change that never finishes, or, if it does finish, it may result in crashes when the Enforcer starts up, so that the Enforcer starts up repeatedly.
Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.
Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).
Workaround:
Workarounds are possible only in a custom signature scenario: use fewer signatures or remove unused signatures.
Fix:
Fixed a limitation in the attack signature engine.
551927-3 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
Component: TMOS
Symptoms:
On ePVA-capable platforms with a FastL4 profile and asymmetric routing on the client side, LTM sends packets to the client with the wrong VLAN and correct MAC address (or the correct VLAN and wrong MAC address) and an undecremented TTL.
Conditions:
FastL4 profile and asymmetric routing on the client side.
Impact:
Return traffic could use the wrong vlan
Workaround:
none
Fix:
Use the nexthop VLAN for ePVA transformation for offloaded flow when available, instead of the incoming VLAN
551767-2 : GTM server 'Virtual Server Score' not showing correctly in TMSH stats
Solution Article: K03432500
Component: Global Traffic Manager (DNS)
Symptoms:
GTM server 'Virtual Server Score' does not show correct values in TMSH stats. Instead, stats show a value of zero.
Conditions:
You have a virtual server configured with a non-zero score.
Impact:
tmsh show gtm server server-name detail lists 'Virtual Server Score' as zero. Note that there is no impact to actual load balancing decisions. Those decisions take into account the configured score. This is an issue only with showing the correct information and stats.
Workaround:
None.
Fix:
TMSH now shows the correct value for 'Virtual Server Score' when you have a virtual server configured with a non-zero score.
551764-1 : [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform
Solution Article: K14954742
Component: Access Policy Manager
Symptoms:
Successful execution of an Access Policy will result in the client receiving an HTTP status 500 error response when clientless mode is set. This error response is generated by APMD. This is a regression condition that occurs when the fix for bug 374067 is included.
Conditions:
-- The system has the fix for bug 374067.
-- Clientless mode is enabled.
-- BIG-IP platform is chassis platform.
-- The administrator does not override the Access Policy response with an iRule command.
Impact:
Client receives an invalid response.
Workaround:
None.
Fix:
Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.
551742-1 : Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
Component: TMOS
Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors from an unknown source. This fix mitigates parity errors that occur in the SOURCE_VP table of the switch hardware, indicated by the following message in the ltm log:
Sep 15 12:12:12 info bcm56xxd[8066]: 012c0016:6: _soc_xgs3_mem_dma: SOURCE_VP.ipipe0 failed(NAK)
Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.
Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.
Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.
Fix:
A hardware parity error issue has been fixed.
551661-3 : Monitor with send/receive string containing double-quote may fail to load.
Component: TMOS
Symptoms:
When a monitor string contains \" (backslash double-quote) but does not contain a character that requires quoting, one level of escaping is lost at each save/load.
Note: Re-loading a config happens during licensing. If you decide to upgrade, first verify that you have an escaped quote in the monitor string. If you do, remove the re-licensing step from your MOP (Method of Procedure). The failure message for reloading the license with an escaped quote appears similar to the following example:
Monitor monitor_1 parameter contains unescaped " escape with backslash.
Conditions:
If the string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Monitors are marked down due to expected string not matching or incorrect send string. Potential load failure.
Workaround:
You can use either of the following workarounds:
-- Modify the content the BIG-IP system retrieves from the web server for the purposes of health monitoring, so that double quotes are not necessary.
-- Use an external monitor instead.
Fix:
If the monitor send/recv strings contain a double-quote (") character, the system now quotes the input.
If a configuration contains '\"', do not reload the license before upgrade.
551481-4 : 'tmsh show net cmetrics' reports bandwidth = 0
Component: TMOS
Symptoms:
'tmsh show net cmetrics' reports bandwidth = 0
Conditions:
The TCP profile has cmetrics-cache enabled.
The connection involves at least 4 RTT updates.
Impact:
User cannot view cmetrics data.
Workaround:
For 12.0.0 and later, you can get this data using the ROUTE::bandwidth iRule. For earlier versions, there is no workaround.
Fix:
Properly compute bandwidth with the formula cwnd/rtt.
551349-1 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
Solution Article: K80203854
Component: TMOS
Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.
Conditions:
A monitor exists with a non-explicit address and an explicit port on a BIG-IP system running 10.2.4, and the system is then upgraded to 11.5.x (or a 10.2.4 UCS is installed).
Impact:
Monitors appear to function normally, but they have the wrong format in the configuration file.
Workaround:
None.
Fix:
The system now determines whether a non-explicit (*) address is IPv4 or IPv6 based on the next character to be parsed.
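An added Python example (not BIG-IP code) of the parsing rule described in the Fix: the character after a non-explicit '*' address decides the family, so '*:443' survives a parse/re-emit round trip instead of becoming '*.443'. The notation (':' for IPv4, '.' for IPv6 port separators) is taken from this entry; the pre-fix function is a model of the symptom, not F5's implementation.

```python
# Added example (not BIG-IP code): parsing and re-emitting a monitor
# destination. Assumed notation, as used in this entry: IPv4 destinations
# separate address and port with ':' and IPv6 destinations with '.', and
# '*' stands for a non-explicit address or port.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MonitorDestination:
    family: str    # "ipv4" or "ipv6"
    address: str   # explicit address, or "*" for non-explicit
    port: str      # decimal port, or "*" for any port


def _explicit(text: str) -> MonitorDestination:
    """Explicit address: try the IPv6 form 'addr.port' first, then 'addr:port'."""
    if "." in text:
        addr, port = text.rsplit(".", 1)
        try:
            ipaddress.IPv6Address(addr)
            return MonitorDestination("ipv6", addr, port)
        except ValueError:
            pass
    if ":" in text:
        addr, port = text.rsplit(":", 1)
        ipaddress.IPv4Address(addr)          # raises ValueError if not IPv4
        return MonitorDestination("ipv4", addr, port)
    raise ValueError(f"no port separator in monitor destination {text!r}")


def parse_destination(text: str) -> MonitorDestination:
    """Fixed behaviour: for a non-explicit (*) address, the character that
    follows the '*' decides the family (':' IPv4, '.' IPv6)."""
    if text.startswith("*"):
        sep = text[1:2]
        if sep == ":":
            return MonitorDestination("ipv4", "*", text[2:] or "*")
        if sep == ".":
            return MonitorDestination("ipv6", "*", text[2:] or "*")
        raise ValueError(f"missing family separator after '*' in {text!r}")
    return _explicit(text)


def parse_destination_buggy(text: str) -> MonitorDestination:
    """Modelled pre-fix behaviour: a non-explicit address is assumed to be
    IPv6 without looking at the separator, so '*:443' is re-emitted as '*.443'."""
    if text.startswith("*"):
        return MonitorDestination("ipv6", "*", text[2:] or "*")
    return _explicit(text)


def format_destination(dest: MonitorDestination) -> str:
    """Write the destination back in config-file form."""
    sep = ":" if dest.family == "ipv4" else "."
    return f"{dest.address}{sep}{dest.port}"


def upgrade_round_trip(text: str, parser=parse_destination) -> str:
    """Parse a destination as read from an old config and re-emit it, which is
    the step at which the upgrade described above rewrote '*:port'."""
    return format_destination(parser(text))
```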
551287-3 : Multiple LibTIFF vulnerabilities
Solution Article: K16715
551260-3 : When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated
Component: Access Policy Manager
Symptoms:
When BIG-IP is used as a SAML Service Provider and the IdP-Connector's Single Sign On Service URL contains an ampersand (&), part of the URL may be truncated when the user is redirected to the IdP for authentication.
Conditions:
All conditions must be true:
- BIG-IP is used as SAML Service Provider
- Single Sign On Service URL property of IdP connector contains ampersand, e.g. https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar
- User performs SP initiated SSO
Impact:
The part of the redirect URL's query string after the ampersand is lost when the user is redirected to the SSO URL with the Authentication Request.
Fix:
Redirect URL is no longer truncated after ampersand sign.
551208-3 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.
Component: TMOS
Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x and 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.
Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435
Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.
Workaround:
None.
Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.
551189-2 : Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data
Component: Local Traffic Manager
Symptoms:
Upon repeatedly modifying the same HTTP cookie value (in the Set-Cookie header) within an iRule attached to a virtual server, the HTTP::cookie API may produce stale HTTP header data (e.g. HTTP Set-Cookie header and/or other HTTP headers).
Conditions:
LTM Virtual Server handling HTTP traffic, with iRule attached which modifies a given HTTP cookie value through the HTTP::cookie API, on ingress and/or egress traffic (through the HTTP_REQUEST and/or HTTP_RESPONSE events). An example use-case for producing the error would be encrypting and decrypting HTTP cookies via an iRule.
Impact:
Repeatedly altering the same HTTP cookie value in an iRule, via the HTTP::cookie API, may yield an HTTP request/response with inconsistent HTTP header data, including but not limited to the Set-Cookie HTTP header.
Workaround:
None.
551010-3 : Crash on unexpected WAM storage queue state
Component: WebAccelerator
Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.
Conditions:
WAM configured on a virtual server with request queuing enabled.
Impact:
Crash
Workaround:
none
Fix:
Gracefully recover from unexpected WAM storage queue state
550782-2 : Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit
Component: Local Traffic Manager
Symptoms:
RRSIG records are present when they were not requested, and the RRSIG records and AD bit drop from the response when the entry expires from the cache.
Conditions:
This occurs when standard DNS requests are made against a Validating Resolver DNS cache that points to a second BIG-IP system which in turn contains a wideip in a signed zone.
Impact:
RRSIG records are present when they were not requested, and the RRSIG records and AD bit drop from the response when the entry expires from the cache.
Workaround:
N/A
Fix:
Update message encoding to depend on client DO bit.
550694 : LCD display stops updating and Status LED turns/blinks Amber
Solution Article: K60222549
Component: TMOS
Symptoms:
The LCD display may stop updating and the Status LED may turn Amber and begin blinking on BIG-IP 2000, 4000, 5000, 7000, or 10000-series appliances.
Conditions:
The Status LED turns Amber if the LED/LCD module stops receiving updates from the BIG-IP host, and begins blinking Amber if the LED/LCD module does not receive updates from the BIG-IP host for three minutes or longer.
This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus become stalled.
Due to changes in BIG-IP v11.5.0 and later, the frequency and likelihood of this condition are greatly reduced, but it may still occur under rare conditions.
Impact:
When this condition occurs, the front-panel LCD display does not display the current BIG-IP host status, and the Status LED blinks Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.
Workaround:
This condition can be cleared by either of the following actions:
1. Press one of the buttons on the LCD display to navigate the LCD menus.
2. Issue the following command at the BIG-IP host console:
/sbin/lsusb -v -d 0451:3410
Either action generates USB traffic, which triggers recovery from the USB stalled transfer condition.
Fix:
Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances.
550689-3 : Resolver H.ROOT-SERVERS.NET Address Change
Component: Local Traffic Manager
Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses will be good for 6 months after the change, and then the IPv4 address will go completely offline, and the IPv6 address is subject to go offline as well. More details: http://h.root-servers.org/renumber.html
Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET.
Impact:
Incorrect address for a root-server means no response to that query.
Workaround:
There are 12 other root-servers that also provide answers to TLD queries, so this is cosmetic, but the addresses still need to be updated to respond to the change.
Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53).
For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.
550596-2 : RESOLV::lookup iRule command vulnerability CVE-2016-6876
Solution Article: K52638558
550536-4 : Incorrect information/text (in French) is displayed when the Edge Client is launched
Component: Access Policy Manager
Symptoms:
Incorrect information/text (in French) is displayed when the Edge Client is launched.
Conditions:
Edge client is used in French locale.
Impact:
User sees grammatically incorrect text in French. This is a cosmetic error that has no impact on system functionality.
Workaround:
None.
Fix:
The correct information/text (in French) is now displayed when the Edge Client is launched.
550434-4 : Diameter connection may stall if server closes connection before CER/CEA handshake completes
Component: Service Provider
Symptoms:
Serverside connection stalls. Connection is not torn down and packets are not forwarded to serverside.
Conditions:
Selected pool member closes (via FIN) connection before sending CEA as part of Diameter handshake.
Impact:
Connection stalls until handshake timeout and then it is reset.
Workaround:
none
Fix:
Serverside diameter connections will be immediately reset if FIN is received before CEA (Capabilities-Exchange-Answer).
549971-3 : Some changes to virtual servers' profile lists may cause secondary blades to restart
Component: TMOS
Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.
Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.
Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.
Workaround:
You should explicitly set the ip-protocol when changing the profiles of a virtual server. Then this bug will not occur.
Fix:
If a virtual server's ip-protocol was not set, then some changes to the list of attached profiles would cause a validation error on secondary blades. This would cause those blades to restart. This issue has been fixed.
549868-2 : 10G interoperability issues reported following Cisco Nexus switch version upgrade.
Solution Article: K48629034
Component: Local Traffic Manager
Symptoms:
10G link issues reported with VIPRION B2250, B4300 blades and BIG-IP 10x00 appliances connected to Cisco Nexus switches.
Conditions:
Issues reported after version upgrade on Cisco switch to version 7.0(5)N1(1).
Impact:
The links might not come up.
Workaround:
Toggling the SFP+ interfaces usually restores the link.
Fix:
The BIG-IP system's 10G link now consistently becomes active when it is connected to other switches.
549588-3 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
Component: Access Policy Manager
Symptoms:
EAM memory growing and OOM kills EAM process under memory pressure.
Conditions:
This occurs when using access management such as Oracle Access Manager: when an authentication request is redirected to the IdP (a redirect URL is present) with cookies present, memory can grow unbounded.
Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.
Workaround:
No Workaround
Fix:
EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.
549543-2 : DSR rejects return traffic for monitoring the server
Solution Article: K37436054
Component: TMOS
Symptoms:
System DB variable 'tm.monitorencap' controls whether the server monitor traffic is encapsulated inside DSR tunnel. If it is set to 'enable', monitor traffic is encapsulated, and return traffic is without the tunnel encapsulation. In such a case, the return traffic is not mapped to the original monitor flow, and gets rejected/lost.
Conditions:
System DB variable 'tm.monitorencap' is set to 'enable', and DSR server pool is monitored.
Impact:
Monitor traffic gets lost, and server pool is marked down.
Workaround:
None.
Fix:
The DSR tunnel flow now sets the correct underlying network interface, so that the return monitor flow can match the originating flow, which results in the DSR monitor working as expected.
549406-3 : Destination route-domain specified in the SOCKS profile
Solution Article: K63010180
Component: Local Traffic Manager
Symptoms:
The SOCKS profile route-domain setting is supposed to control which route domain is used for destination addresses. It is currently used to identify the listener/tunnel interface to use when forwarding the traffic, but does not set the route domain on the destination address used by the proxy to determine how to forward the traffic.
Conditions:
When the virtual server receives a SOCKS request and the route-domain is not the default (0).
Impact:
SOCKS connection fails immediately and the system returns the following message to the client: Results(V5): General SOCKS server failure (1). Traffic is forwarded correctly only when the destination is route-domain 0. Other route domains might result in error messages and possible failed traffic.
Workaround:
Use a destination route-domain of 0 when working with the SOCKS profile.
Fix:
The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.
549329-2 : L7 mirrored ACK from standby to active box can cause tmm core on active
Solution Article: K02020031
Component: Local Traffic Manager
Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.
Conditions:
HA active-standby configuration setup for L7 packet mirroring.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.
549086-3 : Windows 10 is not detected when Firefox is used
Component: Access Policy Manager
Symptoms:
Windows 10 is not detected when the Firefox browser is used.
Conditions:
Windows 10 and Firefox (at least versions 40 and 41).
Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.
Workaround:
There is no workaround.
Fix:
Now Windows 10 is properly detected with the Firefox browser.
549023 : warning: Failed to find EUDs★
Component: TMOS
Symptoms:
There are normal circumstances where the system does not yet have a diagnostics package installed. Even though it is normal, a warning log message is emitted for this condition.
Conditions:
This occurs on newly formatted installations prior to version 11.5.4.
Impact:
Even though this is logged at the warning level, lack of an EUD can indicate a normal condition on new installations.
Workaround:
Ignore the warning.
Fix:
If the system cannot find the EUD it will now be logged at the info level.
548680-3 : TMM may core when reconfiguring iApps that make use of iRules with procedures.
Component: Local Traffic Manager
Symptoms:
TMM may core when reconfiguring iApps that make extensive use of iRules with procedures.
Conditions:
During the reconfiguration of more than one iApp by switching templates, where the prior and new templates contain iRules with procedures of the same name.
After the second or later reconfiguration TMM may core.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Modify iApp template to generate procedures that have a unique name per iApp.
Fix:
TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.
548583-5 : TMM crashes on standby device with re-mirrored SIP monitor flows.
Component: Local Traffic Manager
Symptoms:
Occasionally, the standby system with a SIP monitor crashes in a configuration where the active system contains a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.
Conditions:
This occurs on an active-standby setup in which there is an L4 forwarding virtual server or SNAT listener configuration with a wildcard IP address and port, and with connection mirroring enabled. Also, the standby has a SIP monitor configured.
Impact:
Packets that are sent by the SIP monitor on the standby get routed back to the active unit (possibly due to a routing loop) and are then sent to the standby because of the wildcard mirrored configuration. tmm on standby might crash. When the crash occurs, the standby system posts the following assert and crashes: tmm failed assertion, non-zero ha_unit required for mirrored flow.
Workaround:
-- If a routing or switching loop is the reason the packets come back to the active unit, then the routing issues can be eliminated.
-- The mirroring of the wildcard virtual server or SNAT listener can be disabled.
Fix:
TMM no longer crashes on standby device with re-mirrored SIP monitor flows.
548563-3 : Transparent Cache Messages Only Updated with DO-bit True
Component: Local Traffic Manager
Symptoms:
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.
Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.
Impact:
When the TTL of a cached message stored with DO-bit TRUE expires, queries with DO-bit FALSE are proxied until the message cache is updated by a message with DO-bit TRUE.
Workaround:
None.
Fix:
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.
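An added Python model (not BIG-IP code) of a transparent cache that combines the two DO-bit fixes on this page: the encoding rule from 550782-2 (RRSIG records and the AD bit are sent only to a client that set DO) and the refresh rule from this entry (an expired entry is replaced regardless of the new message's DO state, while a live DO=1 entry is not downgraded and a DO=1 message always refreshes). Message fields, TTL handling and the RRSIG strings are simplified assumptions.

```python
# Added model (not BIG-IP code) of a DNS transparent cache that honours the
# client's DO bit. Message fields, TTL handling and the RRSIG strings are
# simplified assumptions; only the DO-bit logic from the two entries is modelled.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class DnsMessage:
    qname: str
    qtype: str
    answers: tuple      # plain RRs, e.g. ("192.0.2.10",)
    rrsigs: tuple       # RRSIG RRs, empty when the upstream answer was unsigned
    ad: bool            # Authenticated Data bit
    ttl: int
    do: bool            # DO bit of the query that produced this message


@dataclass
class CacheEntry:
    msg: DnsMessage
    expires: float


def encode_for_client(msg: DnsMessage, client_do: bool) -> DnsMessage:
    """550782-2: encode according to the client's DO bit, not the cached copy's.
    A DO=0 client gets no RRSIG records and no AD bit."""
    if client_do:
        return msg
    return replace(msg, rrsigs=(), ad=False, do=False)


class TransparentCache:
    def __init__(self):
        self.entries: dict = {}

    def lookup(self, qname: str, qtype: str, client_do: bool, now: float,
               honor_client_do: bool = True) -> Optional[DnsMessage]:
        """Return the encoded answer, or None on a miss/expiry (proxy upstream).
        honor_client_do=False reproduces the pre-fix encoding for contrast."""
        entry = self.entries.get((qname, qtype))
        if entry is None or now >= entry.expires:
            return None
        if not honor_client_do:
            return entry.msg
        return encode_for_client(entry.msg, client_do)

    def store(self, msg: DnsMessage, now: float) -> bool:
        """548563-3 (fixed): an expired entry is replaced regardless of the DO
        state of the new message; a live DO=1 entry is not downgraded by a DO=0
        message, but a DO=1 message always refreshes the cached copy."""
        key = (msg.qname, msg.qtype)
        entry = self.entries.get(key)
        if entry is not None and now < entry.expires and entry.msg.do and not msg.do:
            return False
        self.entries[key] = CacheEntry(msg, now + msg.ttl)
        return True


# Constructed upstream answers for the same name: one from a DO=1 query
# (signed), one from a DO=0 query (unsigned).
SIGNED = DnsMessage("www.example.net", "A", ("192.0.2.10",),
                    ("RRSIG A 13 3 300 ... example.net. <signature>",), True, 300, True)
UNSIGNED = DnsMessage("www.example.net", "A", ("192.0.2.10",), (), False, 300, False)
```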
548385-1 : iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results
Solution Article: K25231211
Component: TMOS
Symptoms:
If the active folder is not the same as the folder in which the query is being run, and the corresponding key/cert extension is not present in the name of the key/certificate file, the query returns incorrect results.
Conditions:
This occurs when iControl calls query a key/cert from the parent folder and the name is missing the extension.
Impact:
The query result returns incorrect results.
Workaround:
You can use one of the following workarounds:
-- Change the filename to include the extension.
-- Change to the folder containing the iControl call you are executing.
Fix:
The system now correctly loads key/cert/csr/crl files without an extension, so iControl calls that query those files from the parent folder now return correct results.
548268-3 : Disabling an interface on a blade does not change media to NONE
Component: TMOS
Symptoms:
When an interface on a blade in a chassis is disabled, its media is not reported as NONE and the link on the other end stays UP.
Conditions:
Disabling an interface on a blade within a chassis.
Impact:
Media on the disabled interface is not reported as NONE and link on partner end is UP.
Workaround:
none
Fix:
This issue has been fixed.
548053-1 : User with 'Application Editor' role set cannot modify 'Description' field using the GUI.
Solution Article: K33462128
Component: TMOS
Symptoms:
User with 'Application Editor' role set cannot modify 'Description' field using the GUI.
Conditions:
Users with a role of Application Editor.
Impact:
Cannot modify 'Description' field using the GUI.
Workaround:
User with 'Application Editor' roles can modify 'Description' fields using tmsh.
Fix:
User with 'Application Editor' role can now modify 'Description' field using the GUI.
547942 : SNMP ipAdEntAddr indicates floating vlan IP rather than local IP
Component: TMOS
Symptoms:
An SNMP query response for ipAdEntAddr would sometimes return floating IPs rather than local IPs. This was due to the supporting software returning the first found IP address for a given vlan.
Conditions:
Problem started after upgrading to v11.5.1 Eng-HF7, from v10.2.4.
The same problem can happen on freshly installed 11.5.x as well.
Impact:
No impact to BIG-IP services, but the returned information to the SNMP query is sometimes incorrect.
Workaround:
None.
547815-2 : Potential DNS Transparent Cache Memory Leak
Solution Article: K57983796
Component: Local Traffic Manager
Symptoms:
When a transparent cache is populated with messages where the DNSSEC OK bit is true, and a query with that bit true arrives at or after the expiration of the message TTL, the system leaks all subsequent queries with DNSSEC OK set to false, up through the TTL of that message.
Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.
Impact:
A few hundred bytes can leak on each clientside query, leading to a massive leak over a short period of time.
Workaround:
Disable DNSSEC on all cached messages by disabling DNSSEC on pool members.
Fix:
This release fixes a potential DNS transparent cache memory leak.
547732-3 : TMM may core on using SSL::disable on an already established serverside connection
Component: Local Traffic Manager
Symptoms:
TMM process may crash if the SSL::disable iRule command is used on a serverside with a connection that has already established SSL.
Conditions:
Use of the 'SSL::disable serverside' iRule command on a serverside connection that has already established SSL.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use SSL::disable on an event where the serverside SSL connection is already established.
Fix:
TMM no longer cores when SSL::disable is used on an already established serverside connection; it now logs a warning: Connection error: hud_ssl_handler:605: disable profile (80).
547537-4 : TMM core due to iSession tunnel assertion failure
Component: Wan Optimization Manager
Symptoms:
TMM core due to "valid isession pcb" assertion failure in isession_dedup_admin.c.
Conditions:
Deduplication endpoint recovery occurs on a BIG-IP system that has deduplication enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
none
Fix:
An iSession tunnel initialization defect has been corrected.
547532-6 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
Component: TMOS
Symptoms:
Error messages similar to this are present in the ltm log:
-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
Conditions:
A chassis-based system with multiple blades. This can occur in a few different ways:
- A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).
- A monitor defined in the Common partition is attached to an object from a partition where the default route domain is different.
Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.
Workaround:
There are two possible workarounds:
-- Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.
-- Do not use monitors from other partitions where the default route domain is different.
Fix:
The complete state for addresses on the primary blade is propagated to secondary blades.
547047-1 : Older cli-tools unsupported by AWS
Solution Article: K31076445
Component: TMOS
Symptoms:
Older EC2 tools stopped working in some AWS regions.
Conditions:
This can happen in some AWS regions.
Impact:
BIG-IP high availability configurations may stop working in some AWS regions.
Workaround:
None.
Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.
547000-3 : Enforcer application might crash on XML traffic when out of memory
Solution Article: K47219203
Component: Application Security Manager
Symptoms:
Enforcer application might crash on XML traffic when out of memory.
Conditions:
This occurs when the system is out of memory.
Impact:
The BIG-IP system might temporarily fail to process traffic.
Workaround:
None.
Fix:
This release fixes a scenario where the system might crash when the XML parser ran out of memory.
546747-4 : SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets
Solution Article: K72042050
Component: Local Traffic Manager
Symptoms:
Sometimes the BIG-IP system responds with a fatal-handshake alert and closes the SSL session for a new connection when a ClientHello record is split between two or more packets.
If SSL debug logging is enabled, the system logs an error such as the following:
01260009:7: Connection error: ssl_hs_rxhello:6210: ClientHello contains extra data (47).
Note: For information on SSL debug logging, see SOL15292: Troubleshooting SSL/TLS handshake failures at https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html.
Conditions:
This occurs when an SSL ClientHello record is split across multiple TCP segments, and the last segment is relatively small.
Impact:
SSL connections fail to complete with a handshake failure.
Workaround:
No workaround.
Fix:
SSL handshakes no longer fail to complete when the ClientHello is split across multiple TCP segments and the last segment is relatively small.
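An added Python example (not BIG-IP code) of the record-layer handling this entry is about: TCP payload is buffered until a complete TLS record has arrived, so a ClientHello whose last segment is small is parsed only once, and only whole. The reassembler and parser use the standard TLS record and handshake headers; the ClientHello builder and the segment split are constructed for the demonstration, and the 'extra data' check mirrors the error message quoted above.

```python
# Added example (not BIG-IP code): reassembling a TLS record that arrives in
# several TCP segments before parsing the ClientHello. Wire formats are the
# standard TLS record and handshake headers; the ClientHello builder and the
# segment split are constructed for the demonstration.
import struct

HANDSHAKE = 0x16       # TLS record content type
CLIENT_HELLO = 0x01    # handshake message type
PADDING_EXT = 0x0015   # padding extension type (RFC 7685), used to bulk the message


class RecordReassembler:
    """Buffers TCP payload and releases only complete TLS records, so a record
    whose final segment is small is never parsed before it has fully arrived."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, segment: bytes) -> list:
        self.buf += segment
        records = []
        while len(self.buf) >= 5:
            ctype, version, length = struct.unpack("!BHH", self.buf[:5])
            if len(self.buf) < 5 + length:
                break                                   # wait for more segments
            records.append((ctype, version, bytes(self.buf[5:5 + length])))
            del self.buf[:5 + length]
        return records


def parse_client_hello(fragment: bytes) -> dict:
    """Parse the handshake header and the fixed-position ClientHello fields.
    Bytes beyond the declared handshake length are rejected, mirroring the
    'ClientHello contains extra data (n)' error quoted above."""
    if len(fragment) < 4 or fragment[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake message")
    msg_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:]
    if len(body) < msg_len:
        raise ValueError("ClientHello truncated")
    if len(body) > msg_len:
        raise ValueError(f"ClientHello contains extra data ({len(body) - msg_len})")
    (client_version,) = struct.unpack("!H", body[:2])
    session_id_len = body[34]                  # after 2-byte version + 32-byte random
    pos = 35 + session_id_len
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    return {"version": client_version, "cipher_suites": cs_len // 2}


def reassemble_and_parse(segments) -> list:
    """Feed TCP segments in order and parse every complete handshake record."""
    reassembler, hellos = RecordReassembler(), []
    for segment in segments:
        for ctype, _version, fragment in reassembler.feed(segment):
            if ctype == HANDSHAKE:
                hellos.append(parse_client_hello(fragment))
    return hellos


def build_client_hello(n_suites: int = 8, padding: int = 40) -> bytes:
    """Constructed TLS 1.2 ClientHello record (empty session id, null compression,
    one padding extension) for the demonstration: 110 bytes with the defaults."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
    suites = b"".join(struct.pack("!H", 0x1300 + i) for i in range(n_suites))
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    ext = struct.pack("!HH", PADDING_EXT, padding) + bytes(padding)
    body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    record = build_client_hello()
    # Split so the last TCP segment carries only the final 7 bytes of the record.
    print(reassemble_and_parse([record[:64], record[64:103], record[103:]]))
```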
546640-1 : tmsh show gtm persist <filter option> does not filter correctly
Component: Global Traffic Manager (DNS)
Symptoms:
The following commands fail to return results even if there are matching records:
# tmsh show gtm persist level wideip
# tmsh show gtm persist target-type pool-member
Conditions:
This only happens when running the tmsh commands listed in the Symptoms.
Impact:
It is not possible to get a granular detail for persist stats.
Workaround:
Use the GUI.
Fix:
Filters for the tmsh show gtm persist command now apply the filters correctly.
546410-1 : Configuration may fail to load when upgrading from version 10.x.
Solution Article: K02151433
Component: TMOS
Symptoms:
After upgrading from 10.x to 11.5.3 HF2, the configuration fails to load with the following error:
01070734:3: Configuration error: Invalid primary key on monitor_param object () - not a full path 2.
Conditions:
Configuration contains a user-created monitor (A) that inherits from user-created monitor (B). Monitor A appears first within the configuration files and monitor B does not have a 'destination' attribute.
Impact:
Configuration fails to load.
Workaround:
Re-order monitors such that Monitor B appears first, or add a 'destination' attribute (i.e., 'destination *:*') to monitor B.
Fix:
10.x upgrade now completes successfully, even when parent monitors appear later in the monitor list, or when there is no destination attribute in the child monitor.
546260-1 : TMM can crash if using the v6rd profile
Component: TMOS
Symptoms:
TMM might crash intermittently when traffic is sent through v6rd profile-configured tunnels.
Conditions:
Specific conditions required for encountering this issue are not well understood.
Impact:
Traffic is disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed the root cause of the TMM core related to the v6rd profile, so this issue no longer occurs.
546080-4 : Path sanitization for iControl REST worker
Solution Article: K99998454
545821 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
Component: Local Traffic Manager
Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.
Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.
Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.
Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.
Fix:
Once the TCP connection reaches the established state, the idle timeout is set to the value found in the associated profile. By default, the profile timeout value is 300 seconds.
545786-2 : Privilege escalation vulnerability CVE-2015-7393
Solution Article: K75136237
545762-1 : CVE-2015-7394
Solution Article: K17407
545745-3 : Enabling tmm.verbose mode produces messages that can be mistaken for errors.
Component: TMOS
Symptoms:
When tmm first starts, the system logs multiple messages containing the words "error:" and "best_error:" in the tmm log files when tmm.verbose is enabled, and hardware accelerators are present.
Conditions:
An accelerator device must be present and tmm.verbose logging must be enabled.
Impact:
The system posts messages that could be mistaken for errors. For example: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000. These are not errors, and may be safely ignored.
Workaround:
Ignore the lines with format similar to the following:
en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000
Fix:
The cosmetic messages containing 'err' and 'best err' are no longer posted on initial tmm startup when tmm.verbose logging is enabled on hardware-accelerated devices.
545704-3 : TMM might core when using HTTP::header in a serverside event
Component: Local Traffic Manager
Symptoms:
In certain circumstances, TMM might core when using an HTTP iRule command in an HTTP_REQUEST_SEND serverside event.
Conditions:
- iRule with an HTTP command in a serverside event prior to the serverside being completely established, such as HTTP_REQUEST_SEND.
- OneConnect configured on the virtual server.
Impact:
The command might either return an invalid value or lead to a condition in which TMM cores.
Workaround:
Use the {clientside} Tcl command to execute on the client side.
Alternatively, you might use the HTTP_REQUEST_RELEASE event for HTTP inspection/modification on the server-side.
Fix:
TMM no longer cores when using HTTP iRule commands on the server-side of the HTTP_REQUEST_SEND event.
545450-2 : Log activation/deactivation of TM.TCPMemoryPressure
Component: Local Traffic Manager
Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.
Conditions:
TM.TCPMemoryPressure set to "enable".
Impact:
Packets are dropped, and the cause of the drop cannot be easily determined.
Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.
545263-2 : Add SSL maximum aggregate active handshakes per profile and per global
Component: Local Traffic Manager
Symptoms:
There is no limit to the number of active SSL handshakes on one BIG-IP system. With many concurrent handshakes, memory can be exhausted and cause system problems.
Conditions:
When the BIG-IP system has too many active SSL handshakes.
Impact:
The memory and/or CPU can be exhausted.
Workaround:
None.
Fix:
Added limitation for active SSL handshakes to prevent CPU and memory exhaustion. There is a new db variable 'tmm.ssl.maxactivehandshakes' that limits the total number of active SSL handshakes. By default this variable is set to '0', which means no limit.
Behavior Change:
There is a new db variable 'tmm.ssl.maxactivehandshakes', which limits the total number of active SSL handshakes. By default this variable is set to '0', which means no limit.
544992-2 : Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/VMware View iApp)
Component: Access Policy Manager
Symptoms:
Changes to the profiles that are assigned to a virtual server are ignored if the /Common/remotedesktop and /Common/vdi profiles are already assigned to it. Some iApps that F5 provides to create Citrix or VMware View configurations assign those profiles to a virtual server.
Conditions:
/Common/remotedesktop and /Common/vdi profiles are assigned to a virtual server.
Impact:
Changes to the profiles assigned to a virtual server (adding a new profile, deleting a profile, changing existing profiles) have no effect until either the /Common/vdi profile is removed from the virtual server or tmm is restarted.
Workaround:
Use tmsh to remove /Common/vdi from the profiles for the virtual server.
(There is no option in the GUI that allows you to do this.)
Fix:
The /Common/remotedesktop and /Common/vdi profiles can be assigned to a virtual server without affecting other profiles.
544980-1 : BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
Component: TMOS
Symptoms:
The size of the /var volume is 500 MB instead of 3 GB for BETTER and BEST license bundles.
Conditions:
BIG-IP VE BETTER and BEST vm_bundle images.
Impact:
Not enough space in /var.
Workaround:
In the current volume:
1. Modify the global_attributes file.
* The global_attributes file is located at /shared/.tmi_config; edit it with the vi command.
From:
{"TMI_VOLUME_FIX_VAR_MIB":"500","TMI_VOLUME_FIX_CONFIG_MIB":"500"}
To:
{"TMI_VOLUME_FIX_VAR_MIB":"3000","TMI_VOLUME_FIX_CONFIG_MIB":"500"}
2. Install the version.
3. Restore the original value in the global_attributes file.
4. Switchboot to the newly installed volume.
5. To change /var to 3 GB, run the following command from tmsh:
modify /sys disk directory /var new-size 3145728
6. Reboot.
Fix:
BIG-IP Virtual Edition now has 3 GB of disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
544913-2 : tmm core while logging from TMM during failover
Solution Article: K17322
Component: TMOS
Symptoms:
TMM crashes and dumps core while logging to a remote logging server when an HA failover occurs.
Conditions:
The problem might occur when:
1. A log message is created as the result of errors that can occur during log-connection establishment.
2. An error occurs while attempting to connect to the remote logging server.
3. The Primary HA member fails over. The crash occurs on the HA member which was the Primary member prior to the failover.
Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.
Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.
Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.
544831 : ASM REST: PATCH to custom signature set's attackTypeReference are ignored
Component: Application Security Manager
Symptoms:
When trying to update filter/attackTypeReference for a User-Defined Filter-Based Signature Set (/mgmt/tm/asm/signature-set/<ID>), the PATCH call completes successfully, but the change never takes effect.
Conditions:
Using the REST API, a user tries to update filter/attackTypeReference for a User-Defined Filter-Based Signature Set (/mgmt/tm/asm/signature-set/<ID>).
Impact:
The PATCH call completes successfully, but the change never takes effect. This may result in the Signature Set not containing the expected signatures.
Workaround:
The bug exists only in the REST API; the GUI can be used to change this value.
Fix:
The attackTypeReference field is now correctly updated using a REST PATCH.
544481-4 : IPSEC Tunnel fails for more than one minute randomly.
Component: TMOS
Symptoms:
IPsec IKEv1: a DPD ACK may be dropped during excessive DPD message exchange. This causes the IPsec tunnel to fail.
Conditions:
Excessive DPD message exchange.
Impact:
Connection resets.
Workaround:
None.
Fix:
Excessive DPD message exchange no longer causes the IPsec tunnel to fail.
544375-2 : Unable to load certificate/key pair
Component: Local Traffic Manager
Symptoms:
After creating an SSL profile, 'could not load key/certificate file' appears in /var/log/ltm along with the profile name. Clients are unable to connect to a virtual server that uses the SSL profile.
Conditions:
Certificate uses sha1WithRSA or dsaWithSHA1_2 signature algorithm.
Impact:
Unable to load certificate.
Workaround:
None.
Fix:
Certificates with the sha1WithRSA or dsaWithSHA1_2 signature algorithm now load correctly.
544325-2 : BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).
Solution Article: K83161025
Component: Local Traffic Manager
Symptoms:
A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms:
-- Client applications may not respond or appear to hang.
-- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system.
Conditions:
This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable.
Impact:
In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back the ICMP message with type 13 ('administratively filtered').
Workaround:
None.
Fix:
LTM now sends back an ICMP Destination Unreachable message Code 3 (port unreachable), which is expected behavior.
Behavior Change:
In version 11.2.1 and earlier, the system responded to a request with an ICMP packet containing the type code 'port unreach' when a UDP virtual server pool member was down due to no available pool members. For the same scenario in versions 11.3.0 through 11.4.1, the system sends no ICMP packet. In versions 11.5.0 through this hotfix/release, the system sends an ICMP pa