Applies To:
- BIG-IP AAM 11.6.3
- BIG-IP APM 11.6.3
- BIG-IP GTM 11.6.3
- BIG-IP Link Controller 11.6.3
- BIG-IP Analytics 11.6.3
- BIG-IP LTM 11.6.3
- BIG-IP AFM 11.6.3
- BIG-IP PEM 11.6.3
- BIG-IP ASM 11.6.3
BIG-IP Release Information
Version: 11.6.3.3
Build: 3.0
NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.
Cumulative fixes from BIG-IP v11.6.3.2 that are included in this release
Cumulative fixes from BIG-IP v11.6.3.1 that are included in this release
Cumulative fixes from BIG-IP v11.6.3 that are included in this release
Cumulative fixes from BIG-IP v11.6.2 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.6.2 that are included in this release
Cumulative fixes from BIG-IP v11.6.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.6.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.6.1 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 8 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.6.x
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 704184-4 | CVE-2018-5529 | K52171282 | Create files with owner-only read/write permissions |
| 693810-4 | CVE-2018-5529 | K52171282 | CVE-2018-5529: APM Linux client vulnerability |
| 724680-2 | CVE-2018-0732 | K21665601 | OpenSSL Vulnerability: CVE-2018-0732 |
| 719554-4 | CVE-2018-8897 | K17403481 | Linux Kernel Vulnerability: CVE-2018-8897 |
| 710148-5 | CVE-2017-1000111, CVE-2017-1000112 | K60250153 | CVE-2017-1000111 & CVE-2017-1000112 |
| 694901-1 | CVE-2015-8710 | K45439210 | CVE-2015-8710: Libxml2 Vulnerability |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 590122-3 | 3-Major | | Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate the TLS specification |
| 587107-2 | 3-Major | | Allow iQuery to negotiate up to TLS 1.2 |
| 493250-2 | 3-Major | K36428111 | BGP disabling graceful-restart in ZebOS does not persist and is automatically re-enabled |
| 246726-4 | 3-Major | K8940 | System continues to process virtual server traffic after disabling the virtual address |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 723130-5 | 2-Critical | | Invalid-certificate warning displayed when deploying BIG-IP VE OVA file |
| 721924-4 | 2-Critical | | bgpd may crash processing extended ASNs |
| 705476-5 | 2-Critical | | Appliance Mode does not follow design best practices |
| 690819-2 | 2-Critical | | Using an iRule module after a 'session lookup' may result in crash |
| 624826-3 | 2-Critical | | mgmt bridge takes HWADDR of guest VM's tap interface |
| 563661-3 | 2-Critical | | Datastor may crash |
| 724319 | 3-Major | | BIG-IP versions 11.6.3.x show 'Edition' as 'Final', not 'Point Release' |
| 710827-5 | 3-Major | | TMUI dashboard daemon stability issue |
| 707445-1 | 3-Major | K47025244 | Nitrox 3 compression hangs/unable to recover |
| 701626-4 | 3-Major | K16465222 | GUI resets custom Certificate Key Chain in child client SSL profile |
| 687658-3 | 3-Major | | Monitor operations in a transaction will cause it to stay unchecked |
| 677088-5 | 3-Major | | Qkview does not follow current best practices |
| 672988-3 | 3-Major | K03433341 | MCP memory leak when performing incremental ConfigSync |
| 669818-3 | 3-Major | | Higher CPU usage for syslog-ng when a syslog server is down |
| 663924-3 | 3-Major | | Qkview archives include Kerberos keytab files |
| 633465 | 3-Major | K09748643 | Curl cannot be forced to use TLSv1.0 or TLSv1.1 |
| 631172-3 | 3-Major | | GUI user logged off when idle for 30 minutes, even when a longer timeout is set |
| 614486-3 | 3-Major | | BGP community with lower bytes of zero cannot be set in route-map |
| 612721-3 | 3-Major | | FIPS: .exp keys cannot be imported when the local source directory contains a .key file |
| 527206-3 | 3-Major | | Management interface may flap due to LOP sync error |
| 488180-3 | 3-Major | | Mcpd may restart continuously when a new blade is inserted into a chassis running vCMP |
| 424542-3 | 3-Major | | tmsh modify net interface with an invalid interface name or attributes will create an interface in cluster or VE environments |
| 674145-4 | 4-Minor | | chmand error log message missing data |
| 660239-2 | 4-Minor | | When accessing the dashboard, invalid HTTP headers may be present |
| 556616-2 | 4-Minor | K75634982 | Unable to install from hotfix on platform with SSD via the GUI |
| 530775-5 | 4-Minor | | Login page may generate unexpected HTML output |
| 530530-2 | 4-Minor | K07298903 | tmsh sys log filter is displayed in UTC time |
| 477785-1 | 4-Minor | | GUI LTM Profile ClientSSL Passphrase does not accept semicolons |
| 464650-3 | 4-Minor | | Failure of mcpd with invalid authentication context |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 726239-2 | 2-Critical | | Interruption of traffic handling as sod daemon restarts TMM |
| 722387-1 | 2-Critical | | TMM may crash when processing APM DTLS traffic |
| 716900-5 | 2-Critical | | TMM core when using MPTCP |
| 715923-2 | 2-Critical | | When processing TLS traffic, TMM may reset connections |
| 708382 | 2-Critical | | Multiple TMM cores in http_cookie_decrypt |
| 700393-5 | 2-Critical | | Under certain circumstances a stale HTTP/2 stream can cause a TMM crash |
| 609199-4 | 2-Critical | | Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join |
| 536868-3 | 2-Critical | | Packet sizing issues after receipt of PMTU |
| 452283-3 | 2-Critical | | An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows |
| 722363-4 | 3-Major | | Client fails to connect to server when using PVA offload at Established |
| 710028-5 | 3-Major | | LTM SQL monitors may stop monitoring if multiple monitors query the same database |
| 708653-4 | 3-Major | | TMM may crash while processing TCP traffic |
| 705794-4 | 3-Major | | Under certain circumstances a stale HTTP/2 stream can cause a TMM crash |
| 702443 | 3-Major | K22510506 | A pool can be deleted despite being referenced as a clone-pool by an LTM policy action |
| 702151-3 | 3-Major | | HTTP/2 can garble large headers |
| 700889-1 | 3-Major | K07330445 | Software syncookies without TCP TS improperly include TCP options that are not encoded |
| 691806-4 | 3-Major | K61815412 | RFC 793 behavior when receiving FIN/ACK in SYN-RECEIVED state |
| 676355-3 | 3-Major | | DTLS retransmission does not comply with the RFC in certain resumed SSL sessions |
| 670816-3 | 3-Major | K44519487 | HTTP/HTTPS/TCP monitor response code for 'last fail reason' can include extra characters |
| 668521-1 | 3-Major | | Bigd might stall while waiting for an external monitor process to exit |
| 668196-3 | 3-Major | | Connection limit continues to be enforced with least-connections when a pool member flaps and remains down |
| 657795-2 | 3-Major | K51498984 | Possible performance impact on some SSL connections |
| 655432-4 | 3-Major | K85522235 | SSL renegotiation fails intermittently with AES-GCM cipher |
| 651541-3 | 3-Major | K83955631 | Changes to the HTTP profile do not trigger validation for virtual servers using that profile |
| 645058-1 | 3-Major | | Modifying SSL profiles in the GUI may fail when the key is protected by a passphrase |
| 619849-2 | 3-Major | | In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled |
| 611691-3 | 3-Major | | Packet payload ignored when DSS option contains DATA_FIN |
| 611482-1 | 3-Major | | Local persistence record kept alive after owner persistence record times out (when using the pool command in an iRule) |
| 607803-2 | 3-Major | K33954223 | DTLS client (serverssl profile) fails to complete resumed handshake |
| 603609-4 | 3-Major | | Policy unable to match initial path segment when request-URI starts with "//" |
| 593390-2 | 3-Major | K34153031 | Profile lookup when selected via iRule ('SSL::profile') might cause memory issues |
| 589400-3 | 3-Major | K33191529 | With Nagle disabled, TCP does not send all xfrags with size greater than MSS |
| 584471-2 | 3-Major | | Priority order of clientssl profile selection on a virtual server |
| 572234-3 | 3-Major | | When using a pool route, TCP connections may emit packets onto the network with a source MAC address of 00:98:76:54:32:10 |
| 563933-2 | 3-Major | | [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs |
| 523973-1 | 3-Major | K69614227 | Deletion of key/cert/CSR fails to update bigip.conf |
| 513202-2 | 3-Major | | RPZ may not work as expected |
| 507554-1 | 3-Major | K13741128 | Uneven egress traffic distribution on trunk with odd number of members |
| 466875-4 | 3-Major | K15586 | SNAT automap may select a source address that is not attached to the egress VLAN/interface |
| 393647-2 | 3-Major | K17287 | Objects configured with a connection rate-limit and yellow status |
| 367226-1 | 3-Major | | Outgoing RIP advertisements may have incorrect source port |
| 716922-5 | 4-Minor | | Reduction in PUSH flags when Nagle is enabled |
| 701253-2 | 4-Minor | | TMM core when using MPTCP |
| 692095-4 | 4-Minor | K65311501 | bigd logs monitor status unknown for FQDN node/pool member |
| 604272-2 | 4-Minor | | SMTPS profile connections_current stat does not reflect actual connection count |
| 589039-2 | 4-Minor | | Clearing masquerade MAC results in unexpected link-local self IP addresses |
| 560909-2 | 4-Minor | | LTM policy is unable to disable SNAT |
| 222034-7 | 4-Minor | | HTTP::respond in LB_FAILED with large header/body might result in truncated response |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 649564-3 | 2-Critical | | Crash related to GTM monitors with long RECV strings |
| 671326-3 | 3-Major | K81052338 | DNS Cache debug logging might cause TMM to crash |
| 655807-3 | 3-Major | K40341291 | With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score |
| 632423-2 | 3-Major | K40256229 | DNS::query can cause TMM crash if AXFR/IXFR types are specified |
| 628180-2 | 3-Major | | DNS Express may fail after upgrade★ |
| 624876-3 | 3-Major | | Response Policy Zones can trigger even after an entry is removed from the zone |
| 605260-3 | 3-Major | | [GUI] Changes cannot be made to GTM listener in a partition with default route domain <> 0 |
| 595293-3 | 3-Major | | Deleting GTM links could cause gtm_add to fail on new devices |
| 370131-2 | 3-Major | | Loading UCS with low GTM Autoconf Delay drops pool members from config |
| 366695-7 | 3-Major | | Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed |
| 657961-1 | 4-Minor | K44031930 | The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 714879-5 | 2-Critical | | APM CRLDP Auth passes all certs |
| 701944-6 | 2-Critical | K42284762 | Machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6 |
| 699267-3 | 3-Major | | LDAP Query may fail to resolve nested groups |
WebAccelerator Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 603658-3 | 4-Minor | | AAM security hardening |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 556031-1 | 3-Major | | iRule execution error under virtual server with adaptation profile can crash TMM |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 591828-5 | 3-Major | K52750813 | For unmatched connection, TCP RST may not be sent for data packet |
Carrier-Grade NAT Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 471835-1 | 2-Critical | K95135255 | Invalid port blocks are incorrectly counted as active zombie blocks |
Cumulative fixes from BIG-IP v11.6.3.2 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 716992-4 | CVE-2018-5539 | K75432956 | The ASM bd process may crash |
| 695901-3 | CVE-2018-5513 | K46940010 | TMM may crash when processing ProxySSL data |
| 693744-2 | CVE-2018-5531 | K64721111 | CVE-2018-5531: vCMP vulnerability |
| 687193-3 | CVE-2018-5533 | K45325728 | TMM may leak memory when processing SSL Forward Proxy traffic |
| 686305-5 | CVE-2018-5534 | K64552448 | TMM may crash while processing SSL forward proxy traffic |
| 674189-2 | CVE-2016-0718 | K52320548 | iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0 |
| 630446-2 | CVE-2016-0718 | K52320548 | Expat vulnerability CVE-2016-0718 |
| 710314-3 | CVE-2018-5537 | K94105051 | TMM may crash while processing HTML traffic |
| 704580-4 | CVE-2018-5549 | K05018525 | apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP |
| 703940-4 | CVE-2018-5530 | K45611803 | Malformed HTTP/2 frame consumes excessive system resources |
| 701359-3 | CVE-2017-3145 | K08613310 | BIND vulnerability CVE-2017-3145 |
| 699455-2 | CVE-2018-5523 | K50254952 | SAML export does not follow best practices |
| 699346-1 | CVE-2018-5524 | K53931245 | NetHSM capacity reduces when handling errors |
| 688625-3 | CVE-2017-11628 | K75543432 | PHP Vulnerability CVE-2017-11628 |
| 676457-2 | CVE-2017-6153 | K52167636 | TMM may consume excessive resources when processing compressed data |
| 672124-2 | CVE-2018-5541 | K12403422 | Excessive resource usage when BD is processing requests |
| 662850-3 | CVE-2015-2716 | K50459349 | Expat XML library vulnerability CVE-2015-2716 |
| 631204-2 | CVE-2018-5521 | K23124150 | GeoIP lookups incorrectly parse IP addresses |
| 617273-5 | CVE-2016-5300 | K70938105 | Expat XML library vulnerability CVE-2016-5300 |
| 606710-15 | CVE-2016-2834, CVE-2016-5285, CVE-2016-8635 | K15479471 | Mozilla NSS vulnerability CVE-2016-2834 |
| 582773-4 | CVE-2018-5532 | K48224824 | DNS server for child zone can continue to resolve domain names after being revoked from parent |
| 524279-6 | CVE-2015-4000 | K16674 | CVE-2015-4000: TLS vulnerability |
| 353229-6 | CVE-2018-5522 | K54130510 | Buffer overflows in DIAMETER |
| 617901-3 | CVE-2018-5525 | K00363258 | GUI to handle file path manipulation to prevent GUI instability |
| 605579-10 | CVE-2012-6702 | K65460334 | iControl-SOAP expat client library is subject to entropy attack |
| 603758-3 | CVE-2018-5540 | K82038789 | Big3D security hardening |
| 673165-2 | CVE-2017-7895 | K15004519 | CVE-2017-7895: Linux Kernel Vulnerability |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 613415-4 | 2-Critical | K22750357 | Memory leak in ospfd when distribute-list is used |
| 581851-4 | 2-Critical | K16234725 | mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands |
| 675188-4 | 3-Major | | CVE-2017-9233: Expat vulnerability |
| 674486-3 | 3-Major | | Expat Vulnerability: CVE-2017-9233 |
| 671447-3 | 3-Major | | ZebOS 7-byte SystemID in IS-IS Restart TLV may cause adjacencies to not form |
| 631316-4 | 3-Major | K62532020 | Unable to load config with client-SSL profile error★ |
| 622619-3 | 3-Major | | BIG-IP 11.6.1: "tmsh show sys log <item> range" can kill MCPD |
| 622183-3 | 3-Major | | The alert daemon should remove old log files but does not |
| 615107-3 | 3-Major | | Cannot SSH from AOM/SCCP to host without password (host-based authentication) |
| 589338 | 3-Major | | Linux host may lose dynamic routes on secondary blades |
| 583502-1 | 3-Major | K58243048 | Considerations for transferring files from F5 devices |
| 553776-2 | 3-Major | K03365920 | BGP may advertise default route with bad parameters |
| 539832-3 | 3-Major | | ZebOS: extended community attributes are exchanged incorrectly in BGP updates |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 708114-2 | 2-Critical | K33319853 | TMM may crash when processing the handshake message relating to OCSP after the SSL connection is closed |
| 682682-5 | 2-Critical | | TMM asserts on a virtual server-to-virtual server connection |
| 676982-1 | 2-Critical | K21958352 | Active connection count increases over time, long after connections expire |
| 670804-1 | 2-Critical | K03163260 | Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP |
| 666401-1 | 2-Critical | K03294104 | Memory might become corrupted when a Standby device transitions to Active during failover |
| 657463 | 2-Critical | | SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect the handshake |
| 655211-2 | 2-Critical | | bigd crash (SIGSEGV) when running FQDN node monitors |
| 648320-1 | 2-Critical | K38159538 | Downloading via APM tunnels could experience performance degradation |
| 647757-1 | 2-Critical | K96395052 | RATE-SHAPER: Fred not properly initialized may halt traffic |
| 622856-3 | 2-Critical | | BIG-IP may enter SYN cookie mode later than expected |
| 619071-2 | 2-Critical | | OneConnect with verified accept issues |
| 613524-2 | 2-Critical | | TMM crash when HTTP::respond is called twice in LB_FAILED |
| 571651-1 | 2-Critical | K66544028 | Reset Nitrox3 crypto accelerator queue if it becomes stuck |
| 537072-1 | 2-Critical | | Fix ssl_session memory corruption with many sessions and heavy traffic |
| 491789-2 | 2-Critical | | Better retransmit recovery in a lossy network |
| 713951-2 | 3-Major | | tmm core files produced by nitrox_diag may be missing data |
| 711281-2 | 3-Major | | nitrox_diag may run out of space on /shared |
| 677525-5 | 3-Major | | Translucent VLAN group may use unexpected source MAC address |
| 677119-1 | 3-Major | | HTTP/2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE |
| 664769-2 | 3-Major | | TMM may restart when using SOCKS profile and an iRule |
| 646443-3 | 3-Major | K54432535 | Ephemeral node may be errantly created in bigd, causing crash |
| 615143-4 | 3-Major | | VDI plugin-initiated connections may select inappropriate SNAT address |
| 604880-2 | 3-Major | | tmm assert "valid pcb" in tcp.c |
| 604811-1 | 3-Major | | Under certain conditions TMM may crash while processing OneConnect traffic |
| 603550-3 | 3-Major | K63164073 | Virtual servers that use both FastL4 and HTTP profiles at the same time will have incorrect SYN cache stats |
| 602136-3 | 3-Major | K89647578 | iRule drop command causes tmm segfault or still sends 3-way handshake to the server |
| 596433-4 | 3-Major | | Virtual with lasthop configured rejects request with no route to client |
| 590156-2 | 3-Major | | Connections to an APM virtual server may be reset and fail on appliance and VE platforms |
| 584310-2 | 3-Major | K83393638 | TCP::collect ignores the 'skip' parameter when used in serverside events |
| 572895 | 3-Major | | TCP forwarded flows are reset when time-wait recycle of port happens |
| 553521-1 | 3-Major | | TMM crash when executing route lookup in tmsh for multicast destination |
| 517456 | 3-Major | K00254480 | Resetting virtual server stats increments cur_conns stat in clientssl profile |
| 516432-6 | 3-Major | K21467711 | DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1 |
| 248914-6 | 3-Major | K00612197 | ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address |
| 225634-5 | 3-Major | K12947 | The rate class feature does not honor the Burst Size setting |
| 708249-5 | 4-Minor | | nitrox_diag utility generates QKView files with 5 MB maximum file size limit |
| 517202-4 | 4-Minor | | Applications including Internet Explorer using Microsoft's Secure Channel (Schannel) may fail SSL/TLS handshakes |
Global Traffic Manager (DNS) Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 642039-3 | 2-Critical | | TMM core when persist is enabled for a wide IP with certain iRule commands triggered |
| 562921-3 | 2-Critical | | Cipher 3DES and iQuery encrypting traffic between BIG-IP systems |
| 663310-4 | 3-Major | | named reports "file format mismatch" when upgrading to versions with BIND 9.9.x for text slave zone files★ |
| 654599-2 | 3-Major | K74132601 | The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed |
| 487144-3 | 3-Major | | tmm intermittently reports that it cannot find FIPS key |
Application Security Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 691670-2 | 2-Critical | | Rare BD crash in a specific scenario |
| 684312-3 | 2-Critical | K54140729 | During Apply Policy action, bd agent crashes, causing the machine to go Offline |
| 679603-3 | 2-Critical | K15460886 | bd core upon request when profile has sensitive element configured |
| 678462-1 | 2-Critical | | After chassis failover: asmlogd CPU 100% on secondary |
| 676416-3 | 2-Critical | | BD restart when switching FTP profiles |
| 675232-2 | 2-Critical | | Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction |
| 636669-2 | 2-Critical | K37300224 | bd logs are full of 'Can't run patterns' messages |
| 611154-2 | 2-Critical | | BD crash |
| 576123-2 | 2-Critical | K23221623 | ASM policies are created as inactive policies on the peer device |
| 706304 | 3-Major | | ASU and other Update Check services overload F5 download server |
| 697303-4 | 3-Major | | BD crash |
| 696265-2 | 3-Major | K60985582 | BD crash |
| 694922-2 | 3-Major | | ASM Auto-Sync Device Group does not sync |
| 685207-3 | 3-Major | | DoS client-side challenge does not encode the Referer header |
| 683241-4 | 3-Major | K70517410 | Improve CSRF token handling |
| 571593-1 | 3-Major | | A BD core on specific server behavior with a specific configuration |
| 504917-1 | 3-Major | | In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed |
| 447319-5 | 3-Major | K57527347 | Requests Export: Japanese characters (SHIFT-JIS) unreadable in PDF |
Access Policy Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 707738-5 | 1-Blocking | K84747528 | Network Access cannot be established on Windows 10 RS4 |
| 714716-4 | 2-Critical | | Apmd logs password for acp messages when in debug mode |
| 693739-5 | 2-Critical | | VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled |
| 672480 | 2-Critical | | WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO |
| 666454-6 | 2-Critical | K05520115 | Edge client on MacBook Pro with Touch Bar cannot connect to VPN after OS X v10.12.5 update |
| 702490-5 | 3-Major | | Windows Credential Reuse feature may not work |
| 684937-5 | 3-Major | K26451305 | [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users |
| 683113-5 | 3-Major | K22904904 | [KERBEROS SSO][KRB5] The performance of memory-type Kerberos ticket cache in krb5 library drops gradually with the number of users |
| 668623-2 | 3-Major | K85991425 | macOS Edge client fails to detect correct system language for regions other than USA |
| 640924-6 | 3-Major | | On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly |
| 632646-2 | 3-Major | | APM: OAM login with ObSSOCookie results in an error page instead of redirecting to the login page when the session cookie (ObSSOCookie) is deleted from the OAM server |
| 590345-3 | 3-Major | | ACCESS policy running iRule event agent intermittently hangs |
| 535131-1 | 3-Major | | RelayState passed from IdP to SP is not used as a landing URI for IdP-initiated SAML SSO |
Service Provider Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 703515-6 | 2-Critical | K44933323 | MRF SIP LB: message corruption when using custom persistence key |
| 685708-5 | 2-Critical | | Routing via iRule to a host without providing a transport from a transport-config-created connection cores |
| 700571-1 | 3-Major | | SIP MR profile sets incorrect branch param for CANCEL to INVITE |
| 696049-4 | 3-Major | | High CPU load on generic message if multiple responses arrive while an asynchronous Tcl command is running |
| 629663-2 | 3-Major | K23210890 | CGNAT SIP ALG will drop SIP INVITE |
| 625542-4 | 3-Major | | SIP ALG with translation fails for REGISTER refresh |
Advanced Firewall Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 503951-2 | 2-Critical | | AFM policies not synced |
Traffic Classification Engine Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 546691-1 | 2-Critical | | URLCAT stats cause crash without PEM URLCAT license |
Cumulative fixes from BIG-IP v11.6.3.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 704490-1 | CVE-2017-5754 | K91229003 | CVE-2017-5754 (Meltdown) |
| 704483-1 | CVE-2017-5753, CVE-2017-9074, CVE-2017-7542, CVE-2017-11176 | K91229003 | CVE-2017-5753 (Spectre Variant 1) |
Functional Change Fixes
None
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 707226-3 | 1-Blocking | | DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations |
Local Traffic Manager Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 601828-2 | 2-Critical | K13338433 | An untrusted certificate can cause tmm to crash |
Cumulative fixes from BIG-IP v11.6.3 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 681710-5 | CVE-2017-6155 | K10930474 | Malformed HTTP/2 requests may cause TMM to crash |
| 677193-4 | CVE-2017-6154 | K38243073 | ASM BD daemon crash |
| 671498-2 | CVE-2017-3143 | K02230327 | BIND zone contents may be manipulated |
| 670822-4 | CVE-2017-6148 | K55225440 | TMM may crash when processing SOCKS data |
| 648786-2 | CVE-2017-6169 | K31404801 | TMM crashes when categorizing long URLs |
| 671638-3 | CVE-2018-5500 | K33211839 | TMM crash when load-balancing MPTCP traffic |
| 671497-2 | CVE-2017-3142 | K59448931 | TSIG authentication bypass in AXFR requests |
| 662663-3 | CVE-2018-5507 | K52521791 | Decryption failure on Nitrox platforms in vCMP mode |
| 643375-2 | CVE-2018-5508 | K10329515 | TMM may crash when processing compressed data |
| 627907-3 | CVE-2017-6143 | K11464209 | Improve cURL usage |
| 627747-3 | CVE-2017-6142 | K20682450 | Improve cURL usage |
| 621337-3 | CVE-2016-7469 | K97285349 | XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469 |
| 605039-2 | CVE-2016-2775 | K92991044 | lwresd and BIND vulnerability CVE-2016-2775 |
| 572272-4 | CVE-2018-5506 | K65355492 | BIG-IP: anonymous certificate ID enumeration |
| 609691-3 | CVE-2014-4617 | K21284031 | GnuPG vulnerability CVE-2014-4617 |
Functional Change Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 686389-4 | 3-Major | | APM does not honor per-farm HTML5 client disabling at the View Connection Server |
| 651772-5 | 3-Major | | IPv6 host traffic may use incorrect IPv6 and MAC address after route updates |
| 620445-5 | 3-Major | | New SIP::persist keyword to set the timeout without changing the key |
| 613023-6 | 3-Major | | Update SIP::persist to support resetting the timeout value |
| 599839-7 | 3-Major | | Add new keywords to the SIP::persist command to specify how the persistence table is updated |
| 441079-5 | 3-Major | K55242686 | BIG-IP 2000/4000: Source port on NAT connections is modified when it should be preserved |
TMOS Fixes
| ID Number | Severity | Solution Article(s) | Description |
| --- | --- | --- | --- |
| 667173-2 | 2-Critical | | 13.1.0 cannot join a device group with 13.1.0.1 |
| 448409-4 | 2-Critical | K15491 | 'load sys config verify' commands cause loss of sync configuration and initiate a provisioning cycle |
| 697794 | 3-Major | | ROM layout file missing for Blade B2250 in BIG-IP VIPRION 2400 chassis |
| 691485-2 | 3-Major | K47635484 | System fails to boot when syslog-ng is not running |
| 674320-3 | 3-Major | K11357182 | Syncing a large number of folders can prevent the configuration from being saved on the peer systems |
| 623930-2 | 3-Major | | vCMP guests with vlangroups may loop packets internally |
| 623336-2 | 3-Major | | After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★ |
| 610442-1 | 3-Major | K75051412 | vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★ |
| 610417-3 | 3-Major | K54511423 | Insecure ciphers included when device adds another device to the trust; TLSv1 is the only protocol supported |
| 601709 | 3-Major | K02314881 | I2C error recovery for BIG-IP 4340N/4300 blades |
| 584583-6 | 3-Major | K18410170 | Timeout error when using the REST API to retrieve a large amount of data |
| 577474-4 | 3-Major | K35208043 | Users with auditor role are unable to use tmsh list sys crypto cert |
| 546145-4 | 3-Major | | Creating a local user for a previously remote user results in an incomplete user definition |
| 544906-1 | 3-Major | K07388310 | Issues when using remote authentication when users have different partition access on different devices |
| 508556-1 | 3-Major | K17035 | CSR missing SAN when renewing cert in GUI |
| 488417-2 | 3-Major | K16977 | Config load failure with 'Input error: can't create user' after upgrade★ |
| 428876-1 | 3-Major | | dtca-bundle.crt file version can be out of sync with config★ |
| 423928-2 | 3-Major | K42630383 | syslog messages over 8 KB in length cause logstatd to exit |
| 697904 | 4-Minor | | GUI does not show device names with <> properly |
| 551349-4 | 4-Minor | K80203854 | Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★ |
| 545799-2 | 4-Minor | K48550324 | Dashboard fails to export derived throughput history |
| 541550-1 | 4-Minor | | Defining more than 10 remote-role groups can result in authentication failure |
| 522632 | 5-Cosmetic | K20301558 | Qkview generates error-level message |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
621452-3 | 1-Blocking | K58146172 | Connections can stall with TCP::collect iRule |
659899-5 | 2-Critical | K10589537 | Rare, intermittent system instability observed in dynamic load-balancing modes |
646643-3 | 2-Critical | K43005132 | HA standby virtual server with non-default lasthop settings may crash. |
644112-4 | 2-Critical | K56150996 | Permanent connections may be expired when endpoint becomes unreachable |
643631-1 | 2-Critical | K70938130 | Serverside connections on virtual servers using VDI may become zombies. |
615303-1 | 2-Critical | K47381511 | bigd crash with Tcl monitors |
604926-1 | 2-Critical | K50041125 | The TMM may become unresponsive when using SessionDB data larger than ~400K |
581746-3 | 2-Critical | K42175594 | MPTCP or SSL traffic handling may cause a BIG-IP outage |
515915-4 | 2-Critical | K47804233 | Server side timewait close state causes long establishment under port reuse |
487925-1 | 2-Critical | TMM "unexpected message" assert in diameter_tcl_handler() | |
698000-4 | 3-Major | K04473510 | Connections may stop passing traffic after a route update |
680755-2 | 3-Major | K27015502 | max-request enforcement no longer works outside of OneConnect |
662881-3 | 3-Major | K10443875 | L7 mirrored packets from standby to active might cause tmm core when it goes active. |
658214-3 | 3-Major | K20228504 | TCP connections fail intermittently for mirrored fastl4 virtual server |
650292-3 | 3-Major | | DNS transparent cache can return non-recursive results for recursive queries |
647165 | 3-Major | | A monitor may unexpectedly transition from up to down and back to up. |
645197-2 | 3-Major | | Monitors receiving unique HTTP "success" response codes may stop monitoring after status change |
645036-4 | 3-Major | K85772089 | Removing pool from virtual server does not update its status |
643777-3 | 3-Major | K27629542 | LTM policies with more than one IP address in TCP address match may fail |
641512-3 | 3-Major | K51064420 | DNSSEC key generations fail with lots of invalid SSL traffic |
640565-3 | 3-Major | K11564859 | Incorrect packet size sent to clone pool member |
636149 | 3-Major | | Multiple monitor response codes to single monitor probe failure |
627246-2 | 3-Major | K09336400 | TMM memory leak when ASM policy configured on virtual server |
618254 | 3-Major | | Non-zero Route domain is not always used in HTTP explicit proxy |
607246-2 | 3-Major | | Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires |
591666-2 | 3-Major | | TMM crash in DNS processing on TCP virtual with no available pool members |
587705-7 | 3-Major | K98547701 | Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools. |
557667-1 | 3-Major | K73162091 | Some monitor types may fail to probe when the monitor definition is changed |
542009-2 | 3-Major | K01162427 | tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message. |
538705-1 | 3-Major | K01545350 | tmm assert 'valid private' |
536563-2 | 3-Major | | Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets. |
528198-2 | 3-Major | | reject in iRule event FLOW_INIT may not respond with a RST |
520604-8 | 3-Major | K52431550 | Route domain creation may fail if simultaneously creating and modifying a route domain |
517756-7 | 3-Major | | Existing connections can choose incorrect route when crossing non-strict route-domains |
494333-2 | 3-Major | | In specific cases, persist cookie insert fails to insert a session cookie when using an iRule |
483653-2 | 3-Major | | In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window |
483257-1 | 3-Major | K17051 | Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP |
475681-1 | 3-Major | K17021 | Changing virtual server type from Standard to Performance (HTTP) can make it impossible to connect to VIP |
467551-6 | 3-Major | K17011 | TCP syncookie and Selective NACK (profile option) causes traffic to be dropped |
462881-1 | 3-Major | K17006 | Configuration utility allows for mismatch in IP protocol and transport profile |
435055-1 | 3-Major | K17291 | ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert) |
352957-1 | 3-Major | K03005026 | Route lookup after change in route table on established flow ignores pool members |
530877-4 | 4-Minor | K13887095 | TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
645615-3 | 2-Critical | K70543226 | zxfrd may fail and restart after multiple failovers between blades in a chassis. |
584374-1 | 2-Critical | K67622400 | iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address. |
636853-1 | 3-Major | | Under some conditions, a change in the order of GTM topology records does not take effect. |
629530-3 | 3-Major | K53675033 | Under certain conditions, monitors do not time out. |
625671-2 | 3-Major | | The diagnostic tool dnsxdump may crash with non-standard DNS RR types. |
527387-1 | 3-Major | K06611108 | Timeout config settings can result in incorrect monitoring |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
694073-4 | 3-Major | | All signature update details are shown in 'View update history from previous BIG-IP versions' popup |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
652004-4 | 2-Critical | K45320415 | Show /apm access-info all-properties causes memory leaks in tmm |
649234-4 | 2-Critical | K64131101 | TMM crash from a possible memory corruption. |
685857 | 3-Major | | Memory consumption of tmm slowly increases. |
684325-4 | 3-Major | | APMD Memory leak when applying a specific access profile |
678976-5 | 3-Major | K24756214 | Do not print all HTTP headers to avoid printing user credentials to /var/log/apm. |
677058-4 | 3-Major | | Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text |
675866-3 | 3-Major | | WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO |
670918-1 | 3-Major | | Flash AS3 wrappers should have an additional check for the activation object |
670910-1 | 3-Major | | Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined |
655146-5 | 3-Major | | APM Profile access stats are not updated correctly |
654513-5 | 3-Major | K11003951 | APM daemon crashes when the LDAP query agent returns empty in its search results. |
648083-1 | 3-Major | K83700745 | APM rewrite process may incorrectly handle the eval() function. |
610582-5 | 3-Major | | Device Guard prevents Edge Client connections |
576350-2 | 3-Major | K32581271 | External input from client doesn't pass to policy agent if it is not the first in the chain. |
565347-1 | 3-Major | | Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction |
436489-4 | 3-Major | | Session variables defined within the "Relay State" parameter of an SP initiated SSO session may fail. |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
682281 | 2-Critical | | iSession tunnels are not reused and idle tunnels are not terminated by the sweeper |
549327-3 | 3-Major | | iSession remote endpoint connection not re-established |
479183-2 | 3-Major | K01749002 | Unexpected iSession tunnel state transition causes TMM to restart. |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
640407-4 | 2-Critical | | Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF |
639236-3 | 2-Critical | K66947004 | Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute |
559953-2 | 2-Critical | | tmm core on long DIAMETER::host value |
679114-1 | 3-Major | | Persistence record expires early if an error is returned for a BYE command |
674747-1 | 3-Major | K30837366 | sipdb cannot delete custom bidirectional persistence entries. |
673814-2 | 3-Major | K37822302 | Custom bidirectional persistence entries are not updated to the session timeout |
642298-2 | 3-Major | | Unable to create a bidirectional custom persistence record in MRF SIP |
625098-1 | 3-Major | | SCTP::local_port iRule not supported in MRF events |
624023-1 | 3-Major | | TMM cores in iRule when accessing a SIP header that has no value |
620929-5 | 3-Major | | New iRule command, MR::ignore_peer_port |
620759-5 | 3-Major | | Persist timeout value gets truncated when added to the branch parameter. |
609328-1 | 3-Major | K53447441 | SIP Parser incorrectly parses empty header |
603019-5 | 3-Major | | Inserted SIP VIA branch parameter not unique between INVITE and ACK |
598700-8 | 3-Major | | MRF SIP Bidirectional Persistence does not work with multiple virtual servers |
493020-1 | 3-Major | K21254213 | MRF SIP iRules events not raised if previous message's event is still running |
632658-5 | 4-Minor | | Enable SIP::persist command to operate during SIP_RESPONSE event |
617690-2 | 4-Minor | | Enable SIP::respond iRule command to operate during MR_FAILED event |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
673029-1 | 2-Critical | | Debug image TMM crash |
624744-4 | 2-Critical | | Potential crash in a multi-blade chassis during CMP state changes. |
623922-1 | 2-Critical | K64388805 | TMM failure in PEM while processing Service-Provider Disaggregation |
622220-3 | 2-Critical | | Disruption during manipulation of PEM data with suspected flow irregularity |
616008-4 | 2-Critical | K23164003 | TMM core may be seen when using an HSL format script for HSL reporting in PEM |
678822-5 | 3-Major | | Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed |
642068-2 | 3-Major | | PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens |
641482-5 | 3-Major | | Subscriber remains in delete pending state until a CCR-T ack with a success result code is received |
623037-1 | 3-Major | | Delete of PEM session attribute does not work after an update |
680729-5 | 4-Minor | K64307999 | DHCP Trace log incorrectly marked as an Error log. |
628869-1 | 4-Minor | | Unconditional logs seen due to the presence of a PEM iRule. |
Cumulative fixes from BIG-IP v11.6.2 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
693211-4 | CVE-2017-6168 | K21905460 | CVE-2017-6168 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v11.6.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
684879-3 | CVE-2017-6164 | K02714910 | Malformed TLS1.2 records may result in TMM segmentation fault. |
653993-2 | CVE-2017-6132 | K12044607 | A specific sequence of packets to the HA listener may cause tmm to produce a core file |
653880-1 | CVE-2017-6214 | K81211720 | Kernel Vulnerability: CVE-2017-6214 |
652516-1 | CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 | K31603170 | Multiple Linux Kernel Vulnerabilities |
649907-3 | CVE-2017-3137 | K30164784 | BIND vulnerability CVE-2017-3137 |
649904-3 | CVE-2017-3136 | K23598445 | BIND vulnerability CVE-2017-3136 |
648865-1 | CVE-2017-6074 | K82508682 | Linux kernel vulnerability: CVE-2017-6074 |
644904-4 | CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 | K55129614 | tcpdump 4.9 |
644693-4 | CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 | K15518610 | Fix for multiple CVE for openjdk-1.7.0 |
643187-3 | CVE-2017-3135 | K80533167 | BIND vulnerability CVE-2017-3135 |
641360-3 | CVE-2017-0303 | K30201296 | SOCKS proxy protocol error |
638556-3 | CVE-2016-10045 | K73926196 | PHP Vulnerability: CVE-2016-10045 |
636702-2 | CVE-2016-9444 | K40181790 | BIND vulnerability CVE-2016-9444 |
636700-3 | CVE-2016-9147 | K02138183 | BIND vulnerability CVE-2016-9147 |
636699-4 | CVE-2016-9131 | K86272821 | BIND vulnerability CVE-2016-9131 |
630475-4 | CVE-2017-6162 | K13421245 | TMM Crash |
626360-5 | CVE-2017-6163 | K22541983 | TMM may crash when processing HTTP2 traffic |
624903-3 | CVE-2017-6140 | K55102452 | Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms. |
624526-1 | CVE-2017-6159 | K10002335 | TMM core in mptcp |
610255-2 | CVE-2017-6161 | K62279530 | CMI improvement |
563154-2 | CVE-2015-2925 CVE-2015-5307 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 | K31026324 K94105604 K90230486 | Multiple Linux Kernel vulnerabilities |
560109-3 | CVE-2017-6160 | K19430431 | Client capabilities failure |
540174-3 | CVE-2015-5364 CVE-2015-5366 | K17307 K17309 | CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1623.html |
655059-2 | CVE-2017-6134 | K37404773 | TMM Crash |
648879-1 | CVE-2016-6136 CVE-2016-9555 | K90803619 | Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555 |
645101-4 | CVE-2017-3731, CVE-2017-3732 | K44512851 | OpenSSL vulnerability CVE-2017-3732 |
640768-1 | CVE-2016-10088 CVE-2016-9576 | K05513373 | Kernel vulnerability: CVE-2016-10088 |
638137-1 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 | K51201255 | CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 |
637666-3 | CVE-2016-10033 | K74977440 | PHP Vulnerability: CVE-2016-10033 |
635314-4 | CVE-2016-1248 | K22183127 | vim Vulnerability: CVE-2016-1248 |
631688-4 | CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 | K55405388 K87922456 K63326092 K51444934 K80996302 | Multiple NTP vulnerabilities |
625372-2 | CVE-2016-2179 | K23512141 | OpenSSL vulnerability CVE-2016-2179 |
623119-6 | CVE-2016-4470 | K55672042 | Linux kernel vulnerability CVE-2016-4470 |
622496-6 | CVE-2016-5829 | K28056114 | Linux kernel vulnerability CVE-2016-5829 |
622178-3 | CVE-2017-6158 | K19361245 | Improve flow handling when Autolasthop is disabled |
622126-3 | CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 | K54308010 | PHP vulnerability CVE-2016-7124 |
614147-3 | CVE-2017-6157 | K02692210 | SOCKS proxy defect resolution |
613225-3 | CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 | K90492697 | OpenSSL vulnerability CVE-2016-6306 |
613127-6 | CVE-2016-5696 | K46514822 | Linux TCP Stack vulnerability CVE-2016-5696 |
607314-3 | CVE-2016-3500 CVE-2016-3508 | K25075696 | Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508 |
600232-4 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
600223-4 | CVE-2016-2177 | K23873366 | OpenSSL vulnerability CVE-2016-2177 |
600069-3 | CVE-2017-0301 | K54358225 | Portal Access: Requests handled incorrectly |
592485-2 | CVE-2015-5157 CVE-2015-8767 | K17326 | Linux kernel vulnerability CVE-2015-5157 |
592001-2 | CVE-2016-4071 CVE-2016-4073 | K64412100 | CVE-2016-4073 PHP vulnerabilities |
540018-2 | CVE-2014-3940 CVE-2014-3184 CVE-2015-0239 | K16429 K15685 K15912 | Multiple Linux Kernel Vulnerabilities |
533413-4 | CVE-2011-5321 CVE-2015-3636 CVE-2015-1593 CVE-2015-2830 CVE-2015-2922 | K51518670 | CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1221.html |
527563-6 | CVE-2015-1805 CVE-2015-3331 CVE-2014-9419 CVE-2014-9420 CVE-2014-9585 | K17458 K16819 K17551 K17543 K17241 | Kernel Vulnerabilities |
600205-4 | CVE-2016-2178 | K53084033 | OpenSSL Vulnerability: CVE-2016-2178 |
598002-3 | CVE-2016-2178 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
591438-2 | CVE-2015-8865 | K54924436 | PHP vulnerability CVE-2015-8865 |
569355-3 | CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 | K50118123 | Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 |
492732-2 | CVE-2014-3184 | K15912 | Linux kernel driver vulnerabilities CVE-2014-3184, CVE-2014-3185, CVE-2014-3611, CVE-2014-3645, and CVE-2014-3646 |
655021-3 | CVE-2017-3138 | K23598445 | BIND vulnerability CVE-2017-3138 |
621935-3 | CVE-2016-6304 | K54211024 | OpenSSL vulnerability CVE-2016-6304 |
606771-4 | CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 | K35799130 | Multiple PHP vulnerabilities |
601268-1 | CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 | K43267483 | PHP vulnerability CVE-2016-5766 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
643210-1 | 2-Critical | K45444280 | Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM |
633723-2 | 3-Major | | New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot |
609674-2 | 3-Major | | machine certificate check creates issuer string with DC with reverse order |
545263-4 | 3-Major | | Add SSL maximum aggregate active handshakes per profile and per global |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
534824-1 | 1-Blocking | K02954921 | Incorrect key/certificate when creating clientSSL profile and modifying key/cert in the same transaction. |
480073-1 | 1-Blocking | | Adding a new chassis and syncing the configuration cause mcpd to restart. |
638935-7 | 2-Critical | | Monitor with send/receive string containing double-quote may cause upgrade to fail.★ |
625824-3 | 2-Critical | | iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory |
610354-2 | 2-Critical | | TMM crash on invalid memory access to loopback interface stats object |
542898-3 | 2-Critical | | Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0 |
528343-2 | 2-Critical | | Loading cli preference that does not contain the user attribute will fail |
514514-1 | 2-Critical | | Running gtm_add can result in error message about encrypted attributes. |
513151-8 | 2-Critical | | VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID. |
483373-2 | 2-Critical | | Incorrect bash prompt for created admin role users |
667278-4 | 3-Major | | DSC connections between BIG-IP units may fail to establish |
650002-3 | 3-Major | | tzdata bug fix and enhancement update |
648316 | 3-Major | K10776106 | Flows using DEFLATE decompression can generate error message during flow tear-down. |
647944-3 | 3-Major | | MCP may crash when making specific changes to a FIX profile attached to more than one virtual server |
645179-3 | 3-Major | | Traffic group becomes active on more than one BIG-IP after a long uptime |
644184-1 | 3-Major | K36427438 | ZebOS daemons hang while AgentX SNMP daemon is waiting. |
631627-5 | 3-Major | | Applying BWC over route domain sometimes results in tmm not becoming ready on system start |
628164-2 | 3-Major | K20766432 | OSPF with multiple processes may incorrectly redistribute routes |
622133-4 | 3-Major | | VCMP guests may obtain incorrect MAC addresses |
621273-4 | 3-Major | | DSR tunnels with transparent monitors may cause TMM crash. |
619060-2 | 3-Major | | Reduction in boot time in BIG-IP Virtual Edition platforms |
617628-2 | 3-Major | | SNMP reports incorrect value for sysBladeTempTemperature OID |
491406-1 | 3-Major | | TMM SIGSEGV in sctp_output due to NULL snd_dst |
485164-2 | 3-Major | | MCPD cores when the Check Service Date in the license is not current. |
393270-4 | 3-Major | | Configuration utility may become non-responsive or fail to load. |
655691-1 | 4-Minor | | GUI image list contains misleading 'MD5 Sum Verified' field |
654566-1 | 4-Minor | K94822416 | Incomplete files still linked in /shared/vmisolinks |
634371-3 | 4-Minor | | Cisco ethernet NIC driver |
442322-2 | 4-Minor | | vCMP guest names in statistics limited to 32 characters |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618905-3 | 1-Blocking | | tmm core while installing Safenet 6.2 client |
646604-3 | 2-Critical | K21005334 | Client connection may hang when NTLM and OneConnect profiles used together |
642400-1 | 2-Critical | | Path MTU discovery occasionally fails |
637181-3 | 2-Critical | | VIP-on-VIP traffic may stall after routing updates |
635274-3 | 2-Critical | K21514205 | SSL::sessionid command may return invalid values |
634259 | 2-Critical | K50166002 | IP tuple nexthop object can be freed while still referenced by another structure |
625198-3 | 2-Critical | | TMM might crash when TCP DSACK is enabled |
603667-3 | 2-Critical | | TMM may leak or corrupt memory when configuration changes occur with plugins in use |
600982-1 | 2-Critical | | TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0" |
597978-4 | 2-Critical | | GARPs may be transmitted by active going offline |
581829-1 | 2-Critical | | Traffic that uses a network HSM for crypto services can fail to recover. |
566071-1 | 2-Critical | | network-HSM may not be operational on secondary slots of a standby chassis. |
503125-4 | 2-Critical | | Excessive MPI net traffic can cause tmm panics on chassis systems |
477195-3 | 2-Critical | | OSPFv3 session gets stuck in loading state |
474797 | 2-Critical | | Malformed SSL packets can cause errors in /var/log/ltm |
663326-3 | 3-Major | | Thales HSM: "fipskey.nethsm --export" fails to make stub keys |
654109-3 | 3-Major | K01102467 | Configuration loading may fail when iRules calling procs in other iRules are deleted |
648954-3 | 3-Major | K01102467 | Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls |
643582-1 | 3-Major | | Config load with large ssl profile configuration may cause tmm restart |
613369-1 | 3-Major | | Half-Open TCP Connections Not Discoverable |
612694-3 | 3-Major | | TCP::close with no pool member results in zombie flows |
608551-4 | 3-Major | | Half-closed congested SSL connections with unclean shutdown might stall. |
604496-2 | 3-Major | | SQL (Oracle) monitor daemon might hang. |
508486-2 | 3-Major | | TCP connections might stall if initialization fails |
499615-3 | 3-Major | | RAM cache serves zero length documents. |
423392-5 | 3-Major | | tcl_platform is no longer in the static:: namespace |
511985-4 | 4-Minor | | Large numbers of ERR_UNKNOWN appearing in the logs |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
624193-1 | 3-Major | | Topology load balancing not working as expected |
468503-1 | 3-Major | | The Update Check operation reports a different version of IP geolocation database than what is installed. |
644220-2 | 4-Minor | | Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
618771-2 | 2-Critical | | Some Social Security Numbers are not being masked |
577668-1 | 2-Critical | | ASM Remote logger doesn't log 64 KB request. |
569583-1 | 2-Critical | | Secondary Blade Rejects All Traffic after being added to the chassis★ |
568347-2 | 2-Critical | | BD Memory corruption |
665905-1 | 3-Major | K83305000 | Signature System corruption from specific ASU prevents ASU load after upgrade |
664930-1 | 3-Major | | Policy automatic learning mode changes to manual after failover |
625832-2 | 3-Major | | A false positive modified domain cookie violation |
616169-2 | 3-Major | | ASM Policy Export returns HTML error file |
604923-3 | 3-Major | | REST id for Signatures change after update |
572885-2 | 3-Major | | Policy automatic learning mode changes to manual after failover |
427644-2 | 3-Major | | asm_config_server_rpc might crash during ASM policy sync |
366605-1 | 3-Major | | response_log_size_limit does not limit the log size. |
557098-1 | 4-Minor | K80251813 | Correlation is continuously restarted with 'An instance with pid xxxx is already running' error in the ltm log |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
602654-3 | 2-Critical | | TMM crash when using AVR lookups |
639617 | 3-Major | | When AVR collects Page load time and/or session data, the Content-Length can be set incorrectly |
635561-3 | 3-Major | | Heavy URLs statistics are not shown after upgrade. |
631722-2 | 3-Major | | Some HTTP statistics not displayed after upgrade |
573764-3 | 3-Major | | In some cases, only primary blade retains its statistics after upgrade on multi bladed system |
570926-1 | 3-Major | | Provide a way to configure where in payload the CSPM JS is injected. |
560114-7 | 3-Major | | Monpd is being affected by an I/O issue which makes some of its threads freeze |
512303-1 | 3-Major | | Install does not complete (stays at 0%) because the UCS save operation hangs while backing up the AVR database. |
639395-1 | 4-Minor | K91614278 | AVR does not display 'Max read latency' units. |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
679235-4 | 2-Critical | | Inspection Host NPAPI Plugin for Safari can not be installed |
638570-2 | 2-Critical | | "ACCESS::session remove" hangs in ACCESS_POLICY_COMPLETED |
632798-1 | 2-Critical | K30710317 | Double-free may occur if Access initialization fails |
499800-1 | 2-Critical | | Customized logout page is not displayed after logon failure |
481481-1 | 2-Critical | | APM on a multi-blade chassis: on an idle machine, 'rewrite' processes can take up to half of the CPU cycles. |
676300-6 | 3-Major | K04551025 | EPSEC binaries may fail to upgrade in some cases★ |
658852-1 | 3-Major | | Empty User-Agent in iSessions requests from APM client on Windows |
649613-1 | 3-Major | | Multiple UDP/TCP packets packed into one DTLS Record |
645684-1 | 3-Major | | Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting. |
638780-1 | 3-Major | | Handle 302 redirects for VMware Horizon View HTML5 client |
620829-4 | 3-Major | | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
619486-1 | 3-Major | | Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self |
618170-1 | 3-Major | | Some URL unwrapping functions can behave badly |
615970-2 | 3-Major | | SSO logging level may cause failover |
601420-2 | 3-Major | | Possible SAML authentication loop with IE and multi-domain SSO. |
597214-2 | 3-Major | | Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly |
583272-1 | 3-Major | | "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth |
559402-1 | 3-Major | | Client initiated form based SSO fails when username and password not replaced correctly while posting the form |
557841-1 | 3-Major | | Policy sync fails when adding host to AppTunnel on LSO resolve |
557399-2 | 3-Major | | Browser could become unresponsive when page with specific script constructions is accessed through Portal Access |
508699-1 | 3-Major | | Import with reuse is failing if profile and resource are sharing the same name |
474606-1 | 3-Major | | [Flash AS3] ApplicationDomain matching fails for relative URLs |
611968-1 | 4-Minor | | JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
476460-6 | 4-Minor | | WAM Range HTTP header limited to 8 ranges |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
644970-2 | 2-Critical | | Editing a virtual server config loses SSL encryption on iSession connections |
644489-2 | 3-Major | K14899014 | Unencrypted iSession connection established even though data-encrypt configured in profile |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
649933-3 | 3-Major | | Fragmented RADIUS messages may be dropped |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
652400-1 | 3-Major | | During blade changes, PBA may cause a TMM restart |
Cumulative fixes from BIG-IP v11.6.1 Hotfix 2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
631582-4 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
624570-3 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
624457-3 | CVE-2016-5195 | K10558632 | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
616864-3 | CVE-2016-2776 | K18829561 | BIND vulnerability CVE-2016-2776 |
612128 | CVE-2016-6515 | K31510510 | OpenSSH vulnerability CVE-2016-6515 |
611469-2 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
597394-1 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
596340-3 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
591329-2 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | CVE-2016-2108 fixed in Oracle Access Manager library used by BIG-IP APM |
588496-3 | CVE-2009-3555 | K10737 | SSL Renegotiation vulnerability - CVE-2009-3555 / VU#120541 |
586131-3 | CVE-2014-3566 | K15702 | SSLv3 vulnerability CVE-2014-3566 |
580026-3 | CVE-2017-6165 | K74759095 | HSM logging error |
635412-2 | CVE-2017-6137 | K82851041 | Invalid mss with fast flow forwarding and software syn cookies |
618261-3 | CVE-2016-2182 | K01276005 | OpenSSL vulnerability CVE-2016-2182 |
604442-1 | CVE-2016-6249 | K12685114 | iControl log |
599536-2 | CVE-2017-6156 | K05263202 | IPsec peer with wildcard selector brings up wrong phase2 SAs |
597023-4 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
594496-3 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
591455-2 | CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 | K24613253 | NTP vulnerability CVE-2016-2516 |
591447-3 | CVE-2016-4070 | K42065024 | PHP vulnerability CVE-2016-4070 |
520924-4 | CVE-2016-5020 | K00265182 | Restricted roles for custom monitor creation |
475743-4 | CVE-2017-6128 | K92140924 | Improve administrative login efficiency |
635933-1 | CVE-2004-0790 | K23440942 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
600198-4 | CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 | K53084033 | OpenSSL vulnerability CVE-2016-2178 |
599285-4 | CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
597010-4 | CVE-2016-4955 | K03331206 | NTP vulnerability CVE-2016-4955 |
596997-4 | CVE-2016-4956 | K64505405 | NTP vulnerability CVE-2016-4956 |
591767-3 | CVE-2016-1547 | K11251130 | NTP vulnerability CVE-2016-1547 |
573343-3 | CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
620712-1 | 3-Major | | Added better search capabilities on the Pool Members Manage & Pool Create page. |
597797-1 | 3-Major | K78449695 | Allow users to disable enforcement of RFC 7057 |
581840 | 3-Major | K46576869 | Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ. |
564876-1 | 3-Major | | New DB variable log.lsn.comma changes CGNAT logs to CSV format |
561348-4 | 3-Major | | krb5.conf file is not synchronized between blades and not backed up |
541549-4 | 3-Major | | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. |
530109-5 | 3-Major | | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. |
454492-1 | 3-Major | | Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures |
451433-7 | 3-Major | | HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe) |
609084-1 | 4-Minor | K03808942 | Max number of chunks not configurable above 1000 chunks |
591733-2 | 4-Minor | K83175883 | Save on Auto-Sync is missing from the configuration utility. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
624263-3 | 2-Critical | | iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API response |
624245 | 2-Critical | | Hung tasks leading to system problems and lack of management access via ssh/GUI |
614865-2 | 2-Critical | | Overwrite flag in iControl key/certificate_import_from_pem functions is ignored and might result in errors. |
613536-2 | 2-Critical | | tmm core while running the iRule STATS:: command |
605476-2 | 2-Critical | | statsd can core when reading corrupt stats files. |
601527-3 | 2-Critical | | mcpd memory leak and core |
591104-3 | 2-Critical | | ospfd cores due to an incorrect debug statement. |
587698-2 | 2-Critical | | bgpd crashes when ip extcommunity-list standard with route target (rt) and Site-of-origin (soo) parameters are configured |
583516-3 | 2-Critical | | tmm ASSERT's "valid node" on Active, after timer fire. |
574055-3 | 2-Critical | | TMM crash after changing raccoon log level |
570881-4 | 2-Critical | | IPsec configuration mismatch in IKEv2 causes TMM crash in isakmp_parse_proposal () |
570663-3 | 2-Critical | | Using iControl get_certificate_bundle_v2 causes a memory leak |
570419-2 | 2-Critical | | Use of session DB on multi-process appliances and blades may core. |
567457-3 | 2-Critical | | TMM may crash when changing the IKE peer config. |
460833-1 | 2-Critical | | MCPD sync errors and restart after multiple modifications to file object in chassis |
457252-1 | 2-Critical | | tmm crash when using sip_info persistence without a sip profile |
440752-1 | 2-Critical | | qkview might loop writing output file if MCPD fails during execution |
355806-3 | 2-Critical | | Starting mcpd manually at the command line interferes with running mcpd |
623401-4 | 3-Major | | Intermittent OCSP request failures due to non-optimal default TCP profile setting |
621417-1 | 3-Major | | sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS. |
621242 | 3-Major | | Reserve enough space in the image for future upgrades. |
616242-2 | 3-Major | K39944245 | basic_string::compare error in encrypted SSL key file if the first line of the file is blank★ |
615934-2 | 3-Major | | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. |
609119-5 | 3-Major | | Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3: |
608320-4 | 3-Major | | iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API response |
604931-1 | 3-Major | K42028295 | bgpd might core on restarting process with BGP debug enabled. |
603149-1 | 3-Major | | Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy |
601502-1 | 3-Major | | Excessive OCSP traffic |
600558-3 | 3-Major | | Errors logged after deleting user in GUI |
597729-1 | 3-Major | | Errors logged after deleting user in GUI |
597601-4 | 3-Major | | Improvement for a previous issue regressed NAT-T |
596814-3 | 3-Major | | HA Failover fails in certain valid AWS configurations |
592870-3 | 3-Major | | Fast successive MTU changes to IPsec tunnel interface crashes TMM |
590904-5 | 3-Major | | New HA Pair created using serial cable failover only will remain Active/Active |
586878-2 | 3-Major | | During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★ |
585485-4 | 3-Major | | Interoperability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system |
583285-7 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
577440-1 | 3-Major | | audit logs may show connection to hagel.mnet |
571344-3 | 3-Major | | SSL Certificate with special characters might cause exception when GUI retrieves items list page.★ |
566507-2 | 3-Major | | Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment |
560510-6 | 3-Major | | Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down. |
557059-2 | 3-Major | | When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang |
543208 | 3-Major | | Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★ |
534021-5 | 3-Major | | HA on AWS uses default AWS endpoint (EC2_URL). |
533813-3 | 3-Major | | Internal Virtual Server in partition fails to load from saved config |
528498-5 | 3-Major | | Recently-manufactured hardware may not be identified with the correct model name and SNMP OID |
523642-5 | 3-Major | | Power Supply status reported incorrectly after LBH reset |
523527-6 | 3-Major | K43121346 | Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.★ |
516540-3 | 3-Major | K17501 | devmgmtd file object leak |
509400-1 | 3-Major | K36089384 | vCMP VIPRION: internal flooded unicast packets with multi-slot trunks impact performance |
502714-4 | 3-Major | K75031635 | Deleting files and file object references in a single transaction might cause validation errors |
481089-7 | 3-Major | | Request group incorrectly deleted prior to being processed |
479660-2 | 3-Major | | tmm crash in ipsec when ipsec-policy and ike-peer do not match. |
460176-4 | 3-Major | | Hardwired failover asserts active even when standalone |
400456-3 | 3-Major | | HTTP monitors with long send or receive strings may not save or update |
339825-3 | 3-Major | | Management.KeyCertificate.install_certificate_from_file failing silently |
598498-4 | 4-Minor | | Cannot remove Self IP when an unrelated static ARP entry exists. |
585097-3 | 4-Minor | | Traffic Group score formula does not result in unique values. |
581835-3 | 4-Minor | | Command failing: tmsh show ltm virtual vs_name detail. |
551208-1 | 4-Minor | | Nokia alarms are not deleted due to the outdated alert_nokia.conf. |
542347-1 | 4-Minor | | Denied message in audit log on first time boot |
541320-6 | 4-Minor | K50973424 | Sync of tunnels might cause restore of deleted tunnels. |
535544-5 | 4-Minor | | Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled |
477700-1 | 4-Minor | K04116117 | Detail missing from power supply 'Bad' status log messages |
470627-2 | 5-Cosmetic | | Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE |
442231-2 | 5-Cosmetic | | Pendsect log entries have an unexpected severity |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
622166 | 2-Critical | | HTTP GET requests with HTTP::cookie iRule command receive no response |
619528-2 | 2-Critical | | TMM may accumulate internal events resulting in TMM restart |
616215-2 | 2-Critical | | TMM can core when using LB::detach and TCP::notify commands in an iRule |
613088-1 | 2-Critical | | pkcs11d thread has session initialization problem. |
612229-2 | 2-Critical | | TMM may crash if a disable policy action for 'LTM Policy' is not last |
607360-2 | 2-Critical | | Safenet 6.2 library missing after upgrade★ |
605865-2 | 2-Critical | | Debug TMM produces core on certain ICMP PMTUD packets |
604223-1 | 2-Critical | | pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM" |
603082-2 | 2-Critical | | Ephemeral pool members are getting deleted/created over and over again. |
603032-2 | 2-Critical | | clientssl profiles with sni-default enabled may leak X509 objects |
602326-3 | 2-Critical | | Intermittent pkcs11d core when stopping or restarting pkcs11d service |
597966 | 2-Critical | | ARP/neighbor cache nexthop object can be freed while still referenced by another structure |
588351-2 | 2-Critical | | IPv6 fragments are dropped when packet filtering is enabled. |
574153-2 | 2-Critical | | If an SSL client disconnects while data is being sent to the SSL client, the connection may stall until TCP timeout. |
526367-3 | 2-Critical | | tmm crash |
509646-7 | 2-Critical | | Occasional connections reset when using persistence |
480009-2 | 2-Critical | | OSPFv2 Redistributed routes are deleted after blade failover with Graceful Restart |
624616-3 | 3-Major | | Safenet uninstall is unable to remove libgem.so |
618517-2 | 3-Major | K61255401 | bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring |
617862-1 | 3-Major | | Fastl4 handshake timeout is absolute instead of relative |
617858-1 | 3-Major | | bigd core when using Tcl monitors |
617824-2 | 3-Major | | "SSL::disable/enable serverside" + oneconnect reuse is broken |
613673-1 | 3-Major | K48693281 | Pool members may not be marked up and/or there might be a slight delay in monitors |
610609-1 | 3-Major | | Total connections in bigtop, SNMP are incorrect |
610429-3 | 3-Major | | X509::cert_fields iRule command may memory with subpubkey argument |
607304-2 | 3-Major | | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. |
606575-3 | 3-Major | | Request-oriented OneConnect load balancing ends when the server returns an error status code. |
604977-3 | 3-Major | K08905542 | Wrong alert when DTLS cookie size is 32 |
603606 | 3-Major | | tmm core |
603236-2 | 3-Major | | 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware |
602366-2 | 3-Major | | Safenet 6.2 HA performance |
602358-2 | 3-Major | | BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version |
601496-1 | 3-Major | | iRules and OCSP Stapling |
601178-3 | 3-Major | | HTTP cookie persistence 'preferred' encryption |
600827-5 | 3-Major | K21220807 | Stuck Nitrox crypto queue can erroneously be reported |
600593-4 | 3-Major | | Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests |
598874-3 | 3-Major | | GTM Resolver sends FIN after SYN retransmission timeout |
595275-2 | 3-Major | | Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN |
594642-1 | 3-Major | | Stream filter may require large allocations by Tcl leading TMM to core on allocation failure. |
592871-2 | 3-Major | | Cavium Nitrox PX/III stuck queue diagnostics missing. |
592497-2 | 3-Major | | Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state. |
591789-1 | 3-Major | | IPv4 fragments are dropped when packet filtering is enabled. |
591659-3 | 3-Major | K47203554 | Server shutdown is propagated to client after X-Cnection: close transformation. |
591476-8 | 3-Major | K53220379 | Stuck crypto queue can erroneously be reported |
591343-2 | 3-Major | K03842525 | SSL::sessionid output is not consistent with the sessionid field of ServerHello message. |
588115-3 | 3-Major | | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw |
586738-2 | 3-Major | | The tmm might crash with a segfault. |
584029-2 | 3-Major | | Fragmented packets may cause tmm to core under heavy load |
578971-1 | 3-Major | | When mcpd is restarted on a blade, cluster members may be temporarily marked as failed |
576224-1 | 3-Major | | NetHSM does not come back after TCP connection to device is reset |
573402-2 | 3-Major | | 'C_GetAttributeValue error' with netHSM |
572281-2 | 3-Major | | Variable value in the nesting script of foreach command gets reset when there is a parking command in the script |
571573-2 | 3-Major | K20320811 | Persistence may override node/pmbr connection limit |
570057-3 | 3-Major | | Can't install more than 16 SafeNet HSMs in its HA group |
569642-4 | 3-Major | | Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core |
569288-2 | 3-Major | | Different LACP key may be used in different blades in a chassis system causing trunking failures |
569206-2 | 3-Major | K47952434 | After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades. |
568743-3 | 3-Major | | TMM core when dnssec queries to dns-express zone exceed nethsm capacity |
568543-3 | 3-Major | | Syncookie mode is activated on wildcard virtuals |
567862-1 | 3-Major | | intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance |
565799-2 | 3-Major | | CPU Usage increases when using masquerade addresses |
563227-3 | 3-Major | K31104342 | When a pool member goes down, persistence entries may vary among tmms |
557358-1 | 3-Major | | TMM SIGSEGV and crash when memory allocation fails. |
556117-2 | 3-Major | | client-ssl profile is case-sensitive when checking server_name extension |
555432-1 | 3-Major | | Large configuration files may go missing on secondary blades |
550669-1 | 3-Major | K06263705 | Monitors stop working - throttling monitor instance probe because file descriptor limit 65436 reached |
549329-1 | 3-Major | K02020031 | L7 mirrored ACK from standby to active box can cause tmm core on active |
545450-3 | 3-Major | | Log activation/deactivation of TM.TCPMemoryPressure |
541126-4 | 3-Major | | Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed |
537553-6 | 3-Major | | tmm might crash after modifying virtual server SSL profiles in SNI configuration |
528736-1 | 3-Major | | When a TCP connection is aborting, tmm can crash with "hud_oob consumed" message |
525675 | 3-Major | | SSL with forward proxy can leak memory |
522310-3 | 3-Major | | ICMP errors cause the associated FastL4/TCP connection to be reset |
519746-1 | 3-Major | | ICMP errors may reset FastL4 connections unexpectedly |
518086-6 | 3-Major | | Safenet HSM Traffic failure after system reboot/switchover |
505705-7 | 3-Major | | Expired mirrored persistence entries not always freed using intra-chassis mirroring |
501984-2 | 3-Major | | TMM may experience an outage when an iRule fails in LB_SELECTED. |
500003-4 | 3-Major | | Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP |
494977-2 | 3-Major | | Rare outages possible when using config sync and node-based load balancing |
490740-10 | 3-Major | | TMM may assert if HTTP is disabled by another filter while it is parked |
475677-3 | 3-Major | | Connections may hang until timeout if an LTM policy action failed |
464801-2 | 3-Major | | Intermittent tmm core |
442539-1 | 3-Major | | OneConnect security improvements. |
587966-3 | 4-Minor | K77283304 | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
574020-4 | 4-Minor | | Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}') |
538708-3 | 4-Minor | | TMM may apply SYN cookie validation to packets before generating any SYN cookies |
513288-5 | 4-Minor | | Management traffic from nodes being health monitored might cause health monitors to fail. |
499795-2 | 4-Minor | | "persist add" in server-side iRule event can result in "Client Addr" being pool member address |
446830-3 | 4-Minor | | Current Sessions stat does not increment/decrement correctly. |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
603598-2 | 2-Critical | | big3d memory under extreme load conditions |
587656-3 | 2-Critical | | GTM auto discovery problem with EHF for ID574052 |
587617-3 | 2-Critical | | While adding GTM server, failure to configure new IP on existing server leads to gtmd core |
621239-1 | 3-Major | | Certain DNS queries bypass DNS Cache RPZ filter. |
620215-3 | 3-Major | | TMM out of memory causes core in DNS cache |
619398-4 | 3-Major | | TMM out of memory causes core in DNS cache |
613576-2 | 3-Major | | QOS load balancing links display as gray |
613045 | 3-Major | | Interaction between GTM and 10.x LTM results in some virtual servers marked down |
601180-1 | 3-Major | K73505027 | Link Controller base license does not allow DNS namespace iRule commands.★ |
589256-3 | 3-Major | K71283501 | DNSSEC NSEC3 records with different type bitmap for same name. |
588289-4 | 3-Major | | GTM is Re-ordering pools when adding pool including order designation |
574052-2 | 3-Major | | GTM autoconf can cause high CPU usage for gtmd |
491801 | 3-Major | | GTM iRule command [LB::status up] gives error |
615187-1 | 4-Minor | | Missing hyperlink to GSLB virtual servers and servers on the pool member page. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
634001-1 | 2-Critical | | ASM restarts after deleting a VS that has an ASM security policy assigned to it |
582003-2 | 2-Critical | | BD crash on startup or on XML configuration change |
515728-5 | 2-Critical | | Repeated BD cores. |
514571-1 | 2-Critical | | Apply policy operation hangs |
511187-1 | 2-Critical | | The BIG-IP ASM bd process may produce a core file when a large BIG-IP ASM configuration is modified on a loaded system |
499347-3 | 2-Critical | | JSON UTF16 content could be blocked by ASM as Malformed JSON |
621524-3 | 3-Major | | Processing Timeout When Viewing a Request with 300+ Violations |
605921 | 3-Major | | scriptd and mcpd cores following multiple failovers due to bd (asm) |
605616-3 | 3-Major | | Creating 256 Fundamental Security policies will result in an out of memory error |
603945-1 | 3-Major | | BD config update should be considered as config addition in case of update failure |
603479-1 | 3-Major | | "ASM starting" while it's already running, causing the restart of all ASM daemons |
602221-3 | 3-Major | | Wrong parsing of redirect Domain |
600174-1 | 3-Major | | Wildcard "*" redirection domain cannot be deleted if list is scrollable |
582683-5 | 3-Major | | xpath parser doesn't reset a namespace hash value between each and every scan |
580168-2 | 3-Major | | Information missing from ASM event logs after a switchboot and switchboot back |
576591-4 | 3-Major | | Support for some future credit card number ranges |
573406-3 | 3-Major | | ASU cannot be completed if license was last activated more than 18 months before |
559541-2 | 3-Major | | ICAP anti virus tests are not initiated on XML with when should |
553976-1 | 3-Major | | AJAX File uploads don't work in IE (import policy doesn't work) |
528071-1 | 3-Major | | ASM periodic updates (cron) write errors to log |
521204-1 | 3-Major | | Include default values in XML Policy Export |
508957-1 | 3-Major | | ASM REST Slowness Viewing Policy List |
392121-1 | 3-Major | | TMSH Command to retrieve the memory consumption of the bd process |
609496-1 | 4-Minor | | Improved diagnostics in BD config update (bd_agent) added |
603071-1 | 4-Minor | | XHTML validation fails on obfuscated JavaScript |
471766-2 | 4-Minor | | Number of decoding passes configuration |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
565085-2 | 3-Major | | Analytics profile allows invalid combination of entities for Alerts setup |
488989-3 | 3-Major | | AVRD does not print out an error message when the external logging fails |
474613-1 | 3-Major | | Upgrading from previous versions★ |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
622830 | 2-Critical | | LDAP type CRLDP is parsed incorrectly |
622244-1 | 2-Critical | | Edge client can fail to upgrade when always connected is selected |
618324-2 | 2-Critical | | Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor |
617310-1 | 2-Critical | | Edge client can fail to upgrade when Always Connected is selected★ |
614322-3 | 2-Critical | K31063537 | TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway |
608408-4 | 2-Critical | | TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library |
582440-2 | 2-Critical | | Linux client does not restore route to the default GW on Ubuntu 15.10 |
625376-1 | 3-Major | | In some cases, download of PAC file by edge client may fail |
623562-1 | 3-Major | | Large POSTs rejected after policy already completed |
621202-1 | 3-Major | | Portal Access: document.write() with very long string as argument may be handled incorrectly. |
620614-2 | 3-Major | | Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account |
619879-3 | 3-Major | | HTTP iRule commands could lead to WEBSSO plugin being invoked |
617316-1 | 3-Major | | Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration |
617002-3 | 3-Major | | SWG with Response Analytics agent in a Per-Request policy fails with some URLs |
616838 | 3-Major | | Citrix Remote desktop resource custom parameter name does not accept hyphen character |
614891-4 | 3-Major | | Routing table doesn't get updated when EDGE client roams among wireless networks |
613613-1 | 3-Major | | Incorrect handling of form that contains a tag with id=action |
612419-2 | 3-Major | | APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable)) |
611669-1 | 3-Major | | Mac Edge Client customization is not applied on macOS 10.12 Sierra |
610248 | 3-Major | | IE 11 browser does not display VDI profile columns properly |
610243 | 3-Major | | HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication |
610224-1 | 3-Major | | APM client may fetch expired certificate when a valid and an expired certificate co-exist |
610180-3 | 3-Major | | Misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin. |
604767-4 | 3-Major | | Importing SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of IdP connector object. |
603293-3 | 3-Major | | Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs |
601905-4 | 3-Major | | POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server |
600116-1 | 3-Major | | DNS resolution request may take a long time in some cases |
598211-2 | 3-Major | | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. |
591268-3 | 3-Major | | VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions |
583113-3 | 3-Major | | NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event |
582752-2 | 3-Major | | Macrocall could be topologically not connected with the rest of policy.★ |
569309-1 | 3-Major | | Clientside HTML parser does not recognize HTML event attributes without value |
567503-5 | 3-Major | K03293396 | ACCESS::remove can result in confusing ERR_NOT_FOUND logs |
566998-2 | 3-Major | | Edge client upgrade fails if client was configured in locked mode★ |
559082-1 | 3-Major | | Tunnel details are not shown for MAC Edge client |
554458 | 3-Major | | No Session Variables displayed when clicking on "View Session Variables" link in APM "All Sessions" reports with reduced zeros in Session ID |
509595-1 | 3-Major | | Start uri is blank when going through portal in IE, but loads fine in Firefox |
451301-1 | 3-Major | | HTTP iRules break Citrix HTML5 functionality |
389484-4 | 3-Major | | OAM reporting Access Server down with JDK version 1.6.0_27 or later |
366149-1 | 3-Major | | ACL support for VPN tunnels |
238444-2 | 3-Major | K14219 | An L4 ACL has no effect when a layered virtual server is used. |
620922-1 | 4-Minor | | Online help for Network Access needs update |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
472942-2 | 2-Critical | K04924125 | tmm crash while changing acceleration policy |
596569-2 | 3-Major | | Memory leak on Central device in Symmetric deployment |
506315-5 | 3-Major | | WAM/AAM is honoring OWS age header when not honoring OWS maxage. |
474445-2 | 3-Major | | TMM crash when processing unexpected HTTP response in WAM |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
619757-3 | 2-Critical | | iSession causes routing entry to be prematurely freed |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
607713-4 | 3-Major | | SIP Parser fails header with multiple sequential separators inside quoted string. |
601255-3 | 3-Major | | RTSP response to SETUP request has incorrect client_port attribute |
599521-2 | 3-Major | | Persistence entries not added if message is routed via an iRule |
598854-1 | 3-Major | | sipdb tool incorrectly displays persistence records without a pool name |
597835-1 | 3-Major | K12228503 | Branch parameter in inserted VIA header not consistent as per spec |
583010-9 | 3-Major | | Sending a SIP invite with 'tel' URI fails with a reset |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
619710 | 3-Major | | GUI gives error when clicking "Update" making changes to VS in Security-Policies |
618902-3 | 3-Major | | PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation |
614563-1 | 3-Major | | AVR TPS calculation is inaccurate |
605427-2 | 3-Major | | TMM may crash when adding and removing virtual servers with security log profiles |
592113-1 | 3-Major | | tmm core on the standby unit with dos vectors configured |
580460-1 | 3-Major | | Client side integrity defense or proactive may break application |
495390-4 | 3-Major | | An error occurs on Active Rules page after attempting to reorder Rules in a Policy |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
553735-3 | 2-Critical | K30332053 | TMM core on HTTP response with steering action. |
527992-2 | 2-Critical | | tmm might crash with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client. |
624091 | 3-Major | | DHCP relay is not forwarding all of the DHCPOFFERS to clients |
611355 | 3-Major | | tmm core with PEM |
608742-4 | 3-Major | K48561135 | DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode. |
592070-1 | 3-Major | | DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied |
551303-3 | 3-Major | K75280116 | TMM may core during processing of a CCA-T. |
472122-4 | 3-Major | | DHCPv4: When configured in forwarding mode, BIG-IP will support client messages that use either UDP 67 or 68 as the source port. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
532365-1 | 3-Major | | lsndb cores with "Assertion `size < bin_key_size' failed" |
504828-2 | 3-Major | | "translate address" and "translate port" are enabled by default when configured from the GUI |
481948-1 | 3-Major | | LSN_DELETE messages may not be logged in PBA mode |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
615260 | 2-Critical | | out of memory condition when URL categorization is configured to work with large feedlists |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
522268-2 | 2-Critical | | hostagentd memory leak on VCMP hosts |
Cumulative fixes from BIG-IP v11.6.1 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
596488-4 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
591806-3 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
591328-2 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591327-2 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
591325-2 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 |
591042-5 | CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
579955-2 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
577826-4 | CVE-2016-1286 | K62012529 | BIND vulnerability CVE-2016-1286 |
573778-7 | CVE-2016-1714 | K75248350 | QEMU vulnerability CVE-2016-1714 |
573124-2 | CVE-2016-5022 | K06045217 | TMM vulnerability CVE-2016-5022 |
563670-11 | CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | K86772626 | OpenSSL vulnerabilities |
601938-3 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
593447-2 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
591918-4 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
591908-4 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
591894-4 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
591881-4 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
587077-3 | CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
585424-3 | CVE-2016-1979 | K20145801 | Mozilla NSS vulnerability CVE-2016-1979 |
582813-1 | CVE-2016-0774 | K08440897 | Linux Kernel CVE-2016-0774 |
579220-3 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
564111-1 | CVE-2015-8395 CVE-2015-8384 CVE-2015-8392 CVE-2015-8394 CVE-2015-8391 CVE-2015-8390 CVE-2015-8389 CVE-2015-8388 CVE-2015-8387 CVE-2015-8386 CVE-2015-8385 CVE-2015-8383 CVE-2015-8382 CVE-2015-8381 CVE-2015-8380 CVE-2015-2328 CVE-2015-2327 CVE-2015-8393 | K05428062 | Multiple PCRE vulnerabilities |
541231-2 | CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 | K16704 K16707 | Resolution of multiple curl vulnerabilities |
486791-2 | CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424 CVE-2014-6425 CVE-2014-6426 CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 | K16939 | Resolution of multiple wireshark vulnerabilities |
416734-1 | CVE-2012-5195 CVE-2012-5526 CVE-2012-6329 CVE-2013-1667 | K15867 | Multiple Perl Vulnerabilities |
580340-3 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
580313-3 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
579975-3 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability |
579829-3 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
579237-3 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
579085-4 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
578570-2 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
577828-5 | CVE-2016-2088 | K59692558 | BIND vulnerability CVE-2016-2088 |
577823-4 | CVE-2016-1285 | K46264120 | BIND vulnerability CVE-2016-1285 |
567379-1 | CVE-2013-4397 | K16015326 | libtar vulnerability CVE-2013-4397 |
565895-4 | CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 | K17235 | Multiple PCRE Vulnerabilities |
553454-2 | CVE-2015-2730 | K15955144 | Mozilla NSS vulnerability CVE-2015-2730 |
551287-4 | CVE-2010-2596 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 | K16715 | Multiple LibTIFF vulnerabilities |
481806-2 | CVE-2013-4002 | K16872 | Java Runtime Environment vulnerability CVE-2013-4002 |
479431-4 | CVE-2014-3596 | K16821 | Apache Axis vulnerability CVE-2014-3596 |
416372-4 | CVE-2012-2677 | K16946 | Boost memory allocator vulnerability CVE-2012-2677 |
570667-16 | CVE-2016-0701 CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |
517048-1 | CVE-2015-2305 | K16831 | BSD regex library vulnerability CVE-2015-2305 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
532685-6 | 3-Major | | PAC file download errors disconnect the tunnel |
490936-2 | 3-Major | | SSLv2/TLSv1-based handshake causing handshake failures |
544325-3 | 4-Minor | K83161025 | BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable). |
483508-1 | 4-Minor | K70333230 | Large values may display as negative numbers for 32-bit integer variables in the MIB |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
538761-4 | 1-Blocking | | scriptd may core when MCP connection is lost |
583936-3 | 2-Critical | | Removing ECMP route from BGP does not clear route from NSM |
574116-2 | 2-Critical | | MCP may crash when syncing configuration between device groups |
570973-2 | 2-Critical | | L7 hardware syn cookie feature is broken in BIG-IP v12.0.0 hf1 and hf2 |
569634 | 2-Critical | | Aced process is not able to listen to port 6000 |
568889-2 | 2-Critical | K22989000 | Some ZebOS daemons do not start on blade transition secondary to primary. |
563064-1 | 2-Critical | | Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory |
561814-1 | 2-Critical | | TMM Core on Multi-Blade Chassis |
560683-3 | 2-Critical | | HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound() |
559034-1 | 2-Critical | | Mcpd core dump in the sync secondary during config sync |
557144-3 | 2-Critical | | Dynamic route flapping may lead to tmm crash |
542097-2 | 2-Critical | | Update to RHEL6 kernel |
530903-1 | 2-Critical | | HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade★ |
529141-5 | 2-Critical | K95285012 | Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error★ |
506274-2 | 2-Critical | | TMM crash/core seen when a traffic-selector is created with Action discard |
493053-2 | 2-Critical | | Route domains' firewall policies may be removed after sync |
481647-5 | 2-Critical | | OSPF daemon asserts and generates core |
477611-4 | 2-Critical | | ICMP monitor does not work on DAG Round Robin enabled VLANs |
473527-2 | 2-Critical | | IPsec interop problem when using AES-GCM. |
420438-3 | 2-Critical | | Default routes from standby system when HA is configured in NSSA |
598039-3 | 3-Major | | MCP memory may leak when performing a wildcard query |
595773-3 | 3-Major | | Cancellation requests for chunked stats queries do not propagate to secondary blades |
579284 | 3-Major | | Potential memory corruption in MCPd |
576305-3 | 3-Major | | Potential MCPd leak in IPSEC SPD stats query code |
575735-2 | 3-Major | | Potential MCPd leak in global CPU info stats code |
575726-2 | 3-Major | | MCPd might leak memory in vCMP interface stats. |
575716-2 | 3-Major | | MCPd might leak memory in VCMP base stats. |
575708-2 | 3-Major | | MCPd might leak memory in CPU info stats. |
575671-2 | 3-Major | | MCPd might leak memory in host info stats. |
575660-2 | 3-Major | K50219995 | Potential MCPd leak in TMM rollup stats |
575649-2 | 3-Major | | MCPd might leak memory in IPFIX destination stats query |
575619-2 | 3-Major | | Potential MCPd leak in pool member stats query code |
575608-2 | 3-Major | | MCPd might leak memory in virtual server stats query. |
575595-1 | 3-Major | | Potential MCPd leak in eviction policy stats. |
575591-2 | 3-Major | | Potential MCPd leak in IKE message stats query code |
575589-1 | 3-Major | | Potential MCPd leak in IKE event stats query code |
575587-2 | 3-Major | | Potential MCPd leak in BWC policy class stats query code |
575027-2 | 3-Major | | Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues. |
574045-2 | 3-Major | | BGP may not accept attributes using extended length |
571210-4 | 3-Major | | Upgrade, load config, or sync might fail on large configs with large objects. |
571019-3 | 3-Major | | Topology records can be ordered incorrectly. |
570818-2 | 3-Major | | Address lease-pool in IKEv2 might interfere with IKEv2 negotiations. |
570053-2 | 3-Major | K78448635 | HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync. |
569356-2 | 3-Major | K91428939 | BGP ECMP learned routes may use incorrect VLAN for nexthop |
569236-4 | 3-Major | K24331010 | BIG-IP logs INVALID-SPI messages but does not remove the associated SAs. |
565534-2 | 3-Major | K40254066 | Some failover configuration items may fail to take effect |
562044-2 | 3-Major | | Statistics slow_merge option does not work |
559939-2 | 3-Major | K30040319 | Changing hostname on host sometimes causes blade to go RED / HA TABLE offline |
558858-4 | 3-Major | K80079953 | Unexpected loss of communication between slots of a vCMP Guest |
558779-6 | 3-Major | | SNMP dot3 stats occasionally unavailable |
557281-2 | 3-Major | | The audit_forwarder process fails to exit normally, causing the process to consume CPU to near 100% |
555039-2 | 3-Major | K24458124 | VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration |
553795-4 | 3-Major | | Differing cert/key after successful config-sync |
549971-5 | 3-Major | | Some changes to virtual servers' profile lists may cause secondary blades to restart |
548385-3 | 3-Major | K25231211 | iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results |
546410-2 | 3-Major | K02151433 | Configuration may fail to load when upgrading from version 10.x.★ |
545745-2 | 3-Major | | Enabling tmm.verbose mode produces messages that can be mistaken for errors. |
542860-4 | 3-Major | | TMM crashes when IPsec SAs are deleted during HA Active to Standby or vice versa event |
542742-2 | 3-Major | K07038540 | SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m). |
542320-1 | 3-Major | | No login name may appear when running ssh commands through management port |
541316-3 | 3-Major | K41175594 | Unexpected transition from Forced Offline to Standby to Active |
539199-3 | 3-Major | | HTML filter is truncating the server response when sending it to client |
538133-4 | 3-Major | | Only one action per sensor is displayed in sensor_limit_table and system_check |
537326-2 | 3-Major | | NAT available in DNS section but config load fails with standalone license |
532559-4 | 3-Major | | Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'. |
526974-1 | 3-Major | | Data-group member records map empty strings to 'none'. |
521270-2 | 3-Major | | Hypervisor might replace vCMP guest SYN-Cookie secrets |
519081-1 | 3-Major | | Cannot use tmsh to load valid configuration created using the GUI. |
516995-3 | 3-Major | | NAT traffic group inheritance does not sync across devices |
513649-4 | 3-Major | | Transaction validation errors on object references |
512954-2 | 3-Major | | ospf6d might leak memory when distribute-list is used |
511900-2 | 3-Major | | 'sessiondump -allkeys' command hangs |
510580-5 | 3-Major | | Interfaces might be re-enabled unexpectedly when loading a partition |
508076-2 | 3-Major | | Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name. |
504803-5 | 3-Major | | GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'. |
502049-1 | 3-Major | | Qkview may store information in the wrong format |
502048-1 | 3-Major | | Qkview may store information in the wrong format |
487625-3 | 3-Major | | Qkview might hang |
486725-2 | 3-Major | | GUI creating key files with .key extensions in the name causing errors |
486712-3 | 3-Major | | GUI PVA connection maximum statistic is always zero |
485702-4 | 3-Major | | Default SNMP community 'public' is re-added after the upgrade |
484534-4 | 3-Major | | Interface STP state stays in blocked when added to STP as disabled |
481696-2 | 3-Major | | Failover error message 'sod out of shmem' in /var/log/ltm |
479553-4 | 3-Major | | Sync may fail after deleting a persistence profile |
479543-6 | 3-Major | | Transaction will fail when deleting pool member and related node |
478215-2 | 3-Major | | The command 'show ltm pool detail' returns duplicate members in some cases |
477888-4 | 3-Major | | ESP ICSA support is non-functional on versions 11.4.0 and up |
455651-5 | 3-Major | K40300934 | Improper regex/glob validation in web-acceleration and http-compression profiles |
451494-2 | 3-Major | | SSL Key/Certificate in different partition with Subject Alternative Name (SAN) |
425980-3 | 3-Major | | Blade number not displayed in CPU status alerts |
421971-9 | 3-Major | | Renewing certificates with SAN input in the GUI leads to error. |
418664-4 | 3-Major | K21485342 | Configuration utility CSRF vulnerability |
405611-3 | 3-Major | K61045143 | Configuration utility CSRF vulnerability |
375246-1 | 3-Major | | Clarification of pool member session enabling versus pool member monitor enabling |
372118-3 | 3-Major | | import_all_from_archive_file and import_all_from_archive_stream do not create file objects. |
601927-3 | 4-Minor | K52180214 | Security hardening of control plane |
551481-3 | 4-Minor | | 'tmsh show net cmetrics' reports bandwidth = 0 |
536746-3 | 4-Minor | K88051173 | LTM : Virtual Address List page uses LTM : Nodes List search filter. |
533480-5 | 4-Minor | K43353404 | qkview crash |
532086-3 | 4-Minor | K68631333 | Local Traffic Policy Rules Condition List select value to update with existing values. |
478922-3 | 4-Minor | | ICSA logging issues on versions 11.4.0 and later |
466612-1 | 4-Minor | | Missing sys DeviceModel OID for VIPRION C2200 chassis |
487084-2 | 5-Cosmetic | | GUI iFile delete confirmation page lists incorrect items to be deleted |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
596619 | 2-Critical | K00539510 | Some 10.2.x client SSL configurations fail to upgrade to 11.6.1.★ |
579919-1 | 2-Critical | | TMM may core when LSN translation is enabled |
575011-4 | 2-Critical | K21137299 | Memory leak. Nitrox3 Hang Detected. |
565409-4 | 2-Critical | | Invalid MSS with HW syncookies and flow forwarding |
559973-2 | 2-Critical | | Nitrox can hang on RSA verification |
558612-4 | 2-Critical | | System may fail when syncookie mode is activated |
558534-3 | 2-Critical | | The TMM may crash if http url rewrite is used with APM |
549868-4 | 2-Critical | K48629034 | 10G interoperability issues reported following Cisco Nexus switch version upgrade. |
534795-1 | 2-Critical | | Swapping VLAN names in config results in switch daemon core and restart. |
521548-6 | 2-Critical | | Possible crash in SPDY |
517613-1 | 2-Critical | | ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps |
489217-1 | 2-Critical | | "cipher" memory can leak |
488686-1 | 2-Critical | K24980114 | Large file transfer hangs when HTTP is in passthrough mode |
483665-2 | 2-Critical | | Restrict the permissions for private keys |
466007-2 | 2-Critical | K02683895 | DNS Express daemon, zxfrd, can not start if its binary cache has filled /var |
459671-2 | 2-Critical | | iRules source different procs from different partitions and execute the incorrect proc. |
600535 | 3-Major | | TMM may core while exiting if MCPD connection was previously aborted |
597089-5 | 3-Major | | Connections are terminated after 5 seconds when using ePVA full acceleration |
593530-1 | 3-Major | | In rare cases, connections may fail to expire |
592854-4 | 3-Major | | Protocol version set incorrectly on serverssl renegotiation |
592784-4 | 3-Major | | Compression stalls, does not recover, and compression facilities cease. |
589223-3 | 3-Major | | TMM crash and core dump when processing SSL protocol alert. |
588442-3 | 3-Major | | TMM can core in a specific set of conditions. |
587892-1 | 3-Major | | Multiple iRule proc names might clash, causing the wrong rule to be executed. |
585412-2 | 3-Major | | SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines |
583957-4 | 3-Major | | The TMM may hang handling pipelined HTTP requests with certain iRule commands. |
580303-3 | 3-Major | | When going from active to offline, tmm might send a GARP for a floating address. |
579843-3 | 3-Major | | tmrouted may not re-announce routes after a specific succession of failover states |
579371-2 | 3-Major | K70126130 | BIG-IP may generate ARPs after transition to standby |
576296-2 | 3-Major | | MCPd might leak memory in SCTP profile stats query. |
575626 | 3-Major | K04672803 | Minor memory leak in DNS Express stats error conditions |
575612-3 | 3-Major | | Potential MCPd leak in policy action stats query code |
575347-2 | 3-Major | | Unexpected backslashes remain in monitor 'username' attribute after upgrade |
572025-2 | 3-Major | | HTTP Class profile using a path selector upgrades to a policy that does not match the entire path★ |
571183-2 | 3-Major | | Bundle-certificates Not Accessible via iControl REST. |
569349-2 | 3-Major | | Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled |
566361-8 | 3-Major | K11543589 | RAM Cache Key Collision |
563591-2 | 3-Major | | Reference to freed loop_nexthop may cause tmm crash. |
563419-5 | 3-Major | | IPv6 packets containing extended trailer are dropped |
563232-2 | 3-Major | | FQDN pool in resource prevents Access Policy Sync. |
554295-3 | 3-Major | | CMP disabled flows are not properly mirrored |
551189 | 3-Major | | Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data |
548583-3 | 3-Major | | TMM crashes on standby device with re-mirrored SIP monitor flows. |
547657-1 | 3-Major | | A TCL error in a DNS_RESPONSE iRule event can cause a tmm crash. |
545704-2 | 3-Major | | TMM might core when using HTTP::header in a serverside event |
543993-3 | 3-Major | | Serverside connections may fail to detach when using the HTTP and OneConnect profiles |
540893-2 | 3-Major | | Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets. |
540213-2 | 3-Major | | mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary |
536191-2 | 3-Major | | Transparent inherited TCP monitors may fail on loading configuration |
534111-1 | 3-Major | | [SSL] Config sync problems when modifying cert in default client-ssl profile |
530812-1 | 3-Major | | Legacy DAG algorithm reuses high source port numbers frequently |
530795-3 | 3-Major | | In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number. |
528734-2 | 3-Major | K04711825 | TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received. |
527742-4 | 3-Major | K15550890 | The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system |
523513-3 | 3-Major | | COMPRESS::enable keeps compression enabled for a subsequent HTTP request. |
521711-4 | 3-Major | K14555354 | HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual |
521036-2 | 3-Major | | Dynamic ARP entry may replace a static entry in non-primary TMM instances. |
520405-4 | 3-Major | | tmm restart due to oversubscribed DNS resolver |
517510-1 | 3-Major | | HTTP monitor might add extra CR/LF pairs to HTTP body when supplied |
513530-4 | 3-Major | | Connections might be reset when using SSL::disable and enable command |
513319-4 | 3-Major | | Incorrect or failing sideband connections from within iRule may leak memory |
504396-2 | 3-Major | | When a virtual's ARP or ICMP is disabled, the wrong mac address is used |
503257-7 | 3-Major | | Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST |
502747-1 | 3-Major | | Incoming SYN generates unexpected ACK when connection cannot be recycled |
495588-5 | 3-Major | | Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases★ |
490174-2 | 3-Major | | Improved TLS protocol negotiation with clients supporting TLS1.3 |
472748-1 | 3-Major | | SNAT pool stats are reflected in global SNAT stats |
472571-6 | 3-Major | | Memory leak with multiple client SSL profiles. |
468790-2 | 3-Major | | Inconsistent SafeNet key deletion in BIG-IP and Safenet HSM |
463202-7 | 3-Major | | BIG-IP system drops non-zero version EDNS requests |
623135 | 4-Minor | K68401558 | BIG-IP virtual server TCP sequence numbers vulnerability (CVE-2002-1463) |
572015-3 | 4-Minor | | HTTP Class profile is upgraded to a case-insensitive policy★ |
532799-2 | 4-Minor | K14551525 | Static Link route to /32 pool member can end using dst broadcast MAC |
531979-3 | 4-Minor | | SSL version in the record layer of ClientHello is not set to be the lowest supported version. |
472051-1 | 4-Minor | | Manually adding username/password in ZebOS can cause imi to core |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
569972-2 | 2-Critical | | Unable to create gtm topology records using iControl REST |
569521-4 | 2-Critical | | Invalid WideIP name without dots crashes gtmd. |
539466-2 | 2-Critical | | Cannot use self-link URI in iControl REST calls with gtm topology |
569472-2 | 3-Major | | TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled |
561539-2 | 3-Major | | [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.★ |
559975-5 | 3-Major | | Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth |
517582-3 | 3-Major | | [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record. |
510888-1 | 3-Major | | [LC] snmp_link monitor is not listed as available when creating link objects |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
578334-3 | 2-Critical | | Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy. |
583686-3 | 3-Major | | High ASCII meta-characters can be disallowed on UTF-8 policy via XML import |
579524-2 | 3-Major | | DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name' |
577664-2 | 3-Major | | Policy import, to inactive policies list, results in different policies on the sync-failover peers |
572922-2 | 3-Major | | Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.★ |
568670-2 | 3-Major | | ASM fails to start with error - Undefined subroutine &F5::CRC::get_crc32 |
559055-1 | 3-Major | | Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All" |
554324-1 | 3-Major | K32359424 | Signatures cannot be updated after Signature Systems have become corrupted in database★ |
539704-2 | 3-Major | | Large ASM REST response causes all REST to hang |
531566-2 | 3-Major | | A partial response arrives at the client when response logging is turned on |
521370-3 | 3-Major | | Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8 |
498433-1 | 3-Major | | Upgrading with ASM iRule and virtual server with no websecurity profile★ |
521183-1 | 4-Minor | | Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5★ |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
579049-1 | 2-Critical | | TMM core due to wrong assert |
578353 | 2-Critical | | Statistics data aggregation process is not optimized |
575170-3 | 2-Critical | | Analytics reports may not identify virtual servers correctly |
598909-1 | 3-Major | | SQL produces errors. AVR does not display any statistics. |
596945-2 | 3-Major | | AVR DNS record lost after upgrade. |
582029-1 | 3-Major | | AVR might report incorrect statistics when used together with other modules. |
569958-2 | 3-Major | | Upgrade for application security anomalies |
567355-1 | 3-Major | | Scheduled report lost after loading configuration |
559060-3 | 3-Major | | AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration. |
557062-2 | 3-Major | | The BIG-IP ASM configuration fails to load after an upgrade.★ |
525448-1 | 3-Major | | Max TPS is always 0 |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
581770-2 | 1-Blocking | | Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6 |
592868-4 | 2-Critical | | Rewrite may crash processing HTML tag with HTML entity in attribute value |
591117-1 | 2-Critical | | APM ACL construction may cause TMM to core if TMM is out of memory |
580817-3 | 2-Critical | | Edge Client may crash after upgrade★ |
579909-2 | 2-Critical | | Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error |
578844-2 | 2-Critical | | tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client. |
575609-3 | 2-Critical | | Zlib accelerated compression can result in a dropped flow. |
571090 | 2-Critical | | When BIG-IP is used as SAML IdP, tmm may restart under certain conditions |
562919-2 | 2-Critical | | TMM cores in renew lease timer handler |
513083-1 | 2-Critical | | d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server. |
511478-2 | 2-Critical | | Possible TMM crash when evaluating expression for per-request policy agents. |
428068-3 | 2-Critical | | Insufficiently detailed causes for session deletion. |
598981-2 | 3-Major | K06913155 | APM ACL does not get enforced all the time under certain conditions |
597431-4 | 3-Major | | VPN establishment may fail when computer wakes up from sleep |
596116-2 | 3-Major | | LDAP Query does not resolve group membership when required attribute(s) specified |
592591-1 | 3-Major | | Deleting access profile prompts for apply access policy for other untouched access profiles |
592414-2 | 3-Major | | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed |
590820-2 | 3-Major | | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. |
589794 | 3-Major | | APD might crash if LDAP Query agent fails to retrieve primary group for a user |
589118 | 3-Major | K81314569 | Horizon View client throws an exception when connecting to Horizon 7 VCS through APM. |
588888-2 | 3-Major | K80124134 | Empty URI rewriting is not done as required by browser. |
586718-3 | 3-Major | | Session variable substitutions are logged |
586006-3 | 3-Major | | Failed to retrieve CRLDP list from client certificate if DirName type is present |
585562-1 | 3-Major | | VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari |
582526-2 | 3-Major | | Unable to display and edit huge policies (more than 4000 elements) |
581834-4 | 3-Major | | Firefox signed plugin for VPN, Endpoint Check, etc. |
580893-1 | 3-Major | K08731969 | Support for Single FQDN usage with Citrix Storefront Integration mode |
580421-3 | 3-Major | | Edge Client may not register DLLs correctly |
577939-1 | 3-Major | | DNS suffixes on user's machine may not be restored correctly in some cases |
576069-2 | 3-Major | | Rewrite can crash in some rare corner cases |
575499-1 | 3-Major | | VPN filter may leave renew_lease timer active after teardown |
575292-4 | 3-Major | | DNS Relay proxy service does not respond to SCM commands in a timely manner |
574781-2 | 3-Major | | APM Network Access IPV4/IPV6 virtual may leak memory |
573643-2 | 3-Major | | flash.utils.Proxy functionality is not negotiated |
573581-4 | 3-Major | | DNS search suffixes are not restored properly in some cases after VPN establishment |
573429-1 | 3-Major | | APM Network Access IPv4/IPv6 virtual may leak memory |
572887-2 | 3-Major | | DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client |
570640-2 | 3-Major | | APM Cannot create symbolic link to sandbox. Error: No such file or directory |
570064-3 | 3-Major | | IE gives a security warning asking: "Do you want to run ... InstallerControll.cab" |
567660-2 | 3-Major | | Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature |
566646-4 | 3-Major | | Portal Access could respond very slowly for large text files when using IE < 11 |
565231-2 | 3-Major | | Importing a previously exported policy which had two object names may fail |
564521-3 | 3-Major | | JavaScript passed to ExternalInterface.call() may be erroneously unescaped |
564482-2 | 3-Major | | Kerberos SSO does not support AES256 encryption |
563349-4 | 3-Major | | On Mac, Network Access proxy settings are not applied to tun adapter after VPN is established |
559218-2 | 3-Major | | Iframes could be inaccessible to a parent window on a page accessed through Portal Access |
558946-4 | 3-Major | | TMM may core when APM is provisioned and access profile is attached to the virtual |
556597-5 | 3-Major | | CertHelper may crash when performing Machine Cert Inspection |
551999-2 | 3-Major | | Edge client needs to re-authenticate after lost network connectivity is restored |
551454-5 | 3-Major | | Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server |
551260-2 | 3-Major | | When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated |
549086-8 | 3-Major | | Windows 10 is not detected when Firefox is used |
547546-3 | 3-Major | | Add support for auto-update of MachineCertService |
541622-6 | 3-Major | | APD/APMD Crashes While Verifying CAPTCHA |
536575-1 | 3-Major | | Session variable report can be blank in many cases |
534901-1 | 3-Major | | VMware View HTML5 client may load/initialize with delays |
534373-5 | 3-Major | | Some text on French localized Edge client on Windows has grammatical error |
533422-2 | 3-Major | | sessiondump is not reusing connections |
528701-2 | 3-Major | | Sessiondump does not accept single dash options |
528548-2 | 3-Major | | @import "url" is not recognized by client-side CSS patcher |
525429-12 | 3-Major | | DTLS renegotiation sequence number compatibility |
519059-3 | 3-Major | | [PA] - Failing to properly patch webapp link, link not working |
516219-4 | 3-Major | | User fails to get profile license in VIPRION 4800 chassis if slot 1 is not enabled |
508337-4 | 3-Major | | In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access |
493106-4 | 3-Major | | HTTP Basic authentication module logs clear text password in /var/log/apm at debug level |
479715-3 | 3-Major | | Multi-tab protection problems with multi-domain SSO |
409323-3 | 3-Major | | OnDemand cert auth redirect omits port information |
584373-3 | 4-Minor | | AD/LDAP resource group mapping table controls are not accessible sometimes |
580429-5 | 4-Minor | | CTU does not show second Class ID for InstallerControll.dll |
572543-2 | 4-Minor | | User is prompted to install components repeatedly after client components are updated. |
554690-3 | 4-Minor | | VPN Server Module generates repeated Error Log "iface eth0 "... every 2 secs |
541156-2 | 4-Minor | | Network Access clients experience delays when resolving a host |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
575631-3 | 3-Major | | Potential MCPd leak in WAM stats query code |
562644-4 | 3-Major | | TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection |
506557-3 | 3-Major | K45240941 | IBR tags might occasionally be all zeroes. |
501714-2 | 3-Major | | System does not prevent low-quality JPEGs from being optimized to a higher quality (becoming larger) when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on the OWS. |
476476-7 | 3-Major | | Occasional inability to cache optimized PDFs and images |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
578564-3 | 3-Major | | ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response |
573075-2 | 3-Major | | ADAPT recursive loop when handling successive iRule events |
572224-4 | 3-Major | | Buffer error due to RADIUS::avp command when vendor IDs do not match |
570363-2 | 3-Major | | Potential segfault when MRF messages cross from one TMM to another. |
566576-2 | 3-Major | | ICAP/OneConnect reuses connection while previous response is in progress |
550434-5 | 3-Major | | Diameter connection may stall if server closes connection before CER/CEA handshake completes |
561500-1 | 4-Minor | | ICAP Parsing improvement |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
484013-4 | 2-Critical | K12435402 | tmm might crash under load when logging profile is used with packet classification |
575571-2 | 3-Major | | MCPd might leak memory in FW DOS SIP attack stats query. |
569337-2 | 3-Major | | TCP events are logged twice in an HA setup |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
593070-5 | 2-Critical | | TMM may crash with multiple IP addresses per session |
577863-2 | 3-Major | K56504204 | DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time |
577814-4 | 3-Major | | MCPd might leak memory in PEM stats queries. |
566061-3 | 3-Major | | Subscriber info missing in flow report after subscriber has been deleted |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
515736-4 | 3-Major | | LSN pool with small port range may not use all ports |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
561623-3 | 2-Critical | | Realtime encryption causes high CPU usage in older browsers |
593667 | 3-Major | | Dashboard displays incomplete alert details when Polish characters are included |
583445 | 3-Major | | Alert dashboard does not correctly display Hebrew characters in alerts. |
556162-3 | 3-Major | | Default obfuscator configuration causes very slow JavaScript in some browsers |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
595270 | 2-Critical | | Memory leaks when session DB tables get updated |
554928-1 | 2-Critical | K03353647 | tmm eventually crashes when Classification profile is configured on the virtual server |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
580686-1 | 3-Major | K70973444 | Hostagentd might leak memory on vCMP hosts. |
Cumulative fixes from BIG-IP v11.6.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
570716-3 | CVE-2016-5736 | K10133477 | BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736 |
565169 | CVE-2013-5825 CVE-2013-5830 | K48802597 | Multiple Java Vulnerabilities |
542314-5 | CVE-2015-8099 | K35358312 | TCP vulnerability - CVE-2015-8099 |
572495-3 | CVE-2016-5023 | K19784568 | TMM may crash if it receives a malformed packet CVE-2016-5023 |
570535 | CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 | K15685 K15912 K31300371 K16011 K21632201 K31026324 K17239 K17543 K17121 K41739114 K17246 K17458 K17244 K17245 K90230486 K17309 K17307 K31026324 K94105604 | Multiple Kernel Vulnerabilities |
567475-5 | CVE-2015-8704 | K53445000 | BIND vulnerability CVE-2015-8704 |
560925-2 | CVE-2015-3194 | K86772626 | OpenSSL Vulnerability fix |
560910-2 | CVE-2015-3194 | K86772626 | OpenSSL Vulnerability fix |
560180-2 | CVE-2015-8000 | K34250741 | BIND Vulnerability CVE-2015-8000 |
554624-2 | CVE-2015-5300 CVE-2015-7704 | K10600056 K17566 | NTP CVE-2015-5300 CVE-2015-7704 |
553902-2 | CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 | K17516 | Multiple NTP Vulnerabilities |
546080-5 | CVE-2016-5021 | K99998454 | Path sanitization for iControl REST worker |
545786-4 | CVE-2015-7393 | K75136237 | Privilege escalation vulnerability CVE-2015-7393 |
545762 | CVE-2015-7394 | K17407 | CVE-2015-7394 |
540767-2 | CVE-2015-5621 | K17378 | SNMP vulnerability CVE-2015-5621 |
539923-1 | CVE-2016-1497 | K31925518 | BIG-IP APM access logs vulnerability CVE-2016-1497 |
534090-2 | CVE-2015-5380 | K17238 | Node.js vulnerability CVE-2015-5380 |
518275-2 | CVE-2016-4545 | K48042976 | The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file |
508057-1 | CVE-2015-0411 | K44611310 | MySQL Vulnerability CVE-2015-0411 |
497065-1 | CVE-2013-6435 | K16383 | Linux RPM vulnerability CVE-2013-6435 |
488015-1 | CVE-2014-3669 CVE-2014-3670 CVE-2014-3668 | K15866 | Multiple PHP vulnerabilities |
472093-1 | CVE-2015-8022 | K12401251 | APM TMUI Vulnerability CVE-2015-8022 |
556383-1 | CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 | K31372672 | Multiple NSS Vulnerabilities |
550596-3 | CVE-2016-6876 | K52638558 | RESOLV::lookup iRule command vulnerability CVE-2016-6876 |
534633-3 | CVE-2015-5600 | K17113 | OpenSSH vulnerability CVE-2015-5600 |
527762-1 | CVE-2015-4000 | K16674 | TLS vulnerability CVE-2015-4000 |
525232-1 | CVE-2015-4024 CVE-2014-8142 | K16826 | PHP vulnerability CVE-2015-4024 |
500089-1 | CVE-2015-0206 | K16124 | OpenSSL vulnerability CVE-2015-0206 |
472696-1 | CVE-2014-1544 | K16716 | Multiple Mozilla Network Security Services vulnerabilities |
470842-1 | CVE-2012-5784 | K14371 | Apache Axis vulnerability CVE-2012-5784 |
427174-7 | CVE-2013-1620 CVE-2013-0791 | K15630 | SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620 |
560969-2 | CVE-2015-3196 | K55540723 | OpenSSL vulnerability fix |
560962-2 | CVE-2015-3196 | K55540723 | OpenSSL Vulnerability CVE-2015-3196 |
560948-2 | CVE-2015-3195 | K12824341 | OpenSSL vulnerability CVE-2015-3195 |
527639-2 | CVE-2015-1791 | K16914 | CVE-2015-1791 : OpenSSL Vulnerability |
527638-2 | CVE-2015-1792 | K16915 | OpenSSL vulnerability CVE-2015-1792 |
527637-2 | CVE-2015-1790 | K16898 | PKCS #7 vulnerability CVE-2015-1790 |
527633-2 | CVE-2015-1789 | K16913 | OpenSSL vulnerability CVE-2015-1789 |
500094-1 | CVE-2014-3570 | K16120 | OpenSSL vulnerability CVE-2014-3570 |
500093-1 | CVE-2014-8275 | K16136 | OpenSSL vulnerability CVE-2014-8275 |
500092-1 | CVE-2015-0205 | K16135 | OpenSSL vulnerability CVE-2015-0205 |
500090-1 | CVE-2014-3572 | K16126 | OpenSSL vulnerability CVE-2014-3572 |
494735-1 | CVE-2014-3566 | K15702 | SSLv3 vulnerability CVE-2014-3566 |
479897-1 | CVE-2014-2497 CVE-2014-3538 CVE-2014-3597 CVE-2014-4670 CVE-2014-4698 CVE-2014-5120 CVE-2014-0238 | K15761 | Multiple PHP 5.x vulnerabilities |
567484-5 | CVE-2015-8705 | K86533083 | BIND Vulnerability CVE-2015-8705 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
470715-5 | 2-Critical | K16019 | Excessive IP fragmentation on tmm_bp vlan causes ftp data loss with vlan name >= 16 characters long |
539130-6 | 3-Major | K70695033 | bigd may crash due to a heartbeat timeout |
530133-3 | 3-Major | Support for New Platform: BIG-IP 10350 FIPS | |
520277-2 | 3-Major | Components validation alert | |
497395-1 | 3-Major | Correctly assign severity to check component alerts | |
493507-1 | 3-Major | License checks for fictive URLs and injected tags | |
490537-6 | 3-Major | Persistence Records display in GUI might cause system crash with large number of records | |
382157-3 | 3-Major | K17163 | Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
492460-3 | 1-Blocking | K17320 | Virtual deletion failure possible when using sFlow |
572086 | 2-Critical | K49725838 | Unable to boot v11.6.0 on 7250 or 10250 platforms |
564427-3 | 2-Critical | Use of iControl call get_certificate_list_v2() causes a memory leak. | |
562959-2 | 2-Critical | In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel. | |
562122-5 | 2-Critical | Adding a trunk might disable vCMP guest | |
557680-1 | 2-Critical | Fast successive MTU changes to IPsec tunnel interface crashes TMM | |
556380-2 | 2-Critical | mcpd can assert on active connection deletion | |
555686-5 | 2-Critical | Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers | |
554609-4 | 2-Critical | K87381045 | Kernel panics during boot when RAM spans multiple NUMA nodes. |
552481 | 2-Critical | Disk provisioning error after restarting ASM service. | |
551661-2 | 2-Critical | Monitor with send/receive string containing double-quote may fail to load. | |
544913-6 | 2-Critical | K17322 | tmm core while logging from TMM during failover |
544481-5 | 2-Critical | IPSEC Tunnel fails for more than one minute randomly. | |
543924 | 2-Critical | Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6 | |
520380-6 | 2-Critical | K41313442 | save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory |
511527-2 | 2-Critical | snmpd segmentation fault at get_bigip_profile_user_stat() | |
510559-6 | 2-Critical | Add logging to indicate that the compression engine is stalled. | |
505071-5 | 2-Critical | Delete and create of the same object can cause secondary blades' mcpd processes to restart. | |
504508-5 | 2-Critical | K16773 | IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled |
503600-6 | 2-Critical | K17149 | TMM core logging from TMM while attempting to connect to remote logging server |
502841-2 | 2-Critical | K17580 | REST API hangs due to icrd startup issues |
490801-2 | 2-Critical | mod_ssl: missing support for TLSv1.1 and TLSv1.2 | |
484453-6 | 2-Critical | K15853 | Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand) |
365219-2 | 2-Critical | Trust upgrade fails when upgrading from version 10.x to version 11.x.★ | |
606540-1 | 3-Major | K33064211 | DB variable changed via GUI does not sync across HA group |
567774-1 | 3-Major | ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root | |
563475-3 | 3-Major | K00301400 | ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. |
562928 | 3-Major | Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled | |
560423-2 | 3-Major | VxLAN tunnel IP address modification is not supported | |
560220-1 | 3-Major | Missing partition and subPath fields for some objects in iControl REST | |
559584-2 | 3-Major | K23410869 | tmsh list/save configuration takes a long time when config contains nested objects. |
558573-2 | 3-Major | K65352421 | MCPD restart on secondary blade after updating Pool via GUI |
556284-5 | 3-Major | K55622762 | iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found |
555905-3 | 3-Major | sod health logging inconsistent when device removed from failover group or device trust | |
554563-3 | 3-Major | Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics. | |
554340-4 | 3-Major | IPsec tunnels fail when connection.vlankeyed db variable is disabled | |
553649-3 | 3-Major | The SNMP daemon might lock up and fail to respond to SNMP requests. | |
553576-3 | 3-Major | K17356 | Intermittent 'zero millivolt' reading from FND-850 PSU |
552585-3 | 3-Major | K32030059 | AAA pool member creation sets the port to 0. |
551927-2 | 3-Major | ePVA snoop header's transform vlan should be set properly under asymmetric routing condition | |
551742-2 | 3-Major | Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades | |
550694-3 | 3-Major | K60222549 | LCD display stops updating and Status LED turns/blinks Amber |
550536-3 | 3-Major | Incorrect information/text (in French) is displayed when the Edge Client is launched | |
549543-3 | 3-Major | K37436054 | DSR rejects return traffic for monitoring the server |
548239-3 | 3-Major | K04844213 | BGP routing using route-maps cannot match route tags |
547532-2 | 3-Major | Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades | |
541569-3 | 3-Major | K59519340 | IPsec NAT-T (IKEv1) not working properly |
540996-2 | 3-Major | Monitors with a send attribute set to 'none' are lost on save | |
540871-1 | 3-Major | K01418954 | Update/deletion of SNMPv3 user does not work correctly |
539822-4 | 3-Major | tmm may leak connflow and memory on vCMP guest. | |
539784-4 | 3-Major | HA daemon_heartbeat mcpd fails on load sys config | |
538663-3 | 3-Major | SSO token login does not work due to remote role update failures. | |
538024-3 | 3-Major | K60507424 | Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load |
534582-4 | 3-Major | K10397582 | HA configuration may fail over when standby has only base configuration loaded. |
534076-2 | 3-Major | K34873265 | SNMP configured trap-source might not be used in v1 snmp traps. |
533826-5 | 3-Major | SNMP Memory Leak on a VIPRION system. | |
531986-3 | 3-Major | Hourly AWS VE license breaks after reboot with default tmm route/gateway. | |
531705-2 | 3-Major | K53725847 | List commands on non-existent iRules incorrectly succeed. |
530242-3 | 3-Major | K08654415 | SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs |
529977-1 | 3-Major | OSPF may not process updates to redistributed routes | |
529484-4 | 3-Major | Virtual Edition Kernel Panic under load | |
528987-3 | 3-Major | Benign warning during formatting installation | |
528276-7 | 3-Major | K39167163 | The device management daemon can crash with a malloc error |
526817-4 | 3-Major | snmpd core due to mcpd message timer thread not exiting | |
526031-2 | 3-Major | K38429933 | OSPFv3 may not completely recover from "clear ipv6 ospf process" |
524300-2 | 3-Major | K71003856 | The MOS boot process appears to hang. |
523867-3 | 3-Major | 'warning: Failed to find EUDs' message during formatting installation | |
522871-1 | 3-Major | K13764703 | [TMSH] nested wildcard deletion will delete all the objects (matched or not matched) |
522837-1 | 3-Major | MCPD can core as a result of another component shutting down prematurely | |
522332-1 | 3-Major | K81374736 | Configuration upgrade of httpclass which has the 'hosts' attribute done incorrectly★ |
521144-5 | 3-Major | K16799 | Network failover packets on the management interface sometimes have an incorrect source-IP |
517388-7 | 3-Major | Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs. | |
517209-7 | 3-Major | K81807474 | 'tmsh save sys config file' to /var/tmp or /shared/tmp can make some BIG-IP functionality unusable |
517020-5 | 3-Major | SNMP requests fail and subsnmpd reports that it has been terminated. | |
516322-7 | 3-Major | The BIG-IP system may erroneously remove an iApp association from the virtual server. | |
513974-7 | 3-Major | K16691 | Transaction validation errors on object references |
513659-3 | 3-Major | K72841425 | AAM policy: not all regex characters can be used via the GUI |
512130-4 | 3-Major | Remote role group authentication fails with a space in LDAP attribute group name | |
510381-3 | 3-Major | bcm56xxd might core when restarting due to bundling config change. | |
503246-4 | 3-Major | TMM crashes when unable to allocate large amount of provisioned memory | |
496679-5 | 3-Major | Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.★ | |
495865-2 | 3-Major | K15116582 | iApps/tmsh cannot reconfigure pools that have monitors associated with them. |
491727-2 | 3-Major | K17029 | Upgrade can fail to load config due to tcp profile no longer allowing time-wait-timeout of 4294967295 (indefinite).★ |
482373-3 | 3-Major | Can not delete and re-create a new virtual server that uses the same virtual address in the same transaction | |
480246-4 | 3-Major | K17080 | Message: Data publisher not found or not implemented when processing request |
473415-1 | 3-Major | K93511901 | ASM Standalone license has to include URL and HTML Rewrite★ |
449453-5 | 3-Major | K17368 | Loading the default configuration may cause the mcpd process to restart and produce a core file. |
439559-2 | 3-Major | K16262 | APM policy sync resulting in failover device group sync may make the failover sync fail |
433466-4 | 3-Major | Disabling bundled interfaces affects first member of associated unbundled interfaces | |
421012-3 | 3-Major | K73028377 | scriptd incorrectly reports that it is running on a secondary blade |
405635-2 | 3-Major | Using the restart cm trust-domain command to recreate certificates required by device trust. | |
553174-4 | 4-Minor | Unable to query admin IP via SNMP on VCMP guest | |
533790-4 | 4-Minor | Creating multiple address entries in data-group might result in records being incorrectly deleted | |
519216-4 | 4-Minor | Abnormally high CPU utilization from external SSL/OpenSSL monitors | |
480071-2 | 4-Minor | K75451516 | Backslashes in policy rule added/duplicated when modified in GUI. |
401893-3 | 4-Minor | Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies | |
223884 | 4-Minor | Module not licensed message appears when APM is provisioned and APML is licensed. | |
572133-2 | 5-Cosmetic | tmsh save /sys ucs command sends status messages to stderr | |
413708-5 | 5-Cosmetic | K31302478 | BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response. |
388274-3 | 5-Cosmetic | LTM pool member link in a route domain is wrong in Network Map. | |
291469-2 | 5-Cosmetic | K10643 | SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries. |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
536690-4 | 1-Blocking | K82591051 | Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm) |
476386-2 | 1-Blocking | DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 should only be supported for TLS 1.2 | |
576314-2 | 2-Critical | SNMP traps for FIPS device fault inconsistent among versions. | |
565810-2 | 2-Critical | K93065637 | OneConnect profile with an idle or strict limit-type might lead to tmm core. |
562566-2 | 2-Critical | K39483533 | Mirrored persistence entries retained after expiration |
554967-3 | 2-Critical | Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets | |
552151-2 | 2-Critical | Continuous error report in /var/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected | |
549782-1 | 2-Critical | XFV driver can leak memory | |
545810-1 | 2-Critical | K14304373 | TMM halts and restarts |
544375-1 | 2-Critical | Unable to load certificate/key pair | |
542564-3 | 2-Critical | bigd detection and logging of load and overload | |
540568-2 | 2-Critical | TMM core due to SIGSEGV | |
540473-6 | 2-Critical | peer/clientside/serverside script with parking command may cause tmm to core. | |
537988-5 | 2-Critical | K76135297 | Buffer overflow for large session messages |
534804-2 | 2-Critical | TMM may core with rate limiting enabled and service-down-action reselect on poolmembers | |
534052-3 | 2-Critical | K17150 | VLAN failsafe triggering on standby leaks memory |
530505-4 | 2-Critical | IP fragments can cause TMM to crash when packet filtering is enabled | |
529920-7 | 2-Critical | Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit | |
528739-1 | 2-Critical | K47320953 | DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses. |
527011-6 | 2-Critical | Intermittent lost connections with no errors on external interfaces | |
525882-2 | 2-Critical | K29113720 | SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate. |
524605-2 | 2-Critical | Requests/responses may not be fully delivered to plugin in some circumstances | |
523995-2 | 2-Critical | IPv4 link-local addresses can cause TMM crash when used in conjunction with ECMP routes | |
521336-6 | 2-Critical | pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core | |
520105-3 | 2-Critical | Possible segfault during hardware accelerated compression. | |
517465-4 | 2-Critical | tmm crash with ssl | |
509284-2 | 2-Critical | Improved reliability of a module interfacing with HSM | |
507611-4 | 2-Critical | K17151 | On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors. |
489451-3 | 2-Critical | K17278 | TMM might panic due to OpenSSL failure during handshake generation |
489329-6 | 2-Critical | Memory corruption can occur with SPDY/HTTP2 profile(s) | |
484214-2 | 2-Critical | Nitrox gets stuck when processing certain SSL records | |
483719-2 | 2-Critical | K16260 | vlan-groups configured with a single member VLAN result in memory leak |
341928-4 | 2-Critical | CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM. | |
570617-4 | 3-Major | HTTP parses fragmented response versions incorrectly | |
564371-2 | 3-Major | FQDN node availability not reset after removing monitoring | |
562308-2 | 3-Major | FQDN pool members do not support manual-resume | |
562292-1 | 3-Major | Nesting periodic after with parking command could crash tmm | |
560685 | 3-Major | TMM may crash with 'tmsh show sys conn'. | |
559933-2 | 3-Major | K83032815 | tmm might leak memory on vCMP guest in SSL forward proxy |
558517-3 | 3-Major | Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.★ | |
557783-2 | 3-Major | K14147369 | TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr |
556568-2 | 3-Major | TMM can crash with ssl persistence and fragmented ssl records | |
556560-2 | 3-Major | K80741043 | DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records. |
556103-3 | 3-Major | Abnormally high CPU utilization for external monitors | |
554769-4 | 3-Major | CPM might crash when TCLRULE_HTTP_RESPONSE is triggered. | |
554761-5 | 3-Major | Unexpected handling of TCP timestamps under syncookie protection. | |
553688-4 | 3-Major | TMM can core due to memory corruption when using SPDY profile. | |
553613-3 | 3-Major | FQDN nodes do not support session user-disable | |
552931-4 | 3-Major | Configuration fails to load if DNS Express Zone name contains an underscore | |
552865-4 | 3-Major | K34035224 | SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'. |
550782-4 | 3-Major | Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit | |
550689-2 | 3-Major | Resolver H.ROOT-SERVERS.NET Address Change | |
549800-2 | 3-Major | K53086012 | Renaming a virtual server with an attached plugin can cause buffer overflow |
549406-5 | 3-Major | K63010180 | Destination route-domain specified in the SOCKS profile |
548680-2 | 3-Major | TMM may core when reconfiguring iApps that make use of iRules with procedures. | |
548678-2 | 3-Major | ASM blocking page does not display when using SPDY profile | |
548563-2 | 3-Major | Transparent Cache Messages Only Updated with DO-bit True | |
547732-1 | 3-Major | TMM may core on using SSL::disable on an already established serverside connection | |
544028-5 | 3-Major | K21131221 | Verified Accept counter 'verified_accept_connections' might underflow. |
543220-1 | 3-Major | K12153351 | Global traffic statistics does not include PVA statistics |
542724-1 | 3-Major | K29441414 | If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash |
542640-2 | 3-Major | bigd intentionally cores when it should shutdown cleanly | |
541571-3 | 3-Major | K97140208 | FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses |
538639-3 | 3-Major | P-256 ECDH performance improvements | |
538603-2 | 3-Major | K03383492 | TMM core file on pool member down with rate limit configured |
537964-4 | 3-Major | K17388 | Monitor instances may not get deleted during configuration merge load |
535759-3 | 3-Major | K99840695 | SMTP monitor might mark the server down even if the server answers the HELO message. |
534457-2 | 3-Major | Dynamically discovered routes might fail to remirror connections. | |
533820-5 | 3-Major | DNS Cache response missing additional section | |
532911-2 | 3-Major | K03753124 | Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates. |
532107-2 | 3-Major | K16716213 | [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted |
530761-1 | 3-Major | TMM crash in DNS processing on a TCP virtual | |
529899-1 | 3-Major | Installation may fail with the error "(Storage modification process conflict.)".★ | |
528407-4 | 3-Major | K72235143 | TMM may core with invalid lasthop pool configuration |
528007-6 | 3-Major | Memory leak in ssl | |
527149-3 | 3-Major | K57034242 | FQDN template node transitions to 'unknown' after configuration reload |
527027-4 | 3-Major | DNSSEC Unsigned Delegations Respond with Parent Zone Information | |
527024-3 | 3-Major | DNSSEC Unsigned Delegations Respond with Parent Zone Information | |
525989-2 | 3-Major | K17165 | A disabled blade is spontaneously re-enabled |
525958-11 | 3-Major | TMM may crash if load balancing to a node's IP in an iRule routed towards an unreachable nexthop. | |
525672-2 | 3-Major | tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup. | |
525322-7 | 3-Major | Executing tmsh clientssl-proxy cached-certs crashes tmm | |
524960-2 | 3-Major | K17434 | 'forward' command does not work if virtual server has attached pool |
524641-1 | 3-Major | K11504283 | Wildcard NAPTR record after deleting the NAPTR records |
523471-2 | 3-Major | pkcs11d core when connecting to SafeNet HSM | |
519217-4 | 3-Major | K89004553 | tmm crash: valid proxy |
517282-7 | 3-Major | K63316585 | The DNS monitor may delay marking an object down or never mark it down |
517053-2 | 3-Major | bigd detection and logging of load and overload | |
516816-4 | 3-Major | RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake. | |
515759-3 | 3-Major | K92401129 | Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time |
513213-5 | 3-Major | FastL4 connection may get RSTs when hardware SYN cookies are enabled. | |
513142-3 | 3-Major | FQDN nodes with a default monitor may cause configuration load failure | |
512119-2 | 3-Major | Improved UDP DNS packet truncation | |
511057-5 | 3-Major | K60014038 | Config sync fails after changing monitor in iApp |
510264-1 | 3-Major | TMM core associated with smtps profile. | |
509641-3 | 3-Major | K46511710 | Ephemeral pool members may not inherit attributes from FQDN parent |
507410-2 | 3-Major | Possible TMM crash when handling certain types of traffic with SSL persistence enabled | |
507109-4 | 3-Major | inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade★ | |
505089-4 | 3-Major | Spurious ACKs result in SYN cookie rejected stat increment. | |
504545-2 | 3-Major | K17419 | FQDN: node without service checking reported as 'service checking enabled, no results yet' |
502480-1 | 3-Major | Mirrored connections on standby device do not get closed when Verified Accept is enabled | |
500786-6 | 3-Major | Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile | |
499430-2 | 3-Major | K16623 | Standby unit might bridge network ingress packets when bridge_in_standby is disabled |
488921-2 | 3-Major | BIG-IP system sends unnecessary gratuitous ARPs | |
476567-5 | 3-Major | K16561 | fastL4: acceleration state is incorrectly reported on show sys conn |
476564-5 | 3-Major | K16884 | ePVA FIX: no RST for an unaccelerated flow targeting a network virtual |
475701-2 | 3-Major | FastL4 with FIX late-bind enabled may not honor client-timeout | |
472532-4 | 3-Major | Cipher dhe-rsa-aes256-sha256 is missing from the SSL cipher list | |
460946-2 | 3-Major | NetHSM key is displayed as normal in GUI | |
458348-2 | 3-Major | RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing. | |
455762-1 | 3-Major | K17094 | DNS cache statistics incorrect |
452443-2 | 3-Major | DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured | |
452439-5 | 3-Major | K15574 | TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads |
446526-7 | 3-Major | TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash. | |
441058 | 3-Major | K17366 | TMM can crash when a large number of SSL objects are created |
424831-6 | 3-Major | K14573 | State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover |
418890-2 | 3-Major | K92193116 | OpenSSL bug can prevent RSA keys from rolling forward★ |
406001-3 | 3-Major | Host-originated traffic cannot use a nexthop in a different route domain | |
372473-2 | 3-Major | mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes | |
554774-2 | 4-Minor | Persist lookup across services might fail to return a matching record when multiple records exist. | |
551614-2 | 4-Minor | K10607444 | MTU Updates should erase all congestion metrics entries |
546747-2 | 4-Minor | K72042050 | SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets |
541134-2 | 4-Minor | K51114681 | HTTP/HTTPS monitors transmit unexpected data to monitored node. |
534458-6 | 4-Minor | K17196 | SIP monitor marks down member if response has different whitespace in header fields. |
452482-7 | 4-Minor | HTTP virtual servers with cookie persistence might reset incoming connections | |
558053-2 | 5-Cosmetic | Pool's 'active_member_cnt' attribute may not be updated as expected. | |
529897-1 | 5-Cosmetic | Diameter monitor logging displays hex when the monitor is failing instead of the AVP on which the monitor is failing. | |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
489816-1 | 1-Blocking | F5 Enterprise MIB attribute sysTmmStatMemoryTotal returning zero★ | |
548796-2 | 2-Critical | avrd CPU usage is at 100% | |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
533658-5 | 2-Critical | DNS decision logging can trigger TMM crash | |
471467 | 2-Critical | gtmparse segfaults when loading wideip.conf because of duplicate virtual server names | |
469033 | 2-Critical | Large big3d memory footprint. | |
551767-3 | 3-Major | K03432500 | GTM server 'Virtual Server Score' not showing correctly in TMSH stats |
546640 | 3-Major | tmsh show gtm persist <filter option> does not filter correctly | |
529460-7 | 3-Major | K17209 | Short HTTP monitor responses can incorrectly mark virtual servers down. |
526699-6 | 3-Major | K40555016 | TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port. |
481328-2 | 3-Major | K50139533 | Many 'tmsh save sys config gtm-only partitions all' stack memory issue. |
552352-2 | 4-Minor | K18701002 | tmsh list display incorrectly for default values of gtm listener translate-address/translate-port |
494796 | 4-Minor | Unable to create GTM Listener with non-default protocol profile. | |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
565463-2 | 1-Blocking | ASM-config consumes 1.3GB RAM after repeated Policy Import via REST | |
566758-2 | 2-Critical | Manual changes to policy imported as XML may introduce corruption for Login Pages | |
555057-3 | 2-Critical | ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies. | |
555006-3 | 2-Critical | ASM REST: lastUpdateMicros is not updated when changing a Custom Signature | |
552139-2 | 2-Critical | K61834804 | ASM limitation in the pattern matching matrix build-up |
478351-1 | 2-Critical | K17319 | Changing management IP can lead to bd crash |
475551-1 | 2-Critical | Flaw in CSRF protection mechanism | |
474252-1 | 2-Critical | K17344 | Applying ASM security policy repeatedly fills disk partition on a chassis |
574451-2 | 3-Major | K90243258 | ASM chassis sync occasionally fails to load on secondary slot |
563237 | 3-Major | ASM REST: name for ipIntelligenceReference is incorrect | |
562775-2 | 3-Major | Memory leak in iprepd | |
558642-1 | 3-Major | Cannot create the same navigation parameter in two different policies | |
554367-1 | 3-Major | BIG-IQ ASM remote logger: Requests are not logged. | |
553146-2 | 3-Major | K95632194 | BD memory leak |
547000-4 | 3-Major | K47219203 | Enforcer application might crash on XML traffic when out of memory |
542511-2 | 3-Major | K97242554 | 'Unhandled keyword ()' error message in GUI and/or various ASM logs |
541852-1 | 3-Major | ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails | |
541406-1 | 3-Major | ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request | |
540390-2 | 3-Major | ASM REST: Attack Signature Update cannot roll back to older attack signatures | |
538195-1 | 3-Major | Incremental Manual sync does not allow overwrite of 'newer' ASM config | |
535188-3 | 3-Major | Response Pages custom content with \n instead of \r\n on policy import. | |
534246-2 | 3-Major | rest_uuid should be calculated from the actual values inserted to the entity | |
531809-2 | 3-Major | FTP/SMTP traffic related bd crash | |
530598-1 | 3-Major | Some Session Tracking data points are lost on TMM restart | |
529610-1 | 3-Major | K32565535 | On HA setups the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db |
529535-4 | 3-Major | MCP validation error while deactivating a policy that is assigned to a virtual server | |
526162-7 | 3-Major | K52335623 | TMM crashes with SIGABRT |
520732-3 | 3-Major | XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty | |
514313-1 | 3-Major | K00884154 | Logging profile configuration is updated unnecessarily |
514061-4 | 3-Major | K17562 | False positive scenario causes SMTP transactions to hang and eventually reset. |
503696-1 | 3-Major | BD enforcer updates may be stuck after BD restart | |
491371-1 | 3-Major | K17285 | CMI: Manual sync does not allow overwrite of 'newer' ASM config |
491352-3 | 3-Major | Added ASM internal parameter to add more XML memory | |
481530-1 | 3-Major | K86019555 | Signature reporting details for sensitive data violation |
538837-1 | 4-Minor | REST: Filtering login pages or parameters by their associated URL does not work | |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
529900-1 | 2-Critical | K88373692 | AVR missing some configuration changes in multiblade system |
519257-2 | 2-Critical | cspm script is not injected in text/html chunked response | |
470559 | 2-Critical | TMM crash after traffic stress with rapid changes to Traffic capturing profiles | |
552488-1 | 3-Major | K73600514 | Missing upgrade support for AFM Network DoS reports.★ |
549393-3 | 3-Major | K73435148 | SWG URL categorization may cause the /var/lib/mysql file system to fill. |
535246-6 | 3-Major | K17493 | Table values are not correctly cleaned and can occupy entire disk space. |
530952-1 | 3-Major | | MySQL query fails with error number 1615 'Prepared statement needs to be re-prepared' |
529903-1 | 3-Major | | Incorrect reports on multi-bladed systems |
528031-3 | 3-Major | K10097225 | AVR not reporting the activity of standby systems. |
491185-1 | 3-Major | | URL Latencies page: pagination limited to 180 pages |
490999-2 | 3-Major | | Subscriber-level AVR statistics display the subscriber-type as "Unknown" for subscribers created using Radius Acct-Start |
537435-1 | 4-Minor | | Monpd might core if asking for export report by email while monpd is terminating |
495744-1 | 4-Minor | | Some user defined ASM reports are not loading correctly after upgrade from 11.4 upwards★ |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
553330-3 | 1-Blocking | | Unable to create a new document with SharePoint 2010 |
579559-2 | 2-Critical | | DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration |
572563-3 | 2-Critical | | PWS session does not launch on Internet Explorer after upgrade |
569306-3 | 2-Critical | | Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected |
565056-3 | 2-Critical | K87617654 | Fail to update VPN correctly for non-admin user. |
555507-2 | 2-Critical | K88973987 | Under certain conditions, SSO plugin can overrun memory not owned by the plugin. |
555272-8 | 2-Critical | | Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade★ |
551764-3 | 2-Critical | K14954742 | [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform |
530622-1 | 2-Critical | | EAM plugin uses high memory when serving very high concurrent user load |
522997-3 | 2-Critical | K52553016 | Websso cores when it tries to shutdown |
491080-5 | 2-Critical | K92821195 | Memory leak in access framework |
571003-1 | 3-Major | | TMM Restarts After Failover |
570563-2 | 3-Major | K35470551 | CRL is not being imported/exported properly |
569255-3 | 3-Major | K81130213 | Network Access incorrectly manipulates routing table when second adapter is being connected if "Allow Local subnet access" is set to ON |
566908-5 | 3-Major | K54435973 | Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file |
565527-3 | 3-Major | K94548429 | Static proxy settings are not applied if NA configuration |
564496-3 | 3-Major | | Applying APM Add-on License Does Not Change Effective License Limit |
564493 | 3-Major | K74284318 | Copying an access profile appends an _1 to the name. |
564262-4 | 3-Major | K21518043 | Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code |
564253-5 | 3-Major | | Firefox signed plugin for VPN, Endpoint Check, etc |
563474-2 | 3-Major | K51244380 | SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile |
561976 | 3-Major | K55561335 | Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely. |
558870-3 | 3-Major | K12012384 | Protected workspace does not work correctly with third party products |
558631-2 | 3-Major | K81306414 | APM Network Access VPN feature may leak memory |
555457-5 | 3-Major | K16415235 | Reboot is required, but not prompted after F5 Networks components have been uninstalled |
555435-2 | 3-Major | K34742242 | AD Query fails if cross-domain option is enabled and administrator's credentials are not specified |
554993-2 | 3-Major | | Profile Stats Not Updated After Standby Upgrade Followed By Failover |
554899-2 | 3-Major | K57540380 | MCPD core with access policy macro during config sync in HA configuration |
554626-1 | 3-Major | K14263316 | Database logging truncates log values greater than 1024 |
554228-5 | 3-Major | | OneConnect does not work when WEBSSO is enabled/configured. |
554041-5 | 3-Major | | No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled |
553734-1 | 3-Major | | Issue with assignment of non-string value to Form.action in javascript. |
553063-1 | 3-Major | | Epsec version rolls back to previous version on a reboot |
552498-1 | 3-Major | | APMD basic authentication cookie domains are not processed correctly |
549588-2 | 3-Major | | EAM memory leak when cookiemap is destroyed without deleting Cookie object in it |
549108-1 | 3-Major | K52519223 | RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value |
548361 | 3-Major | | Performance degradation when adding VDI profile to virtual server |
543222-3 | 3-Major | | apd may crash if an un-encoded session variable contains "0x" |
539270-6 | 3-Major | | A specific NTLM client fails to authenticate with BIG-IP |
539229-7 | 3-Major | | EAM core while using Oracle Access Manager |
531983-5 | 3-Major | | [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added |
528808-3 | 3-Major | | Source NAT translation doesn't work when APM is disabled using iRule |
526637-4 | 3-Major | | tmm crash with APM clientless mode |
522791-2 | 3-Major | K45123459 | HTML rewriting on client might leave 'style' attribute unrewritten. |
520088-2 | 3-Major | | Citrix HTML5 Receiver does not properly display initial tour and icons |
518550-3 | 3-Major | | Incorrect value of form action attribute inside 'onsubmit' event handler in some cases |
517846-2 | 3-Major | K25627866 | View Client cannot change AD password in Cross Domain mode |
511893-5 | 3-Major | | Client connection timeout after clicking Log In to Access Policy Manager on a Chassis |
492122-5 | 3-Major | K42635442 | Now Windows Logon Integration does not recreate temporary user for logon execution each time |
488811-5 | 3-Major | | F5-prelogon user profile folders are not fully cleaned up |
482177-4 | 3-Major | K16777 | Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO |
472446-2 | 3-Major | | Customization group template file might cause mcpd to restart |
471318-1 | 3-Major | K22671941 | AD/LDAP group name matching should be case-insensitive |
467256-2 | 3-Major | K25633150 | Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat |
462598-4 | 3-Major | K17184 | Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members. |
462258-8 | 3-Major | | AD/LDAP server connection failures might cause apd to stop processing requests when service is restored |
461084-3 | 3-Major | K48281763 | Kerberos Auth might fail if client request contains Authorization header |
389328-7 | 3-Major | | RSA SecurID node secret is not synced to the standby node |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
551010-7 | 3-Major | | Crash on unexpected WAM storage queue state |
525478-2 | 3-Major | K80413728 | Requests for deflate encoding of gzip documents may crash TMM |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
552198-5 | 3-Major | K27590443 | APM App Tunnel/AM iSession Connection Memory Leak |
547537-3 | 3-Major | | TMM core due to iSession tunnel assertion failure |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
538784-3 | 3-Major | K91532102 | ICAP implementation incorrect when HTTP request or response is missing a payload |
523854-1 | 3-Major | K35305250 | TCP reset with RTSP Too Big error when streaming interleaved data |
545985-3 | 4-Minor | | ICAP 2xx response (except 200, 204) is treated as error |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
561433-3 | 3-Major | | TMM Packets can be dropped indiscriminately while under DoS attack |
489379-1 | 3-Major | | Bot signature is not matched |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
529634-2 | 2-Critical | | Crash observed with HSL logging |
512069-2 | 2-Critical | | TMM restart while relicensing the BIG-IP using the base license. |
510923-2 | 2-Critical | | TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered. |
565765-3 | 3-Major | | Flow reporting does not occur for unclassified flows. |
564263-3 | 3-Major | | PEM: TMM asserts when Using Debug Image when Gy is being used |
560607-3 | 3-Major | | Resource Limitation error when removing predefined policy which has multiple rules |
559382-1 | 3-Major | | Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers |
557675-3 | 3-Major | | Failover from PEM to PCRF can cause session lookup inconsistency |
549283-3 | 3-Major | | Add a log message to indicate transition in the state of Gx and Gy sessions. |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
555369-3 | 2-Critical | K43151094 | CGNAT memory leak when non-TCP/UDP traffic directed at public addresses |
545783-3 | 2-Critical | | TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool |
540571-2 | 2-Critical | | TMM cores when multicast address is set as destination IP via iRules and LSN is configured |
540484-2 | 2-Critical | K04005785 | "show sys pptp-call-info" command can cause tmm crash |
535101-1 | 2-Critical | | Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile. |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
564039-3 | 2-Critical | | WebSafe "Missing component" check gets applied on request with different referrer domain. |
563554-3 | 2-Critical | | Accept-language in alerts |
559129-3 | 2-Critical | | Update Generic Malware Signatures to detect new Dyre variant |
554540 | 2-Critical | | RAT detection failure |
554537-2 | 2-Critical | | Failed alerts on Internet Explorer |
541670-1 | 2-Critical | | Memory leak and potential crash bug in secure channel cookie handling |
537106-3 | 2-Critical | | Component checks wait for page load |
564040-4 | 3-Major | | Differentiation of missing component alerts |
560069-1 | 3-Major | | Default obfuscator configuration causes very slow javascript in some browsers |
558255-2 | 3-Major | | Filtering encryption alerts |
555818-3 | 3-Major | | Bait failure alerts do not give details of the cause of failure |
554546-2 | 3-Major | | Only first entry in 'Mandatory Words' list is effective |
552476-2 | 3-Major | | Use of JavaScript's 'eval' function may be prohibited by site's content security policy |
551893-2 | 3-Major | | Alerts sent from FPS plugin via HSL are sent in a malformed HTTP format |
542586-3 | 3-Major | | Fallback alert mechanism can result in page refresh in Internet Explorer 8 |
542581-3 | 3-Major | | WebSafe alerts with HTML attached cause the page to run slowly |
542472 | 3-Major | | SSL::disable for alerts does not take effect and first alert fails |
503160-3 | 3-Major | | FPS malicious words do not trigger an alert when ignore list is defined |
560791 | 4-Minor | | FPS doesn't encrypt inputs of type "hidden" |
555827-2 | 4-Minor | | No fallback for alerts. |
547038-2 | 4-Minor | | In very fast transactions, some detection data is missing |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
538722-3 | 3-Major | K06150134 | Configurable maximum message size limit for restjavad |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
546082-5 | 2-Critical | | Special characters might change input. |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 8 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
600662-4 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
599168-4 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
598983-4 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
580596-9 | CVE-2013-0169 CVE-2016-6907 | K14190 K39508724 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
569467-11 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
557221-7 | 2-Critical | | Inbound ISP link load balancing will use pool members for only one ISP link per data center |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
596603-11 | 2-Critical | | AWS: BIG-IP VE doesn't work with c4.8xlarge instance type. |
547047 | 2-Critical | K31076445 | Older cli-tools unsupported by AWS |
595874-4 | 3-Major | | Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.★ |
556277-6 | 3-Major | | Config Sync error after hotfix installation (chroot failed rsync error)★ |
499537-3 | 3-Major | K22406859 | Qkview may store information in the wrong format |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
557645-5 | 3-Major | | Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms. |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
591857 | 1-Blocking | | 10-core vCMP guest with ASM may not pass traffic |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
532522-3 | CVE-2015-1793 | K16937 | CVE-2015-1793 |
536984 | CVE-2015-8240 | K06223540 | Ensure min_path_mtu is functioning as designed. |
536481-9 | CVE-2015-8240 | K06223540 | F5 TCP vulnerability CVE-2015-8240 |
534630-5 | CVE-2015-5477 | K16909 | Upgrade BIND to address CVE-2015-5477 |
530829 | CVE-2015-5516 | K00032124 | UDP traffic sent to the host may leak memory under certain conditions. |
529509-5 | CVE-2015-4620 | K16912 | BIND Vulnerability CVE-2015-4620 |
527799-9 | CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 | K16674 K16915 K16914 | OpenSSL library in APM clients updated to resolve multiple vulnerabilities |
527630-1 | CVE-2015-1788 | K16938 | CVE-2015-1788 : OpenSSL Vulnerability |
506034-3 | CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 | K16393 | NTP vulnerabilities (CVE-2014-9297, CVE-2014-9298) |
540849-5 | CVE-2015-5986 | K17227 | BIND vulnerability CVE-2015-5986 |
540846-5 | CVE-2015-5722 | K17181 | BIND vulnerability CVE-2015-5722 |
531576-1 | CVE-2016-7476 | K87416818 | TMM vulnerability CVE-2016-7476 |
520466-2 | CVE-2015-3628 | K16728 | Ability to edit iCall scripts is removed from resource administrator role |
516618-5 | CVE-2013-7424 | K16472 | glibc vulnerability CVE-2013-7424 |
526514-1 | CVE-2016-3687 | K26738102 | Open redirect via SSO_ORIG_URI parameter in multi-domain SSO |
522878-1 | CVE-2016-3686 | K82679059 | Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access. |
515345-1 | CVE-2015-1798 | K16505 | NTP Vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
502443-4 | 2-Critical | K16457 | After enabling a blade/HA member, pool members are marked down because monitoring starts too soon. |
520705-5 | 3-Major | | Edge client contains multiple duplicate entries in server list |
498992-6 | 3-Major | | Troubleshooting enhancement: improve logging details for AWS failover failure. |
471042-6 | 3-Major | | Datastor High Velocity Traffic Pattern Changes |
224903-5 | 3-Major | K71296207 | CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32. |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
544980-3 | 1-Blocking | | BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle. |
535806-2 | 1-Blocking | | Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE |
507312-1 | 1-Blocking | | icrd segmentation fault |
477218-5 | 1-Blocking | | Simultaneous stats query and pool configuration change results in process exit on secondary. |
473033-5 | 1-Blocking | | Datastor Now Uses Syslog-ng |
529510-2 | 2-Critical | | Multiple Session ha state changes may cause TMM to core |
523434 | 2-Critical | K85242410 | mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object |
513454-3 | 2-Critical | | An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts |
510979-1 | 2-Critical | | Password-less SSH access after tmsh load of UCS may require password after install. |
509503-4 | 2-Critical | | tmsh load sys config merge file 'filename' takes significant time for firewall rulelist configuration |
507602-1 | 2-Critical | K17166 | Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled |
506199-4 | 2-Critical | | VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles |
504496-3 | 2-Critical | | AAA Local User Database may sync across failover groups |
497078-1 | 2-Critical | | Modifying an existing ipsec policy configuration object might cause tmm to crash |
479460-5 | 2-Critical | | SessionDb may be trapped in wrong HA state during initialization |
473105 | 2-Critical | | FastL4 connections reset with pva-acceleration set to guaranteed |
471860-3 | 2-Critical | K16209 | Disabling interface keeps DISABLED state even after enabling |
470813-1 | 2-Critical | | Memory corruption in f5::rest::CRestServer::g_portToServerMap |
468473-2 | 2-Critical | K16193 | Monitors with domain username do not save/load correctly |
464870-7 | 2-Critical | K94275315 | Datastor cores and restarts. |
438674-5 | 2-Critical | K14873 | When log filters include tamd, tamd process may leak descriptors |
429018-2 | 2-Critical | K17438 | tmipsecd cores when deleting a non-existing traffic selector |
420107-2 | 2-Critical | | TMM could crash when modifying HTML profile configuration |
364978-1 | 2-Critical | | Active/standby system configured with unit 2 failover objects★ |
544888-5 | 3-Major | K17426 | Idle timeout changes to five seconds when using PVA full or Assisted acceleration. |
534251-1 | 3-Major | | Live update with moving config breaks password-less ssh access |
533458-4 | 3-Major | | Insufficient data for determining cause of HSB lockup. |
533257-2 | 3-Major | | tmsh config file merge may fail when AFM security log profile is present in merged file |
528881 | 3-Major | | NAT names with spaces in them do not upgrade properly★ |
528310 | 3-Major | K17384 | Upgrade failure when CertKeyChain exists in non-Common partition★ |
527537 | 3-Major | | CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled |
527145-4 | 3-Major | K53232218 | On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown. |
527094-1 | 3-Major | K17295 | iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata. |
527021-1 | 3-Major | | BIG-IQ iApp statistics corrected for empty pool use cases |
526419-1 | 3-Major | | Deleting an iApp service may fail |
524791-3 | 3-Major | | non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0 |
524753-1 | 3-Major | | IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip |
524490-4 | 3-Major | K17364 | Excessive output for tmsh show running-config |
524326-4 | 3-Major | | Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips |
523922-4 | 3-Major | | Session entries may timeout prematurely on some TMMs |
523125 | 3-Major | K17350 | Disabling/enabling blades in cluster can result in inconsistent failover state |
520640-2 | 3-Major | K31002924 | The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method. |
519510-3 | 3-Major | K17164 | Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware |
519372 | 3-Major | K55273152 | vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files. |
519068-3 | 3-Major | | device trust setup can require restart of devmgmtd |
518283 | 3-Major | K16524 | Cookie rewrite mangles 'Set-Cookie' headers |
518039-1 | 3-Major | | BIG-IQ iApp statistics corrected for partition use cases |
517580-3 | 3-Major | K16787 | OPT-0015 on 10000-series appliance may cause bcm56xxd restarts |
517178-2 | 3-Major | K29660332 | BIG-IP system as SAML Service Provider cannot process some messages from SimpleSAMLphp under certain conditions |
516669-1 | 3-Major | K34602919 | Rarely occurring SOD core causes failover. |
515667-4 | 3-Major | | Unique truncated SNMP OIDs. |
514726-4 | 3-Major | K17144 | Server-side DSR tunnel flow never expires |
514724-1 | 3-Major | | crypto-failsafe fail condition not cleared when crypto device restored |
513916-5 | 3-Major | K80955340 | String iStat rollup not consistent with multiple blades |
513294-8 | 3-Major | | LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances |
510159-1 | 3-Major | | Outgoing MAP tunnel statistics not updated |
510119-4 | 3-Major | | HSB performance can be suboptimal when transmitting TSO packets. |
509782-3 | 3-Major | K16780 | TSO packets can be dropped with low MTU |
509504-5 | 3-Major | K17500 | Excessive time to save/list a firewall rule-list configuration |
509037-1 | 3-Major | K17058 | BIG-IP systems allows creating wild-card IPIP tunnels with the same local-address and tunnel-type |
507853-1 | 3-Major | | MCP may crash while performing a very large chunked query and CPU is highly loaded |
507575-1 | 3-Major | | An incorrectly formatted NAPTR creation via iControl can cause an error. |
506041-2 | 3-Major | K01256304 | Folders belonging to a device group can show up on devices not in the group |
505045-1 | 3-Major | K56700956 | MAP implementation not working with EA bits length set to 0. |
504494-2 | 3-Major | K43624250 | Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.★ |
502238-3 | 3-Major | K16736 | Connectivity and traffic interruption issues caused by a stuck HSB transmit ring |
501437-3 | 3-Major | | rsync daemon does not stop listening after configsync-ip set to none |
500234-4 | 3-Major | | TMM may core during failover due to invalid memory access in IPsec components |
499260-3 | 3-Major | | Deleting trust-domain fails when standby IP is in ha-order |
497564-2 | 3-Major | | Improve High Speed Bridge diagnostic logging on transmit/receive failures |
497304-1 | 3-Major | | Unable to delete reconfigured HTTP iApp when auto-sync is enabled |
495526-1 | 3-Major | | IPsec tunnel interface causes TMM core at times |
493246-2 | 3-Major | K17414 | SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot |
493213-1 | 3-Major | | RBA eam and websso daemons segfaulting while provisioning |
491716-2 | 3-Major | | SNMP attribute type incorrect for certain OIDs |
491556-7 | 3-Major | K16573 | tmsh show sys connection output is corrected |
489084-1 | 3-Major | | Validation error in MCPD for FQDN nodes |
484706-2 | 3-Major | K16460 | Incremental sync of iApp changes may fail |
483104-3 | 3-Major | K17365 | vCMP guests report platform type as 'unknown' |
481648-8 | 3-Major | | mib-2 ipAddrTable interface index does not correlate to ifTable |
480679-1 | 3-Major | K16858 | The big3d daemon does not receive config updates from mcpd |
473348-6 | 3-Major | K16654 | SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later |
473088-4 | 3-Major | K17091 | Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile |
470756-6 | 3-Major | | snmpd cores or crashes with no logging when restarted by sod |
468837-5 | 3-Major | | SNAT translation traffic group inheritance does not sync across devices |
464252-2 | 3-Major | | Possible tmm crash when modifying html pages with HTML profile. |
464024-4 | 3-Major | K16455 | File descriptor leak when running some TMSH commands through scriptd |
458104-3 | 3-Major | K16795 | LTM UCS load merge trunk config issue |
455264-3 | 3-Major | K54105052 | Error messages are not clear when adding member to device trust fails |
442871-1 | 3-Major | K17185 | BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor |
441297-3 | 3-Major | K16493 | Trunk remains down and interface's status is 'uninit' after mcpd restart |
416388-1 | 3-Major | | vCMPD will not reattach to guest |
410398-3 | 3-Major | | sys db tmrouted.rhifailoverdelay does not seem to work |
405752-1 | 3-Major | K22040410 | TCP Half Open monitors sourced from specific source ports can fail |
383784-5 | 3-Major | K17289 | Remote Auth user names containing blank space cannot login through TMSH. |
362267-3 | 3-Major | K17488 | Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors★ |
359774-6 | 3-Major | | Pools in HA groups other than Common★ |
355661-3 | 3-Major | K85476133 | sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address |
524606-1 | 4-Minor | | SELinux violations prevent cpcfg from touching /service/mcpd/forceload |
524185 | 4-Minor | | Unable to run lvreduce |
523863-2 | 4-Minor | | istats help not clear for negative increment |
492163-3 | 4-Minor | K12400 | Applying a monitor to pool and pool member may cause an issue. |
475647-2 | 4-Minor | | VIPRION Host PIC firmware version 7.02 update |
473163-2 | 4-Minor | | RAID disk failure and alert.conf log message mismatch results in no trap |
471827-1 | 4-Minor | | Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist★ |
465675-3 | 4-Minor | K07816405 | Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable. |
465317-1 | 4-Minor | K10890804 | Failure notice from '/usr/bin/set-rsync-mgmt-fw close' seen on each boot. |
464043-3 | 4-Minor | | Integration of Firmware for the 2000 Series Blades |
443298-2 | 4-Minor | | FW Release: Incorporate VIPRION 2250 LOP firmware v1.20 |
356658-2 | 5-Cosmetic | K28234602 | Message logged when remote authenticated users do not have local account login |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
522784-2 | 1-Blocking | | After restart, system remains in the INOPERATIVE state |
420341-6 | 1-Blocking | K17082 | Connection Rate Limit Mode when limit is exceeded by one client also throttles others |
552937-1 | 2-Critical | | HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail. |
539344-1 | 2-Critical | | SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list |
538255 | 2-Critical | | SSL handshakes on 4200/2200 can cause TMM cores. |
533388-1 | 2-Critical | | tmm crash with assert "resume on different script" |
530963-4 | 2-Critical | | BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms |
528432-2 | 2-Critical | | Control plane CPU usage reported too high |
523079-2 | 2-Critical | | Merged may crash when file descriptors exhausted |
514108-1 | 2-Critical | | TSO packet initialization failure due to out-of-memory condition. |
510837-2 | 2-Critical | | Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. BIG-IP sends bad client key exchange. |
509346-2 | 2-Critical | | Intermittent or complete SSL handshake failure with netHSM keys |
506304-2 | 2-Critical | | UDP connections may stall if initialization fails |
505331-1 | 2-Critical | K17092 | SASP Monitor may core |
505222-2 | 2-Critical | | DTLS drops egress packets when traffic is sufficiently heavy. |
503343-7 | 2-Critical | | TMM crashes when cloned packet incorrectly marked for TSO |
499422-1 | 2-Critical | K31310380 | An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm. |
497299-5 | 2-Critical | | Thales install fails if the BIG-IP system is also configured as the RFS |
492352-3 | 2-Critical | | SSL profiles using password protected SSL keys cause config utility error |
481677-2 | 2-Critical | | A possible TMM crash in some circumstances. |
481162-2 | 2-Critical | K16458 | vs-index is set differently on each blade in a chassis |
474601-5 | 2-Critical | | FTP connections are being offloaded to ePVA |
450814-10 | 2-Critical | | Early HTTP response might cause rare 'server drained' assertion |
431283-7 | 2-Critical | | iRule binary scan may core TMM when the offset is large |
426328-8 | 2-Critical | K14654 | Updating iRule procs while in use can cause a core |
402412-8 | 2-Critical | | FastL4 tcp handshake timeout is not honored, connection lives for idle timeout. |
551612 | 3-Major | | BIG-IP SSL does not support sending multiple certificate verification requests to the hardware accelerator at the same time in 11.6.0. |
530431 | 3-Major | K17537 | FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts★ |
526810-5 | 3-Major | | Crypto accelerator queue timeout is now adjustable |
525557 | 3-Major | | FQDN ephemeral nodes not re-populated after deleted and re-created |
524666-3 | 3-Major | | DNS licensed rate limits might be unintentionally activated. |
522147-2 | 3-Major | | 'tmsh load sys config' fails after key conversion to FIPS using web GUI |
521774-3 | 3-Major | K17420 | Traceroute and ICMP errors may be blocked by AFM policy |
521538-2 | 3-Major | K08025400 | Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known |
521522-3 | 3-Major | K21981142 | Traceroute through BIG-IP may display destination IP address at BIG-IP hop |
521408-3 | 3-Major | | Incorrect configuration in BigTCP Virtual servers can lead to TMM core |
520540-1 | 3-Major | | Specific iRule commands may generate a core file |
518020-11 | 3-Major | K16672 | Improved handling of certain HTTP types. |
517790-1 | 3-Major | | When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped |
517556-3 | 3-Major | | DNSSEC unsigned referral response is improperly formatted |
516598-1 | 3-Major | K82721850 | Multiple TCP keepalive timers for same Fast L4 flow |
516320-2 | 3-Major | | TMM may have a CPU spike if match cross persist is used. |
515817-2 | 3-Major | | TMM may not reset connection when receiving an ICMP error |
515322-1 | 3-Major | | Intermittent TMM core when using DNS cache with forward zones |
515072-4 | 3-Major | K17101 | Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased |
514246-3 | 3-Major | | connflow_precise_check_begin does not check for NULL |
512383-3 | 3-Major | K68275911 | Hardware flow stats are not consistently cleared during fastl4 flow teardown. |
512148-1 | 3-Major | K17154 | Self IP address cannot be deleted when its VLAN is associated with static route |
512062-2 | 3-Major | K21528300 | A db variable to disable verification of SCTP checksum when ingress packet checksum is zero |
510921-1 | 3-Major | K23548911 | Database monitors do not support IPv6 nodes |
510720-1 | 3-Major | K81614705 | iRule table command resumption can clear the header buffer before the HTTP command completes |
510638-1 | 3-Major | K37513511 | [DNS] Config change in dns cache resolver does not take effect until tmm restart |
507529-1 | 3-Major | Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow | |
506282-1 | 3-Major | K16168 | GTM DNSSEC keys generation is not sychronized upon key creation |
505059-1 | 3-Major | Some special characters are not properly handled for username and password fields in TCL monitors | |
504899-2 | 3-Major | Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one) | |
504306-2 | 3-Major | https monitors might fail to re-use SSL sessions. | |
504105-4 | 3-Major | RR-DAG enabled UDP ports may be used as source ports for locally originated traffic | |
503979-1 | 3-Major | High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server. | |
503384-1 | 3-Major | K17394 | SMTP monitor fails on multi line greeting banner in SMTP server |
501516-5 | 3-Major | If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted. | |
497742-3 | 3-Major | Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address | |
496758-5 | 3-Major | K16465 | Monitor Parameters saved to config in a certain order may not construct parameters correctly |
495836-2 | 3-Major | SSL verification error occurs when using server side certificate. | |
495557-1 | 3-Major | Ephemeral node health status may report as 'unknown' rather than the expected 'offline' | |
490713-3 | 3-Major | FTP port might occasionally be reused faster than expected | |
490429-2 | 3-Major | K17206 | The dynamic routes for the default route might be flushed during operations on non-default route domains. |
488600-2 | 3-Major | iRule compilation fails on upgrade★ | |
488581 | 3-Major | K17539 | The TMM process may restart and produce a core file when using the SSL::disable clientside iRule command within a HTTP_REQUEST event |
485472-3 | 3-Major | iRule virtual command allows for protocol mismatch, resulting in crash | |
479674-1 | 3-Major | K16629 | bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors. |
478617-6 | 3-Major | K16451 | Don't include maximum TCP options length in calculating MSS on ICMP PMTU. |
478439-6 | 3-Major | K16651 | Unnecessary re-transmission of packets on higher ICMP PMTU. |
478257-7 | 3-Major | Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed | |
476097-1 | 3-Major | K15274113 | TCP Server MSS option is ignored in verified accept mode |
474356-1 | 3-Major | Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain | |
471059-4 | 3-Major | Malformed cookies can break persistence | |
465607-7 | 3-Major | K15966 | TMM cores with TMM log error 'Assertion "flow in use" failed.' when isuing FastHTTP. |
465590-9 | 3-Major | K17531 | Mirrored persistence information is not retained while flows are active |
465052-6 | 3-Major | K16060 | Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing |
462714-2 | 3-Major | K66236389 | Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server |
460627-3 | 3-Major | K17059 | SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists |
447874-5 | 3-Major | TCP zero window suspends data transfer | |
447043-3 | 3-Major | K17095 | Cannot have 2 distinct 'contains' conditions on the same LTM policy operand |
422107-8 | 3-Major | K17415 | Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set |
422087-5 | 3-Major | K16326 | Low memory condition caused by Ram Cache may result in TMM core |
375887-4 | 3-Major | K17282 | Cluster member disable or reboot can leak a few cross blade trunk packets |
374339-4 | 3-Major | HTTP::respond/redirect might crash TMM under low-memory conditions | |
364994-7 | 3-Major | K16456 | TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled be an iRule. |
352925-2 | 3-Major | K16288 | Updating a suspended iRule and TMM process restart |
348000-1 | 3-Major | HTTP response status 408 request timeout results in error being logged. | |
342013-6 | 3-Major | K27445955 | TCP filter doesn't send keepalives in FIN_WAIT_2 |
226892-13 | 3-Major | K12831 | Packet filter enabled, default action discard/reject and IP fragment drop |
486485-1 | 4-Minor | TCP MSS is incorrect after ICMP PMTU message. | |
454692-4 | 4-Minor | K16235 | Assigning 'after' object to a variable causes memory leaks |
442647-5 | 5-Cosmetic | K04311130 | IP::stats iRule command reports incorrect information past 2**31 bits |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
515797-1 | 2-Critical | | Using qos_score command in RULE_INIT event causes TMM crash |
513464-1 | 2-Critical | | Some autodiscovered virtuals may be removed from pools. |
471819-2 | 2-Critical | | The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled. |
517083-1 | 3-Major | | Some auto-discovered virtual servers may be removed from pools. |
516685-2 | 3-Major | | ZoneRunner might fail to load valid zone files. |
516680-2 | 3-Major | | ZoneRunner might fail when loading valid zone files. |
515033 | 3-Major | | [ZRD] A memory leak in zrd |
515030-1 | 3-Major | K74820030 | [ZRD] A memory leak in zrd |
514236-1 | 3-Major | | [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses |
496775-3 | 3-Major | K16194 | [GTM] [big3d] Unable to mark LTM virtual server up if there is another VS with the same ltm_name for the bigip monitor |
479142-1 | 3-Major | K16173 | Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD) |
465951-2 | 3-Major | K12562945 | If net self description size is 65K, gtmd restarts continuously |
479084-1 | 4-Minor | | ZoneRunner can fail to respond to commands after a VE resume. |
353556-4 | 4-Minor | | big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
524428-1 | 2-Critical | | Adding multiple signature sets concurrently via REST |
524004-1 | 2-Critical | | Adding multiple signatures concurrently via REST |
520280-1 | 2-Critical | | Perl Core After Apply Policy Action |
513822-1 | 2-Critical | | ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page |
511196-1 | 2-Critical | | UMU memory is not released when remote logger can't reach its destination |
532030-3 | 3-Major | | ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI |
531539-1 | 3-Major | K05113177 | The NTLM login is not recognized as failed login. |
527861 | 3-Major | | When many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive. |
526856-1 | 3-Major | | "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency |
523261-1 | 3-Major | | ASM REST: MCP Persistence is not triggered via REST actions |
523260-1 | 3-Major | K52028045 | Apply Policy finishes with coapi_query failure displayed |
523201-2 | 3-Major | | Expired files are not cleaned up after receiving an ASM Manual Synchronization |
520585-2 | 3-Major | | Changing Security Policy Application Language Is Not Validated or Propagated Properly |
519053-1 | 3-Major | | Request is forwarded truncated to the server after answering challenge on a big request |
516522-1 | 3-Major | K04420402 | After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.★ |
486829-1 | 3-Major | K17512 | HTTP Protocol Compliance options should not be modified during import/upgrade★ |
467930-1 | 3-Major | K47335122 | Searching ASM Request Log for requests with specific violations |
514117-1 | 4-Minor | | Store source port higher than 32767 in Request Log record |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
531526-2 | 3-Major | K17560 | Missing entry in SQL table leads to misleading ASM reports |
530356-2 | 3-Major | | Some AVR tables that hold ASM statistics are not being backed up in upgrade process. |
526277-1 | 3-Major | | AFM attack may never end on AVR dos overview page in a chassis based BIG-IP |
525708-1 | 3-Major | K17555 | AVR reports of last year are missing the last month data |
519022-2 | 3-Major | K01334306 | Upgrade process fails to convert ASM predefined scheduled-reports.★ |
518663-1 | 3-Major | | Client waits seconds before page finishes load |
499315-1 | 3-Major | | Added "Collect full URL" functionality. |
485251-1 | 3-Major | | AVR core which includes tmstat backtrace |
479334-5 | 3-Major | | monpd/ltm log errors after Hotfix is applied |
472117-2 | 3-Major | | Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive |
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
492149-3 | 1-Blocking | | Inline JavaScript with HTML entities may be handled incorrectly |
488736-5 | 1-Blocking | | Fixed problem with iNotes 9 Instant Messaging |
482266-3 | 1-Blocking | | Windows 10 support for Network Access / BIG-IP Edge Client |
482241-1 | 1-Blocking | | Windows 10 cannot be properly detected |
439880-2 | 1-Blocking | | NTLM authentication does not work due to incorrect NetBIOS name |
405769-3 | 1-Blocking | | APM Logout page is not protected against CSRF attack. |
532340-1 | 2-Critical | | When FormBased SSO or SAML SSO are configured, tmm may restart at startup |
526754-2 | 2-Critical | | F5unistaller.exe crashes during uninstall |
525562-1 | 2-Critical | | Debug TMM Crashes During Initialization |
523313-1 | 2-Critical | K17574 | aced daemon might crash on exit |
520298-2 | 2-Critical | | Java applet does not work |
520145-3 | 2-Critical | | [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy |
519864-3 | 2-Critical | | Memory leak on L7 Dynamic ACL |
518260-1 | 2-Critical | | Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message |
517988-2 | 2-Critical | | TMM may crash if access profile is updated while connections are active |
514220-1 | 2-Critical | | New iOS-based VPN client may fail to create IPv6 VPN tunnels |
509490-2 | 2-Critical | | [IE10]: attachEvent does not work |
507681-5 | 2-Critical | | Window.postMessage() does not send objects in IE11 |
506223-2 | 2-Critical | | A URI in request to cab-archive in iNotes is rewritten incorrectly |
502269-1 | 2-Critical | | Large post requests may fail using form based SSO. |
493993-6 | 2-Critical | K15914 | TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module |
492287-1 | 2-Critical | | Support Android RDP client 8.1.3 with APM remote desktop gateway |
480272-6 | 2-Critical | K17117 | During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID |
540778-3 | 3-Major | | Multiple SIGSEGV with core and failover with no logged indicator |
539013-6 | 3-Major | | DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases |
537614-1 | 3-Major | | Machine certificate checker fails to use Machine cert check service if Windows has certain display languages |
537000-2 | 3-Major | | Installation of Edge Client can cause Windows 10 crash in some cases |
534755-1 | 3-Major | | Deleting APM virtual server produces ERR_NOT_FOUND error |
533566-1 | 3-Major | | Support for View HTML5 client v3.5 shipped with VCS 6.2 |
532761 | 3-Major | | APM fails to handle compressed ICA file in integration mode |
532096-2 | 3-Major | | Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used |
531910-1 | 3-Major | | apmd, apd, localmgr random crash |
531883-2 | 3-Major | | Windows 10 App Store VPN Client must be detected by BIG-IP APM |
531541-1 | 3-Major | | Support Citrix Receiver 4.3 for Windows in PNAgent mode |
531529-1 | 3-Major | | Support for StoreFront proxy |
531483-2 | 3-Major | | Copy profile might end up with error |
530800-1 | 3-Major | | Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use. |
530773 | 3-Major | | per-request policy logs frequently in apm logs |
530697-2 | 3-Major | | Windows Phone 10 platform detection |
529392-2 | 3-Major | | Win10 and IE11 are not detected in case of DIRECT rule of proxy autoconfig script |
528768-1 | 3-Major | | Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication |
528727-1 | 3-Major | | In some cases HTML body.onload event handler is not executed via portal access. |
528726-3 | 3-Major | | AD/LDAP cache size reduced |
528675-2 | 3-Major | | BIG-IP EDGE Client can indefinitely stay in "disconnecting..." state when captive portal session expired |
526677-1 | 3-Major | | VMware Horizon HTML5 View access client can not connect when using View Connection Server running version 6.1.1 |
526617-1 | 3-Major | | TMM crash when logging a matched ACL entry with IP protocol set to 255 |
526578-1 | 3-Major | | Network Access client proxy settings are not applied on German Windows |
526492-2 | 3-Major | | DNS resolution fails for Static and Optimized Tunnels on Windows 10 |
526275-1 | 3-Major | | VMware View RSA/RADIUS two factor authentication fails |
526084-3 | 3-Major | | Windows 10 platform detection for BIG-IP EDGE Client |
525384-2 | 3-Major | | Network Access PAC file can now be located on an SMB share |
524909-2 | 3-Major | | Windows info agent could not be passed from Windows 10 |
523431-2 | 3-Major | | Windows Cache and Session Control cannot support a period in the access profile name |
523390-2 | 3-Major | | Minor memory leak on IdP when SLO is configured on bound SP connectors. |
523327-2 | 3-Major | | In very rare cases Machine Certificate service may fail to find private key |
523305-1 | 3-Major | | Authentication fails with StoreFront protocol |
523222-6 | 3-Major | | Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending. |
521835-2 | 3-Major | | [Policy Sync] Connectivity profile with a customized logo fails |
521773-2 | 3-Major | K10105099 | Memory leak in Portal Access |
521506-2 | 3-Major | | Network Access doesn't restore loopback route on multi-homed machine |
520642-3 | 3-Major | | Rewrite plugin should check length of Flash files and tags |
520390-1 | 3-Major | | Reuse existing option is ignored for smtp servers |
520205-3 | 3-Major | | Rewrite plugin could crash on malformed ActionScript 3 block in Flash file |
520118-2 | 3-Major | | Duplicate server entries in Server List. |
519966-2 | 3-Major | | APM "Session Variables" report shows user passwords in plain text |
519415-3 | 3-Major | | APM network access tunnel ephemeral listeners ignore iRules (related-rules from main virtual) |
519198-3 | 3-Major | | [Policy Sync] UI General Exception Error when syncing a policy in non-default partition as non-default admin user |
518981-2 | 3-Major | | RADIUS accounting STOP message may not include long class attributes |
518583-2 | 3-Major | | Network Access on disconnect restores redundant default route after looped network roaming for Windows clients |
518573 | 3-Major | | The -decode option should be added to expressions in AD and LDAP group mapping. |
518432 | 3-Major | | [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation |
517564-1 | 3-Major | | APM cannot get groups from an LDAP server when LDAP server is configured to use non-default port |
517441-5 | 3-Major | | apd may crash when RADIUS accounting message is greater than 2K |
516839-3 | 3-Major | | Add client type detection for Microsoft Edge browser |
516462-2 | 3-Major | | Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines |
515943-2 | 3-Major | | "Session variables" report may show empty if session variable value contains non-English characters |
514912-3 | 3-Major | | Portal Access scripts are not inserted into HTML page in some cases |
513969-3 | 3-Major | | UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running |
513953-1 | 3-Major | K17122 | RADIUS Auth/Acct might fail if server response size is more than 2K |
513706-2 | 3-Major | K16958 | Incorrect metric restoration on Network Access on disconnect (Windows) |
513545-1 | 3-Major | | '-decode' option produces incorrect value when it decodes a single value |
513283-1 | 3-Major | | Mac Edge Client doesn't send client data if access policy expired |
513098-1 | 3-Major | K17180 | localdb_mysql_restore.sh failed with exit code |
512345-2 | 3-Major | K17380 | Dynamic user record removed from memcache but remains in MySQL |
512245-7 | 3-Major | | Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname |
511854-4 | 3-Major | K85408112 | Rewriting URLs at client side does not rewrite multi-line URLs |
510709-1 | 3-Major | | Websso start URI match fails if there are more than 2 start URIs in SSO configuration. |
509722-1 | 3-Major | | BWC traffic blocked |
509677-1 | 3-Major | | Edge-client crashes after switching to network with Captive Portal auth |
504031-1 | 3-Major | | document.write()/document.writeln() redefinition does not work |
501494-1 | 3-Major | | if window.onload is assigned null, then null should be retrieved |
500938-3 | 3-Major | | Network Access can be interrupted if second NIC is disconnected |
500450-1 | 3-Major | | ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not to be honored by APM websso. |
495336-1 | 3-Major | K39768154 | Logon page is not displayed correctly when 'force password change' is on for local users. |
494637-2 | 3-Major | K80550446 | localdbmgr process in constant restart/core loop |
494565-4 | 3-Major | K65181614 | CSS patcher crashes when a quoted value consists of spaces only |
493023-3 | 3-Major | | Export of huge policies might end up with 'too many pipes opened' error |
492701-3 | 3-Major | | Resolved LSOs are overwritten by source device in new Policy Sync with new LSO |
492305-1 | 3-Major | | Recurring file checker doesn't interrupt session if client machine has missing file |
490830-4 | 3-Major | | Protected Workspace is not supported on Windows 10 |
488105-3 | 3-Major | | TMM may generate core during certain config change. |
483792-5 | 3-Major | | when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources |
483501-1 | 3-Major | | Access policy v2 memory leak during object deletion in tmm. |
483286-3 | 3-Major | | APM MySQL database full as log_session_details table keeps growing |
483020-1 | 3-Major | K17533 | [SWG] Policy execution hang when using iRule event in VPE |
482699-4 | 3-Major | | VPE displaying "Uncaught TypeError" |
482251-3 | 3-Major | K95824957 | Portal Access. Location.href(url) support. |
481987-6 | 3-Major | | Allow NTLM feature to be enabled with APM Limited license |
481663-5 | 3-Major | | Disable isession control channel on demand. |
480761-1 | 3-Major | | Fixed issue causing TunnelServer to crash during reconnect |
478751-6 | 3-Major | K35826411 | OAM10g form based AuthN is not working for a single/multiple domain. |
478492-7 | 3-Major | K17476 | Incorrect handling of HTML entities in attribute values |
475735-4 | 3-Major | K30145457 | Failed to load config after removing peer from sync-only group |
475403-2 | 3-Major | | Tunnel reconnect with v2.02 does not occur |
474779-1 | 3-Major | | EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails. |
473488-6 | 3-Major | K17376 | In AD Query agent, resolving of nested groups may cause apd to spin |
473255-3 | 3-Major | K41869058 | JavaScript submit() method could be rewritten incorrectly inside of 'with' statement. |
472256-3 | 3-Major | K17259 | tmsh and tmctl report unusually high counter values |
472062-3 | 3-Major | K17480 | Unmangled requests when form.submit with arguments is called in the page |
471117-4 | 3-Major | K17546 | iframe with JavaScript in 'src' attribute not handled correctly in IE11 |
468137-6 | 3-Major | | Network Access logs missing session ID |
466745-3 | 3-Major | | Cannot set the value of a session variable with a leading hyphen. |
462514-1 | 3-Major | K91196715 | Support for XMLHttpRequest is extended |
461189-5 | 3-Major | K16563 | Generated assertion contains HEX-encoded attributes |
458450-2 | 3-Major | K16941 | The ECA process may produce a core file when processing HTTP headers |
457760-5 | 3-Major | | EAM not redirecting stdout/stderr from standard libraries to /var/log/apm |
452010-3 | 3-Major | K16609 | RADIUS Authentication fails when username or password contain non-ASCII characters |
446860-4 | 3-Major | | APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 |
442698-10 | 3-Major | | APD Active Directory module memory leak in exception |
431467-1 | 3-Major | | Mac OS X support for nslookup and dig utilities to use VPN DNS |
426209-2 | 3-Major | | exporting to a CSV file may fail and the Admin UI is inaccessible |
423282-8 | 3-Major | K17116 | BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence |
408851-7 | 3-Major | | Some Java applications do not work through BIG-IP server |
402793-12 | 3-Major | | APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients |
340406-10 | 3-Major | | Localization of BIG-IP Edge Client for Macintosh |
533723-4 | 4-Minor | | [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag. |
524756 | 4-Minor | | APM Log is filled with errors about failing to add/delete session entry |
523158-2 | 4-Minor | | In VPE if the LDAP server returns "cn=" (lower case) dn/group match fails |
517872-1 | 4-Minor | | Include proxy hostname in logs in case of name resolution failure |
513201-6 | 4-Minor | | Edge client is missing localization of some English text in Japanese locale |
510459-1 | 4-Minor | | In some cases Access does not redirect client requests |
507321-3 | 4-Minor | | JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields |
497627-3 | 4-Minor | K58125050 | Tmm cores while using APM network access and no leasepool is created on the BIG-IP system. |
486661-3 | 4-Minor | | Network Access should provide client IP address on reconnect log records |
482145-3 | 4-Minor | | Text in buttons not centered correctly for higher DPI settings |
478658-6 | 4-Minor | | Window.postMessage() does not send objects |
478261-2 | 4-Minor | | WinInet handle leak in Edge Client on Windows |
473685-1 | 4-Minor | | Websso truncates cookie domain value |
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
522231-3 | 3-Major | | TMM may crash when a client resets a connection |
521455-2 | 3-Major | K16963 | Images transcoded to WebP format delivered to Edge browser |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
497389-1 | 3-Major | | Extraneous dedup_admin core |
485182-2 | 3-Major | K19303084 | wom_verify_config does not recognize iSession profile in /Common sub-partition |
480910 | 3-Major | | A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled fails to successfully establish a connection. |
442884-1 | 3-Major | | TMM assert 'spdy pcb initialized' in spdy_process() |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
521556-1 | 2-Critical | | Assertion "valid pcb" in TCP4 with ICAP adaptation |
516057-3 | 2-Critical | | Assertion 'valid proxy' can occur after a configuration change with active IVS flows. |
503652-4 | 2-Critical | K17162 | Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit. |
480311-1 | 3-Major | K47143123 | ADAPT should be able to work with OneConnect |
489957-5 | 4-Minor | | RADIUS::avp command fails when AVP contains multiple attributes (VSA). |
478920 | 4-Minor | | SIP::discard is not invoked for all request messages |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
524748-1 | 2-Critical | | PCCD optimization for IP address range |
506286-1 | 2-Critical | | TMSH reset of DOS stats |
534886-1 | 3-Major | | AFM Security checks were not being done for DNS over TCP |
532022-1 | 3-Major | | tmm can crash when the reply pkt to a service flow request is a DoS pkt |
531761-1 | 3-Major | | Web navigation flow may be reset when main page responds with non-HTML content |
530865-2 | 3-Major | | AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists) |
526774 | 3-Major | | Search in FW policy disconnects GUI users |
525522 | 3-Major | | Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains |
523465-2 | 3-Major | | Log an error message when firewall rule serialization fails due to maximum blob limit being hit. |
521763-1 | 3-Major | | Attack started and stopped messages should not have source/dst ip addresses in log messages |
515112-1 | 3-Major | | Delayed ehash initialization causes crash when memory is fragmented. |
510224-2 | 3-Major | | All descriptions for address-list members are flushed after the address-list was updated |
509934-1 | 3-Major | | Blob activation fails due to counter revision |
509919-2 | 3-Major | | Incorrect counter for SelfIP traffic on cluster |
509600-1 | 3-Major | | Global rule association to policy is lost after loading config. |
481706-2 | 3-Major | | AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP |
533808-1 | 4-Minor | | Unable to create new rule for virtual server if order is set to "before"/"after" |
533336-2 | 4-Minor | | Display 'description' for port list members |
528499 | 4-Minor | | AFM address lists are not sorted while trying to create a new rule. |
510226-2 | 4-Minor | | All descriptions for port-list members are flushed after the port-list was updated |
491165-1 | 4-Minor | | Legal IP addresses sometimes logged in Attack Started/Stopped message. |
495432-2 | 5-Cosmetic | | Add new log messages for AFM rule message load/activation in datapath. |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
545558-1 | 1-Blocking | | Send RAA when RAR is sent by PCRF and session is deleted immediately after it is created. |
533929 | 1-Blocking | | PEM::subscriber info iRule command can cause tmm core |
525175-1 | 1-Blocking | | Fix a crash issue when querying SSP with multi-ip. |
524780-1 | 1-Blocking | | TMM crash when querying the session information |
522933-1 | 1-Blocking | | diam_app_process_async_lookup may cause TMM crash |
534490 | 2-Critical | | Fixed TMM crash when iRule configuration is modified. |
534018-1 | 2-Critical | | Memory leak while running some of PEM::session and PEM::subscriber commands. |
533734-1 | 2-Critical | K82536069 | DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION |
533203 | 2-Critical | K98322810 | TMM may core on resuming iRule if the underlying flow has been deleted. |
528715-1 | 2-Critical | | rare tmm crash when ipother iRule parks |
527016-1 | 2-Critical | | CLASSIFICATION_DETECTED iRule event results in tmm core |
524374-1 | 2-Critical | | TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule |
523296-1 | 2-Critical | | TMM may core when using iRule custom actions in PEM policies |
519506-1 | 2-Critical | | Flows dropped with initiate data from server on virtual servers with HTTP |
491771-2 | 2-Critical | | Parking command called from inside catch statement |
541592-1 | 3-Major | | PEM: Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions |
537034 | 3-Major | K13145204 | PEM: CPU spike seen when iRule tries to update nonexistent sessions. |
534323-1 | 3-Major | | Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr. |
533513-1 | 3-Major | | Data plane Listener summary does not show LSN translation correctly |
529414-1 | 3-Major | | PEM: After Diameter Fatal-Grace time expiry, some subscriber sessions might be deleted very soon |
528787-1 | 3-Major | | PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code. |
528247-1 | 3-Major | | PEM: New Requested units empty when used units match granted service units |
528238-1 | 3-Major | | Quota Policy added multiple times will lead to reset of Subscriber flows |
527725-1 | 3-Major | | BIG-IP crash caused by PSC::ip_address iRule is fixed |
527292-1 | 3-Major | | BIG-IP crash caused by PSC::user_name iRule is fixed |
527289-1 | 3-Major | | TMM crashes with core when PSC::ip_address iRule is used to list IPs |
527076-1 | 3-Major | | TMM crashes with core when PSC::policy iRule is used to set more than 32 policies |
526786-1 | 3-Major | | Session lookup fails |
526368-1 | 3-Major | | The number of IPv4 addresses per Gx session exceeds the limit of 1 |
526295-3 | 3-Major | | BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id |
525860-2 | 3-Major | | PEM: Duplicate sessions formed with same IP |
525633-1 | 3-Major | K02093894 | Configurable behavior if PCRF returns unknown session ID in middle of session. |
525416-1 | 3-Major | | List of IPs in "tmsh show pem sessiondb subscriber-id" may be reversed. |
524409-1 | 3-Major | | Fix TMSH show and reset-stats commands for multi-ip sessions defect. |
524198-1 | 3-Major | | PEM: Invalid HSL log generated when session with static subscriber deleted. |
522934 | 3-Major | | Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy |
522579-1 | 3-Major | | TMM memory leak when RAR messages received from PCRF to delete non-existing sessions in PEM |
522141-1 | 3-Major | | Tmm cores while changing properties of PEM policies and rules. |
522140-1 | 3-Major | | Multiple IP is not added through iRule after setting the state of a session to provision by iRule |
521683-1 | 3-Major | | PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs |
521655-2 | 3-Major | | Session hangs when trying to switch state to provisioned |
504627-1 | 3-Major | | Valid RADIUS sessions deleted due to inactivity if no subscriber traffic exists during session timeout period. |
499778-1 | 3-Major | | A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs |
471926-1 | 3-Major | | Static subscriber sessions lost after bigstart restart |
539677-1 | 4-Minor | | The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file |
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
533562-1 | 2-Critical | K15320373 | Memory leak in CGNAT can result in crash |
515646-1 | 2-Critical | K17339 | TMM core when multiple PPTP calls from the same client |
509108-1 | 2-Critical | | CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber |
494743-1 | 2-Critical | K17389 | Port exhaustion errors on VIPRION 4800 when using CGNAT |
494122-2 | 2-Critical | K02533962 | Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades |
490893-4 | 2-Critical | K16762 | Deterministic NAT State information incomplete for HSL log format |
505097-1 | 3-Major | | lsn-pool backup-member not propagated to route table after tmrouted restart |
504021-1 | 3-Major | | lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled |
500424-2 | 3-Major | | dnatutil exits when reverse mapping one of the snippets results in "No tmms on the blade" error |
486762-1 | 3-Major | K05172346 | lsn-pool connection limits may be invalid when mirroring is enabled |
480119-2 | 3-Major | K16112 | Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message. |
455020-1 | 3-Major | | RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
526124 | 2-Critical | | Parameter matching inconsistency |
520090-1 | 2-Critical | K17546 | Flows are closed as expired rather than closed gracefully. |
529573 | 3-Major | | CSS attribute name |
527075 | 3-Major | | Update domain availability default settings |
525283-1 | 3-Major | | Add obfuscator tuning tools |
524032-1 | 3-Major | | Control sending alerts during the source integrity learning process |
513860-1 | 3-Major | | Incomplete support for special characters in input field names |
503461-1 | 3-Major | K88491629 | Intermittent JavaScript failure on Safari on Macintosh computer or device. |
529587 | 4-Minor | | Erroneous JS injections |
Device Management Fixes
ID Number | Severity | Solution Article(s) | Description |
525595 | 1-Blocking | K38134424 | Memory leak of inbound sockets in restjavad. |
509273 | 2-Critical | | hostagentd consumes memory over time |
533307 | 3-Major | | Increasing memory usage due to continual creation of authentication tokens |
521272 | 3-Major | K16751 | Fixed memory leak in restjavad's Authentication Token worker |
iApp Technology Fixes
ID Number | Severity | Solution Article(s) | Description |
495525-1 | 4-Minor | | iApps fail when using FQDN nodes in pools |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
523032-6 | CVE-2015-3456 | K16620 | qemu-kvm VENOM vulnerability CVE-2015-3456 |
513034-1 | CVE-2015-4638 | K17155 | TMM may crash if Fast L4 virtual server has fragmented packets |
511651-3 | CVE-2015-5058 | K17047 | CVE-2015-5058: Performance improvement in packet processing. |
477281-4 | CVE-2014-6032 | K15605 | Improved XML Parsing |
477278-5 | CVE-2014-6032 | K15605 | XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033 |
476157-3 | CVE-2014-4341 CVE-2014-4342 | K15547 | MIT Kerberos 5 vulnerability CVE-2014-4342 |
507842-2 | CVE-2015-1349 | K16356 | Patch for BIND Vulnerability CVE-2015-1349 |
513382-13 | CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 | K16317 | Resolution of multiple OpenSSL vulnerabilities |
485917-3 | CVE-2004-1060 | K15792 | BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060) |
476738-1 | CVE-2007-6199 | K15549 | rsync daemon may be configured to listen on a public port |
430799-3 | CVE-2010-5107 | K14741 | CVE-2010-5107 openssh vulnerability |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
500303-3 | 2-Critical | K17302 | Virtual Address status may not be reliably communicated with route daemon |
499947 | 2-Critical | | Improved performance loading thousands of Virtual Servers |
497433-2 | 2-Critical | | SSL Forward Proxy server side now supports all key exchange methods. |
487552-3 | 2-Critical | | triplets-not-allowed threshold too high because LTM minimum requirements for 6G guests are coming from 8G table |
361367-3 | 2-Critical | | Create 8 MB-aligned partitions/volumes for VE images to improve disk I/O. |
523803 | 3-Major | | Support two-factor authentication for Citrix Receivers in StoreFront proxy mode |
512016-1 | 3-Major | | DB variable added to determine DNS UDP truncation behavior. |
504348-1 | 3-Major | K53152418 | iRules in event ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT cannot see modified headers |
502770-2 | 3-Major | | clientside and serverside command crashes TMM |
495273-1 | 3-Major | | LDAP extended error info only available at debug log level which could affect Branch rules |
480811-2 | 3-Major | K25171635 | qkview will not collect lib directories. |
474465-3 | 3-Major | | Analysis processes appear to use high CPU though not affecting data plane |
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
510393-1 | 1-Blocking | | TMM may occasionally restart with a core file when deployed VCMP guests are stopped |
504490-1 | 1-Blocking | K16789 | The BIG-IP system sometimes takes longer on boot up to become Active. |
468175-8 | 1-Blocking | | IPsec interop with Cisco systems intermittent outages |
520349 | 2-Critical | | iControl portal restarts |
509475 | 2-Critical | | SPDY profile with activation-mode always may not load on upgrade to 11.6.0 or later |
509276-4 | 2-Critical | | VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device |
507487-1 | 2-Critical | | ZebOS Route not withdrawn when VAddr/VIP down and no default pool |
505323-1 | 2-Critical | K17349 | NSM hangs in a loop, utilizing 100% CPU |
502675-1 | 2-Critical | | Improve reliability of LOP/LBH firmware updates |
501343-3 | 2-Critical | | In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle |
495335-1 | 2-Critical | K17436 | BWC related tmm core |
492458-1 | 2-Critical | | BIOS initial release |
487233-1 | 2-Critical | K16747 | vCMP guests are unable to access NTP or RSYNC via their management network. |
484733-4 | 2-Critical | | aws-failover-tgactive.sh doesn't skip network forwarding virtuals |
474751-1 | 2-Critical | | IKEv1 daemon crashes when flushing SAs |
474323 | 2-Critical | | ePVA IPv6 feature is not available |
467646 | 2-Critical | K16184 | IDE DMA timeouts can result in stuck processes |
467196-5 | 2-Critical | K16015 | Log files limited to 24 hours |
466266-1 | 2-Critical | | In rare cases, an upgrade (or a restart) can result in an Active/Active state★ |
460730-7 | 2-Critical | | On systems with multiple blades, large queries can cause TMM to restart |
452293-4 | 2-Critical | K16186 | Tunneled Health Monitor traffic fails on Standby device |
445911-6 | 2-Critical | | TMM fast forwarded flows are offloaded to ePVA |
430323-4 | 2-Critical | | VXLAN daemon may restart when 8000 VXLAN tunnels are configured |
422460-8 | 2-Critical | | : |
376120-4 | 2-Critical | K15726 | tmrouted restart after reconfiguration of previously deleted route domain |
519877 | 3-Major | | External pluggable module interfaces not disabled correctly. |
516073 | 3-Major | | Revised AWS Setup Guide |
514450-4 | 3-Major | | VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs. |
512485-3 | 3-Major | | Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding |
510597-3 | 3-Major | | SNAT Origin Address List is now stored correctly when first created |
507461-6 | 3-Major | | Net cos config may not persist on HA unit following staggered restart of both HA pairs. |
507327-1 | 3-Major | | Programs that read stats can leak memory on errors reading files |
506281 | 3-Major | | F5 Internal tool change to facilitate creating Engineering Hotfixes. |
505878 | 3-Major | K17355 | Configuration load failure on secondary blades may occur when the chassis is rebooted |
504572-4 | 3-Major | K30038035 | PVA accelerated 3WHS packets are sent in wrong hardware COS queue |
503875-1 | 3-Major | K81433151 | Configure bwc policy category max rate |
503604-3 | 3-Major | | Tmm core when switching from interface tunnel to policy based tunnel |
501953-2 | 3-Major | | HA failsafe triggering on standby device does not clear next active for that device. |
501371-4 | 3-Major | K39672730 | mcpd sometimes exits while doing a file sync operation |
495862-1 | 3-Major | | Virtual status becomes yellow and gets connection limit alert when all pool members forced down |
494978-1 | 3-Major | | The hostagentd daemon should not be running in non-vcmp mode. |
494367-2 | 3-Major | | HSB lockup after HiGig MAC reset |
491791-3 | 3-Major | | GET on non-existent pool members does not show error |
490414-1 | 3-Major | | /shared/vmisolinks present on systems running versions where block-devices are not present |
489750-3 | 3-Major | K16696 | Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config |
488916 | 3-Major | | CIDR can now be used for SNAT Origin Address List |
488374-2 | 3-Major | K17019 | Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation |
486512-7 | 3-Major | | audit_forwarder sending invalid NAS IP Address attributes |
485939-1 | 3-Major | K16822 | OSPF redistributing connected subnets that are configured in the network element with infinity metric in an HA pair. |
485833-7 | 3-Major | | The mcpd process may leak memory when using tmsh to modify user attributes |
484861-5 | 3-Major | K16919 | A standby-standby state can be created when auto failback acts in a CRC disagreement scenario |
483762-3 | 3-Major | K15790 | Overlapping vCMP guest MAC addresses |
483751-1 | 3-Major | K16729 | Internal objects can have load failures on restarted blades |
483699-1 | 3-Major | K16888 | No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list |
483683-3 | 3-Major | K16210 | MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error |
482434 | 3-Major | | Possible performance degradation in AWS cloud |
481082-2 | 3-Major | | Software auto update schedule settings can be reset during a full sync |
478761-1 | 3-Major | | load sys config default does not work with iCR |
477859-1 | 3-Major | | ZebOS config load may fail if password begins with numeric character |
477789-4 | 3-Major | | SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN. |
476288-1 | 3-Major | | Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to segfault |
473200-2 | 3-Major | | Renaming a virtual server causes unexpected configuration load failure |
473037-1 | 3-Major | K16896 | BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP |
472365-4 | 3-Major | | The vCMP worker-lite system occasionally stops due to timeouts |
471496-2 | 3-Major | | Standby node sends a summary LSA for the default route into a stub area with the same metric value as that of Active node. |
468517-5 | 3-Major | K16249 | Multi-blade systems can experience active/standby flapping after both units rebooted |
464132-2 | 3-Major | K15665 | Serverside SSL cannot be disabled if Rewrite profile is attached |
463715-3 | 3-Major | | syscalld logs erroneous and benign timeout messages |
447075-1 | 3-Major | | CuSFP module plugged in during links-down state will cause remote link-up |
440346-5 | 3-Major | K16265 | Monitors removed from a pool after sync operation |
440154-3 | 3-Major | | When IKEv2 is in use, user can only associate one Traffic Selector object with the IKE Peer object |
439343 | 3-Major | | Client certificate SSL authentication unable to bind to LDAP server |
436682-5 | 3-Major | | Optical SFP modules show a higher optical power output for disabled switch ports |
431634-6 | 3-Major | | tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails |
420204-3 | 3-Major | | FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long |
416292-1 | 3-Major | | MCPD can core as a result of another component shutting down prematurely |
394236-3 | 3-Major | | MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 - |
510049 | 4-Minor | | Revised BIG-IP CGNAT Implementations content |
493223-3 | 4-Minor | | syscalld core dumps now keep more debugging information |
490171-1 | 4-Minor | K61258430 | Cannot add FQDN node if management route is not configured |
477111-5 | 4-Minor | | Dual management routes in the main routing table |
475592-2 | 4-Minor | | Per-core and system CPU usage graphs do not match |
473517-2 | 4-Minor | | 'OID not increasing error' during snmpwalk |
463959-1 | 4-Minor | | stpd attempts to connect to slots in a chassis that are empty |
492422-4 | 5-Cosmetic | K24508323 | HTTP request logging reports incorrect response code |
466116-3 | 5-Cosmetic | | Intermittent 'AgentX' warning messages in syslog/ZebOS log files |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
511873 | 1-Blocking | | TMM core observed during SSL cert-related tmsh execution. |
507490-1 | 1-Blocking | | Invalid HTTP/2 input can cause the TMM to hang |
507139-1 | 1-Blocking | | Invalid HTTP/2 input can cause the TMM to hang |
504225-2 | 1-Blocking | | Virtual creation with the multicast IPv6 address returns error message |
488931-1 | 1-Blocking | | TMM may restart when MPTCP traffic is being handled. |
520413 | 2-Critical | | TMM may crash when using woodside congestion control |
516408-1 | 2-Critical | | SSL reports certificate verification OK even when verification returns failure for pcm=request. |
516179-1 | 2-Critical | K16420 | Woodside falsely detects congestion |
514521 | 2-Critical | | Rare TMM Cores with TCP SACK and Early Retransmit |
509310-5 | 2-Critical | | Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances |
503620-3 | 2-Critical | | ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later |
495875-2 | 2-Critical | K16204 | Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic |
495030-1 | 2-Critical | | Segfault originating from flow_lookup_nexthop. |
494319-1 | 2-Critical | K16811 | Proxy SSL caused tmm to core by dereferencing a null pointer |
491030-6 | 2-Critical | | Nitrox crypto accelerator can sometimes hang when encrypting SSL records |
489796-2 | 2-Critical | K16298 | TMM cores when Woodside congestion control is used. |
488908-1 | 2-Critical | K16808 | In client-ssl profile which serves as server side, BIG-IP SSL does not initialize in initialization function. |
486450-2 | 2-Critical | | iApp re-deployment causes mcpd on secondaries to restart |
485189-3 | 2-Critical | | TMM might crash if unable to find persistence cookie |
480699-2 | 2-Critical | K15728 | HA mirroring can overflow buffer limits on larger platforms |
480370-6 | 2-Critical | K17147 | Connections to virtual servers with port-preserve property will cause connections to leak in TMM |
480299-1 | 2-Critical | K16627 | Delayed update of Virtual Address might not always happen. |
480113-4 | 2-Critical | | Install of FIPS exported key files (.exp) causes device-group sync failure |
479171-3 | 2-Critical | K15613 | TMM might crash when DSACK is enabled |
478983-1 | 2-Critical | K16809 | TMM core during certificate verification against CRL |
478592-1 | 2-Critical | K16798 | When using the SSL forward proxy feature, clients might be presented with expired certificates. |
477064-1 | 2-Critical | K17268 | TMM may crash in SSL |
476683-2 | 2-Critical | | Suspended DNS_RESPONSE events are not resumed |
476599-4 | 2-Critical | | TMM may panic when resuming DNS_REQUEST iRule event |
475408-1 | 2-Critical | | SSL persistence profile does not find the server certificate. |
475231-5 | 2-Critical | | TCP::close in CLIENTSSL_CLIENTCERT iRule event may result in tmm crash |
474974-3 | 2-Critical | | Fix ssl_profile nref counter problem. |
474388-3 | 2-Critical | K16957 | TMM restart, SIGSEGV messages, and core |
472585-3 | 2-Critical | | tmrouted crashes after a series of configuration changes |
470191-2 | 2-Critical | K15760 | Virtual with FastL4 with loose initiation and close enabled might result in TMM core |
417068-6 | 2-Critical | | Key install or deletion failure on FIPS key names longer than 32 chars on some platforms |
517124 | 3-Major | | HTTP::retry incorrectly converts its input |
516292-1 | 3-Major | K17023 | Incorrect handling of repeated headers |
515482 | 3-Major | K93258439 | Multiple teardown conditions can cause crash |
514604-1 | 3-Major | | Nexthop object can be freed while still referenced by another structure |
513243-1 | 3-Major | K17561 | Improper processing of crypto error condition might cause memory issues. |
512490-3 | 3-Major | | Increased latency during connection setup when using FastL4 profile and connection mirroring. |
511517-1 | 3-Major | K17111 | Request Logging profile cannot be configured with HTTP transparent profile |
511130-3 | 3-Major | | TMM core due to invalid memory access while handling CMP acknowledgement |
509416 | 3-Major | | Suspended 'after' commands may result in unexpected behaviors |
508716-4 | 3-Major | | DNS cache resolver drops chunked TCP responses |
507127-2 | 3-Major | | DNS cache resolver is inserted to a wrong list on creation. |
506702-4 | 3-Major | | TSO can cause rare TMM crash. |
506290-4 | 3-Major | | MPI redirected traffic should be sent to HSB ring1 |
505964 | 3-Major | | Invalid http cookie handling can lead to TMM core |
505056-5 | 3-Major | | BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow. |
504633-1 | 3-Major | | DTLS should not update 'expected next sequence number' when the record is bad. |
503741-2 | 3-Major | K16662 | DTLS session should not be closed when it receives a bad record. |
503214-3 | 3-Major | | Under heavy load, hardware crypto queues may become unavailable. |
503118-2 | 3-Major | | clientside and serverside command crashes TMM |
502959-2 | 3-Major | | Unable to get response from virtual server after node flapping |
502683-3 | 3-Major | | Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on |
502149-3 | 3-Major | K06334742 | Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.' |
501690-3 | 3-Major | | TMM crash in RESOLV::lookup for multi-RR TXT record |
499950-5 | 3-Major | | In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs |
499946-3 | 3-Major | K16801 | Nitrox might report bad records on highly fragmented SSL records |
499478-2 | 3-Major | K16850453 | Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate |
499280-1 | 3-Major | | Client side or server side SSL handshake may fail if it involves SHA512-signed certificates in TLS1.2 |
499150-3 | 3-Major | K16721 | OneConnect does not reuse existing connections in VIP targeting VIP configuration |
498334-2 | 3-Major | K16867 | DNS express doesn't send zone notify response |
498269-1 | 3-Major | K16856 | 5200 does not forward STP BPDUs across VLAN groups when in PASSTHRU mode |
497584-2 | 3-Major | | The RA bit on DNS response may not be set |
496950-1 | 3-Major | | Flows may not be mirrored successfully when static routes and gateways are defined. |
496588-1 | 3-Major | | HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash |
495574-3 | 3-Major | K16111 | DB monitor functionality might cause memory issues |
495443-4 | 3-Major | K16621 | ECDH negotiation failures logged as critical errors. |
495253-1 | 3-Major | K16603 | TMM may core in low memory situations during SSL egress handling |
494322-6 | 3-Major | | The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used |
493673-2 | 3-Major | K12352524 | DNS record data may have domain names compressed when using iRules |
493140-1 | 3-Major | K16969 | Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters. |
493117-6 | 3-Major | K16986 | Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted |
491518-2 | 3-Major | | SSL persistence can prematurely terminate TCP connection |
491454-6 | 3-Major | | SSL negotiation may fail when SPDY profile is enabled |
490817-1 | 3-Major | | SSL filter might report codec alerts repeatedly |
490480-3 | 3-Major | | UCS load may fail if the UCS contains FIPS keys with names containing dot★ |
490129-1 | 3-Major | K16740 | SMTP monitor could not create socket on IPv6 node address |
488598-1 | 3-Major | K16631 | SMTP monitor on non-default route domain fails to create socket |
487757 | 3-Major | | Hybrid higig/front panel port packet discard (Ingress back-pressure vs. Egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on B4300/B2200/10000/12000-family platforms. |
487592 | 3-Major | K65442255 | Change in the caching duration of OCSP response when there is an error |
487587-2 | 3-Major | | The allowed range of 'status-age' in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might not be wide enough for some of the scenarios |
487554-2 | 3-Major | K41581381 | System might reuse TCP source ports too quickly on the server side. |
486724-3 | 3-Major | K16750 | After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails★ |
484305-2 | 3-Major | K16733 | Clientside or serverside command with parking command crashes TMM |
483539-1 | 3-Major | | With fastL4, incorrect MSS value might be used if SYN has options without MSS specified |
483353-1 | 3-Major | | HTTP compression might cause TMM crash in low-memory conditions |
481880-5 | 3-Major | | SASPD monitor cores |
481216-1 | 3-Major | | Fallback may be attempted incorrectly in an abort after an Early Server Response |
480686-7 | 3-Major | K15781 | Packet loop in VLAN Group |
480443-1 | 3-Major | K17464 | Internal misbehavior of the SPDY filter |
479682-4 | 3-Major | K16862 | TMM generates hundreds of ICMP packets in response to a single packet |
479176-1 | 3-Major | K16824 | TMM hangs and receives SIGABRT due to race condition during DNS db load |
478840-1 | 3-Major | K17014 | Cannot delete keys in subfolders using the BIG-IP GUI |
478734-5 | 3-Major | | Incorrect 'FIPS import for failed for key' failure when operation actually succeeds |
478195-4 | 3-Major | | Installation of FIPS .exp key files sets incorrect public exponent. |
477375-5 | 3-Major | | SASP Monitor may core |
475791-4 | 3-Major | K16171 | HTTP caching configured in a Web Acceleration profile may dispatch internal messages out-of-order, leading to assert |
475322-2 | 3-Major | | cur_conns number different in tmstat and snmp output. |
474584-2 | 3-Major | K16261 | igbvf driver leaks xfrags when partial jumbo frame received |
474226-2 | 3-Major | | LB_FAILED may not be triggered if persistence member is down |
474002-4 | 3-Major | K15972 | Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys |
473759-1 | 3-Major | | Unrecognized DNS records can cause mcpd to core during a DNS cache query |
472148-7 | 3-Major | | Highly fragmented SSL records can result in bad record errors on Nitrox based systems |
471821-1 | 3-Major | | Compression.strategy "SIZE" is not working |
471625-8 | 3-Major | | After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM |
470394-2 | 3-Major | K16242 | Priority groups may result in traffic being load balanced to a single pool member. |
469705-4 | 3-Major | | TMM might panic when processing SIP messages due to invalid route domain |
469115-3 | 3-Major | K75513721 | Management client-ssl profile does not support multiple key/cert pair. |
468472-7 | 3-Major | | Unexpected ordering of internal events can lead to TMM core. |
467868-3 | 3-Major | K15959 | Leak due to monitor status reporting |
464651-2 | 3-Major | K16636 | Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core. |
464163-3 | 3-Major | K15988 | Customized cert-key-chain of a client ssl profile might be reverted to its parent's. |
457934-4 | 3-Major | | SSL Persistence Profile Causing High CPU Usage |
456763-5 | 3-Major | | L4 forwarding and TSO can cause rare TMM outages |
456413-5 | 3-Major | | Persistence record marked expired though related connection is still active |
455840-7 | 3-Major | | EM analytic does not build SSL connection with discovered BIG-IP system |
449891-7 | 3-Major | | Fallback source persistence entry is not used when primary SSL persistence fails |
447272-2 | 3-Major | K17288 | Chassis with MCPD audit logging enabled will sync updates to device group state |
444710-6 | 3-Major | | Out-of-order TCP packets may be dropped |
443006-1 | 3-Major | | In low memory situations initializing the HTTP parser will cause the TMM to crash |
438792-5 | 3-Major | | Node flapping may, in rare cases, lead to inconsistent persistence behavior |
428163-3 | 3-Major | | Removing a DNS cache from configuration can cause TMM crash |
384451-6 | 3-Major | | Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions |
503560-2 | 4-Minor | | Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server. |
498597-5 | 4-Minor | K16761 | SSL profile fails to initialize and might cause SSL operation issues |
481820-1 | 4-Minor | | Internal misbehavior of the SPDY filter |
480888-2 | 4-Minor | K51148522 | Tcl parks during HTTP::collect, and serverssl is present, data can be truncated |
469739-4 | 4-Minor | K16218 | ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile |
463696-5 | 4-Minor | | FIPS keys might not be recoverable from UCS |
451224-3 | 4-Minor | | IP packets that are fragmented by TMM, the fragments will have their DF bit |
Performance Fixes
ID Number | Severity | Solution Article(s) | Description |
476144-1 | 1-Blocking | | TMM generates a core file when dynamically loading a shared library. |
497619-6 | 3-Major | K16183 | TMM performance may be impacted when server node is flapping and persist is used |
426939-5 | 3-Major | K15337 | APM Policies do not work in VIPRION 4800 chassis if there is no slot1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
477240-2 | 2-Critical | | iQuery connection resets every 24 hours |
499719-1 | 3-Major | | Order Zones statistics would cause database error |
475549-3 | 3-Major | | Input handling error in GTM GUI |
475092 | 3-Major | | Viewing DNS::Zones:Zones:Zones List:Statistics in the GUI generates error. |
468519-1 | 3-Major | | BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file. |
494305-3 | 4-Minor | K36360597 | [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list. |
491554-2 | 4-Minor | K54162409 | [big3d] Possible memory leakage for auto-discovery error events. |
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
488306-1 | 1-Blocking | | Requests not logged locally on the device |
478674-1 | 1-Blocking | K08359230 | ASM internal parameters for high availability timeout were not handled correctly |
516523-2 | 2-Critical | | Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group |
515433-1 | 2-Critical | K16639 | BD crash on specific signature sets configuration. |
512616-1 | 2-Critical | | BD crash during brute force attack on cluster environment |
508908-1 | 2-Critical | | Enforcer crash |
507919-1 | 2-Critical | | Updating ASM through iControl REST does not affect CMI sync state |
506372 | 2-Critical | | XML validation files related errors on upgrade |
504182-1 | 2-Critical | | Enforcer cores after upgrade upon the first request★ |
503169-1 | 2-Critical | | XML validation files are broken after upgrade★ |
493401-2 | 2-Critical | | Concurrent REST calls on a single endpoint may fail |
492978-1 | 2-Critical | | All blades in a cluster remain offline after provisioning ASM or FPS |
487420-1 | 2-Critical | | BD crash upon stress on session tracking |
486323-1 | 2-Critical | K16817 | The datasyncd process may keep restarting during the first 30 minutes following a hotfix installation |
481476-5 | 2-Critical | | MySQL performance |
517245-2 | 3-Major | | A request that should be blocked was forwarded to the server |
515449-1 | 3-Major | | bd agent listens on all addresses instead of the localhost only |
515190-2 | 3-Major | | Event Logs -> Brute Force Attacks can't show details after navigating to another page |
514093-1 | 3-Major | | Allow request logs to be filtered by destination IP |
513763 | 3-Major | | Slow response from GUI when listing Event Logs |
512668-1 | 3-Major | | ASM REST: Unable to Configure Clickjacking Protection via REST |
512001-1 | 3-Major | | Using REST API to Update ASM Attack Signatures Fails |
512000-1 | 3-Major | | Event Log Filter using Policy Group isn't accurate |
511947-1 | 3-Major | K24475274 | Policy auto-merge of Policy Diff |
511488-1 | 3-Major | | Correlation restarting on a multi-bladed vCMP guest |
511477-2 | 3-Major | | Manage ASM security policies from BIG-IQ |
510499-2 | 3-Major | K17544 | System Crashes after Sync in an ASM-only Device Group. |
509968-3 | 3-Major | | BD crash when a specific configuration change happens |
509873-1 | 3-Major | K01443011 | Rare crash and core dump of TMM or bd after rebooting a device or joining a trust domain. |
509495 | 3-Major | | A TMM memory leak when HTTP protocol security enabled profile and no AFM license |
508519-4 | 3-Major | | Performance of Policy List screen |
508338-1 | 3-Major | | Under rare conditions cookies are enforced as base64 instead of clear text |
507905 | 3-Major | | Saving Policy History during UCS load causes db deadlock/timeout★ |
507902-1 | 3-Major | K16697 | Failure and restart of mcpd in secondary blade when cluster is part of a trust domain. |
507289-3 | 3-Major | | User interface performance of Web Application Security Editor users |
506407 | 3-Major | K04420402 | Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages★ |
506386-2 | 3-Major | | Automatic ASM sync group remains stuck in init state when configured from tmsh |
506355-1 | 3-Major | | Importing an XML file without defined entity sections |
506110-1 | 3-Major | K25430927 | Log flood within datasyncd.log in clustered environment |
504973-1 | 3-Major | | Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead |
504718-2 | 3-Major | K75221274 | Policy auto-merge of Policy Diff |
502852-2 | 3-Major | | Deleting an in-use custom policy template |
501612-4 | 3-Major | | Spurious Configuration Synchronizations |
500544-1 | 3-Major | | XML validation files are not correctly imported/upgraded |
498708-1 | 3-Major | | Errors logged in bd.log coming from the ACY module |
498189-3 | 3-Major | | ASM Request log does not show log messages. |
497769 | 3-Major | | Policy Export: BIG-IP does not export redirect URL for 'Login Response Page' |
496565-1 | 3-Major | | Secondary Blades Request a Sync |
496264-1 | 3-Major | | SOAP Methods Were Not Being Validated For WSDL Based XML Profiles |
490284-3 | 3-Major | K17383 | ASM user interface extremely slow to respond (e.g., longer than 2 minutes to render policy list) |
489648-1 | 3-Major | | Empty violation details for attack signatures |
485764-5 | 3-Major | K17401 | WhiteHat vulnerability assessment tool is configured but integration does not work correctly |
484079-1 | 3-Major | K90502502 | Change to signature list of manual Signature Sets does not take effect. |
482915-1 | 3-Major | K17510 | Learning suggestion for the maximum headers check violation appears only for blocked requests |
475819-4 | 3-Major | K17325 | BD crash when trying to report attack signatures |
471103-1 | 3-Major | K10340625 | Ignoring null values for parameters with different content types |
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
508544-1 | 3-Major | | AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag
504414-1 | 3-Major | | AVR HTTP External log - missing fields
503683 | 3-Major | | Configuration upgrade failure due to change in an ASM predefined report name★
503471-1 | 3-Major | K17395 | Memory leak can occur when there is a compressed response, and abnormal termination of the connection
500457-1 | 3-Major | | Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash
500034-1 | 3-Major | | [SMTP Configuration] Encrypted password not shown in GUI
497681-1 | 3-Major | | Tuning of Application DoS URL qualification criteria
497376-1 | 3-Major | | Wrong use of custom XFF headers when there are multiple matches
488713-1 | 3-Major | | Corrupt memory
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
497662-3 | 1-Blocking | | BIG-IP DoS via buffer overflow in rrdstats
517146-1 | 2-Critical | | Log ID 01490538 may be truncated
516075-6 | 2-Critical | | Linux command line client fails with on-demand cert
513795-1 | 2-Critical | | HTML5 client is not available on APM Full Webtop when using VMware Horizon 6.1
507782-1 | 2-Critical | | TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
506235-2 | 2-Critical | | TMM Crash
497436-4 | 2-Critical | | Mac Edge Client behaves erratically while establishing network access connection
496894-1 | 2-Critical | | TMM may restart when accessing SAML resource under certain conditions.
495901-3 | 2-Critical | | Tunnel Server crash if probed on loopback listener.
493360-1 | 2-Critical | | Fixed possible issue causing Edge Client to crash during reconnect
489328-9 | 2-Critical | | Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.
473092-1 | 2-Critical | | Transparent Proxy + On-Demand Cert Auth will reset
431980-1 | 2-Critical | K17310 | SWG Reports: Overview and Reports do not show correct data.
515387 | 3-Major | | Update EPSEC package to latest verified in 11.6.0 branch
514636-1 | 3-Major | K17137 | SWG Category Lookup using Subject.CN results in a crash if the certificate presented does not have a Subject.CN.
514277-1 | 3-Major | | Provide a way to enable connection bar for Citrix desktops only
513646-1 | 3-Major | K37170914 | APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted, resulting in an orphaned timer
512999-1 | 3-Major | K17432 | LDAP Query may fail if user belongs to a group from foreign domain
512378-1 | 3-Major | | Changing per request policy in the middle of data traffic can cause TMM to crash
511961-1 | 3-Major | | BIG-IP Edge Client does not display logon page for FirePass
511648-2 | 3-Major | K16959 | On standby, TMM can core when the active system sends leasepool HA commands to the standby device
511441-3 | 3-Major | K17564 | Memory leak on request Cookie header longer than 1024 bytes
509956-4 | 3-Major | | Improved handling of cookie values inside SWG blocked page.
509758-2 | 3-Major | | EdgeClient shows incorrect warning message about session expiration
509010 | 3-Major | | Adding/Deleting a local user takes 30 seconds to complete
508719-1 | 3-Major | K22391125 | APM logon page missing title
508630-4 | 3-Major | | The APM client does not clean up DNS search suffixes correctly in some cases
507899 | 3-Major | | Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value
507318-3 | 3-Major | | JS error when sending message from DWA new message form using Chrome
507116-1 | 3-Major | K17030 | Web-application issues and/or unexpected exceptions.
506349-4 | 3-Major | | BIG-IP Edge Client for Mac identified as browser by APM in some cases
505797-1 | 3-Major | | Citrix Receiver for Android fails to authenticate with APM configured as StoreFront proxy and Access Gateway
505755-3 | 3-Major | K11043155 | Some scripts on a dynamically loaded HTML page might not be executed.
504880-2 | 3-Major | | TMM may crash when RDP client connects to APM configured as Remote Desktop Gateway
504606-3 | 3-Major | | Session check interval now has minimum value
503319-4 | 3-Major | K16901 | After network access is established, browser sometimes receives truncated proxy.pac file
502441-5 | 3-Major | | Network Access connection might reset for large proxy.pac files.
502016-4 | 3-Major | | Mac client components do not log version numbers in log file.
501498-1 | 3-Major | | APM CTU doesn't pick up logs for Machine Certificate Service
499620-6 | 3-Major | | BIG-IP Edge Client for Mac shows wrong SSL protocol version; does not display the protocol version that was negotiated.
499427-1 | 3-Major | | Windows File Check does not work if the filename starts with an ampersand
498993-1 | 3-Major | K16972 | It is possible to get an infinite loop in LDAP Query while resolving nested groups
498782-2 | 3-Major | K17104 | Config snapshots are deleted when failover happens
498469-5 | 3-Major | | Mac Edge Client fails intermittently with machine certificate inspection
497455-1 | 3-Major | | Mac Edge Client crashed during routine Network Access.
497325-1 | 3-Major | K16643 | New users cannot log in to Windows-based systems after installing BIG-IP Edge Client in certain deployments
496817-1 | 3-Major | | BIG-IP Edge Client for Windows fails to connect to FirePass server if tunnel is established through a proxy
495702-4 | 3-Major | K40419383 | Mac Edge Client sometimes cannot be downloaded from management UI
495319-3 | 3-Major | | Connecting to FirePass with APM Edge Client causes corporate network to be inaccessible
495265-1 | 3-Major | | SAML IdP and SP configured in same access profile not supported
494176-5 | 3-Major | | Network access to FirePass does not work on Yosemite using APM Mac Edge Client.
494088-4 | 3-Major | | APD or APMD should not assert when it can do more by logging an error message before exiting.
490844-4 | 3-Major | K50522620 | Some controls on a web page might stop working.
490681-1 | 3-Major | K17470 | Memcache entry for dynamic user leaks
490675-1 | 3-Major | K16855 | User name with leading or trailing spaces creates problems.
489382-7 | 3-Major | | Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
487170-1 | 3-Major | | Enhanced support for proxy servers that resolve to multiple IP addresses
486597-1 | 3-Major | | Fixed Network Access renegotiation procedure
486268-1 | 3-Major | | APM logon page missing title
485355-3 | 3-Major | | Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)
484582-2 | 3-Major | | APM Portal Access is inaccessible.
483526-1 | 3-Major | | Rarely seen Edge Client for Mac crash on session disconnect
482269-1 | 3-Major | | APM support for Windows 10 out-of-the-box detection
480817-3 | 3-Major | | Added options to troubleshoot client by disabling specific features
480242-5 | 3-Major | | APD, APMD, MCPD communication error failure now reported with error code
477898-1 | 3-Major | | Some strings on BIG-IP APM Edge Client User Interface were not localized
477795-1 | 3-Major | | SSL profile passphrase may be displayed in clear text on the Dashboard
476038-1 | 3-Major | | Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
475505-6 | 3-Major | | Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
474698-2 | 3-Major | | BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
474582-3 | 3-Major | | Add timestamps to logstatd logs for Policy Sync
473697-6 | 3-Major | | HD Encryption check should provide an option to choose drive
473129-5 | 3-Major | K15943 | httpd_apm access_log remains empty after log rotation
471421-5 | 3-Major | K16270 | RAM cache eviction spikes with change of access policy, leading to slow webtop rendering
471331-2 | 3-Major | | APM::RBA reset due to a leaked HUDEVT_REQUEST_DONE
460715-5 | 3-Major | | Changes in captive portal probe URL
452464-4 | 3-Major | K28271912 | iClient does not handle multiple messages in one payload.
452416-1 | 3-Major | | tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
437744-4 | 3-Major | K15186 | SAML SP service metadata exported from APM may fail to import.
437743-6 | 3-Major | | Import of Access Profile config that contains ssl-cert is failing
436201-6 | 3-Major | | JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
433972-13 | 3-Major | | New Event dialog widget is shifted to the left and Description field does not have action widget
433847-1 | 3-Major | | APD crashes with a segmentation fault.
432900-9 | 3-Major | | APM configurations can fail to load on newly-installed systems★
431149-6 | 3-Major | K17217 | APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
416115-14 | 3-Major | | Edge Client continues to use old IP address even when server IP address changed
410089-2 | 3-Major | | Linux client hangs after receiving the application data
403991-8 | 3-Major | | Proxy.pac file larger than 32 KB is not supported
510596-6 | 4-Minor | | Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
505662-1 | 4-Minor | | Signed SAML IdP/SP exported metadata contains some elements in wrong order
504461-2 | 4-Minor | | Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.
485202-1 | 4-Minor | | LDAP agent does not escape '=' character in LDAP DN
482134-1 | 4-Minor | | APD and APMD cores during shutdown.
471452-2 | 4-Minor | | Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
465012-4 | 4-Minor | | Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
464992-7 | 4-Minor | | Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
461597-11 | 4-Minor | | Mac Edge Client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate
460427-2 | 4-Minor | | Address collision reported when the Primary blade goes down or its TMM crashes in a Chassis IntraCluster environment.
456911-3 | 4-Minor | | Add BIG-IP hostname to system's static DNS host entries
493385-6 | 5-Cosmetic | | BIG-IP Edge Client uses generic icon set even if F5 icon set is configured
WebAccelerator Fixes
ID Number | Severity | Solution Article(s) | Description |
514838-1 | 1-Blocking | | TMM Crash on Relative URL
514785-2 | 1-Blocking | | TMM crash when processing AAM-optimized video URLs
486346-3 | 2-Critical | | Prevent wamd shutdown cores
447254-1 | 2-Critical | | Core in parked transaction due to evicted stand-in document
511534-1 | 3-Major | K44288136 | A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load,
481431-1 | 3-Major | | AAM concatenation set memory leak on configuration change
467633-5 | 3-Major | | WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)
488917-2 | 4-Minor | | Potentially confusing wamd shutdown error messages
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
486356-1 | 2-Critical | K16807 | Unable to configure a virtual with stats profile and sip profile in 11.6.0
482436-1 | 2-Critical | K16973 | BIG-IP processing of invalid SIP request may result in high CPU utilization
478442-5 | 2-Critical | | Core in sip filter due to sending of HUDEVT message while processing of HUDCTL message
477318-1 | 2-Critical | | Fixes possible segfault
466761-4 | 2-Critical | | Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
455006-7 | 2-Critical | K50532341 | Invalid data is merged with next valid SIP message causing SIP connection failures
512054-1 | 3-Major | K17135 | CGNAT SIP ALG - RTP connection not created after INVITE
511326-2 | 3-Major | K24410405 | SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
507143-1 | 3-Major | K17071 | Diameter filter may process HUDCTL_ABORT message before processing previously queued events, leading to tmm assertion
503676-4 | 3-Major | | SIP REFER, INFO, and UPDATE requests do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
500365-3 | 3-Major | | TMM Core as SIP hudnode leaks
499701-1 | 3-Major | | SIP Filter drops UDP flow when ingressq len limit is reached.
472376-3 | 3-Major | K17190 | A SIP virtual server may crash while trying to send a message if the connection is in the process of shutting down
448493-10 | 3-Major | | SIP response from the server to the client gets dropped
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
515562-1 | 2-Critical | K16813 | Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.
513403-1 | 2-Critical | K16490 | TMM asserts when certain ICMP packets (e.g., multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.
512609 | 2-Critical | | Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses
503541-2 | 2-Critical | | Use 64 bit instead of 10 bit for Rate Tracker library hashing.
501480-3 | 2-Critical | | AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
500925-3 | 2-Critical | | Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
517019-1 | 3-Major | | AVR-HTTP (and Application DoS): Detection of pool-member is sometimes incorrect
515187-2 | 3-Major | | Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
513565-1 | 3-Major | | AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.
511406-1 | 3-Major | K16421 | Pagination issue on firewall policy rules page
505624-1 | 3-Major | | Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration
503085-3 | 3-Major | | Make the RateTracker threshold a constant
502414-2 | 3-Major | | Make the RateTracker tier3 initialization number less variant.
501986-3 | 3-Major | | Add a sys db tunable to make Sweep and Flood vectors be rate-limited per-TMM process
496278-2 | 3-Major | K16294 | Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name
500449 | 4-Minor | | "Any IPv4 or IPv6" choice in sweep attack has atypical definition
497311 | 4-Minor | | Can't add an ICMPv6 type and code to a FW rule.
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
519407-1 | 2-Critical | | PEM session lookup by subscriber ID in TMSH fails if same IP is being used to create session with different subscriber ID
518967-1 | 2-Critical | K45215234 | Possible error when parsing for certain URL categorization input.
508051-1 | 2-Critical | K53394418 | DHCP response may return to wrong DHCP client.
506734 | 2-Critical | | Cloud lookup stress condition
506283 | 2-Critical | | 100% TPS drop when webroot cloud lookup is enabled under stress condition
505529 | 2-Critical | | wr_urldbd restarts continuously on VIPRION chassis with webroot lookup enabled.
505069 | 2-Critical | | Webroot cloud lookup granularity
503381-2 | 2-Critical | | SSL persistence may cause connection resets
500219-1 | 2-Critical | | TMM core if identical radius starts messages received
496976-2 | 2-Critical | | Crash when receiving RADIUS message to update PEM static subscriber.
484278-4 | 2-Critical | K16734 | BIG-IP crash when processing packet and running iRule at the same time
480544-1 | 2-Critical | | Secondary IP flows are not forwarded in multiple IP session
473680-1 | 2-Critical | K17559 | Multiple DHCP solicit packets may not succeed.
515638 | 3-Major | | 5% drop in Webroot cloud lookup performance with mixed upper/lowercase URLs
512734 | 3-Major | | Socket error when Webroot cloud lookup is enabled under stress condition
511064-1 | 3-Major | K17108 | Repeated install/uninstall of policy with usage monitoring stops after second time
510811-1 | 3-Major | | PEM::info iRule does not take effect if used right after PEM::session config policy iRule
510721-1 | 3-Major | | PEM::enable / PEM::disable iRule errors out with an error message
509105-1 | 3-Major | K74503799 | TMM cores sometimes if provisioning hold time is set to non-zero.
507753 | 3-Major | | URL categorization missed if HTTP 1.0 header does not have HOST
507549-1 | 3-Major | | PEM may ignore a RAR if the target session is in the Provision-Pending state
506578 | 3-Major | | Webroot cloud lookup does not yield a category.
505986 | 3-Major | | Extra Webroot cloud lookup requests when cache is full
504028-1 | 3-Major | | Generate CCR-T first and then CCR-I if session being replaced
495913-2 | 3-Major | | TMM core with CCA-I policy received with uninstall
488166-1 | 3-Major | | Provide an option to delete the session if IP class address Limit reached when new IP being added and create a new one instead.
467106-1 | 3-Major | | Loading ucs file after install 11.6.0 on top of 11.5.0 failed when Gx reporting is enabled.★
512663 | 4-Minor | | Added urlcatblindquery iRule command
489767 | 4-Minor | | Webroot cloud lookup support
478399-2 | 4-Minor | | PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-awre" profile is configured.
Carrier-Grade NAT Fixes
ID Number | Severity | Solution Article(s) | Description |
519723 | 2-Critical | | dnatutil utility needs update because DAG changed.
494280-3 | 2-Critical | K16256 | TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel
493807-5 | 2-Critical | K15989 | TMM might crash when using PPTP with profile logging enabled
482202-1 | 3-Major | | Very long FTP command may be ignored.
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
487553 | 3-Major | | FPS alerts
Anomaly Detection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
461949 | 2-Critical | K16431 | Virtual server with Portal Access and DOS profile resets connection |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
513215 | 2-Critical | | Only one of the TMMs loads the classification library after an IM package upgrade
508660-1 | 2-Critical | | Intermittent TMM crash in classification library
484483-2 | 2-Critical | | TCP and UDP were classified as Unknown by classification library
Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
503237-8 | CVE-2015-0235 | K16057 | CVE-2015-0235 : glibc vulnerability known as Ghost |
496849-1 | CVE-2014-9326 | K16090 | F5 website update retrievals vulnerability |
494078-4 | CVE-2014-9326 | K16090 | Update Check feature can be target of man-in-middle-attack |
492368-5 | CVE-2014-8602 | K15931 | Unbound vulnerability CVE-2014-8602 |
492367-4 | CVE-2014-8500 | K15927 | BIND vulnerability CVE-2014-8500 |
489323-1 | CVE-2015-8098 | K43552605 | Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server. |
477274-8 | CVE-2014-6031 | K16196 | Buffer Overflow in MCPQ |
500088-1 | CVE-2014-3571 | K16123 | OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update |
497719-1 | CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 | K15934 | NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296 |
496845-1 | CVE-2014-9342 | K15933 | NTP vulnerability CVE-2014-9296 |
482710-4 | CVE-2014-3566 | K15702 | SSLv3 protocol disabled in APM clients |
474757-15 | CVE-2014-3508 CVE-2014-5139 CVE-2014-3509 CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512 | K15573 | OpenSSL DTLS vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3507, OpenSSL vulnerability CVE-2014-3508, OpenSSL vulnerability CVE-2014-3510, TLS vulnerability CVE-2014-3511. |
485812-2 | CVE-2014-3660 | K15872 | libxml2 vulnerability CVE-2014-3660 |
471014-14 | CVE-2014-2970 CVE-2014-5139 | K15567 | OpenSSL vulnerability CVE-2014-5139 |
Functional Change Fixes
ID Number | Severity | Solution Article(s) | Description |
480583-1 | 2-Critical | | Support SIP/DNS DoS only for UDP packets; SIP DoS does not drop packets but counts drops
477524 | 3-Major | | Enable ssh for admin account and disable ssh for root account for Amazon deployments
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
493275-3 | 1-Blocking | | Restoring UCS file breaks auto-sync, requiring forced sync.
483436-1 | 1-Blocking | | No support in license files for 'hourly billing'.
482943-1 | 1-Blocking | | Cannot upgrade because of lack of root/admin access.
476126-1 | 1-Blocking | K16683 | Adding SR-IOV and VLAN tagging in the F5 VE with Emulex NIC
475829-1 | 1-Blocking | | AWS - VE is locked out after live install on 2nd slot.
499880 | 2-Critical | | boot menu titles might not contain volume suffix
487567-4 | 2-Critical | | Addition of a DoS Profile Along with a Required Profile May Fail
486137-3 | 2-Critical | | License activation may not proceed if MCPD is not fully operational★
484399-2 | 2-Critical | K16048 | Virtual Edition second installation slot and VMWare
478896 | 2-Critical | | Hourly Billing AMIs for 11.6.0 contain internal instead of production license
477031-2 | 2-Critical | | Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart
473641-1 | 2-Critical | | Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak
497870-1 | 3-Major | | PEM configured with BWC doing PEM policy changes could trigger leak
497062-1 | 3-Major | K16964 | PEM configured with BWC doing PEM policy changes could trigger leak
492809-4 | 3-Major | K16166 | Small but continuous mcpd memory leak associated with statistics.
485352-1 | 3-Major | | TMM dumps core file when loading configuration or starting up
483228-3 | 3-Major | | The icrd_child process generates core when terminating
479359-1 | 3-Major | | Loading a UCS file with no-platform-check stalls at platform check★
479302-3 | 3-Major | K16641 | Error message in ltm log: bcm56xxd: reading L2 entry Operation failed bs_arl.cpp.
479152-5 | 3-Major | K15888 | Hardware parity error mitigation on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
474332-3 | 3-Major | | No 'base-installable' images (release plus hotfix) for VM
474172 | 3-Major | | BIG-IQ at times cannot discover BIG-IP running TMOS 11.6.0 - 11.6.0 HF3, failure reason: Failed getting time zone.
474166-4 | 3-Major | | ConfigSync operation failing with rarely occurring sFlow error
473409-1 | 3-Major | | Route domain stats cannot be reset by using F5-BIGIP-LOCAL-MIB::ltmRouteDomainStatResetStats
468514-4 | 3-Major | K16000 | Receiving several ConfigSync requests in a short period of time may cause the mcpd process to restart and produce a core file
468021-3 | 3-Major | | UCS file from earlier version may not load into 11.5.0 or later image★
481135-1 | 4-Minor | K15818 | The pool members of a wide IP in Link Controller cannot be modified once created
441512-4 | 4-Minor | K15840 | ConfigSync failing with sFlow error
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
490225-3 | 2-Critical | K16030 | Duplicate DNSSEC keys can cause failed upgrade.★
484948-1 | 2-Critical | K16732 | UDP connflow may be aborted from parked iRule in server_closed.
478812-2 | 2-Critical | | DNSX Zone Transfer functionality preserved after power loss
502174-4 | 3-Major | | DTLS fragments do not work for ClientHello message.
484429-4 | 3-Major | | After updating a key/certificate in place and synchronizing the configuration, TMM may log critical-level messages that it could not load a key, certificate, or chain.
483974-2 | 3-Major | | Unrecognized EDNS0 option may be considered malformed.
483328-4 | 3-Major | K15851 | Client SSL profiles might fail to complete handshake, system logs critical-level error '01260000:2: Profile name-of-profile: could not load key/certificate'
477924-1 | 3-Major | | System can crash referencing compression provider where selection of provider has been deferred
477394-1 | 3-Major | | LTM might reset and cause out-of-ports
476281 | 3-Major | K16681 | tmm crash on uninitialized variable
475055-3 | 3-Major | | Core caused by incorrect accounting of I/O flows
472944-3 | 3-Major | | SMTPS race condition after STARTTLS may cause incorrect SMTP responses
463902-3 | 3-Major | | Hardware Compression in CaveCreek may cause excessive memory consumption.
437627-5 | 3-Major | | TMM may crash if fastl4 vs has fragmented packet
492780-1 | 4-Minor | K37345003 | Elliptic Curves Extension in ServerHello might cause failed SSL connection.
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
482442-5 | 4-Minor | | [GTM] [GUI] Changes to a single wide IP propagate to all wide IPs
Application Security Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
504232-1 | 2-Critical | | Attack signatures are not blocked after signature/set change
489705-2 | 2-Critical | K16245 | Running out of memory while parsing large XML SOAP requests
478876-2 | 2-Critical | | BIG-IP with many active ASM accounts after a restart
478672-1 | 2-Critical | | Enforcer memory leak
477432-6 | 2-Critical | | Roll forward from 11.3.0 with iApp configured fails to load correctly and causes bd to core★
475856-1 | 2-Critical | | BD may crash when enabling Base64 Decoding on Wildcard cookie
496011-1 | 3-Major | K17385 | Resets when session awareness enabled
492570-1 | 3-Major | | JavaScript error during CSRF protection
481792-1 | 3-Major | K84202340 | BD may crash within HTTP payload parser.
476191-1 | 3-Major | | Bypass Unicode validation on XML and JSON profiles by internal parameter
476179-1 | 3-Major | | Brute Force end attack operation mode reported as blocking while it was actually in transparent mode
475861-1 | 3-Major | | Session Awareness: Requests are reset
475135-1 | 3-Major | | BIG-IP goes offline after time change
474430-1 | 3-Major | | Rare issue: client session might not be restored by fingerprint in the Web Scraping mitigation.
473410-1 | 3-Major | | Policy Diff on merging missing URLs
470779-1 | 3-Major | | The Enforcer should exclude session awareness violations when counting illegal requests.
469786-1 | 3-Major | K04393808 | Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule
467776-1 | 3-Major | | Fix in the Guardium to ASM protocol
450241-3 | 3-Major | K21100172 | iControl error when discovering ASM from EM
441239-1 | 3-Major | | Event Correlation is not enabled on vCMP guests if the disk is SSD.
438809-6 | 3-Major | K17098 | Brute Force Login
Application Visibility and Reporting Fixes
ID Number | Severity | Solution Article(s) | Description |
499299-1 | 2-Critical | | Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash
480350-1 | 2-Critical | K15251065 | AVR and APM: TMM crashes
476336 | 2-Critical | | TMM and other daemons, such as the Enforcer, crash
475439-1 | 2-Critical | K16434 | Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash
474251-1 | 2-Critical | | IP addresses are not properly cleaned from lookup tables, so there might be no room for new IP addresses to be collected.
472969-1 | 2-Critical | | If you try to create more than 264 AVR profiles, avrd might crash.
499036 | 3-Major | | Rare cases of errors when loading data into mysql
496560-1 | 3-Major | | AVR and APM: TMM crashes (additional fixes for ID 480350)
493825-1 | 3-Major | K17520 | Upgrade failure from version 11.4.0 due to incorrect configuration being saved★
489682-1 | 3-Major | K40339022 | Configuration upgrade failure due to change in an ASM predefined report name★
481541-1 | 3-Major | | Memory leak in monpd when LTM and AVR or ASM are provisioned
478346-1 | 3-Major | | Some AVR statistics not collected properly
472607 | 3-Major | | VCMP: Warning messages in AVR log
467945-3 | 3-Major | | Error messages in AVR monpd log
Access Policy Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
488986-2 | 1-Blocking | K16582 | Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client. |
504060 | 2-Critical | iOS and Mac receivers cannot create account on Citrix StoreFront in proxy mode | |
494098-6 | 2-Critical | K16857 | PAC file download mechanism race condition |
485906 | 2-Critical | TMM may core when an APM virtual server has a OneConnect profile attached to the virtual server | |
485465-3 | 2-Critical | K16775 | TMM might restart under certain conditions when executing SLO. |
484454-3 | 2-Critical | K16669 | Users not able to log on after failover |
482833 | 2-Critical | apd crash for missing db variable | |
479524-5 | 2-Critical | K16823 | If a "refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten |
477540-1 | 2-Critical | K16851 | 'ACCESS::policy evaluate' iRule command causes crash of apmd daemon |
476736-2 | 2-Critical | APM IPv6 Network Access connection may fail in some cases | |
475049-1 | 2-Critical | Missing validation of disallowing empty DC configuration list | |
474532-5 | 2-Critical | K16357 | TMM may restart when SLO response is received on SLO request URL (.../post/sls) |
474392-1 | 2-Critical | OS X 10.10 Yosemite support | |
474058-5 | 2-Critical | K16689 | When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions |
471874-1 | 2-Critical | K16850 | VDI plugin crashes when trying to respond to client after client has disconnected |
469960-1 | 2-Critical | K16333 | Managing apd connection from tmm |
458928-5 | 2-Critical | APMD cores in Kerberos authentication, when the agent tries to derefence a null authparam session variable. | |
455284-4 | 2-Critical | K15907 | Monitor traffic rejected with ICMP message, causing node down |
496449-1 | 3-Major | APM does not support using session variables for the destination address in Citrix and VMware View remote desktop resources. | |
496447-1 | 3-Major | APM does not apply route domain configured in visual policy editor to Citrix/VMware View connections when their backends are specified as hostname/IP address. | |
496441-1 | 3-Major | APM does not apply route domain configured in visual policy editor to Java AppTunnel connections. | |
496440-1 | 3-Major | APM does not apply route domain configured in visual policy editor to Java RDP connections. | |
494284-3 | 3-Major | K16624 | Mac Edge Client with German as the primary language shows unneeded text under disconnected status. |
494189-1 | 3-Major | Poor performance in clipboard channel when copying | |
493487-3 | 3-Major | K45558362 | Function::call() and Function::apply() wrapping does not work as expected |
493164-3 | 3-Major | K62553244 | flash.net.NetConnection::connect() has an erroneous security check |
492238-6 | 3-Major | K16848 | When logging out of Office 365 TMM may restart |
492153-2 | 3-Major | K17055 | Edge Client shuts down the DTLS channel if the state of the IP address on the adapter used to build the tunnel changes to deprecated. |
491887-1 | 3-Major | K16645 | Changing the ending of a macro in Access Policy crashes TMM. |
491478-1 | 3-Major | EAM is a CMP plugin and spins up one thread per TMM. | |
491233-1 | 3-Major | K16105 | Rare deadlock in CustomDialer component |
490811-5 | 3-Major | Proxy configuration might not be restored correctly in some rare cases | |
490482-1 | 3-Major | K16638 | Applying Access Policy with an unused macro crashes TMM. |
488892-3 | 3-Major | JavaRDP client disconnects | |
487859-1 | 3-Major | K42022001 | Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI. |
485948-5 | 3-Major | K17418 | Machine Info Agent should have a fallback branch |
485396 | 3-Major | Online help about persistent cookies does not specify supported use | |
484847-2 | 3-Major | DTLS cannot be disabled on Edge Client for troubleshooting purposes | |
484298-2 | 3-Major | K16605 | The aced process may restart in a loop |
483601 | 3-Major | K16895 | APM sends a logout Bookmarked Access whitelist URL when session is expired. |
483379-1 | 3-Major | High CPU consumption and unresponsive interface of the menubar icon after 20-30 minutes | |
482260-4 | 3-Major | Location of Captive portal configuration registry entry in 64 bit windows is incorrect | |
482046-1 | 3-Major | Old password is not verified during password change from View client. | |
481257-5 | 3-Major | Information on "OPSWAT Integration Libraries V3" is missing from CTU report | |
481210-1 | 3-Major | K16426 | Active Directory Query doesn't populate all values of multi-value attributes |
481203-5 | 3-Major | User name case sensitivity issue | |
481046-5 | 3-Major | K17497 | F5_Inflate_text(o, incr, v) wrapper need to be fixed for case when o is script tag |
481020-1 | 3-Major | K17487 | Traffic does not flow through VPN tunnel in environments where the proxy server is load balanced |
480995-1 | 3-Major | APM client components are not using extended logging by default. | |
480247-5 | 3-Major | Modifying edge client application folder causes gatekeeper to throw warning | |
480047-1 | 3-Major | BIG-IP Edge Client for Windows does not enable you to generate a client troubleshooting report from the user interface. | |
479451-1 | 3-Major | K16737 | Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth |
478491 | 3-Major | Microsoft RDP client for iOS doesn't work against F5 APM for versions >= 8.1.0 | |
478333 | 3-Major | Edge-Client client shows an error about corrupted config file, when User's profile and temp folders located on different partitions | |
478285-2 | 3-Major | [MAC][NA] Routing table is not restored correctly in multi-homed environment if server settings disallow local subnet access | |
478214-1 | 3-Major | APM Native RDP Proxy does not allow users to authenticate without specifying a domain name. | |
478115-5 | 3-Major | The action attribute value of a form HTML tag is not properly rewritten in the Minimal Content Rewriting mode when it starts with "/" | |
477841-1 | 3-Major | Safari 8 does not use Network Access proxy. | |
477642-5 | 3-Major | Portal Access rewriting leads to page reload in Firefox | |
477474-3 | 3-Major | K03431040 | Wrong HTML rewriting at client side for very special case |
477445-1 | 3-Major | K16752 | APM client improved to support 2 interface connected to the same network segment |
476133-1 | 3-Major | In APM OAM authentication, ObSSOCookie _lastUseTime was not updated. | |
476033-1 | 3-Major | APM does not support Microsoft Remote Desktop 8.0.8 client for iOS to work using APM as RD Gateway. | |
476032-1 | 3-Major | BIG-IP Edge Client may hang for some time when disconnecting from a FirePass server | |
475770-1 | 3-Major | Fixed routing table management for cases when 2 or more interfaces are used | |
475682-6 | 3-Major | APM OAM should be sending a single Cookie header with the cookies delimited by semi-colon. | |
475650-5 | 3-Major | K16271 | The TMM may restart when processing single logout (SLO) messages. |
475363-6 | 3-Major | NTLM handling might not work as expected with an empty or invalid configuration, or when an exception occurs. | |
475360-6 | 3-Major | Edge client remembers specific virtual server URI after it is redirected | |
475262-1 | 3-Major | In some cases Edge Client for Windows does not re-resolve server hostname while reconnecting | |
475163-5 | 3-Major | Submitting an HTML form that has no action attribute results in a 404 error, with 'null' in the request URL. | |
475148-1 | 3-Major | Microsoft RDP Client for Mac OS X ver. 8.0.9 does not work correctly with BIG-IP APM. | |
475143 | 3-Major | CATEGORY::filetype command may cause tmm to crash and restart | |
474730-5 | 3-Major | Incorrect handling of form if it contains a tag with id=action | |
474231-5 | 3-Major | RAM cache evictions spikes with change of access policy which may lead to slow webtop rendering | |
473728-3 | 3-Major | K16899 | Incorrect HTML form handling. |
473386-4 | 3-Major | K17540 | Improved Machine Certificate Checker matching criteria for FQDN case |
473344-6 | 3-Major | Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP. | |
472825-2 | 3-Major | K52892802 | The Dashboard charts may dip when a blade is rebooted. |
471825-3 | 3-Major | K16637 | Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322. |
471772-1 | 3-Major | APM does not support VMware View application remoting. | |
471714-1 | 3-Major | K16637 | Certain SMTP servers (Windows) do not receive complete email due to missing CRLF header terminator in Emails generated by APM Email agent. |
471125 | 3-Major | Fixed issue causing EdgeClient to work improperly behind environment with CaptivePortal. | |
470414-4 | 3-Major | Portal Access rewrite daemon may crash while processing some Flash files | |
470225-4 | 3-Major | K15951 | Machine Certificate checker now correctly works in Internet Explorer 11 |
470205-2 | 3-Major | /config/.../policy_sync_d Directory Is 100% Full | |
469100-5 | 3-Major | K17145 | JavaScript index expressions with a comma are not properly rewritten |
468478-5 | 3-Major | K16659 | APM Portal Access becomes unresponsive. |
467849-6 | 3-Major | In some cases user cannot go to external sites through proxy when vpn is connected | |
466877-6 | 3-Major | K16774 | When BIG-IP is used as SAML SP, signatures created by IBM Tivoli Federated Identity Manager may fail validation |
466325-6 | 3-Major | K16692 | Continuous policy checks on windows might fail incorrectly in some cases |
463776-2 | 3-Major | K17142 | VMware View client freezes when APM PCoIP is used and user authentication fails against VCS 5.3 |
463230-1 | 3-Major | Aced service does not recover if child process dies. | |
462727-1 | 3-Major | K16436 | TMM crash when processing ACCESS::session iRule without an attached Access Policy |
456403-2 | 3-Major | Citrix Storefront native protocol | |
454493-1 | 3-Major | K16566 | VMWare View applications are not available on BIG-IP APM webtops |
447013-4 | 3-Major | K15890619 | The Citrix Client Detection process may incorrectly prompt for the installation of client software. |
441355-1 | 3-Major | Enable change password within vmview client when password doesn't meet the AD policy requirements | |
439518-3 | 3-Major | K16254 | Portal access resource item modifications are not synced |
438730-5 | 3-Major | K16666 | DNS Filtering driver causes crash/BSOD |
432102-6 | 3-Major | HTML reserved characters not supported as part of SAML RelayState | |
431810-5 | 3-Major | K16315 | APMD process core due to missing exception handling in execute agents |
428387-2 | 3-Major | SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",') | |
418850-1 | 3-Major | Do not restrict AD to be the last auth agent for View Client | |
407350-4 | 3-Major | Client side checks on Windows Phone 8 | |
400726-4 | 3-Major | No support for multi-valued attributes inside SAML assertion. | |
398657-8 | 3-Major | Active Session Count graph underflow | |
503924-1 | 4-Minor | Citrix receivers cannot authenticate | |
492844-1 | 4-Minor | Office365 generated SAML SLO message causes browser connection to be reset. | |
489888-1 | 4-Minor | Configuring VDI profile when APM is not provisioned, but does not. | |
489364-1 | 4-Minor | Web VPN client now correctly minimizes the IE window to the tray | |
485760-1 | 4-Minor | Tag <NameIDFormat> in SAML metadata may contain wrong attributes | |
480827-1 | 4-Minor | Logging might show unnecessary messages when Citrix Receiver connects to Storefront: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND). | |
480360-5 | 4-Minor | Edge Client for Mac blocks textexpander application's functionality | |
478397-1 | 4-Minor | Memory leak in BIG-IP APM Edge Client Windows API. | |
477138-1 | 4-Minor | Only one of several VMware View Desktop/Application pools with the same display name can be launched from APM Webtop | |
473377-5 | 4-Minor | BIG-IP as IdP may reject AuthnRequest with a specific NameID format | |
472216-2 | 4-Minor | Duration counter for customized Edge Client | |
466797-6 | 4-Minor | Added warning message when maximum session timeout is reached | |
464547-1 | 4-Minor | Show proper error message when VMware View client sends invalid credentials to APM | |
450033-5 | 4-Minor | Sometimes VMware View client 2.3 for Windows can't launch desktops via APM | |
447302-3 | 4-Minor | APM incorrectly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode. | |
432423-5 | 4-Minor | Need proactive alerts for APM license usage | |
421901-2 | 4-Minor | The 'Restore down' button can be hidden for full-screen RDP resources. | |
503673-1 | 5-Cosmetic | APM sets MRHSession cookie on /cgi/login request from Citrix Receivers | |
486344-2 | 5-Cosmetic | French translation does not properly fit buttons in BIG-IP Edge client on Windows | |
484856-1 | 5-Cosmetic | Citrix remote desktop visible even if the user cannot access it |
Wan Optimization Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
479889-5 | 1-Blocking | Memory leaks when iSession and iControl are configured | |
480305-1 | 4-Minor | tmm log flood: isession_handle_evt: bad transition:7 |
Service Provider Fixes
ID Number | Severity | Solution Article(s) | Description |
476886-3 | 3-Major | K15727 | When ICAP cuts off request payload, OneConnect does not drop the connection |
472092-3 | 3-Major | ICAP loses payload at start of request in response to long execution time of iRule |
Advanced Firewall Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
496036 | 1-Blocking | K16640 | GUI throws an error in some situations when an ASM policy is assigned to virtual server |
484245-1 | 1-Blocking | Delete firewall rule in GUI changes port settings in other rules to 'any' | |
498227-2 | 2-Critical | Incorrect AFM firewall rule counter update after pktclass-daemon restarts. | |
497342 | 2-Critical | TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule. | |
480903-1 | 2-Critical | AFM DoS ICMP sweep mitigation performance impact | |
478644 | 2-Critical | dwbld race with mcpd causes core. | |
477769-1 | 2-Critical | TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules. | |
469512-2 | 2-Critical | TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies. | |
500640-1 | 3-Major | K21264026 | TMM core might occur if FLOW_INIT iRule attached to Virtual server |
497732-2 | 3-Major | Enabling specific logging may trigger other unrelated events to be logged. | |
497667-2 | 3-Major | Configuring of ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generated error | |
497263-1 | 3-Major | Global whitelist count exhausted prematurely | |
496498-3 | 3-Major | Firewall rule compilation fails when there are multiple scheduled AFM rules and one of the non-scheduled AFM rules is modified. | |
495928-5 | 3-Major | APM RDP connection gets dropped on AFM firewall policy change | |
495698-3 | 3-Major | iRule can be deleted even though it exists in a rule-list | |
493234-1 | 3-Major | Device version in AFM log message could be empty | |
485787-1 | 3-Major | Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context | |
485771-1 | 3-Major | TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort. | |
480826 | 3-Major | IPs can be added for infinite duration | |
478816 | 3-Major | FastL4 TCP connection transitions are not logged | |
477576-1 | 3-Major | Valid iRule command FLOWTABLE::limit gets rejected when virtual server or route domain name is not specified | |
474896-1 | 3-Major | K10035412 | Remote logs without attack ID and mitigation fields |
442535-5 | 3-Major | K16227 | Time zone changes do not apply to log timestamps without tmm restart |
429885-6 | 3-Major | K17576 | Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics) |
498785 | 4-Minor | Black List Classes/Black List Categories terminology inconsistency | |
481189-2 | 4-Minor | Change the default value of pccd.hash.load.factor to 25 | |
480623 | 4-Minor | Category defaulted to whitelist when a valid category was not specified | |
480196 | 4-Minor | Packets not counted in tmctl ip_intelligence_stat on accept-decisively ACL match | |
478631 | 4-Minor | No validation for Shun TTL lengths |
Policy Enforcement Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
489754-1 | 2-Critical | K17408 | Flow based reporting attribute mismatch between TMUI and TCL |
483798-1 | 2-Critical | TMM crashes if iRule PSC::ip_address is used after RADIUS Authentication of DHCP discovery. | |
481373-1 | 2-Critical | TMM might core when deleting an entry for a user in a Radius AAA cache | |
472860-3 | 2-Critical | RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented. | |
484095-1 | 3-Major | RADIUS accounting message with multiple IPv6 prefixes causes TMM crash | |
482137-1 | 3-Major | Adding TCP iRules to PEM space | |
479917-1 | 3-Major | TMM crashes if new IP address is added to a session through radius interim update message. | |
476705-1 | 3-Major | TMM can crash if receiving radius start or stop messages with multiple IP but no subscriber ID. | |
474638-1 | 3-Major | PEM: Session policy list may be lost if there is a RADIUS update of custom attributes | |
453959-3 | 3-Major | UDP profile improvement for flexible TTL handling | |
481950-1 | 4-Minor | DHCP: Need an upgrade script for DHCPRELAY virtuals for BIG-IP version 11.5 and 11.4★ | |
476904-2 | 4-Minor | App type 0 session Update Failed on PEMDB: ERR_INPROGRESS |
Fraud Protection Services Fixes
ID Number | Severity | Solution Article(s) | Description |
484020 | 2-Critical | If Identify as Username is enabled for a parameter, the Encrypt checkbox is not grayed out. | |
492549 | 3-Major | FPS injection only into success responses | |
489933 | 3-Major | Generic malware false positives | |
486001 | 3-Major | Application Layer encryption not working on password field in certain situations | |
485253 | 3-Major | Enable directory protection | |
482034 | 3-Major | Browser displays error in console in Firefox 3.6.22 | |
474469 | 3-Major | Identical source integrity alerts are present. | |
473771 | 3-Major | No URL path in the Browser Automation alert | |
491168 | 4-Minor | Encrypt checkbox should be greyed out for a new parameter when Application Layer Encryption is disabled under URL Configuration. | |
478859 | 4-Minor | Username displayed with trailing "&" sign |
Traffic Classification Engine Fixes
ID Number | Severity | Solution Article(s) | Description |
487512-1 | 2-Critical | Enable Bittorrent classification in Qosmos by default | |
479450 | 2-Critical | K16766 | SSL traffic is not forwarded to destination |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
484635-1 | CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568 | K15722 | OpenSSL DTLS SRTP Memory Leak CVE-2014-3513, OpenSSL vulnerability CVE-2014-3567, and OpenSSL vulnerability CVE-2014-3568. |
451218-2 | CVE-2014-8730 | K15882 | TLS1.x padding vulnerability CVE-2014-8730. |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
478791-1 | 1-Blocking | Hardware compression test fails on 5000 series, 7000 series, 10000 series platforms |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
488208-1 | 2-Critical | openssl v1.0.1j. | |
485188-1 | 3-Major | Support for TLS_FALLBACK_SCSV |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Solution Article(s) | Description |
487808-3 | 3-Major | End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing. |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Solution Article(s) | Description |
476475 | 1-Blocking | SSL accelerator card does not function on the BIG-IP 12250 platform. | |
479374-5 | 2-Critical | K16255 | Setting appropriate TX driver settings for 40 GB interfaces. |
478948 | 2-Critical | DC PSU reported as AC | |
477676 | 2-Critical | HSB v2.3.12.1 bitstream integrated to fix HSB firmware issues | |
473772 | 3-Major | SNMP reports the incorrect product name for the BIG-IP 10350 NEBS platform. | |
473210 | 3-Major | Chassis Temperature Status not showing Nitrox3x3 temperatures | |
472767-1 | 3-Major | Adding slots to running guests with host-iso can become stuck | |
467693-1 | 3-Major | K16664 | sysObjectID SNMP OID returns 'linux' instead of BIG-IP platform. |
410101-3 | 3-Major | HSBe2 falls off the PCI bus |
Local Traffic Manager Fixes
ID Number | Severity | Solution Article(s) | Description |
477571-1 | 2-Critical | HTTP/2 support. |
Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Solution Article(s) | Description |
480931-1 | CVE-2014-6271 CVE-2014-7169 CVE-2014-7187 CVE-2014-7186 CVE-2014-6277 CVE-2014-6278 | K15629 | Multiple BASH vulnerabilities - ShellShock |
Functional Change Fixes
None
Cumulative fix details for BIG-IP v11.6.3.3 that are included in this release
726239-2 : interruption of traffic handling as sod daemon restarts TMM
Component: Local Traffic Manager
Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.
Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.
Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This fix handles a rare TMM crash when TCP persist timer is active.
724680-2 : OpenSSL Vulnerability: CVE-2018-0732
Solution Article: K21665601
724319 : BIG-IP versions 11.6.3.x show 'Edition' as 'Final', not 'Point Release'
Component: TMOS
Symptoms:
When issuing the command 'tmsh show sys version' or viewing the /VERSION file, BIG-IP versions 11.6.3.x show the 'Edition' element as 'Final', not the expected 'Point Release'.
For example, on BIG-IP v11.6.3.2, the 'tmsh show sys version' command shows:
# tmsh show sys version
Sys::Version
Main Package
Product BIG-IP
Version 11.6.3.2
Build 0.0.2
Edition Final
Date Wed May 23 19:39:10 PDT 2018
Conditions:
This occurs on all Point Release versions of BIG-IP v11.6.3.x.
Impact:
Possibly misleading indication of whether the installed BIG-IP v11.6.3.x version is a Point Release or not.
Workaround:
The final numeric element in the Version string indicates the Point Release number.
Fix:
When issuing the command 'tmsh show sys version' or viewing the /VERSION file, BIG-IP versions 11.6.3.x show the 'Edition' element as the expected 'Point Release'.
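The workaround above says to derive the point release from the Version string rather than from the Edition field. The following is an added example, not F5 code or tmsh output handling shipped with BIG-IP: it parses the 'tmsh show sys version' block shown in this entry (the sample text here is constructed to match it) and compares versions as tuples. Treating a three-element version such as 11.6.3 as point release 0 is this example's assumption, not an F5 statement.

```python
# Added example (not F5 code): parse 'tmsh show sys version' output and
# derive the point-release number from the Version string, as the workaround
# above recommends, instead of trusting the Edition field. A three-element
# version (e.g. 11.6.3) is treated as point release 0 (an assumption).
import re
from typing import Dict, Tuple

# Constructed sample modelled on the output quoted in this entry.
SAMPLE_OUTPUT = """\
Sys::Version
Main Package
  Product  BIG-IP
  Version  11.6.3.2
  Build    0.0.2
  Edition  Final
  Date     Wed May 23 19:39:10 PDT 2018
"""

# One "Key   value" line of the Main Package block.
FIELD_RE = re.compile(r"^\s*(Product|Version|Build|Edition|Date)\s+(.+?)\s*$")


def parse_sys_version(text: str) -> Dict[str, str]:
    """Return the Main Package fields keyed by lower-case name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    if "version" not in fields:
        raise ValueError("no Version field found in tmsh output")
    return fields


def version_tuple(version: str) -> Tuple[int, ...]:
    """'11.6.3.2' -> (11, 6, 3, 2); '11.6.3' -> (11, 6, 3, 0)."""
    parts = version.split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected BIG-IP version string {version!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def point_release(version: str) -> int:
    """The final numeric element of the Version string (per the workaround)."""
    return version_tuple(version)[3]


def is_at_least(installed: str, required: str) -> bool:
    """True if 'installed' is the same as or newer than 'required'."""
    return version_tuple(installed) >= version_tuple(required)


if __name__ == "__main__":
    fields = parse_sys_version(SAMPLE_OUTPUT)
    print(fields["version"], "point release", point_release(fields["version"]),
          "edition field says", fields["edition"])
```

Use the Version-derived value for fleet inventory or patch-level checks against 11.6.3.x builds; the Edition field on affected builds is not a reliable indicator.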
723130-5 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
Component: TMOS
Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.
Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).
Note: Existing BIG-IP VE instances are not subject to this issue.
Impact:
There might be questions about the integrity of the OVA file, and in some cases it might not be possible to deploy a new instance from an OVA file.
Workaround:
The expired OVA signing certificate has been replaced with a valid signing certificate.
Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.
722387-1 : TMM may crash when processing APM DTLS traffic
Component: Local Traffic Manager
Symptoms:
When processing DTLS traffic for APM, TMM may crash.
Conditions:
APM provisioned and configured.
DTLS enabled in APM configuration.
Impact:
TMM crash, leading to a failover event.
Workaround:
None.
Fix:
DTLS traffic is now processed as expected.
722363-4 : Client fails to connect to server when using PVA offload at Established
Component: Local Traffic Manager
Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.
When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.
Conditions:
A FastL4 virtual server is configured with offload_state = EST.
Impact:
Clients fail to connect to the server.
Workaround:
There is no workaround other than to disable PVA acceleration.
721924-4 : bgpd may crash processing extended ASNs
Component: TMOS
Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.
Conditions:
Dynamic routing enabled.
Extended ASN capability enabled: bgp extended-asn-cap enabled
Impact:
Dynamic routing disrupted while bgpd restarts.
Fix:
bgpd now processes extended ASNs as expected.
719554-4 : Linux Kernel Vulnerability: CVE-2018-8897
Solution Article: K17403481
716992-4 : The ASM bd process may crash
Solution Article: K75432956
716922-5 : Reduction in PUSH flags when Nagle Enabled
Component: Local Traffic Manager
Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.
Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.
Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.
Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.
Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.
Note: To take advantage of some of the Nagle benefits, use 'Auto'.
Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.
716900-5 : TMM core when using MPTCP
Component: Local Traffic Manager
Symptoms:
In some cases TMM may crash when processing MPTCP traffic.
Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.
Impact:
Traffic interrupted while TMM restarts.
Workaround:
There is no workaround other than to disable MPTCP.
Fix:
TMM no longer produces a core.
715923-2 : When processing TLS traffic TMM may reset connections
Component: Local Traffic Manager
Symptoms:
Under certain conditions TMM may reset TLS connections with a BAD_RECORD_MAC alert.
Conditions:
TLS profile active.
Impact:
BIG-IP sends a BAD_RECORD_MAC alert and terminates the SSL connection.
Workaround:
None.
Fix:
TMM now processes TLS traffic as expected.
714879-5 : APM CRLDP Auth passes all certs
Component: Access Policy Manager
Symptoms:
In some situations, a failure to download a new CRL may result in the CRLDP Auth agent treating revoked certs as valid.
Conditions:
Non-zero value for the update-interval in the CRLDP AAA object, and a download failure occurs while trying to update the CRL.
Impact:
Revoked users may regain access.
Workaround:
None.
Fix:
Failure to download a CRL will now revert to the cached CRL, if that CRL is still valid under its nextUpdate time. If there is no valid cached CRL, APM reverts to the action specified in the AAA CRLDP setting of 'Null CRL Allowed'.
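The security point in this entry is the fail-open path: a revocation check that cannot obtain fresh data must not behave as if nothing is revoked. The following is an added example, not F5 code; it is a small model of the behaviour described above, with hypothetical names, serial numbers and timings and no real CRL download. It contrasts the pre-fix path (download failure, revoked certificates pass) with the fixed path (download failure, cached CRL used while it is inside its nextUpdate window, otherwise the 'Null CRL Allowed' setting decides).

```python
# Added example (not F5 code): a model of the CRLDP Auth behaviour described
# in this entry. Names, timings and serial numbers are hypothetical; nothing
# here fetches a real CRL.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Set


@dataclass
class CRL:
    revoked_serials: Set[int]
    this_update: datetime
    next_update: datetime

    def is_valid_at(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


class CRLDPAuth:
    """Simplified CRL revocation check with a cache and a null-CRL policy."""

    def __init__(self, fetch: Callable[[], CRL], update_interval: timedelta,
                 null_crl_allowed: bool = False) -> None:
        self.fetch = fetch                      # downloads the CRL; may raise
        self.update_interval = update_interval  # the AAA object's update-interval
        self.null_crl_allowed = null_crl_allowed
        self.cached: Optional[CRL] = None
        self.next_refresh: Optional[datetime] = None

    def _try_refresh(self, now: datetime) -> bool:
        try:
            self.cached = self.fetch()
        except Exception:
            return False                        # keep whatever was cached before
        self.next_refresh = now + self.update_interval
        return True

    def check_pre_fix(self, serial: int, now: datetime) -> bool:
        """Models the symptom: with no fresh revocation data, 'not listed as
        revoked' was treated as 'not revoked', so revoked certs passed."""
        if self._try_refresh(now):
            return serial not in self.cached.revoked_serials
        return True                             # fail open

    def check(self, serial: int, now: datetime) -> bool:
        """Models the fix: refresh when due; on failure keep using the cached
        CRL while it is inside its nextUpdate window; with no usable CRL at
        all, the 'Null CRL Allowed' setting decides."""
        if self.cached is None or self.next_refresh is None or now >= self.next_refresh:
            self._try_refresh(now)
        if self.cached is not None and self.cached.is_valid_at(now):
            return serial not in self.cached.revoked_serials
        return self.null_crl_allowed            # fail closed unless configured otherwise


def run_scenario(null_crl_allowed: bool) -> Dict[str, bool]:
    """Constructed timeline: the distribution point answers at t0, then goes away."""
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    cdp = {"reachable": True}

    def fetch() -> CRL:
        if not cdp["reachable"]:
            raise ConnectionError("CRL distribution point unreachable")
        return CRL({42}, this_update=t0, next_update=t0 + timedelta(hours=1))

    agent = CRLDPAuth(fetch, timedelta(minutes=5), null_crl_allowed)
    out: Dict[str, bool] = {}
    out["revoked_at_t0"] = agent.check(42, t0)                         # False: revoked
    cdp["reachable"] = False
    t1 = t0 + timedelta(minutes=10)                                    # refresh due, download fails
    out["pre_fix_revoked_after_outage"] = agent.check_pre_fix(42, t1)  # True: revoked cert passes
    out["fixed_revoked_after_outage"] = agent.check(42, t1)            # False: cached CRL still valid
    out["fixed_good_cert_after_outage"] = agent.check(7, t1)           # True
    t2 = t0 + timedelta(hours=2)                                       # cached CRL past nextUpdate
    out["fixed_good_cert_no_valid_crl"] = agent.check(7, t2)           # whatever Null CRL Allowed says
    return out


if __name__ == "__main__":
    print(run_scenario(null_crl_allowed=False))
```

When reviewing a deployment, check the 'Null CRL Allowed' setting deliberately: with it enabled, an attacker who can keep the distribution point unreachable past the cached CRL's nextUpdate time turns every certificate, revoked or not, into an accepted one.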
714716-4 : Apmd logs password for acp messages when in debug mode
Component: Access Policy Manager
Symptoms:
Apmd logs password when executing policy via iRule.
Conditions:
-- APM is licensed and provisioned
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- Clear text password is supplied for authentication
-- Debug mode active
Impact:
Apmd logs clear text password
Workaround:
Use '-secure' option when providing/setting password session variable in iRule, for example:
-- ACCESS::session data get [-sid <sid>] [-secure] <key> -ssid <session_id>
-- ACCESS::session data set [-sid <sid>] [-secure] <key> [<value>]
Fix:
Apmd now no longer logs password in debug mode when evaluating policy via iRule.
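The workaround above relies on marking the password session variable as secure at write time so that debug output masks it. The following is an added example, not F5 code: it is not apmd, an iRule, or the ACCESS::session API, but a small model of the pattern, with hypothetical names. The session variable names follow APM's session.logon.last.* convention; the credential is a constructed value.

```python
# Added example (not F5 code): a model of the '-secure' session-variable flag.
# The point: a secret is marked when stored, every debug path that dumps
# session state masks it, and the policy logic still reads the real value.
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

MASK = "********"


@dataclass
class SessionVar:
    value: str
    secure: bool = False


class SessionStore:
    """Per-session key/value store; 'secure' is the analogue of '-secure'."""

    def __init__(self) -> None:
        self._vars: Dict[str, SessionVar] = {}

    def set(self, key: str, value: str, secure: bool = False) -> None:
        self._vars[key] = SessionVar(value, secure)

    def get(self, key: str) -> str:
        return self._vars[key].value            # real value, for policy logic only

    def debug_dump(self) -> List[str]:
        """What a debug-level logger is allowed to see."""
        return [f"{k}={MASK if v.secure else v.value}" for k, v in self._vars.items()]


def evaluate_policy(store: SessionStore, expected_password: str,
                    debug: bool, log: List[str]) -> bool:
    """Models 'ACCESS::policy evaluate' with the daemon in debug mode: the
    session state is logged, then the real password is compared in constant time."""
    if debug:
        log.extend("acp debug: " + line for line in store.debug_dump())
    supplied = store.get("session.logon.last.password")
    return hmac.compare_digest(supplied.encode(), expected_password.encode())


def demo(secure: bool) -> Tuple[bool, bool]:
    """Returns (auth_succeeded, password_appeared_in_log) for a constructed logon."""
    store = SessionStore()
    store.set("session.logon.last.username", "alice")
    store.set("session.logon.last.password", "hunter2", secure=secure)   # constructed credential
    log: List[str] = []
    ok = evaluate_policy(store, "hunter2", debug=True, log=log)
    leaked = any("hunter2" in line for line in log)
    return ok, leaked


if __name__ == "__main__":
    print("without secure flag:", demo(secure=False))   # authenticates, but password is in the log
    print("with secure flag:   ", demo(secure=True))    # authenticates, log shows the mask
```

The masking lives in the store rather than in each logger so that any new debug path inherits it; the same reasoning applies when auditing a BIG-IP: grep /var/log/apm for credentials after enabling debug logging, and treat any hit as a reason to rotate the affected passwords.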
713951-2 : tmm core files produced by nitrox_diag may be missing data
Component: Local Traffic Manager
Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.
Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.
Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.
711281-2 : nitrox_diag may run out of space on /shared
Component: Local Traffic Manager
Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.
Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.
Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.
Workaround:
The only workaround is to ensure there is enough free space for the files to be created.
In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.
Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.
710827-5 : TMUI dashboard daemon stability issue
Component: TMOS
Symptoms:
Some dashboard requests may cause a crash of TMUI dashboard daemons, affecting the TMUI dashboard.
Conditions:
Request sent to BIG-IP dashboard.
Impact:
Only the TMUI dashboard goes offline. Other TMUI functionality is not affected by this issue.
Workaround:
None available.
Fix:
Correct exception handling now prevents the TMUI dashboard service failure.
710314-3 : TMM may crash while processing HTML traffic
Solution Article: K94105051
710148-5 : CVE-2017-1000111 & CVE-2017-1000112
Solution Article: K60250153
710028-5 : LTM SQL monitors may stop monitoring if multiple monitors querying same database
Component: Local Traffic Manager
Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.
When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:
[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'
then multiple, periodic instances of the following message, referencing the same connection string:
Abandoning hung SQL query: '<query string>' for: '<connection string>'
or:
<connection string>(<thread-number>): Hung SQL query; abandoning
Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.
And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.
Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.
To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.
Fix:
LTM SQL monitors continue monitoring when multiple monitors query the same server and database.
708653-4 : TMM may crash while processing TCP traffic
Component: Local Traffic Manager
Symptoms:
Under certain conditions, TMM may crash while processing TCP traffic
Conditions:
TCP profile enabled
Impact:
TMM crash leading to a failover event
Fix:
TMM processes TCP traffic as expected
708382 : Multiple TMM cores in http_cookie_decrypt
Component: Local Traffic Manager
Symptoms:
A virtual server with client/server SSL profiles, an HTTP profile, and a cookie persistence profile experiences multiple TMM cores in http_cookie_decrypt.
Conditions:
This occurs with a virtual server configured as follows:
-- Client/server SSL profiles.
-- HTTP profile.
-- Cookie persistence profile
Impact:
Device fails over. TMM cores. Traffic disrupted while tmm restarts.
Workaround:
This is likely a rarely occurring event. There is no workaround short of not using encryption for HTTP cookie persistence.
708249-5 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit
Component: Local Traffic Manager
Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.
Conditions:
Run the nitrox_diag command.
Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.
Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0
Fix:
The nitrox_diag utility now passes the -s0 flag to qkview when generating QKView files, so there is no longer a 5 MB maximum file size limit and the full QKView file is created.
708114-2 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
Solution Article: K33319853
Component: Local Traffic Manager
Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.
Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.
Impact:
TMM crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.
707738-5 : Network Access cannot be established on Windows 10 RS4
Solution Article: K84747528
Component: Access Policy Manager
Symptoms:
Network Access cannot be established on Microsoft Windows 10 RS4. Both EdgeClient and F5 VPN fail with the following error: An incorrect structure size was detected.
Note: Custom Dial-up entry client is not affected.
This is caused by Windows 10 RS4 regression in Remote Access System (RAS).
Conditions:
Network Access connection fails when any of the following conditions are met:
-- The Windows system is a clean Windows 10 RS4 installation.
-- The Windows system has never connected to APM.
-- The Windows system previously was connected to APM, but the BIG-IP Administrator modified Network Access resource settings
When all of the following conditions are met, Network Access continues to work, unless the Administrator modifies the resource configuration or the user connects to a new APM server:
-- The Windows system was previously connected to a specific virtual server on a particular APM.
-- The Windows system was upgraded from previous Windows 10 version to Windows 10 RS4.
-- The Windows system Administrator has not modified any settings of Network Access resource.
Impact:
Network Access connection cannot be established.
Workaround:
None.
Note: This is caused by Windows 10 RS4 regression in RAS.
Fix:
Due to an issue introduced in Windows RS4, a VPN connection could not be established. This has been fixed.
707445-1 : Nitrox 3 compression hangs/unable to recover
Solution Article: K47025244
Component: TMOS
Symptoms:
LTM logs show the following message:
Nitrox 3, Hang Detected: compression device was reset
When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.
Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.
Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.
Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.
Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.
There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:
A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).
Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.
Fix:
Compression device reset recovery made more robust for some compression failures.
707226-3 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
Component: TMOS
Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.
Impact:
Meltdown/PTI mitigations may negatively impact performance.
Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.
To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:
tmsh modify sys db kernel.pti value disable
Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; however, to exploit this vulnerability an attacker must already be able to run arbitrary code on the system. Good access controls and keeping the system up to date with security fixes mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.
Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.
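The following is an added example (not F5 code) for auditing the kernel.pti setting described in this entry against the guidance in the note above: PTI may be disabled as a performance trade-off on a non-vCMP system, but a vCMP host with multiple tenants should keep it enabled. It assumes that the output of 'tmsh list sys db kernel.pti' has the shape shown in the comment, and that the operator supplies the number of vCMP guests on the host (0 for a non-vCMP system), since that is not derivable from the db variable itself.

```shell
#!/bin/sh
# Added example (not F5 code): audit the kernel.pti db variable.
# Assumed output shape of `tmsh list sys db kernel.pti`:
#   sys db kernel.pti {
#       value "enable"
#   }
# The vCMP guest count is supplied by the operator (0 on a non-vCMP system).

# Extract the quoted value from captured `tmsh list sys db kernel.pti` output.
pti_value() {
    printf '%s\n' "$1" | sed -n 's/.*value[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# pti_verdict VALUE GUEST_COUNT
# Exit status: 0 = acceptable, 1 = mitigation should be re-enabled,
# 2 = unrecognised value. A human-readable reason is printed as well.
pti_verdict() {
    value=$1
    guests=${2:-0}
    case "$value" in
        enable)
            echo "ok: Meltdown/PTI mitigation enabled"
            return 0 ;;
        disable)
            if [ "$guests" -gt 1 ]; then
                echo "re-enable: kernel.pti disabled on a vCMP host with $guests guests"
                echo "  run: tmsh modify sys db kernel.pti value enable"
                return 1
            fi
            echo "ok: kernel.pti disabled; performance trade-off accepted on a single-tenant system"
            return 0 ;;
        *)
            echo "unknown kernel.pti value: '$value'"
            return 2 ;;
    esac
}

# Usage on a BIG-IP (kept as a comment so the file can be sourced offline):
#   pti_verdict "$(pti_value "$(tmsh list sys db kernel.pti)")" <number-of-vcmp-guests>
```

The exit status makes the check usable from a fleet-wide audit loop: any device returning 1 is a multi-tenant vCMP host running with Meltdown mitigations off.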
706304 : ASU and other Update Check services overload F5 download server
Component: Application Security Manager
Symptoms:
ASM Signature Update (ASU) and other Update Check services may fail due to an overload on the F5 download server.
Conditions:
-- Automatic update attempt is initiated during specified schedule.
-- F5 download server is overloaded by Update attempts.
Impact:
ASU and other Update Check services fail.
Workaround:
To work around this issue, run manual updates instead.
To prevent this issue, change the time of the daily job run. To do so, follow these steps:
1. Open the cron job text file.
# vi /etc/crontab
2. Change this line as follows:
From: 02 4 * * * root run-parts /etc/cron.daily
To: 10 4 * * * root run-parts /etc/cron.daily
3. Save the changes, and quit vi.
This will change the automatic updates to run at 4:10 rather than 4:02.
Fix:
ASU and other Update Check services now stagger their download attempts to prevent overloading the F5 download server.
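The following is an added example (not F5 code) that applies the crontab workaround above. It goes beyond the fixed 4:02 to 4:10 change in the workaround: the root cause is that every device retries in the same minute, so the minute is derived from a per-device name (for example the hostname) and each device lands in its own stable slot between 4:00 and 4:59. It assumes the crontab file carries the stock line quoted in the workaround ("02 4 * * * root run-parts /etc/cron.daily"); the file path and the name passed to stagger_minute are supplied by the caller.

```shell
#!/bin/sh
# Added example (not F5 code): stagger the cron.daily start minute per device.
# Assumes the stock line "02 4 * * * root run-parts /etc/cron.daily" is present.

# Deterministic minute (0-59, no leading zero) derived from a name such as the
# hostname, so devices spread out without any coordination between them.
stagger_minute() {
    crc=$(printf '%s' "$1" | cksum | awk '{ print $1 }')
    echo $((crc % 60))
}

# stagger_cron_daily FILE MINUTE
# Rewrite only the "MM 4 * * * root run-parts /etc/cron.daily" line so it
# runs at 04:MINUTE. Other cron lines are left untouched. The result is
# written to a temp file and swapped in only if sed succeeded.
stagger_cron_daily() {
    file=$1
    minute=$(printf '%02d' "$2")
    tmp="$file.tmp.$$"
    sed -E "s#^[0-9]+[[:space:]]+4([[:space:]]+\*){3}[[:space:]]+root[[:space:]]+run-parts[[:space:]]+/etc/cron\.daily[[:space:]]*\$#$minute 4 * * * root run-parts /etc/cron.daily#" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Usage on a BIG-IP (kept as a comment so the file can be sourced offline):
#   stagger_cron_daily /etc/crontab "$(stagger_minute "$(hostname)")"
```

Because the minute comes from a checksum of the name rather than from a random number, re-running the script is idempotent and the schedule survives a rebuild of the device with the same hostname.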
705794-4 : Under certain circumstances a stale http2 stream can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
An HTTP/2 stream is overlooked when an HTTP/2 flow is cleaned up.
Conditions:
The only known condition is that closing_stream is not empty; the exact trigger is not clear.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
HTTP2 flows are properly cleaned up to prevent a tmm crash.
705476-5 : Appliance Mode does not follow design best practices
Component: TMOS
Symptoms:
Appliance Mode does not follow design best practices
Conditions:
Appliance Mode does not follow design best practices
Impact:
Appliance Mode does not follow design best practices
Fix:
Appliance Mode now follows design best practices
704580-4 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
Solution Article: K05018525
704490-1 : CVE-2017-5754 (Meltdown)
Solution Article: K91229003
704483-1 : CVE-2017-5753 (Spectre Variant 1)
Solution Article: K91229003
704184-4 : Create files with owner only read write permissions
Solution Article: K52171282
703940-4 : Malformed HTTP/2 frame consumes excessive system resources
Solution Article: K45611803
703515-6 : MRF SIP LB - Message corruption when using custom persistence key
Solution Article: K44933323
Component: Service Provider
Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.
Conditions:
Custom persistence key is not a multiple of 3 bytes
Impact:
The SIP request message may be corrupted when the via header is inserted.
Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.
Fix:
All persistence key lengths work as expected.
702490-5 : Windows Credential Reuse feature may not work
Component: Access Policy Manager
Symptoms:
The Windows Credential Reuse feature may not work, requiring the EdgeClient end user to enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).
The logterminal.txt file contains messages similar to the following:
<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted
Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.
Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.
Workaround:
There is no workaround at this time.
Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.
702443 : A pool can be deleted despite being referenced as a clone-pool by an LTM policy action
Solution Article: K22510506
Component: Local Traffic Manager
Symptoms:
If a pool is being referenced as a clone-pool by a policy action, it can be deleted without any validation errors.
Conditions:
-- LTM policies configured.
-- At least one policy action forwards to the pool as a clone-pool.
-- No other objects reference the pool.
-- The referenced pool is deleted.
Impact:
The pool is deleted without error, but the policy action's reference to it remains, so the policy references a pool that no longer exists. Config sync operations fail, and the configuration does not load.
Workaround:
Manually remove the reference to the pool from the policy action.
Fix:
Prevented pools from being deleted when they are referenced as clone-pools by policy actions.
702151-3 : HTTP/2 can garble large headers
Component: Local Traffic Manager
Symptoms:
The HTTP/2 filter may incorrectly encode large headers.
Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.
Impact:
The garbled header may no longer conform to the HPACK specification, causing the connection to be dropped; or it may be well formed but carry incorrect data.
Fix:
The HTTP/2 filter correctly encodes large HTTP headers.
701944-6 : machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6
Solution Article: K42284762
Component: Access Policy Manager
Symptoms:
Machine certificate check crashes a Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when 'match issuer' is specified in the configuration.
Conditions:
- Machine certificate check configured with 'match issuer'.
- macOS Sierra 10.12.6 (16G29).
- BIG-IP Edge client.
- F5 EPI.
Impact:
Machine certificate check does not pass because Edge client crashes.
Workaround:
None.
Fix:
The machine certificate check now completes successfully using the Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when "match issuer" is specified in the configuration.
701626-4 : GUI resets custom Certificate Key Chain in child client SSL profile
Solution Article: K16465222
Component: TMOS
Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).
Conditions:
This happens in the following scenario:
1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.
Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.
Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This sets the value of inherit-certkeychain to false, preventing the issue from occurring.
You can also use tmsh to update parent profile settings to avoid this issue.
Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.
701359-3 : BIND vulnerability CVE-2017-3145
Solution Article: K08613310
701253-2 : TMM core when using MPTCP
Component: Local Traffic Manager
Symptoms:
When MPTCP is enabled on a virtual server, TMM may generate a core file and restart.
Conditions:
MPTCP must be in use.
Impact:
TMM crash, leading to a failover event.
Workaround:
Disable MPTCP.
Fix:
Prevented TMM core.
700889-1 : Software syncookies without TCP TS improperly include TCP options that are not encoded
Solution Article: K07330445
Component: Local Traffic Manager
Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.
Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.
Impact:
In one known case, the client was Windows 7, which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not use WS in this case and uses the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.
Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.
Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.
700571-1 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE
Component: Service Provider
Symptoms:
The BIG-IP SIP MR profile does not maintain the Via header 'branch' parameter ID between an INVITE and the CANCEL for that same INVITE when Via header insertion is enabled.
Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL
Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.
Workaround:
None.
Fix:
The branch parameter value calculation now remains consistent throughout the connection.
700393-5 : Under certain circumstances a stale http2 stream can cause a tmm crash
Component: Local Traffic Manager
Symptoms:
Tmm may crash due to a stale/stalled HTTP2 stream.
Conditions:
http2 profile in use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
There is no workaround at this time.
Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.
699455-2 : SAML export does not follow best practices
Solution Article: K50254952
699346-1 : NetHSM capacity reduces when handling errors
Solution Article: K53931245
699267-3 : LDAP Query may fail to resolve nested groups
Component: Access Policy Manager
Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).
Conditions:
LDAP Query agent is configured in an Access Policy.
The 'Fetch groups to which the user or group belong' option is enabled.
Impact:
LDAP Query agent fails.
Unable to get user identity.
Unable to finalize the Access Policy.
Fix:
After the fix, LDAP Query resolves all nested groups as expected and the session.ldap.last.attr.memberOf attribute contains the user's groups.
698000-4 : Connections may stop passing traffic after a route update
Solution Article: K04473510
Component: Local Traffic Manager
Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.
Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.
Impact:
Connections may fail after routing updates. New connections will not be affected.
Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.
Fix:
Routing updates no longer interrupt traffic on connections that use a pool member to reach the nexthop.
697904 : GUI does not show Device names with <> properly.
Component: TMOS
Symptoms:
When the Device Name has <> (left and right angle brackets) in the name, the GUI does not show the name properly.
Conditions:
Device Name contains <> characters.
Impact:
User is unable to see the device name in the GUI.
Workaround:
Use tmsh to see the device name.
Fix:
Enable the GUI to show device name with <> characters.
697794 : ROM layout file missing for Blade B2250 in BIG-IP VIPRION 2400 chassis
Component: TMOS
Symptoms:
An error similar to the following is posted when blade B2250 is PXE-booted and an attempt is made to extract OPTN class data from the SPI flashrom:
ERROR: Could not open ROM layout (/usr/firmware/victoria2-rom.layout).
Please run "flashrom --help" for usage info.
Conditions:
When the ROM layout file is missing under the /usr/firmware/ directory in Maintenance OS (MOS).
Impact:
Failure to extract OPTN class data from the SPI flashrom results in failure to determine whether the system should be RAID formatted.
Workaround:
None.
697303-4 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.
Impact:
BD crash, failover, and traffic disturbance.
Workaround:
Turn off the internal parameter relax_unicode_in_json.
Fix:
BD no longer crashes under these conditions.
696265-2 : BD crash
Solution Article: K60985582
Component: Application Security Manager
Symptoms:
BD crash.
Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.
Impact:
Potential traffic disturbance and failover.
Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.
Fix:
Fixed a BD crash scenario.
696049-4 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
Component: Service Provider
Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.
Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.
Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.
Workaround:
None.
Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.
695901-3 : TMM may crash when processing ProxySSL data
Solution Article: K46940010
694922-2 : ASM Auto-Sync Device Group Does Not Sync
Component: Application Security Manager
Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.
Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device
Impact:
ASM configuration is not correctly synchronized between devices
Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic
Fix:
Devices no longer spuriously enter an untrusted state
694901-1 : CVE-2015-8710: Libxml2 Vulnerability
Solution Article: K45439210
694073-4 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup
Component: Application Security Manager
Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.
Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).
Impact:
Low and incorrect visibility of signature update details.
Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.
Fix:
Signature updates are now shown correctly for all versions.
693810-4 : CVE-2018-5529: APM Linux client vulnerability
Solution Article: K52171282
693744-2 : CVE-2018-5531: vCMP vulnerability
Solution Article: K64721111
693739-5 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
Component: Access Policy Manager
Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.
Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.
Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.
Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.
Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.
693211-4 : CVE-2017-6168
Solution Article: K21905460
692095-4 : bigd logs monitor status unknown for FQDN Node/Pool Member
Solution Article: K65311501
Component: Local Traffic Manager
Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]
Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.
Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.
Workaround:
None.
Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.
691806-4 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
Solution Article: K61815412
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.
Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.
Impact:
The BIG-IP system resets connection with RST.
Workaround:
None.
Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.
691670-2 : Rare BD crash in a specific scenario
Component: Application Security Manager
Symptoms:
BD crash, or false reporting of signature ID 200023003.
Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).
Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.
Workaround:
Removing attack signature 200023003 from the security policy stops the issue.
Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.
A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.
691485-2 : System fails to boot when syslog-ng is not running.
Solution Article: K47635484
Component: TMOS
Symptoms:
System hangs during boot while trying to start the httpd service.
Conditions:
syslog-ng is not running.
Impact:
System fails to boot
Workaround:
Correct the /etc/syslog-ng/syslog-ng.conf file if necessary and start the syslog-ng service using the following command:
service syslog-ng start
The system should continue to boot.
690819-2 : Using an iRule module after a 'session lookup' may result in crash
Component: TMOS
Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.
Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.
Impact:
The system may core, or result in undefined and/or undesired behavior.
Workaround:
Check the return value of 'session lookup' before using another iRule module.
If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.
688625-3 : PHP Vulnerability CVE-2017-11628
Solution Article: K75543432
687658-3 : Monitor operations in transaction will cause it to stay unchecked
Component: TMOS
Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.
Conditions:
This only happens within transactions.
Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.
Impact:
Monitor state never returns to its correct value.
Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.
687193-3 : TMM may leak memory when processing SSL Forward Proxy traffic
Solution Article: K45325728
686389-4 : APM does not honor per-farm HTML5 client disabling at the View Connection Server
Component: Access Policy Manager
Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.
With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag indicating whether the HTML5 client is enabled (absence of the <html-access-disabled/> tag). APM does not honor this flag, so it shows the HTML5 client option to the APM end user even when HTML5 access has been disabled for that resource.
Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.
Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.
Workaround:
There is no workaround at this time.
Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.
Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.
686305-5 : TMM may crash while processing SSL forward proxy traffic
Solution Article: K64552448
685857 : Memory consumption of tmm slowly increases.
Component: Access Policy Manager
Symptoms:
Memory consumption of tmm slowly increases.
Conditions:
This occurs only when a session is terminated in the policy evaluation phase, e.g., a client lands on the logon page and lets it time out.
You can determine whether this issue is occurring by checking whether tmm memory usage attributed to 'session' grows to 4 GB.
Impact:
Device may fail over to another unit in the high-availability (HA) configuration.
Workaround:
To recover from this issue, restart tmm.
Note: Traffic will be disrupted while tmm restarts.
Fix:
Memory consumption of tmm no longer increases when a client allows the logon page to time out.
685708-5 : Routing via iRule to a host without providing a transport from a transport-config created connection cores
Component: Service Provider
Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.
Conditions:
-- The connection receiving the request was created using a transport-config.
-- An iRule issues the MR::message route command without specifying a transport (virtual or config) to use.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.
Fix:
The system will no longer core.
685207-3 : DoS client side challenge does not encode the Referer header.
Component: Application Security Manager
Symptoms:
XSS reflection occurs when the DoS client-side challenge is enabled as a mitigation, or when proactive bot defense is enabled.
Conditions:
1. Log in to the client IP address and send the ab request.
2. Once the DoS attack starts, send the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. The unencoded Referer header is visible.
Impact:
The XSS reflection occurs after triggering the DoS attack.
Workaround:
None.
Fix:
DoS client side challenge now encodes the Referer header.
684937-5 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
Solution Article: K26451305
Component: Access Policy Manager
Symptoms:
APM HTTP request handling performance drops gradually over time while Kerberos SSO is in use.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.
Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
LRU cache performance no longer drops linearly with the number of cached Kerberos tickets, and the latency of HTTP request processing has been significantly improved.
684879-3 : Malformed TLS1.2 records may result in TMM segmentation fault.
Solution Article: K02714910
684325-4 : APMD Memory leak when applying a specific access profile
Component: Access Policy Manager
Symptoms:
When an access profile containing the CheckMachineCert agent is updated using 'Apply access policy', each application leaks 12096 bytes of memory.
Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.
Impact:
APMD process stops after repeated application of the script.
Workaround:
None.
Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.
684312-3 : During Apply Policy action, bd agent crashes, causing the machine to go Offline
Solution Article: K54140729
Component: Application Security Manager
Symptoms:
During the Apply Policy action, bd_agent crashes with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------
This causes the bd and bd_agent processes to restart, which causes the machine to go Offline.
Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.
Impact:
The bd and bd_agent processes restart, causing the machine to go Offline while the processes restart.
Workaround:
None.
Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.
683241-4 : Improve CSRF token handling
Solution Article: K70517410
Component: Application Security Manager
Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.
Conditions:
CSRF is configured.
Impact:
CSRF token handling does not follow current best practices.
Workaround:
None.
Fix:
CSRF token handling now follows current best practices.
683113-5 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
Solution Article: K22904904
Component: Access Policy Manager
Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.
Websso CPU usage is very high.
The BIG-IP system response rate can drop to the point that clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.
Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.
Impact:
Increased latency of HTTP request processing.
Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.
Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.
682682-5 : tmm asserts on a virtual server-to-virtual server connection
Component: Local Traffic Manager
Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.
Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.
Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.
Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.
Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.
682281 : iSession tunnels are not reused and idle tunnels are not terminated by the sweeper
Component: Wan Optimization Manager
Symptoms:
When an iSession tunnel is created with certain iSession profile properties, the tunnel is not reused and the idle client-side (incoming) tunnel is not reset by the sweeper. TMM must be restarted to clean up the client-side iSession tunnels.
Conditions:
An iSession tunnel is created with these three iSession profile properties:
-- reuse-connection enabled
-- deduplication disabled
-- compression disabled
Impact:
Tunnel is not reused and the idle client-side (incoming) tunnel is not reset by the sweeper. TMM must be restarted to clean up the client-side iSession tunnels. Traffic disrupted while tmm restarts.
Workaround:
Disable the iSession profile reuse-connection property.
Fix:
iSession tunnels are reused and idle tunnels are terminated by the sweeper.
681710-5 : Malformed HTTP/2 requests may cause TMM to crash
Solution Article: K10930474
680755-2 : max-request enforcement no longer works outside of OneConnect
Solution Article: K27015502
Component: Local Traffic Manager
Symptoms:
max-request enforcement does not work when OneConnect is not configured.
Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.
Impact:
max-request enforcement does not work.
Workaround:
Always use OneConnect.
Fix:
max-request enforcement now works when OneConnect is not configured.
680729-5 : DHCP Trace log incorrectly marked as an Error log.
Solution Article: K64307999
Component: Policy Enforcement Manager
Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.
Impact:
Possible clutter in the TMM logs.
Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical
Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>
679603-3 : bd core upon request, when profile has sensitive element configured.
Solution Article: K15460886
Component: Application Security Manager
Symptoms:
bd crash, system goes offline.
Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- json profile configured with sensitive element.
Impact:
System goes offline/fails over.
Workaround:
Remove sensitive elements from the json profile in the ASM policy.
Fix:
ASM now handles this condition so the crash no longer occurs.
679235-4 : Inspection Host NPAPI Plugin for Safari can not be installed
Component: Access Policy Manager
Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.
Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.
Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.
Workaround:
There is no workaround at this time.
Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.
679114-1 : Persistence record expires early if an error is returned for a BYE command
Component: Service Provider
Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.
Conditions:
An error is returned for any SIP command.
Impact:
The persistence record will expire early when the call has not been ended.
Workaround:
None.
Fix:
For BYE commands, the timeout is not set to transaction timeout on failure.
678976-5 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
Solution Article: K24756214
Component: Access Policy Manager
Symptoms:
VDI debug logs print user credentials to /var/log/apm.
Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.
Impact:
User credentials are written to /var/log/apm.
Workaround:
Set VDI debug level to Notice.
Fix:
The system no longer prints user credentials to VDI debug logs.
678822-5 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed
Component: Policy Enforcement Manager
Symptoms:
If PEM subscribers are brought up with diameter apps (Gx/Gy) configured and the PCRF is not reachable, either because there is no route or simply because no license is configured for those apps, the provision-pending session count is incremented and never rolls back to zero, even after the subscribers are cleaned up.
Conditions:
If the route to PCRF/OCS is missing or not reachable.
Impact:
Non-Zero stats for provision pending sessions
Workaround:
Disable the Gx/Gy profile if not required or configure the route.
Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.
678462-1 : after chassis failover: asmlogd CPU 100% on secondary
Component: Application Security Manager
Symptoms:
After a failover in a chassis:
- asmlogd CPU 0% on the primary slot (which was secondary before the failover).
- asmlogd CPU 100% on the secondary slot (which was primary before the failover).
This occurs even without traffic running through the chassis.
Conditions:
-- ASM provisioned.
-- Chassis with at least two active slots.
-- Chassis failover after some traffic was passed through the chassis.
Impact:
asmlogd CPU shows 100% on secondary (which was primary before the failover), and vice versa.
Workaround:
There is no workaround at this time.
Fix:
The asmlogd process now better handles chassis failovers during which the chassis slots change roles (primary/secondary), so this issue no longer occurs.
677525-5 : Translucent VLAN group may use unexpected source MAC address
Component: Local Traffic Manager
Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.
Conditions:
VLAN group in translucent mode.
Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.
Workaround:
No workaround at this time.
Fix:
Translucent VLAN groups no longer send neighbor discovery packets whose source MAC address has the locally unique bit flipped.
677193-4 : ASM BD Daemon Crash.
Solution Article: K38243073
677119-1 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
Component: Local Traffic Manager
Symptoms:
When the parameters of an HTTP2 connection are negotiated, either side may announce its limits in a SETTINGS frame. One of those parameters, SETTINGS_MAX_HEADER_LIST_SIZE, states the maximum size of header list the sender is willing to accept. BIG-IP incorrectly interchanged this parameter with another one, SETTINGS_HEADER_TABLE_SIZE, which limited the value of the former to 32,768.
Conditions:
HTTP2 is configured and the peer endpoint (a user agent speaking HTTP2) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.
Impact:
BIG-IP does not accept the value and terminates the connection with a GOAWAY frame giving PROTOCOL_ERROR as the reason.
Fix:
BIG-IP no longer generates an error due to this issue and allows value for SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.
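An added example, not BIG-IP code, that parses an HTTP/2 SETTINGS frame and validates each parameter by its own identifier: the 32,768 figure from this entry is assumed here to be a local cap on SETTINGS_HEADER_TABLE_SIZE (identifier 0x1), and the swapped_identifiers flag reproduces the defect of applying that cap to SETTINGS_MAX_HEADER_LIST_SIZE (identifier 0x6) as well.

```python
"""Parse an HTTP/2 SETTINGS frame and validate every parameter by its own
identifier, so the header-table cap is never applied to the header list size.
Added example, not BIG-IP code. Frame layout and identifiers follow RFC 7540."""
import struct

SETTINGS_FRAME_TYPE = 0x4          # RFC 7540 section 6.5
HEADER_TABLE_SIZE = 0x1
ENABLE_PUSH = 0x2
MAX_CONCURRENT_STREAMS = 0x3
INITIAL_WINDOW_SIZE = 0x4
MAX_FRAME_SIZE = 0x5
MAX_HEADER_LIST_SIZE = 0x6

# Assumed local cap on the HPACK dynamic table; 32,768 is the figure this
# entry gives for the limit that was wrongly applied to the header list size.
HEADER_TABLE_SIZE_CAP = 32_768


def build_settings_frame(settings):
    """Encode {identifier: value} as a SETTINGS frame on stream 0.

    Layout: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id,
    then one 16-bit identifier + 32-bit value pair per setting."""
    payload = b"".join(struct.pack("!HI", ident, value)
                       for ident, value in settings.items())
    length = len(payload).to_bytes(3, "big")
    return length + bytes([SETTINGS_FRAME_TYPE, 0x00]) + struct.pack("!I", 0) + payload


def parse_settings_frame(frame):
    """Return [(identifier, value), ...] or raise ValueError for a malformed frame."""
    if len(frame) < 9:
        raise ValueError("frame shorter than the 9-byte header")
    length = int.from_bytes(frame[:3], "big")
    frame_type = frame[3]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if frame_type != SETTINGS_FRAME_TYPE:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("SETTINGS must be carried on stream 0")  # PROTOCOL_ERROR
    payload = frame[9:9 + length]
    if len(payload) != length or length % 6:
        raise ValueError("payload must be a whole number of 6-byte pairs")  # FRAME_SIZE_ERROR
    return [struct.unpack("!HI", payload[i:i + 6]) for i in range(0, length, 6)]


def check_settings(settings, swapped_identifiers=False):
    """Validate parsed settings; return a list of error strings (empty = accept).

    A non-empty list is what would make the receiver answer with GOAWAY and
    PROTOCOL_ERROR. With swapped_identifiers=True the function reproduces the
    defect: the header-table cap is also applied to identifier 0x6."""
    errors = []
    for ident, value in settings:
        if ident == HEADER_TABLE_SIZE and value > HEADER_TABLE_SIZE_CAP:
            errors.append(f"SETTINGS_HEADER_TABLE_SIZE={value} exceeds local cap {HEADER_TABLE_SIZE_CAP}")
        elif ident == MAX_HEADER_LIST_SIZE:
            # Correct behaviour: any 32-bit value is a valid advisory limit.
            if swapped_identifiers and value > HEADER_TABLE_SIZE_CAP:
                errors.append(f"SETTINGS_MAX_HEADER_LIST_SIZE={value} exceeds {HEADER_TABLE_SIZE_CAP}")
        elif ident == ENABLE_PUSH and value not in (0, 1):
            errors.append(f"SETTINGS_ENABLE_PUSH={value} must be 0 or 1")
        elif ident == INITIAL_WINDOW_SIZE and value > 0x7FFFFFFF:
            errors.append(f"SETTINGS_INITIAL_WINDOW_SIZE={value} exceeds 2^31-1")  # FLOW_CONTROL_ERROR
        elif ident == MAX_FRAME_SIZE and not 16_384 <= value <= 16_777_215:
            errors.append(f"SETTINGS_MAX_FRAME_SIZE={value} outside 2^14..2^24-1")
        # Unknown identifiers are ignored, as RFC 7540 requires.
    return errors
```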
677088-5 : Qkview does not follow current best practices
Component: TMOS
Symptoms:
Qkview does not follow current best practices
Conditions:
Authenticated administrative user initiates a Qkview
Impact:
Qkview output not processed as expected
Fix:
Qkview now follows current best practices
677058-4 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text
Component: Access Policy Manager
Symptoms:
Logon page agent with more than one password variable or Citrix logon prompt will log plain text password when debug logging is turned on for access policy.
Conditions:
This occurs when the following conditions are met:
- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.
Impact:
APM logs plain text password when debug logging is turned on for access policy.
Workaround:
None.
Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.
676982-1 : Active connection count increases over time, long after connections expire
Solution Article: K21958352
Component: Local Traffic Manager
Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.
Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile functionality.
Impact:
- Service may be impacted after a period.
- TMM instances may restart.
Workaround:
None.
Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.
676457-2 : TMM may consume excessive resource when processing compressed data
Solution Article: K52167636
676416-3 : BD restart when switching FTP profiles
Component: Application Security Manager
Symptoms:
Switching a virtual server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.
Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.
Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.
Workaround:
There is no workaround at this time.
Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.
676355-3 : DTLS retransmission does not comply with RFC in certain resumed SSL session
Component: Local Traffic Manager
Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.
Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.
Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.
Workaround:
None.
Fix:
The FINISHED messages are now saved before the Cavium-encrypted FINISHED message is transmitted and the DTLS retransmit timer is started. When the retransmit timer expires, the CCS plus FINISHED messages are retransmitted.
676300-6 : EPSEC binaries may fail to upgrade in some cases★
Solution Article: K04551025
Component: Access Policy Manager
Symptoms:
Windows client may fail to upgrade endpoint security package in some cases. This happens due to a corrupted registration of old endpoint security components.
Conditions:
Corrupted registry entry related to endpoint security components.
Impact:
Client may not be able to upgrade to latest endpoint package hosted on APM.
Workaround:
Remove the following registry keys from the registry:
Note: Use extra care editing the registry. Only remove the following keys, and no others.
"HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_CLASSES_ROOT\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
Fix:
EPSEC binaries now upgrade successfully.
675866-3 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
Component: Access Policy Manager
Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.
Conditions:
This occurs with Kerberos-protected resources using a Windows Server 2012-based DC, due to the issue described in the Microsoft KB article 'Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC' (https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser).
Impact:
Cannot access the Kerberos-protected resources.
Workaround:
None.
Fix:
Kerberos SSO (S4U) tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.
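The ticket-reuse rule stated in this fix, as an added example that is not APM's own code: the Ticket structure, the cache list and all timestamps are assumed and constructed for illustration.

```python
"""Decide whether a cached Kerberos S4U service ticket may still be used.

Rule taken from the fix text: never use a ticket with less than 5 minutes
remaining; use an existing ticket when it has more than half the configured
lifetime or at least 1 hour remaining; otherwise acquire a new ticket.
Added example, not APM code; the cache layout and times are assumed."""
from dataclasses import dataclass

MIN_REMAINING_SEC = 5 * 60      # hard floor: below this the KDC may reject the ticket
LONG_REMAINING_SEC = 60 * 60    # "at least 1 hour of lifetime remaining"


@dataclass(frozen=True)
class Ticket:
    principal: str      # service principal the ticket was issued for (assumed field)
    issued_at: int      # epoch seconds, constructed values in the tests
    expires_at: int

    def remaining(self, now):
        return self.expires_at - now


def is_usable(ticket, now, configured_lifetime_sec):
    """True if the ticket may still be presented to the service."""
    left = ticket.remaining(now)
    if left < MIN_REMAINING_SEC:
        # Edge case: with a short configured lifetime the half-lifetime test
        # below could pass, so the 5-minute floor is checked first.
        return False
    return left > configured_lifetime_sec / 2 or left >= LONG_REMAINING_SEC


def select_ticket(cache, principal, now, configured_lifetime_sec):
    """Return (ticket, acquire_new): the best usable cached ticket for the
    principal, or (None, True) when a fresh ticket has to be requested."""
    candidates = [t for t in cache
                  if t.principal == principal and is_usable(t, now, configured_lifetime_sec)]
    if not candidates:
        return None, True
    # Prefer the ticket that stays valid longest so the cache keeps serving.
    return max(candidates, key=lambda t: t.expires_at), False


def evict_unusable(cache, now, configured_lifetime_sec):
    """Drop tickets that can no longer be used; keeps the cache small."""
    return [t for t in cache if is_usable(t, now, configured_lifetime_sec)]
```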
675232-2 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
Component: Application Security Manager
Symptoms:
Errors encountered:
In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------
Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify its active state.
Impact:
The policy is created but the modify action cannot find the policy.
Workaround:
iApps are built to work with ASM Policy Templates.
A new ASM Policy Template can be created from the desired ASM Policy.
That can be done via the GUI and, starting from v13.0, via REST as well.
Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------
Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.
675188-4 : CVE-2017-9233: Expat vulnerability
Component: TMOS
Symptoms:
An infinite loop vulnerability due to malformed XML in an external entity was found in the entityValueInitProcessor function, affecting Expat versions 2.2.0 and earlier.
Conditions:
Version of expat in use on BIG-IP is v2.2.0 or earlier.
Impact:
BIG-IP is vulnerable to CVE-2017-9233 via the iControl interface.
Fix:
Update to expat v2.2.2
674747-1 : sipdb cannot delete custom bidirectional persistence entries.
Solution Article: K30837366
Component: Service Provider
Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.
Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.
Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted, however.
Workaround:
None.
Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.
674486-3 : Expat Vulnerability: CVE-2017-9233
Component: TMOS
Symptoms:
An infinite loop vulnerability due to malformed XML in an external entity was found in the entityValueInitProcessor function, affecting Expat versions 2.2.0 and earlier.
Conditions:
Version of expat in use on BIG-IP is v2.2.0 or earlier.
Impact:
BIG-IP is vulnerable to CVE-2017-9233 via the administrative interface.
Fix:
Expat updated to v2.2.0 or later
674320-3 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems
Solution Article: K11357182
Component: TMOS
Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:
notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59
Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)
Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).
Impact:
Configuration on peer systems in a device group does not get saved after a sync.
Workaround:
Manually save the configuration on peer systems after a sync.
Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.
674189-2 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
Solution Article: K52320548
674145-4 : chmand error log message missing data
Component: TMOS
Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.
Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP
The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.
Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.
Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.
Fix:
The expected data values are properly printed in the log message.
673814-2 : Custom bidirectional persistence entries are not updated to the session timeout
Solution Article: K37822302
Component: Service Provider
Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.
Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.
Impact:
The persistence timeout will prematurely time out.
Workaround:
Set the transaction timeout to the session timeout value.
Fix:
The persistence timeout is correctly updated to the session timeout value when a successful response message is received.
673165-2 : CVE-2017-7895: Linux Kernel Vulnerability
Solution Article: K15004519
673029-1 : Debug image TMM crash
Component: Policy Enforcement Manager
Symptoms:
If a debug TMM image is being run with PEM logging enabled, TMM crashes in some subscriber-addition cases.
Conditions:
-- TMM debug is used.
-- PEM debug log is enabled.
-- Many subscribers are added.
-- The log message crashes subscribers.
Impact:
TMM restarts resulting in failover. Traffic disrupted while tmm restarts.
Workaround:
Do not enable PEM logging in the PEM debug image.
672988-3 : MCP memory leak when performing incremental ConfigSync
Solution Article: K03433341
Component: TMOS
Symptoms:
MCP leaks memory when performing incremental ConfigSync operations to peers in its device group. The leak can be observed by using the tmctl utility to watch the umem_alloc_80 cache over time.
This leak occurs on the device that is sending the configuration.
Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.
Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.
Workaround:
None.
Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.
672480 : WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO
Component: Access Policy Manager
Symptoms:
HTTP requests that are being processed by Kerberos SSO never leave APM, and connections simply time out.
Conditions:
There is an issue in MIT krb5 library for calculating wait time for responses from KDC, which ends up with a negative value. This translates to infinite timeout by poll() syscall. At the same time, if all Kerberos requests to KDC are dropped (e.g., by a misconfigured firewall), Kerberos SSO never receives the responses, and Kerberos SSO never gives up on waiting for the KDC response (this is an issue in the library).
Impact:
A deadlock occurs within the Kerberos SSO. Eventually there will be a global deadlock, which causes this particular WebSSO process to be completely unresponsive for Kerberos SSO functionality. APM end users cannot access the backend.
Workaround:
For this issue to have a real impact, there must be an unresponded-to Kerberos request. To eliminate this possibility, make sure there is no firewall blockage, incorrect routing, etc., so that WebSSO always receives responses, even negative ones.
Note: WebSSO will never use infinite timeout when waiting for Kerberos responses, so even if a firewall blocks the Kerberos request, although Kerberos SSO does not function, it does not cause global unresponsiveness from the WebSSO process.
672124-2 : Excessive resource usage when BD is processing requests
Solution Article: K12403422
671638-3 : TMM crash when load-balancing mptcp traffic
Solution Article: K33211839
671498-2 : BIND zone contents may be manipulated
Solution Article: K02230327
671497-2 : TSIG authentication bypass in AXFR requests
Solution Article: K59448931
671447-3 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
Component: TMOS
Symptoms:
When a BIG-IP system is configured in an IS-IS network, adjacencies may fail to form with other vendors' devices.
Conditions:
-- BIG-IP configured to participate as a peer in an IS-IS network.
-- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-byte SystemID.)
Impact:
IS-IS adjacencies may not form.
Workaround:
None.
Fix:
The BIG-IP system now uses a correct SystemID length in the Restart TLV.
671326-3 : DNS Cache debug logging might cause tmm to crash.
Solution Article: K81052338
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Cache debug logging might cause tmm to crash.
Conditions:
This occurs when the following conditions are met:
-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.
Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.
Fix:
DNS Cache debug logging no longer causes tmm to crash.
670918-1 : Flash AS3 wrappers should have an additional check for the activation object
Component: Access Policy Manager
Symptoms:
Flash AS3 wrappers should have an additional check for the activation object.
Conditions:
Presence of a getlex (or [get/set]property after getpropstrict/getproperty) instruction that gets/sets the value of a variable with an interesting name such as "url" that is defined on an activation object.
Example:
...
(function() {
var url;
(function(){return url;})();
})();
...
Impact:
Flash application malfunction.
Fix:
APM Portal Access Rewrite has been improved to handle Flash ActionScript 3 in a more robust fashion.
670910-1 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
Component: Access Policy Manager
Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.
Conditions:
This might occur when using the following definition:
<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
    xmlns:s="library://ns.adobe.com/flex/spark"
    width="100%" height="100%"
    minWidth="256" minHeight="64"
    creationComplete="initApp()">
    <s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
        <s:TextInput id="f_output" text="..." width="100%" />
        <fx:Script><![CDATA[
            import flash.external.ExternalInterface;
            private function initApp():void {
                f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
            }
        ]]></fx:Script>
    </s:VGroup>
</s:Application>
Impact:
Flash application malfunction.
Workaround:
None.
Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.
670822-4 : TMM may crash when processing SOCKS data
Solution Article: K55225440
670816-3 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
Solution Article: K44519487
Component: Local Traffic Manager
Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.
Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.
Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.
Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.
Fix:
HTTP/HTTPS/TCP monitor response code for 'last fail reason' no longer contains extraneous trailing characters when the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.
670804-1 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
Solution Article: K03163260
Component: Local Traffic Manager
Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.
Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified accept when used with OneConnect on a virtual server.
Fix:
Verified accept, OneConnect, and hardware syncookies now work together correctly.
669818-3 : Higher CPU usage for syslog-ng when a syslog server is down
Component: TMOS
Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.
Conditions:
A remote log server is added but it is not available.
Impact:
Potentially higher than expected CPU usage.
Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.
668623-2 : macOS Edge client fails to detect correct system language for regions other than USA
Solution Article: K85991425
Component: Access Policy Manager
Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.
Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).
Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.
Workaround:
Run one of the following commands in the Terminal and re-launch the Edge client:
For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"
For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"
For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"
For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"
For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"
For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"
For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"
Fix:
Customization of the following items for the Edge client now correctly reflects the region's language selection:
-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.
668521-1 : Bigd might stall while waiting for an external monitor process to exit
Component: Local Traffic Manager
Symptoms:
The bigd process restarts due to a heartbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.
Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).
High system load makes this more likely to occur.
Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.
Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.
Fix:
bigd no longer stalls while waiting for an external monitor process to exit.
668196-3 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down
Component: Local Traffic Manager
Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.
Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).
Impact:
Pool member remains marked down.
Workaround:
This condition is very rare but if it occurs you can try removing the pool member or node and re-adding it.
Fix:
Connection limit is now correctly enforced with least-connections and pool member flap, so the member no longer incorrectly remains down.
667278-4 : DSC connections between BIG-IP units may fail to establish
Component: TMOS
Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:
-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).
While the unit at the other end of the connection will log messages similar to the following example:
-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed
Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).
Impact:
Config-Sync and device discovery operations will fail between affected units.
Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).
Fix:
Config-Sync and device discovery operations no longer fail.
667173-2 : 13.1.0 cannot join a device group with 13.1.0.1
Component: TMOS
Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.
Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.
Impact:
Cannot form Device Trust.
Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.
Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.
666454-6 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
Solution Article: K05520115
Component: Access Policy Manager
Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.
Edge client's svpn.log shows an error entry similar to the following:
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.
Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in a full tunneling configuration.
3) Mac OS X version is v10.12.5.
Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.
Impact:
VPN connection will fail.
Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.
666401-1 : Memory might become corrupted when a Standby device transitions to Active during failover
Solution Article: K03294104
Component: Local Traffic Manager
Symptoms:
When a failover event occurs with connection mirroring enabled, it is possible for memory to be corrupted when the Standby device transitions to Active.
Conditions:
-- Active-Standby high availability configuration.
-- Virtual server configured with the type set to 'Standard'.
-- Connection mirroring enabled.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Memory is no longer corrupted.
665905-1 : Signature System corruption from specific ASU prevents ASU load after upgrade
Solution Article: K83305000
Component: Application Security Manager
Symptoms:
After loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im" on 11.5.4 HF2 (or later) and upgrading to certain software versions, attempts to perform Signature Update fail.
Conditions:
-- Loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im".
-- Using v11.5.4 HF2 (or later).
-- Upgrading the device to 11.6.1, 12.1.0, 12.1.1, or 12.1.2.
Impact:
Attempts to perform Signature Update fail.
Workaround:
The mistaken Signature System can be deleted using the following SQL:
----------------------------------------------------------------------
UPDATE PLC.NEGSIG_SIGNATURE_SYSTEMS set system_id = 14 where system_id = (select system_id FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache');
DELETE FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache';
----------------------------------------------------------------------
Fix:
Database corruption introduced by loading Attack Signature Update 'ASM-SignatureFile_20170403_145743.im' is now corrected upon upgrade.
664930-1 : Policy automatic learning mode changes to manual after failover
Component: Application Security Manager
Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.
Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.
Impact:
The policy changes from automatic learning mode to manual.
Workaround:
None.
Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.
664769-2 : TMM may restart when using SOCKS profile and an iRule
Component: Local Traffic Manager
Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.
Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.
Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.
Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.
Fix:
TMM no longer crashes when using SOCKS profile and serverside iRule parks.
663924-3 : Qkview archives includes Kerberos keytab files
Component: TMOS
Symptoms:
Qkview captures Kerberos keytab files used for APM dataplane services.
Conditions:
APM provisioned with Kerberos authentication.
Impact:
Private security key exposure.
Workaround:
There is no workaround.
Fix:
Qkview no longer collects 'kerberos_keytab_file_d' directory containing keytab files when creating qkview archive.
663326-3 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys
Component: Local Traffic Manager
Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.
Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.
Impact:
Even though the key has been stored in the HSM, the BIG-IP system is still unable to use it, because the stub key that must be configured on the BIG-IP system is missing.
Workaround:
This can be worked around by directly using the Thales command, for example:
[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha1] >
Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.
663310-4 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
Component: Global Traffic Manager (DNS)
Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.
Conditions:
-- Upgrade from a BIG-IP version containing a pre-9.9.x version of BIND to a BIG-IP version with a BIND version later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.
Impact:
Zones cannot be loaded.
Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;
Fix:
BIND 9.9.x changes the default behavior governing the storage format of slave zone files to "raw" from "text".
On upgrade, the configuration is parsed for slave zones that do not specify masterfile-format, and those zones are set to "text".
662881-3 : L7 mirrored packets from standby to active might cause tmm core when it goes active.
Solution Article: K10443875
Component: Local Traffic Manager
Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.
Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.
Impact:
tmm crashes. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.
662850-3 : Expat XML library vulnerability CVE-2015-2716
Solution Article: K50459349
662663-3 : Decryption failure Nitrox platforms in vCMP mode
Solution Article: K52521791
660239-2 : When accessing the dashboard, invalid HTTP headers may be present
Component: TMOS
Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.
Conditions:
Access the dashboard via Statistics :: Dashboard.
Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.
You may see errors such as the following in the httpd error logs:
Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf
Workaround:
There is no workaround at this time.
Fix:
Eliminated invalid header data.
659899-5 : Rare, intermittent system instability observed in dynamic load-balancing modes
Solution Article: K10589537
Component: Local Traffic Manager
Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.
Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.
Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.
658852-1 : Empty User-Agent in iSessions requests from APM client on Windows
Component: Access Policy Manager
Symptoms:
'User-Agent' might be empty in some '/isession' requests from the APM client on Microsoft Windows. An empty User-Agent header is not RFC compliant and causes some firewalls to block the connection. This might result in failure to establish a VPN tunnel.
Conditions:
'/isession' requests from APM client on Windows.
Impact:
Failure to establish a VPN tunnel.
Workaround:
None.
Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.
658214-3 : TCP connections fail intermittently for mirrored FastL4 virtual server
Solution Article: K20228504
Component: Local Traffic Manager
Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.
Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.
Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.
Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.
Workaround:
Set the tm.fastl4_ack_mirror db variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.
Fix:
In this release, mirrored FastL4 virtual servers now forward the SYN on the server-side after receiving the context-ack from the peer, as expected.
657961-1 : The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown
Solution Article: K44031930
Component: Global Traffic Manager (DNS)
Symptoms:
The edit button in the Pools section of a Wide IP create page does not place the pool name entry back into the select dropdown.
Conditions:
There must be a pool in the selected list, and that pool must be highlighted when the edit button is clicked.
Impact:
The edit button does not work as intended.
Workaround:
Use the delete button and find the pool in the select dropdown to edit its ratio.
Fix:
Fixed issue that caused the edit button on the Wide IP create page to not place the pool name back into the select dropdown.
657795-2 : Possible performance impact on some SSL connections
Solution Article: K51498984
Component: Local Traffic Manager
Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.
Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.
-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.
Impact:
Performance may be impacted on those SSL connections.
Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.
Fix:
This release fixes an issue that might cause performance impact on certain SSL connections.
657463 : SSL sends HUDEVT_SENT to TCP in wrong state, which causes HTTP to disconnect the handshake
Component: Local Traffic Manager
Symptoms:
SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect the handshake.
Conditions:
SSL sends HUDEVT_SENT to TCP in the wrong state.
Impact:
HTTP then disconnects the handshake.
Fix:
SSL is no longer allowed to send the HUDEVT_SENT event in the wrong state.
655807-3 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
Solution Article: K40341291
Component: Global Traffic Manager (DNS)
Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.
Conditions:
QoS load balance.
Impact:
Load balance decision is mostly impacted by packet rate.
Workaround:
None.
Fix:
Corrected a calculation error for QoS score involving packet rate.
655691-1 : GUI image list contains misleading 'MD5 Sum Verified' field
Component: TMOS
Symptoms:
In the GUI, images in the Image List and Hotfix List contain a field called 'MD5 Sum Verified', which is misleading since no such verification is actually done.
Conditions:
Using BIG-IP GUI and viewing the Image List and Hotfix List.
Impact:
It appears that MD5 sums are being verified when in reality much more limited tests are done.
Workaround:
N/A
Fix:
Replaced 'MD5 Sum Verified' with 'BIG-IP Image Verified' in the Image List and Hotfix List in the BIG-IP GUI, to more accurately reflect the verification procedures that are performed.
655432-4 : SSL renegotiation failed intermittently with AES-GCM cipher
Solution Article: K85522235
Component: Local Traffic Manager
Symptoms:
SSL intermittently failed to renegotiate with an AES-GCM cipher because the IV is not properly updated when a change cipher spec message is received.
Conditions:
This failure is more likely to occur during mutual authentication.
Impact:
Some servers authenticate the client using renegotiation. This issue prevents their clients from properly connecting to the servers.
Workaround:
Disable AES-GCM cipher.
Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.
655211-2 : bigd crash (SIGSEGV) when running FQDN node monitors
Component: Local Traffic Manager
Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.
Conditions:
bigd is configured for FQDN node monitors.
Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.
Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.
Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.
655146-5 : APM Profile access stats are not updated correctly
Component: Access Policy Manager
Symptoms:
The active and established sessions counts in the output of 'tmsh show apm profile access' command are not getting updated as sessions are established and terminated. At the same time, the following errors are showing up in the APM log:
err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)
Conditions:
-- When session is established and terminated.
-- Running the command: tmsh show apm profile access to view stats.
Impact:
APM profile access stats are not accurate.
Workaround:
None.
Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.
655059-2 : TMM Crash
Solution Article: K37404773
655021-3 : BIND vulnerability CVE-2017-3138
Solution Article: K23598445
654599-2 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
Solution Article: K74132601
Component: Global Traffic Manager (DNS)
Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.
Conditions:
The config contains a large number (in the thousands) of GSLB virtual servers or wide IPs, resulting in the action not being completed.
Impact:
The "Finished" button on that page does not save the changes made on that page.
Workaround:
Use TMSH.
Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.
654566-1 : Incomplete files still linked in /shared/vmisolinks
Solution Article: K94822416
Component: TMOS
Symptoms:
If copying of an image file is interrupted and leaves a partial file with a .part or .filepart extension, it is still linked in /shared/vmisolinks and synced between blades.
Conditions:
Copy of an image to /shared/images is interrupted and a file with a .part or .filepart extension is left behind.
Impact:
The corrupted copy might appear valid when it is not.
Workaround:
Delete incomplete file copies with extension .part or .filepart.
Fix:
Csyncd ignores files with extensions .part or .filepart in /shared/images.
654513-5 : APM daemon crashes when the LDAP query agent returns empty in its search results.
Solution Article: K11003951
Component: Access Policy Manager
Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.
Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP access profile access policy is configured with an AD Auth agent.
-- The access policy is configured with an LDAP query agent.
-- A user successfully authenticates to the access profile.
-- The LDAP query agent returns no query results.
Impact:
APM daemon crashes, and RBA and WebSSO need to be restarted. This is a very rarely encountered issue.
Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.
Note: Adding the extra agent, LDAP Auth agent, in the policy will preserve the functionality and features, enabling the policy to fail in LDAP Auth agent, instead of crash in LDAP Query agent.
Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.
654109-3 : Configuration loading may fail when iRules calling procs in other iRules are deleted
Solution Article: K01102467
Component: Local Traffic Manager
Symptoms:
Loading of the configuration fails with a message indicating that a previously deleted iRule cannot be found:
01020036:3: The requested rule (/Common/rule_uses_procs) was not found.
Conditions:
- iRule A is calling another iRule B using proc calls.
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).
Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.
Workaround:
Force reloading of the MCP binary database.
For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.
653993-2 : A specific sequence of packets to the HA listener may cause tmm to produce a core file
Solution Article: K12044607
653880-1 : Kernel Vulnerability: CVE-2017-6214
Solution Article: K81211720
652516-1 : Multiple Linux Kernel Vulnerabilities
Solution Article: K31603170
652400-1 : During blade changes, PBA may cause a TMM restart
Component: Carrier-Grade NAT
Symptoms:
TMM will restart, and an ASSERT will appear in the logs that there have been too many retries.
Conditions:
-- A port block allocation configuration with very high CPU utilization.
-- The addition of a new blade.
-- Running a version earlier than 12.0.0.
Impact:
TMM will restart, so existing blocks and connections will be lost. Traffic disrupted while tmm restarts.
Workaround:
There is no workaround.
652004-4 : Show /apm access-info all-properties causes memory leaks in tmm
Solution Article: K45320415
Component: Access Policy Manager
Symptoms:
When tmsh is used to view session information, memory leaks on each request that pulls the session information from tmm. This is a small leak, but it can become a significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.
Conditions:
When using 'show /apm access-info all-properties'.
Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.
Workaround:
The only workaround is to avoid using this mcp interface of the tmm daemon, or to restart the tmms periodically after using the interface multiple times.
Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.
651772-5 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
Component: Local Traffic Manager
Symptoms:
IPv6 traffic generated from the host, whether from a host daemon, from monitors, or from the command line, may use a MAC and IPv6 source address from a different VLAN.
Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that cause the traffic to the destination to shift from one vlan and gateway to another. This is typically observed with dynamic routing updates.
Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.
Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.
Fix:
IPv6 host traffic no longer uses an incorrect IPv6 and MAC address after route updates.
Behavior Change:
Introduction of the sys db variable ipv6.host.router_probe_interval, which controls the sysctl net.ipv6.conf.default.router_probe_interval value. The default value is 5s.
651541-3 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile
Solution Article: K83955631
Component: Local Traffic Manager
Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.
Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.
Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.
Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.
Fix:
Changing the HTTP profile now triggers validation of all virtual servers using that profile.
650292-3 : DNS transparent cache can return non-recursive results for recursive queries
Component: Local Traffic Manager
Symptoms:
If a non-recursive query is cached by the DNS transparent cache, subsequent recursive queries receive the non-recursive answer.
Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.
Impact:
Non-recursive responses for recursive requests.
Workaround:
An iRule can be attached to the listener to disable the cache if the "rd bit" is not set in the DNS request.
Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.
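The cache behaviour this entry describes, modelled as an added Python example that is not BIG-IP code: the upstream resolver, zone data, names and addresses are constructed, and the honor_rd flag switches between the pre-fix handling (any cached entry is served) and the fixed handling (a non-recursive entry is ignored and replaced when a request with the RD bit set arrives).

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed stand-in data for an offline model of issue 650292-3; the
# names, addresses and resolver below are illustrative, not BIG-IP code.
Key = Tuple[str, str]  # (qname, qtype)


@dataclass
class Answer:
    rdata: str        # answer text: an address, a referral, or NXDOMAIN
    recursive: bool   # True when obtained by a query with the RD bit set


@dataclass
class CacheEntry:
    answer: Answer
    ttl: int


# Zone data the constructed upstream server is authoritative for.
AUTH_ZONE: Dict[Key, str] = {("ns1.example.test", "A"): "192.0.2.53"}
# Answers the constructed upstream can produce when allowed to recurse.
FULL_ANSWERS: Dict[Key, str] = {
    ("ns1.example.test", "A"): "192.0.2.53",
    ("www.example.test", "A"): "198.51.100.7",
}


def upstream_resolver(qname: str, qtype: str, rd: bool) -> Answer:
    """Constructed upstream: with RD clear it answers only from its own zone
    and returns a referral for anything else; with RD set it resolves fully."""
    key = (qname, qtype)
    if rd:
        return Answer(FULL_ANSWERS.get(key, "NXDOMAIN"), recursive=True)
    if key in AUTH_ZONE:
        return Answer(AUTH_ZONE[key], recursive=False)
    return Answer("REFERRAL ns1.example.test", recursive=False)


class TransparentCache:
    """Minimal transparent cache in front of an upstream resolver.

    honor_rd=False reproduces the pre-fix behaviour: whatever is cached for
    (qname, qtype) is served, even a non-recursive answer to a recursive query.
    honor_rd=True reproduces the fixed behaviour: a non-recursive entry cannot
    satisfy a request with RD set, so it is ignored and then replaced by the
    recursive answer.
    """

    def __init__(self, upstream: Callable[[str, str, bool], Answer], honor_rd: bool):
        self.upstream = upstream
        self.honor_rd = honor_rd
        self.entries: Dict[Key, CacheEntry] = {}
        self.hits = 0

    def query(self, qname: str, qtype: str, rd: bool) -> str:
        key = (qname, qtype)
        entry = self.entries.get(key)
        if entry is not None:
            usable = (not self.honor_rd) or entry.answer.recursive or (not rd)
            if usable:
                self.hits += 1
                return entry.answer.rdata
        # Cache miss (or an unusable non-recursive entry): ask upstream with
        # the client's RD bit and store the result, replacing any old entry.
        answer = self.upstream(qname, qtype, rd)
        self.entries[key] = CacheEntry(answer, ttl=300)
        return answer.rdata


def scenario(honor_rd: bool) -> Tuple[str, str, bool]:
    """Prime the cache with a non-recursive query, then send a recursive one.

    Returns (first answer, second answer, whether the entry left in the
    cache is a recursive answer).
    """
    cache = TransparentCache(upstream_resolver, honor_rd=honor_rd)
    first = cache.query("www.example.test", "A", rd=False)
    second = cache.query("www.example.test", "A", rd=True)
    cached = cache.entries[("www.example.test", "A")].answer.recursive
    return first, second, cached


if __name__ == "__main__":
    print("pre-fix:", scenario(honor_rd=False))
    print("fixed:  ", scenario(honor_rd=True))
```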
650002-3 : tzdata bug fix and enhancement update
Component: TMOS
Symptoms:
There have been changes to timezone data that impact tzdata packages:
* Mongolia no longer observes Daylight Saving Time (DST).
* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.
Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.
Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).
Workaround:
None.
Fix:
To accommodate these changes (Mongolia no longer observing DST, and the Magallanes Region moving to UTC-03 all year), the new America/Punta_Arenas zone was created for the Magallanes Region, and other timezone data was updated.
* The zone1970.tab file has been added to the list of files installed with the tzdata package.
Note: Users of tzdata are advised to upgrade to tzdata-2017b-1.el6.
649933-3 : Fragmented RADIUS messages may be dropped
Component: Service Provider
Symptoms:
Large RADIUS messages may be dropped when processed by iRules.
Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.
Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:
Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""
Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.
649907-3 : BIND vulnerability CVE-2017-3137
Solution Article: K30164784
649904-3 : BIND vulnerability CVE-2017-3136
Solution Article: K23598445
649613-1 : Multiple UDP/TCP packets packed into one DTLS Record
Component: Access Policy Manager
Symptoms:
The system converts server-provided packets into PPP buffers, and these PPP packets are packed into DTLS records. A DTLS record can currently hold about 14 KB, so the system can pack multiple PPP records into one DTLS record.
However, a larger DTLS record can cause IP fragmentation on the server side. In a lossy environment, losing a single IP fragment causes the whole DTLS record to be lost, resulting in poor performance.
Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.
Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.
Workaround:
None.
Fix:
DTLS performance in lossy or high-latency networks has been improved by optimizing the number of encoded PPP records inside each DTLS record.
649564-3 : Crash related to GTM monitors with long RECV strings
Component: Global Traffic Manager (DNS)
Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.
Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.
Impact:
Core dump. Traffic might be disrupted while gtmd restarts.
Workaround:
None.
Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.
649234-4 : TMM crash from a possible memory corruption.
Solution Article: K64131101
Component: Access Policy Manager
Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.
Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes a TMM crash.
648954-3 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
Solution Article: K01102467
Component: Local Traffic Manager
Symptoms:
Configuration validation fails spuriously, potentially as a result of a ConfigSync or of modifying an iRule, with an error similar to the following:
01020036:3: The requested rule (/Common/rule_uses_procs) was not found.
The error references an iRule that previously existed but has been deleted (or is being deleted as a result of a ConfigSync).
Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.
Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.
Workaround:
Force reloading of the MCP binary database.
For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).
648879-1 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
Solution Article: K90803619
648865-1 : Linux kernel vulnerability: CVE-2017-6074
Solution Article: K82508682
648786-2 : TMM crashes when categorizing long URLs
Solution Article: K31404801
648320-1 : Downloading via APM tunnels could experience performance downgrade.
Solution Article: K38159538
Component: Local Traffic Manager
Symptoms:
Multiple DTLS records can be packed into one UDP packet. When the packet size is too large, fragmentation is possible at the IP layer. This causes a high number of packet drops and therefore degraded performance.
Conditions:
When downloading using APM tunnels.
Impact:
High number of packet drops and inferior performance.
Workaround:
None.
Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.
648316 : Flows using DEFLATE decompression can generate an error message during flow tear-down.
Solution Article: K10776106
Component: TMOS
Symptoms:
Repeated entries in the ltm log will show a completion-code error (comp_code=4) as in the following:
Zip engine ctx eviction (comp_code=4): ctx dropped.
Conditions:
The problem occurs when a flow that requests DEFLATE decompression is terminated when the compression engine is still in the middle of working on an incomplete DEFLATE block.
Impact:
False errors can appear:
o In fields of tmctl rst_cause_stat table, false stats counters will increment for compression and packet errors.
o Log entries with the "Zip engine... (comp_code=4)" appear in ltm log.
Monitors observing the ltm log or stats in the tmctl rst_cause_stat table will see false positives.
Workaround:
Disable hardware acceleration.
Fix:
A new Tcl variable, nitrox::comp_suppress_itrunc, was added. It defaults to NO, which yields the legacy behavior. Setting it to YES causes comp_code=4 (ITRUNC) errors to no longer propagate as an error.
To enable the feature, add the following line to /config/tmm_init.tcl:
nitrox::comp_suppress_itrunc yes
You must restart tmm for the change to take effect.
648083-1 : APM rewrite process may incorrectly handle the eval() function.
Solution Article: K83700745
Component: Access Policy Manager
Symptoms:
Errors indicated by web-application.
Other potential symptoms include incorrect rendering for some pages and/or links not rewritten in web applications.
Conditions:
Using indirect references to native eval function in web-application code.
For example, using a function in the web application's code similar to the following:
function f(n) {
    var e = eval;
    return e(n);
}
f(some_text)
Impact:
Application does not work correctly via Portal Access.
Workaround:
Use a custom iRule.
Fix:
Now Portal Access supports calling eval() using indirect references. This improves web-application compatibility.
647944-3 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
Component: TMOS
Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.
Conditions:
A FIX profile is in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:
- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.
Impact:
Traffic disrupted while mcpd restarts.
Fix:
Prevented MCP from crashing when the FIX profile is edited.
647757-1 : RATE-SHAPER:Fred not properly initialized may halt traffic
Solution Article: K96395052
Component: Local Traffic Manager
Symptoms:
RATE-SHAPER:Fred is not properly initialized and might halt traffic.
Conditions:
Initialize RATE-SHAPER:Fred as the drop policy using its default properties.
Impact:
Traffic is halted.
Workaround:
There are two possible workarounds:
-- Initialize the drop policy fred to the value of 9999 instead of default 0.
-- Use RED as drop policy instead of fred.
647165 : A monitor may unexpectedly transition from up to down and back to up.
Component: Local Traffic Manager
Symptoms:
A pool member or node monitor may unexpectedly transition from up to down and back to up even though the pool member or node has not failed.
Conditions:
One or more of FTP, IMAP, POP3, or SMTP monitors are in use. This might also occur with monitor types other than those listed.
Impact:
BIG-IP system might send a premature FIN on the connection. This might result in unexpected monitor flapping even though the monitored object has not failed.
Workaround:
None.
Fix:
The BIG-IP system no longer sends a premature FIN on the connection, so unexpected monitor flapping no longer occurs in this case.
646643-3 : HA standby virtual server with non-default lasthop settings may crash.
Solution Article: K43005132
Component: Local Traffic Manager
Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.
Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).
-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).
Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.
646604-3 : Client connection may hang when NTLM and OneConnect profiles used together
Solution Article: K21005334
Component: Local Traffic Manager
Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is re-used. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.
Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.
Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.
Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.
Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.
646443-3 : Ephemeral Node may be errantly created in bigd, causing crash
Solution Article: K54432535
Component: Local Traffic Manager
Symptoms:
When FQDN ephemeral nodes are used at the same time as static node objects, and those objects change (through DNS resolver changes or manual changes to static nodes), one may be misidentified as the other during an update, causing a crash in bigd.
Conditions:
FQDN Nodes and Static Nodes being used. Change in node settings or creation/deletion of nodes.
Impact:
Bigd crashes, causing interruption in monitoring.
Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.
Fix:
Fixed the case where misidentification could occur; bigd no longer crashes.
645684-1 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
Component: Access Policy Manager
Symptoms:
Flash ActionScript 3 application components are loaded into the incorrect ApplicationDomain, and in rare cases this may cause errors in the application.
Conditions:
This can occur when viewing Flash video while connected to APM.
Impact:
Flash applications might fail to render through Portal Access.
Workaround:
None.
Fix:
Flash files accessed through Portal Access now load components into the correct ApplicationDomain. This improves compatibility with Flash applications.
645615-3 : zxfrd may fail and restart after multiple failovers between blades in a chassis.
Solution Article: K70543226
Component: Global Traffic Manager (DNS)
Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.
Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.
Impact:
zxfrd will create a core file and restart, picking up where it left off.
Workaround:
None.
Fix:
The cause of the failure is now addressed.
645197-2 : Monitors receiving unique HTTP "success" response codes may stop monitoring after status change
Component: Local Traffic Manager
Symptoms:
Monitors that receive unique HTTP/1.1 200 (success) responses accumulate those responses in the monitor history. Upon a monitor status change (such as to "fail"), this history is sent from 'bigd' to 'mcpd' to indicate the monitor's new status, plus historical context. If no monitor status change is detected for an extended time (days or weeks) while the web server returns unique status codes, the history can grow too large. When the status then changes (such as from "success" to "fail"), the notification from 'bigd' to 'mcpd' fails because the history is too large, and the monitor remains in its previous state ("success"). 'bigd' properly records the monitor status and continues to monitor, but 'mcpd' is not notified of the status change because the message could not be sent.
This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating "success"), as 'bigd' will elide/merge the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (for example, by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history will continue to grow for that monitor until a status-change is detected.
Conditions:
Web server returns unique HTTP/1.1 200 (success) codes, such as an included date/time stamp; and success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from "success" to "fail").
Impact:
The monitor will remain in the "success" state, as the status-change will be "lost" ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes, and again forwards status-change notifications for that monitor to 'mcpd'.
Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes; thus, receiving the same return-code will elide/merge with previously accumulated values in the monitor history.
Fix:
HTTP/1.1 200 codes with unique values accumulate for limited history, rather than unbounded history, such that monitor status change notifications are always recorded.
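An added Python model (not F5 code) of the history growth described above: identical consecutive responses are merged, unique responses are not, and a constructed limit MAX_NOTIFY_BYTES stands in for the bigd-to-mcpd message limit the note does not quantify; max_entries models the fix's limited history.

```python
from collections import deque
from typing import Deque, Optional, Tuple

# Constructed stand-in for the maximum bigd-to-mcpd message size (not a real value).
MAX_NOTIFY_BYTES = 4096


class MonitorHistory:
    """Per-monitor response history with merge-identical semantics.

    max_entries=None models the unbounded history of the affected releases;
    a finite value models the fixed behaviour (limited history).
    """

    def __init__(self, max_entries: Optional[int] = None) -> None:
        self.max_entries = max_entries
        self.entries: Deque[Tuple[str, int]] = deque()  # (response line, repeat count)

    def record(self, response: str) -> None:
        # Identical consecutive responses merge into one counted entry, so a server
        # that always returns the same 200 line keeps the history small.
        if self.entries and self.entries[-1][0] == response:
            line, count = self.entries[-1]
            self.entries[-1] = (line, count + 1)
            return
        self.entries.append((response, 1))
        if self.max_entries is not None:
            while len(self.entries) > self.max_entries:
                self.entries.popleft()  # drop the oldest context, keep the newest

    def serialize(self) -> bytes:
        return "\n".join(f"{count}x {line}" for line, count in self.entries).encode()


def notify_status_change(history: MonitorHistory, new_status: str) -> bool:
    """True if the status-change message fits; False models the lost notification
    that leaves the monitor stuck in its previous state."""
    payload = new_status.encode() + b"\n" + history.serialize()
    return len(payload) <= MAX_NOTIFY_BYTES


def simulate(unique_responses: bool, probes: int,
             max_entries: Optional[int] = None) -> bool:
    """Run `probes` successful checks, then report whether a change to 'down' is delivered."""
    history = MonitorHistory(max_entries)
    for i in range(probes):
        # A server that appends a transaction ID to its 200 line defeats merging.
        line = f"HTTP/1.1 200 OK txid={i}" if unique_responses else "HTTP/1.1 200 OK"
        history.record(line)
    return notify_status_change(history, "down")
```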
645179-3 : Traffic group becomes active on more than one BIG-IP after a long uptime
Component: TMOS
Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.
Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- One or more traffic groups are configured.
-- The BIG-IP systems have a long uptime.
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.
Fix:
Traffic groups no longer become active on more than one BIG-IP system in a device group after a long uptime interval.
645101-4 : OpenSSL vulnerability CVE-2017-3732
Solution Article: K44512851
645058-1 : Modifying SSL profiles in GUI may fail when key is protected by passphrase
Component: Local Traffic Manager
Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:
01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.
This can occur even when the passphrase already in the SSL profile is correct.
Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.
Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:
tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }
Impact:
User cannot update client SSL profile via the GUI.
Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.
Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.
645036-4 : Removing pool from virtual server does not update its status
Solution Article: K85772089
Component: Local Traffic Manager
Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.
Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.
Impact:
The virtual server will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.
Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.
Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.
Fix:
Associating a pool with the virtual server now correctly updates the virtual server status.
644970-2 : Editing a virtual server config loses SSL encryption on iSession connections
Component: Wan Optimization Manager
Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.
Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.
Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.
Workaround:
Modify the virtual server's configured server-side iSession profile. For example, toggle the iSession profile from A to B and then back to A.
Fix:
Editing a virtual server configuration no longer deletes an iSession dynamically configured default server-ssl profile.
644904-4 : tcpdump 4.9
Solution Article: K55129614
644693-4 : Fix for multiple CVE for openjdk-1.7.0
Solution Article: K15518610
644489-2 : Unencrypted iSession connection established even though data-encrypt configured in profile
Solution Article: K14899014
Component: Wan Optimization Manager
Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.
Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
1) An error occurs during dynamic server-ssl profile replacement.
2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.
In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.
Impact:
An unencrypted iSession connection may be established, which is inconsistent with data-encrypt being enabled in the server-side iSession profile.
Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.
Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
2) An error occurs during dynamic server-ssl profile replacement.
644220-2 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
Component: Global Traffic Manager (DNS)
Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.
Conditions:
This happens under certain configurations of Self IPs, GTM Servers, GTM Links, and LTM Virtual Servers.
Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.
Workaround:
None.
Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.
644184-1 : ZebOS daemons hang while AgentX SNMP daemon is waiting.
Solution Article: K36427438
Component: TMOS
Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.
Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive, which can be caused by several issues, such as snmpd calling an external script that takes several moments to return, or mcpd being slow to respond to snmpd queries.
Impact:
Dynamic routing may be halted for as long as the AgentX daemon is busy.
Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.
Fix:
ZebOS daemons no longer hang while AgentX is waiting.
644112-4 : Permanent connections may be expired when endpoint becomes unreachable
Solution Article: K56150996
Component: Local Traffic Manager
Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.
Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.
Impact:
Tunnel, or other affected connection, will not pass traffic.
Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.
Fix:
Routing updates can no longer lead to expired permanent connections.
643777-3 : LTM policies with more than one IP address in TCP address match may fail
Solution Article: K27629542
Component: Local Traffic Manager
Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.
Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.
Impact:
The action configured with the match may not be taken.
Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.
Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.
643631-1 : Serverside connections on virtual servers using VDI may become zombies.
Solution Article: K70938130
Component: Local Traffic Manager
Symptoms:
Listing connections with "tmsh show sys connection all-properties" (be cautious executing this command, as it could have a performance impact) will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.
Conditions:
APM provisioned and VDI (Virtual Desktop Infrastructure) is configured on the affected virtual.
Impact:
Zombie connections consume memory that cannot be reclaimed. Potential out-of-memory condition.
Workaround:
None.
Fix:
Expired serverside connections are properly torn down.
643582-1 : Config load with large ssl profile configuration may cause tmm restart
Component: Local Traffic Manager
Symptoms:
When loading a configuration with a large number of SSL profiles, tmm may become busy enough that the MCP TCP connection goes down, causing a tmm restart.
Conditions:
Doing a full config load with a large number of SSL profiles.
Impact:
Possible tmm restart.
Workaround:
Doing an incremental sync of changes can avoid this issue.
Fix:
A full configuration reload with a large number of SSL profiles may cause a tmm restart.
643375-2 : TMM may crash when processing compressed data
Solution Article: K10329515
643210-1 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
Solution Article: K45444280
Component: Local Traffic Manager
Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.
Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.
Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.
Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.
Fix:
The BIG-IP no longer deletes keys from the SafeNet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.
Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.
Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.
Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.
643187-3 : BIND vulnerability CVE-2017-3135
Solution Article: K80533167
642400-1 : Path MTU discovery occasionally fails
Component: Local Traffic Manager
Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.
Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.
Impact:
The connection may stall as large TCP segments are continually retransmitted.
Workaround:
Configure the MSS in the TCP profile to match the lowest MSS on the path, or disable Path MTU discovery with the tm.pathmtudiscovery database key.
Fix:
Path MTU discovery functions correctly with the TCP profile.
642298-2 : Unable to create a bidirectional custom persistence record in MRF SIP
Component: Service Provider
Symptoms:
Setting a persistence key via iRule sets the persistence entry as uni-directional.
Conditions:
Setting a persistence key via iRule sets the persistence entry as uni-directional.
Impact:
Custom SIP persistence entries cannot be bidirectional.
Fix:
This change adds a new SIP::persist key to set or reset the persistence entry as bidirectional.
642068-2 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
Component: Policy Enforcement Manager
Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.
Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.
Impact:
PEM sessions remain in the marked-for-delete state.
Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.
Note: The value must be greater than 0 (zero).
Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.
642039-3 : TMM core when persist is enabled for wideip with certain iRule commands triggered.
Component: Global Traffic Manager (DNS)
Symptoms:
tmm cores with SIGSEGV.
Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable persist on wideip.
Note: Although this is not an ideal workaround, it provides a way to use those iRule commands without causing a tmm core.
Fix:
TMM no longer cores when persist is enabled for a wideip and certain iRule commands are triggered.
641512-3 : DNSSEC key generations fail with lots of invalid SSL traffic
Solution Article: K51064420
Component: Local Traffic Manager
Symptoms:
DNSSEC keys can roll over periodically. The rollover fails, leaving no keys with which to sign DNSSEC queries (no RRSIG records), when the BIG-IP is handling a lot of SSL traffic with invalid certificates.
The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.
Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include, but are not limited to, lots of SSL traffic with invalid certificates).
Impact:
DNSSEC key generations fail to be accepted by TMM, so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.
Workaround:
Restart the TMM after the new key generation is created.
Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.
641482-5 : Subscriber remains in delete pending state until a CCR-T acknowledgement with a SUCCESS Result-Code is received
Component: Policy Enforcement Manager
Symptoms:
The BIG-IP subscriber session will remain in the delete pending (stale) state if the acknowledgement received from Gx or Gy for the CCR-T request carries a Result-Code marked as Failure.
Conditions:
The stale session occurs during subscriber termination if any CCR-T request for Gx or Gy receives an acknowledgement with a non-SUCCESS value in the Result-Code AVP.
Impact:
The subscriber session in BIG-IP will stay in the delete pending (stale) state.
Workaround:
A tmm restart will clean up all the stale sessions.
Fix:
The session is now cleaned up when a CCR-T acknowledgement is received, irrespective of the Result-Code AVP.
641360-3 : SOCKS proxy protocol error
Solution Article: K30201296
640924-6 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
Component: Access Policy Manager
Symptoms:
On macOS Sierra (10.12), the LED icons on the Edge client's main UI buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.
Conditions:
macOS Sierra (10.12.x) and Edge client application.
Impact:
This is a display issue only. There is no functional impact to the system.
Workaround:
None.
Fix:
On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are now scaled correctly.
640768-1 : Kernel vulnerability: CVE-2016-10088
Solution Article: K05513373
640565-3 : Incorrect packet size sent to clone pool member
Solution Article: K11564859
Component: Local Traffic Manager
Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.
Conditions:
Clone pool is configured on a virtual server.
Impact:
Clone pool members may get traffic exceeding the link MTU.
Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable
640407-4 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
Component: Service Provider
Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.
Conditions:
Using an iRule command that gets or sets state in an MRF protocol filter or MR proxy during the CLIENT_CLOSED iRule event may cause a core, because the CLIENT_CLOSED event is raised after all state for the current connection has been freed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use iRule commands that get or set connection state during the CLIENT_CLOSED iRule event.
639617 : When AVR collects Page Load Time and/or session data, the Content-Length can be set incorrectly
Component: Application Visibility and Reporting
Symptoms:
When an analytics profile with the 'Page Load Time' and 'User Sessions' options is attached to a virtual server, it can sometimes incorrectly modify the Content-Length of HTML responses. This might happen due to memory corruption.
Conditions:
AVR collects session and/or 'Page Load Time' statistics.
Impact:
The response 'Content-Length' can be wrong.
Workaround:
Clear the 'Page Load Time' and 'User Sessions' collection options in the analytics profile.
Fix:
Potential memory corruption has been fixed. AVR sets the 'Content-Length' to the right value.
639395-1 : AVR does not display 'Max read latency' units.
Solution Article: K91614278
Component: Application Visibility and Reporting
Symptoms:
AVR does not display units for 'Max Read Latency'.
Conditions:
AVR, ASM, DoS, or AFM are provisioned.
Impact:
No units are displayed.
Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.
Fix:
Added units (microsecond) to AVR report.
639236-3 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
Solution Article: K66947004
Component: Service Provider
Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain a Contact header with an expires value of 0 that is not the last attribute.
Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1
Impact:
REGISTER is rejected with a '400 Bad Request' error message.
Workaround:
None.
Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.
638935-7 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★
Component: TMOS
Symptoms:
When you upgrade from an affected version, the configuration is saved before the system moves to the new version. Saving drops the enclosing quotes around the monitor string, which causes a load failure when booting into the new version.
Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.
Impact:
Configuration fails to load.
Workaround:
Manually edit each affected string in bigip.conf to add the enclosing quotes so that the configuration loads the first time.
Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added after upgrade to strings in the bigip.conf file, for example to a string such as \"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of 'list ltm monitor' and bigip.conf match, and reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.
If you have an escaped quote in your configuration and move to a software version that includes this fix, you cannot reload the configuration or the license (which also reloads the configuration). Doing so causes the config load to fail.
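The quoting rule above, as an added example that is not F5's code: a small Python check that applies the 638935 condition (an escaped double-quote with none of the listed characters present) to the recv, send, recv-disable and username attributes of a bigip.conf, reports the affected values, and adds the missing enclosing quotes, which is the manual edit the workaround describes. The sample monitor configuration is constructed, and the attribute names checked are the four the release note lists.

```python
import re

# Characters whose presence makes the config saver keep the enclosing quotes
# (from the release note: ' | { } ; # literal newline, literal space).
SAFE_CHARS = set("'|{};#\n ")

# Monitor attributes the release note names as affected (longest name first
# so 'recv' cannot match the start of 'recv-disable').
_ATTR_RE = re.compile(r'^(\s*)(recv-disable|recv|send|username)\s+(.*?)\s*$')

# Constructed sample: the recv string has already lost its enclosing quotes,
# recv-disable still has them, and send contains spaces so it is never affected.
SAMPLE_CONFIG = r'''ltm monitor http /Common/json_status {
    defaults-from /Common/http
    interval 5
    recv \"service_status\":\"on\".+\"maintenance\":\"off\"
    recv-disable "\"maintenance\":\"on\""
    send "GET /status HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
    timeout 16
}
'''


def _unquoted(value: str) -> str:
    """Strip one pair of enclosing double quotes, if present."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def is_affected(value: str) -> bool:
    """True when the string content meets the 638935 condition: it contains a
    backslash-escaped double-quote and none of the characters in SAFE_CHARS."""
    content = _unquoted(value)
    return '\\"' in content and not (SAFE_CHARS & set(content))


def ensure_quoted(value: str) -> str:
    """The manual workaround: wrap the value in double quotes if they are missing."""
    return value if value != _unquoted(value) else f'"{value}"'


def scan_config(text: str) -> list:
    """Return (line number, attribute, already_quoted) for every affected value.
    Unquoted hits are the ones that will fail to load; quoted hits are the ones
    that would lose their quotes on an affected version's save."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _ATTR_RE.match(line)
        if m and is_affected(m.group(3)):
            hits.append((lineno, m.group(2), m.group(3) != _unquoted(m.group(3))))
    return hits


def fix_config(text: str) -> str:
    """Return the config with enclosing quotes added to affected values that
    lack them; every other line is passed through unchanged."""
    fixed = []
    for line in text.split('\n'):
        m = _ATTR_RE.match(line)
        if m and is_affected(m.group(3)):
            line = f"{m.group(1)}{m.group(2)} {ensure_quoted(m.group(3))}"
        fixed.append(line)
    return '\n'.join(fixed)
```

Run scan_config over a saved bigip.conf before upgrading to list the strings that need attention; fix_config produces the edited file that the workaround asks for.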
638780-1 : Handle 302 redirects for VMware Horizon View HTML5 client
Component: Access Policy Manager
Symptoms:
Starting from v4.4, Horizon View HTML5 client is using new URI for launching remote sessions, and supports 302 redirect from old URI for backward compatibility.
Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.
Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.
Workaround:
For versions 11.6.x and 12.x:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}
when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}
when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}
Fix:
302 redirects for the VMware View HTML5 client are now handled properly.
638570-2 : "ACCESS::session remove" hangs in ACCESS_POLICY_COMPLETED
Component: Access Policy Manager
Symptoms:
"ACCESS::session remove" can hang if it is used within the ACCESS_POLICY_COMPLETED event. Other commands within the event may not execute.
Conditions:
when ACCESS_POLICY_COMPLETED {
    ACCESS::session remove
}
This iRule was also observed to hang, with the client not receiving the 401 response:
when ACCESS_POLICY_COMPLETED {
    ACCESS::respond 401 content "Error denied..."
    ACCESS::session remove
}
Impact:
ACCESS::session remove cannot be used in the ACCESS_POLICY_COMPLETED event, which may break some use cases. Some Access Exchange iRules are broken from this.
Fix:
Processing of "ACCESS::session remove" was reverted to an earlier version that does not exhibit this behavior.
638556-3 : PHP Vulnerability: CVE-2016-10045
Solution Article: K73926196
638137-1 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
Solution Article: K51201255
637666-3 : PHP Vulnerability: CVE-2016-10033
Solution Article: K74977440
637181-3 : VIP-on-VIP traffic may stall after routing updates
Component: Local Traffic Manager
Symptoms:
After a routing update, traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.
Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.
Impact:
Existing connections to the outer VIP may stall.
Workaround:
None.
Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.
636853-1 : Under some conditions, a change in the order of GTM topology records does not take effect.
Component: Global Traffic Manager (DNS)
Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.
Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.
Impact:
In certain configurations, the topology load balancing decision may not be made correctly.
Workaround:
Reload the GTM configuration or add/delete a topology record.
Fix:
Changes in the order of topology records now take effect immediately.
636702-2 : BIND vulnerability CVE-2016-9444
Solution Article: K40181790
636700-3 : BIND vulnerability CVE-2016-9147
Solution Article: K02138183
636699-4 : BIND vulnerability CVE-2016-9131
Solution Article: K86272821
636669-2 : bd log is full of 'Can't run patterns' messages
Solution Article: K37300224
Component: Application Security Manager
Symptoms:
The bd log is getting filled up with 'Can't run patterns' messages. A core might occur due to the I/O outage, and general traffic disturbance or slowness might occur.
Conditions:
Configuration change that relates to attack patterns happens while there is heavy traffic.
Impact:
Potential traffic outage/slowness. 'Can't run patterns' messages filling up the bd log file.
Workaround:
None.
Fix:
Fixed log throttling issue related to attack patterns configuration change.
636149 : Multiple monitor response codes to single monitor probe failure
Component: Local Traffic Manager
Symptoms:
When a probed resource is unavailable, the monitor probe failure (for example, for an HTTP monitor) is logged to '/var/log/ltm'. In some cases, for a probe that results in an 'Unable to connect' error, multiple log entries are made, with the *last* entry being the error that triggered the logging. The other entries made during this event are stale: they describe previous monitor probe behavior that was already logged.
This is due to an error where the 'Could not connect' event appends to a previous error message rather than overwriting any previous error message that is present.
Conditions:
A monitor probe (such as over HTTP) results in an 'Unable to connect' failure, and that specific monitor previously reported an error (which is now appended).
Impact:
No system behavior is affected, but multiple log entries are made. The *final* 'Could not connect' or 'Unable to connect' entry is relevant; the entries immediately above it are stale and not relevant, as they describe a previous issue that was already logged successfully.
Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last line of the '/var/log/ltm' entry, and ignore any entries for that specific monitor that appear immediately above the 'Could not connect' line.
Fix:
Previous monitor-log errors are now cleared when a 'Could not connect' error is reported, rather than appended to.
635933-1 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
Solution Article: K23440942
635561-3 : Heavy URLs statistics are not shown after upgrade.
Component: Application Visibility and Reporting
Symptoms:
Heavy URLs statistics are not shown after upgrade.
Conditions:
Upgrading to a newer version.
Impact:
Missing statistics.
Workaround:
None.
Fix:
Heavy URL statistics are now shown after upgrade.
635412-2 : Invalid mss with fast flow forwarding and software syn cookies
Solution Article: K82851041
635314-4 : vim Vulnerability: CVE-2016-1248
Solution Article: K22183127
635274-3 : SSL::sessionid command may return invalid values
Solution Article: K21514205
Component: Local Traffic Manager
Symptoms:
The SSL::sessionid iRule command might return random, invalid values. This also causes high CPU usage on TMM. This occurs when the SSL ID retrieved from SSL is on the stack and gets overwritten prior to use, resulting in a persist lookup loop which causes the high CPU. The issue is also associated with the SSL::sessionid iRule command because SSL::sessionid and SSL persistence use the same internal mechanism to retrieve the SSL session ID.
Conditions:
This issue occurs when either of the following conditions exists:
-- An iRule exists that queries the SSL::sessionid.
-- An SSL persist profile is configured on the virtual server.
Impact:
The iRule might not work as expected.
High CPU usage.
Workaround:
Do not use the SSL::sessionid iRule command.
Fix:
The SSL::sessionid iRule command returns the session ID as expected.
634371-3 : Cisco ethernet NIC driver
Component: TMOS
Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67.
Conditions:
N/A
Impact:
Cisco recommends using the updated version 2.3.0.12.
Fix:
Cisco VIC Ethernet NIC Driver 2.3.0.12 is now used.
634259 : IP tuple nexthop object can be freed while still referenced by another structure
Solution Article: K50166002
Component: Local Traffic Manager
Symptoms:
IP tuple nexthop object can be freed while still referenced by another structure.
Conditions:
This can happen if LSN is in use and the proxy connection takes some time to complete, creating a large enough time window where the nexthop object might be freed.
Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.
Workaround:
None.
Fix:
Management of IP tuple nexthop object reference counting is more consistent.
634001-1 : ASM restarts after deleting a VS that has an ASM security policy assigned to it
Component: Application Security Manager
Symptoms:
ASM restarts with the following errors:
'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------
Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.
Impact:
ASM restart
Workaround:
None.
Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.
633723-2 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
Component: Local Traffic Manager
Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.
Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.
Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.
See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.
Workaround:
None.
Fix:
The system now automatically runs nitrox_diag data collection when request queue stuck errors occur.
Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.
If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.
When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.
633465 : Curl cannot be forced to use TLSv1.0 or TLSv1.1
Solution Article: K09748643
Component: TMOS
Symptoms:
Curl fails when connecting to server that does not accept TLSv1.1 or TLSv1.2 handshakes. This occurs even if the "--tlsv1.0" or "--tlsv1.1" options to the curl command are used.
Conditions:
Curl is used to attempt to connect to a server that does not understand TLSv1.1 and/or TLSv1.2 handshakes. This occurs when using software v11.5.4 HF2 through 11.5.6 or v11.6.1 HF1 through 11.6.3.
Impact:
Curl will fail.
Workaround:
Use "curl-apd" rather than "curl". curl-apd does not currently implement TLSv1.1 or TLSv1.2.
Fix:
Curl now honors the tlsv version flag, so the system correctly uses TLSv1.0, TLSv1.1, or TLSv1.2, as specified.
632798-1 : Double-free may occur if Access initialization fails
Solution Article: K30710317
Component: Access Policy Manager
Symptoms:
Double-free may occur if Access initialization fails.
Conditions:
Access initialization failure occurs, possibly due to license issues.
Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.
632658-5 : Enable SIP::persist command to operate during SIP_RESPONSE event
Component: Service Provider
Symptoms:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.
Conditions:
The SIP::persist command is used during the SIP_RESPONSE event to change the timeout of a SIP persistence entry.
Impact:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.
Workaround:
None.
Fix:
It is now possible to change the timeout of a SIP persistence entry during SIP response message processing.
632646-2 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
Component: Access Policy Manager
Symptoms:
APM OAM login with an invalid ObSSOCookie results in an error page instead of a redirect to the login page.
Conditions:
This happens occasionally if the session cookie (ObSSOCookie) or the OAM session is deleted from the OAM server.
Impact:
OAM login with an invalid ObSSOCookie results in an error page. The expected behavior is that the user is redirected to the login page if login with the ObSSOCookie fails.
Workaround:
None.
Fix:
On authentication with an ObSSOCookie, APM now calls the getStatus() API to check the cookie's status and redirects to the IDP if the status is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix, a user logging in with a cookie that was deleted manually from the OAM server is redirected to the IDP.
632423-2 : DNS::query can cause tmm crash if AXFR/IXFR types specified.
Solution Article: K40256229
Component: Global Traffic Manager (DNS)
Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.
Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.
Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.
Workaround:
Do not explicitly use AXFR or IXFR query types.
If the [DNS::question type] command is being used to pass in the type dynamically, add a preceding check similar to the following:
if { not ([DNS::question type] ends_with "XFR") } {
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}
Fix:
The DNS::query command now logs an error in /var/log/ltm indicating that AXFR and IXFR are not valid types for DNS::query, and tmm no longer crashes as a result.
631722-2 : Some HTTP statistics not displayed after upgrade
Component: Application Visibility and Reporting
Symptoms:
Some statistics disappear after upgrade due to a bug in the HTTP statistics backup.
Conditions:
Upgrading to a newer version.
Impact:
Not all statistics are shown.
Workaround:
None.
Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.
631688-4 : Multiple NTP vulnerabilities
Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302
631627-5 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start
Component: TMOS
Symptoms:
Rebooting after applying BWC to a route domain stops VLAN traffic on a vCMP guest. You will experience connection failures when Bandwidth Controller (BWC) and Web Accelerator are enabled.
Running the 'tmsh show sys ha-status all-properties' command indicates that tmm is in 'ready-for-world', but the Fail status reads 'Yes' when this is triggered.
Conditions:
BWC is enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.
Impact:
The system does not come up fully. TMM does not reach a ready state and does not pass traffic.
Workaround:
Remove BWC from the route domain and then reapply it.
Fix:
With BWC enabled and associated with a route domain, Web Accelerator enabled, and the system rebooted, the system and TMM now come up fully and pass traffic.
631582-4 : Administrative interface enhancement
Solution Article: K55792317
631316-4 : Unable to load config with client-SSL profile error★
Solution Article: K62532020
Component: TMOS
Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'
Conditions:
This occurs when both of the following conditions are met:
-- The system is loading config.
-- The config contains a client SSL profile that has an RSA cert-key-chain whose key is the default key (/Common/default.key) but whose chain is non-empty, or whose cert differs from /Common/default.crt. For example:
cert-key-chain {
    cert /Common/default.crt    <==== default cert
    chain /Common/chainCA.crt   <==== non-empty
    key /Common/default.key     <==== default key
    rsa {
        cert /Common/default.crt    <==== default cert
        chain /Common/chainCA.crt   <==== non-empty
        key /Common/default.key     <==== default key
    }
}
Impact:
Configuration cannot be loaded.
Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.
Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:
cert-key-chain {
    cert /Common/kc.crt         <==== changed to non-default
    chain /Common/chainCA.crt
    key /Common/kc.key          <==== changed to non-default
    rsa {
        cert /Common/kc.crt         <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key          <==== changed to non-default
    }
}
4. Save your changes, and then run the following command:
tmsh load sys conf
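A pre-flight check for the condition described in 631316, as an added example that is not F5's code: a minimal parser for brace-delimited bigip.conf text and a check that flags any client-ssl profile whose cert-key-chain pairs /Common/default.key with a non-empty chain or with a cert other than /Common/default.crt. Running it over a saved bigip.conf before a load or upgrade lists the profiles that need the edit shown in the workaround. The sample configurations are constructed; the profile names in them are invented, and the parser assumes the one-attribute-per-line layout that bigip.conf uses.

```python
DEFAULT_CERT = "/Common/default.crt"
DEFAULT_KEY = "/Common/default.key"

# Constructed sample: one profile using the defaults correctly, one matching
# the problematic condition, one already adjusted as the workaround describes.
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/clientssl-default {
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
}
ltm profile client-ssl /Common/app-clientssl {
    cert-key-chain {
        default {
            cert /Common/default.crt
            chain /Common/chainCA.crt
            key /Common/default.key
        }
    }
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/fixed-clientssl {
    cert-key-chain {
        kc {
            cert /Common/kc.crt
            chain /Common/chainCA.crt
            key /Common/kc.key
        }
    }
}
"""

# Constructed sample in the flat cert-key-chain shape with an rsa sub-block,
# mirroring the example in the release note.
FLAT_FORM_CONF = """\
ltm profile client-ssl /Common/legacy-clientssl {
    cert-key-chain {
        cert /Common/default.crt
        chain /Common/chainCA.crt
        key /Common/default.key
        rsa {
            cert /Common/default.crt
            chain /Common/chainCA.crt
            key /Common/default.key
        }
    }
}
"""


def parse_tmsh(text: str) -> dict:
    """Parse brace-delimited tmsh text into nested dicts. A line ending in '{'
    opens a block named by the rest of the line, '}' closes it, and any other
    line is 'key value' (True when no value). Raises ValueError on unbalanced braces."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child: dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip() or True
    if len(stack) != 1:
        raise ValueError(f"unbalanced braces: {len(stack) - 1} block(s) left open")
    return root


def _walk(block: dict):
    """Yield a block and every block nested beneath it."""
    yield block
    for value in block.values():
        if isinstance(value, dict):
            yield from _walk(value)


def is_problematic_entry(entry: dict) -> bool:
    """The 631316 condition: default key, but a chain is set or the cert is not the default."""
    if entry.get("key") != DEFAULT_KEY:
        return False
    chain = entry.get("chain", "none")      # tmsh writes 'chain none' for an empty chain
    cert = entry.get("cert", DEFAULT_CERT)
    return chain != "none" or cert != DEFAULT_CERT


def find_default_key_conflicts(config: dict) -> list:
    """Names of client-ssl profiles whose cert-key-chain (flat, named, or rsa
    sub-block) would trigger the 'more than one set of same certificate/key type' error."""
    hits = []
    for name, body in config.items():
        if not name.startswith("ltm profile client-ssl ") or not isinstance(body, dict):
            continue
        ckc = body.get("cert-key-chain")
        if isinstance(ckc, dict) and any(is_problematic_entry(e) for e in _walk(ckc)):
            hits.append(name.split()[-1])
    return hits
```

For a partitioned configuration, run the check over each /config/partitions/<name>/bigip.conf as well as /config/bigip.conf, since the problematic profile may live in either.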
631204-2 : GeoIP lookups incorrectly parse IP addresses
Solution Article: K23124150
631172-3 : GUI user logged off when idle for 30 minutes, even when longer timeout is set
Component: TMOS
Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.
Conditions:
User is logged in to the GUI and idle for 20-30 minutes.
Impact:
User is logged out of the GUI.
Workaround:
None.
Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.
630475-4 : TMM Crash
Solution Article: K13421245
630446-2 : Expat vulnerability CVE-2016-0718
Solution Article: K52320548
629663-2 : CGNAT SIP ALG will drop SIP INVITE
Solution Article: K23210890
Component: Service Provider
Symptoms:
SIP INVITE message is dropped.
Conditions:
Subscriber registers and then attempts to call out.
Impact:
Subscriber not able to make calls.
Workaround:
None.
Fix:
The system now uses the expiration value from the SIP message, that is, either the expires parameter or the Expires header, to update the timeout of the registration record.
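An added example, not F5's code, covering two of the SIP entries above: the Contact header parsing from 639236 (an expires=0 parameter must be recognised wherever it sits in the parameter list, not only when it is last) and the registration timeout from 629663 (taken from the Contact expires parameter or the Expires header). The release note says "either"; the precedence this code applies, Contact parameter first, then Expires header, then a local default, is the RFC 3261 section 10.2.1.1 rule and is an assumption beyond what the page states. The REGISTER message is constructed, not captured traffic.

```python
import re

# Constructed sample REGISTER. The Contact header has the 639236 shape:
# expires=0 is followed by another parameter (q=0.1).
SAMPLE_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.42:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:+414000400@example.com>;tag=1928301774\r\n"
    "To: <sip:+414000400@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.42\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Either '[display-name] <uri>' followed by ;params, or a bare URI up to the first ';'.
_CONTACT_RE = re.compile(r'^(?:[^<]*<(?P<uri>[^>]*)>|(?P<bare>[^;]*))(?P<params>.*)$')


def parse_headers(message: str) -> dict:
    """Return {lowercased header name: value} for a SIP message. The compact
    form 'm' is expanded to 'contact'; repeated headers are joined with commas."""
    headers: dict = {}
    head = message.split('\r\n\r\n', 1)[0]
    for line in head.split('\r\n')[1:]:          # skip the request line
        name, sep, value = line.partition(':')
        if not sep:
            continue
        name = name.strip().lower()
        name = {'m': 'contact'}.get(name, name)
        value = value.strip()
        headers[name] = f"{headers[name]},{value}" if name in headers else value
    return headers


def _split_outside_brackets(value: str, sep: str) -> list:
    """Split on sep, ignoring separators inside <...> or quoted display names."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == '<':
                depth += 1
            elif ch == '>':
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append(''.join(cur))
                cur = []
                continue
        cur.append(ch)
    parts.append(''.join(cur))
    return parts


def parse_contact(value: str) -> list:
    """Parse a Contact header value into [{'uri': str, 'params': {name: value}}].
    Parameters are collected in any order, so expires=0 is found whether or
    not it is the last one; a value-less parameter is stored as None."""
    entries = []
    if not value.strip():
        return entries
    for part in _split_outside_brackets(value, ','):
        part = part.strip()
        if part == '*':
            entries.append({'uri': '*', 'params': {}})
            continue
        m = _CONTACT_RE.match(part)
        uri = m.group('uri') if m.group('uri') is not None else m.group('bare').strip()
        params = {}
        for p in m.group('params').split(';'):
            p = p.strip()
            if p:
                name, sep, val = p.partition('=')
                params[name.lower()] = val if sep else None
        entries.append({'uri': uri, 'params': params})
    return entries


def contact_expiry(contact: dict, headers: dict, default: int = 3600) -> int:
    """Requested expiration for one binding: Contact 'expires' parameter, else
    the Expires header, else the default (RFC 3261 10.2.1.1). Zero means the
    binding is being removed and is a valid value, not a parse error."""
    val = contact['params'].get('expires')
    if val is None:
        val = headers.get('expires')
    return default if val is None else int(val)


def register_bindings(message: str) -> list:
    """(contact URI, expiry seconds) for every Contact in a REGISTER."""
    headers = parse_headers(message)
    return [(c['uri'], contact_expiry(c, headers))
            for c in parse_contact(headers.get('contact', ''))]
```

A parser that stops reading parameters after the first expires=0, or that only accepts it in the final position, would reject the sample message with 400 Bad Request exactly as 639236 describes; this one returns a single binding with expiry 0, which is a de-registration.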
629530-3 : Under certain conditions, monitors do not time out.
Solution Article: K53675033
Component: Global Traffic Manager (DNS)
Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".
Conditions:
This can rarely occur when the monitor timeout period elapses while either no response has been received, or a response indicating that the resource is "down" has been received and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time and the monitor timeout value is evenly divisible by the monitor interval.
Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.
Workaround:
Disable the affected resources, and then enable them again.
Fix:
The resource status is now correct under all monitor timeout conditions.
628869-1 : Unconditional logs seen due to the presence of a PEM iRule.
Component: Policy Enforcement Manager
Symptoms:
TMM log files fill up.
Conditions:
Execution of an iRule containing the following iRule command:
PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>
Impact:
If the condition is encountered several times, the volume of log lines limits the gathering and traversal of relevant data in the TMM logs.
Workaround:
Do not use an iRule containing the iRule command PEM::subscriber config policy get.
Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.
628180-2 : DNS Express may fail after upgrade★
Component: Global Traffic Manager (DNS)
Symptoms:
After upgrade, TMM may not answer DNS Express (DNSX) zones until TMM is restarted or the DNSX zones are refreshed.
Conditions:
Upgrading from a previous version.
Impact:
DNS Express may fail to answer zones after upgrade.
Workaround:
Restart TMM, or force TMM to reload the DNS Express database by running "tmsh load ltm dns dns-express-db".
Fix:
TMM now answers DNSX zones after upgrade without requiring a TMM restart or DNSX zone refresh.
628164-2 : OSPF with multiple processes may incorrectly redistribute routes
Solution Article: K20766432
Component: TMOS
Symptoms:
When OSPF is configured with multiple processes that each redistribute a different route type, LSAs may be created in a process for a route of a type other than the one configured for redistribution into that process.
Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.
Impact:
Incorrect routing information in the network when OSPF converges.
Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.
Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.
OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.
627907-3 : Improve cURL usage
Solution Article: K11464209
627747-3 : Improve cURL Usage
Solution Article: K20682450
627246-2 : TMM memory leak when ASM policy configured on virtual server
Solution Article: K09336400
Component: Local Traffic Manager
Symptoms:
TMM leaks memory in hud_oob when an ASM policy is configured on a virtual server.
Conditions:
-- An ASM policy is configured on a virtual server.
-- URLs are accessed via the virtual server.
Impact:
The system leaks 64 bytes of memory per occurrence. TMM might run out of memory and eventually crash.
Workaround:
None, although removing the ASM policy from the virtual server alleviates the problem.
Fix:
A memory leak in hud_oob when an ASM policy is configured on a virtual server has been fixed.
626360-5 : TMM may crash when processing HTTP2 traffic
Solution Article: K22541983
625832-2 : A false positive modified domain cookie violation
Component: Application Security Manager
Symptoms:
An unexpected Modified Domain Cookie violation on a system that has more than 127 policies configured.
Conditions:
This occurs when more than 127 policies are configured, the Modified Domain Cookie violation is enabled, and there are enforced cookies.
Impact:
A false positive violation.
Workaround:
Remove the modified domain cookie violation from blocking.
Fix:
Fixed a false positive modified domain cookie violation.
625824-3 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
Component: TMOS
Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap usage to increase continuously and might lead to exhaustion of swap space.
Conditions:
This occurs with the iControl call bigip.Management.KeyCertificate.certificate_export_to_pem.
Impact:
iControlPortal.cgi memory usage increases.
Workaround:
Restart httpd to reload the iControl daemon.
Fix:
Fixed a memory leak associated with iControl.
625671-2 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
Component: Global Traffic Manager (DNS)
Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.
Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.
Impact:
dnsxdump provides incomplete diagnostic output, stopping at the zone containing the resource record with the non-standard type.
Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver allows dnsxdump to work again after the next zone transfer.
Fix:
dnsxdump now handles non-standard resource record types.
625542-4 : SIP ALG with Translation fails for REGISTER refresh.
Component: Service Provider
Symptoms:
SIP MBLB ALG translation mode does not translate a SIP REGISTER refresh message when it arrives on the original flow.
Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.
Impact:
The egressed SIP REGISTER message does not have translation applied, i.e., the Contact and Via headers are not translated.
Workaround:
None.
Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.
625376-1 : In some cases, download of PAC file by edge client may fail
Component: Access Policy Manager
Symptoms:
The Edge client may fail to download the PAC file and incorrectly apply the proxy configuration after the VPN connection is established.
Conditions:
- User machine proxy configuration points to a proxy auto-configuration file.
- Network access proxy configuration points to a proxy auto-configuration file.
- The PAC file URI in either case has uppercase characters.
- The PAC file is hosted on a server where resource names are case sensitive.
Impact:
The PAC file download fails, and the client uses incorrect proxy settings because the PAC file is unavailable.
Workaround:
Use only lowercase characters in the PAC file URI.
Fix:
The Edge client can now download PAC files from URIs that contain uppercase as well as lowercase characters.
625372-2 : OpenSSL vulnerability CVE-2016-2179
Solution Article: K23512141
625198-3 : TMM might crash when TCP DSACK is enabled
Component: Local Traffic Manager
Symptoms:
TMM crashes
Conditions:
All of the following are required to see this behavior:
-- DSACK is enabled.
-- MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.
-- cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.
-- An iRule exists that changes any of the conditions above besides DSACK.
-- Various client packet combinations interact in certain ways with the iRule logic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Change any of the conditions above.
Fix:
TCP maintains state appropriately to avoid crash.
625098-1 : SCTP::local_port iRule not supported in MRF events
Component: Service Provider
Symptoms:
SCTP::local_port iRule not supported in MRF events
Conditions:
MRF events are used, such as MR_INGRESS, MR_EGRESS, and MR_FAILED.
Impact:
SCTP::local_port won't work under MR events.
Fix:
The SCTP::local_port iRule command is now supported in MRF events.
624903-3 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
Solution Article: K55102452
624876-3 : Response Policy Zones can trigger even after entry removed from zone
Component: Global Traffic Manager (DNS)
Symptoms:
If an entry (resource record) is removed from a response policy zone, it may still trigger as a match for RPZ.
Conditions:
-- An RPZ zone contains an entry, for example badzone.example.com.
-- That entry is subsequently removed.
Impact:
The badzone.example.com entries will continue to be blocked by RPZ, even though the item has been removed.
Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin and restart the system using the following command: bigstart restart zxfrd.
This recreates the databases without the remnants of the deleted entries.
Fix:
The deleted entries are now properly handled and no longer trigger incorrect matches.
624826-3 : mgmt bridge takes HWADDR of guest vm's tap interface
Component: TMOS
Symptoms:
The MGMT interface becomes unreachable and stops responding to traffic. While the guest is in the provisioned state, the MAC address assigned to mgmt is correct (taken from the base MAC). When the guest enters the deployed state, the MAC address on the host mgmt interface changes and becomes exactly the same as the mgmt_vm_tap MAC.
Conditions:
The platform shipped with a "low" F5 base_mac
A Linux bridge by default takes as its mac the lowest mac of its constituent interfaces. This did not cause a problem before because F5 Networks systems' baseMacs have historically been "low", e.g., with legacy_baseMacs in {00:01:D7, 00:0A:49, 00:23:E9}.
When a guest tap interface is added to the mgmt bridge, the bridge takes its Linux default action, which is to take as its mac the lowest mac address of its constituent interfaces. With the comparison min(eth0's mac, guestTap's mac) returning guestTap's mac, the mgmt bridge incorrectly assumes a guestTapIntfc mac.
Impact:
Connectivity to the vCMP host platform is lost when the guest is deployed.
Workaround:
Use ifconfig to ensure that the MAC address of the mgmt bridge never changes from that of eth0. For example, the following command sets the MAC of the bridge to the value passed as the last argument:
ifconfig <bridge name, e.g., mgmt> hw ether <MAC of eth0>
Note: This assumes that eth0 will always be contained in the mgmt bridge.
Fix:
The system now uses ifconfig to assign the mac of interface eth0 to bridge mgmt.
624744-4 : Potential crash in a multi-blade chassis during CMP state changes.
Component: Policy Enforcement Manager
Symptoms:
Potential TMM crash resulting in flows being impacted.
Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.
Impact:
Traffic disrupted while tmm restarts.
Fix:
NULL check has been added prior to calling a callback for asynchronous handling.
624616-3 : Safenet uninstall is unable to remove libgem.so
Component: Local Traffic Manager
Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:
rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.
Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.
Impact:
Uninstall is unable to complete.
Workaround:
None.
Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.
624570-3 : BIND vulnerability CVE-2016-8864
Solution Article: K35322517
624526-1 : TMM core in mptcp
Solution Article: K10002335
624457-3 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
Solution Article: K10558632
624263-3 : iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response
Component: TMOS
Symptoms:
For profiles, iControl REST does not provide visibility of a profile property override when "none" is specified, including for references, passwords, and arrays of strings.
Conditions:
-- Use iControl REST API.
-- A string, enum, or vector of enum/string property is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.
Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.
Workaround:
None.
Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.
624245 : Hung tasks leading to system problems and lack of management access via ssh/GUI
Component: TMOS
Symptoms:
Problems with bigd, snmpd and other daemons. System becomes inaccessible via ssh and GUI.
Hung tasks recorded in kern logs, typically snmpd, bigd, chmand, big3d hung.
Caused by a CentOS kernel bug in the netlink code, where a mutex is left locked on an error path.
Conditions:
Seen when a system is handling heavy SNMP traffic and memory is low.
Impact:
SNMP traffic fails with hung tasks. Reboot required.
Workaround:
Reducing SNMP load appears to avoid or postpone the problem.
624193-1 : Topology load balancing not working as expected
Component: Global Traffic Manager (DNS)
Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.
Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool shares the highest assigned score for a particular load balancing decision.
Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.
Workaround:
Topology records and pools can be configured to avoid the conditions that trigger this issue.
Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.
624091 : DHCP relay is not forwarding all of the DHCPOFFERS to clients
Component: Policy Enforcement Manager
Symptoms:
After upgrading from v11.5.3 to v11.6.1, DHCPOFFER packets are silently dropped.
Conditions:
If DHCP clients send broadcast DHCP packets with a non-zero unicast source IP address through the BIG-IP system, as well as regular DHCP discovery packets (0.0.0.0 source IP address), multiple client connection flows are created. After some of these age out, the BIG-IP system may stop relaying DHCP server replies back to the clients.
Impact:
The BIG-IP system stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.
Workaround:
Manually delete all system connection flows by doing "delete sys conn" under tmsh.
624023-1 : TMM cores in iRule when accessing a SIP header that has no value
Component: Service Provider
Symptoms:
When an iRule is used to access a SIP header attribute that has no value, TMM cores.
Conditions:
An iRule accesses the value of a SIP message header attribute that has no value, for example:
"Supported: " IEOL
"Session-Expires:" IEOL
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround.
Fix:
Fix includes adjusting the buffer offset properly to handle the empty header attributes while parsing the SIP message.
623930-2 : vCMP guests with vlangroups may loop packets internally
Component: TMOS
Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.
Conditions:
vCMP guest, vlangroups.
Impact:
High CPU utilization and potentially undelivered packets.
Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.
Fix:
Packets are no longer looped between vlangroup children on vCMP guests.
623922-1 : TMM failure in PEM while processing Service-Provider Disaggregation
Solution Article: K64388805
Component: Policy Enforcement Manager
Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.
Conditions:
System crashes when traffic flows and rules get executed on the flow.
Impact:
System crashes.
Workaround:
Set Service-Provider Disaggregation to sp as suggested by documentation.
Fix:
There is no longer a TMM failure in PEM while processing Service-Provider Disaggregation.
623562-1 : Large POSTs rejected after policy already completed
Component: Access Policy Manager
Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64 KB. The client sees a reset, and these error messages appear on the BIG-IP system:
/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big
/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960
Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.
Impact:
Clients are unable to send POST bodies to '/' that are larger than 64 KB, even though the policy has already been evaluated to allow.
Workaround:
Move the resource from '/' to another URL.
Fix:
The logic of '/' in this area was changed to be consistent with other URLs.
623401-4 : Intermittent OCSP request failures due to non-optimal default TCP profile setting
Component: TMOS
Symptoms:
The connection between the BIG-IP system and the OCSP responder is unreliable because it uses the default internal TCP configuration, which does not fit this usage well.
Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.
Impact:
The BIG-IP as a SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added in the Server Hello message in the TLS handshakes to the SSL client.
Workaround:
The fix introduces an optimized TCP configuration for the connection between the BIG-IP system and the OCSP responder, which makes the connection reliable. The virtual server can therefore now always correctly staple the certificate status in the Server Hello message to the SSL client.
623336-2 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
Component: TMOS
Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.
Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)
Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions.
This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.
Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:
1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
touch /service/mcpd/forceload && reboot
3. After reboot, verify that the two files match (they should have the same checksum):
md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt
Fix:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.
623135 : BIG-IP virtual server TCP sequence numbers vulnerability (CVE-2002-1463)
Solution Article: K68401558
Component: Local Traffic Manager
Symptoms:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html
Conditions:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html
Impact:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html
Fix:
For more information, see SOL68401558: BIG-IP virtual server TCP sequence numbers vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/68/sol68401558.html
623119-6 : Linux kernel vulnerability CVE-2016-4470
Solution Article: K55672042
623037-1 : delete of pem session attribute does not work after a update
Component: Policy Enforcement Manager
Symptoms:
It is not possible to delete the session attribute through rules.
Conditions:
Rules that update and then delete a session attribute.
Impact:
Unable to delete the session attribute.
622856-3 : BIG-IP may enter SYN cookie mode later than expected
Component: Local Traffic Manager
Symptoms:
BIG-IP entry to SYN cookie mode may not occur even though traffic pattern would dictate that it should.
Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.
Impact:
BIG-IP does not enter SYN cookie mode at the expected time.
Workaround:
Disable verified accept on all VIP TCP profiles.
Fix:
BIG-IP correctly enters SYN cookie mode when the traffic pattern dictates that it should.
622830 : LDAP type CRLDP is parsed incorrectly
Component: Access Policy Manager
Symptoms:
After upgrading to 11.6.1 HF1, CRLDP authentication stopped working.
It can be seen from following sample log that the URL is not parsed correctly:
warning apd[15314]: 0149015e:4: fc98d22d: CRLDP Auth agent: CRL lookup failed for LDAP url 'ldap::::389//crl.certificate.../..../certificaterevocationlist?certificateRevocationList' reason 'Invalid CRLDP URL.
Conditions:
The problem occurs only when LDAP type CRLDP is available in the client certificate and it is used from the CRL Distribution Points list.
Impact:
Users may fail access policy evaluation when client certification is used.
Workaround:
Use non-LDAP distribution points in the certificate, or, if multiple distribution points are present in the client certificate, make sure a non-LDAP scheme succeeds before the LDAP CRLDP is reached.
Fix:
The system now parses LDAP type CRLDP URL correctly, so after upgrading, CRLDP authentication now works as expected.
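For readers who need to check CRL Distribution Point URLs of this kind, the following is an added example (not F5 code) of a strict RFC 4516 LDAP URL parser: it extracts host, port, DN, the requested attribute (certificateRevocationList, which a CRLDP fetch needs), scope and filter, applies the RFC defaults for omitted fields, and rejects strings whose scheme delimiter is mangled in the way the log line above shows. The URLs and host names in it are constructed samples.

```python
"""Strict RFC 4516 LDAP URL parser for CRL Distribution Point (CRLDP) URLs.

Added example; not F5 code.
Grammar: ldap[s]://[host[:port]][/dn[?attrs[?scope[?filter[?exts]]]]]
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = {"base", "one", "sub"}


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]           # None: RFC 4516 "use a default server"
    port: int
    dn: str
    attributes: List[str] = field(default_factory=list)   # empty: all user attributes
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: List[str] = field(default_factory=list)


def _parse_hostport(hostport: str, default_port: int) -> Tuple[Optional[str], int]:
    """Accept exactly 'host[:port]' or '[ipv6][:port]'; anything else is an error."""
    if not hostport:
        return None, default_port
    if hostport.startswith("["):                          # IPv6 literal
        end = hostport.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, tail = hostport[1:end], hostport[end + 1:]
        if tail and not tail.startswith(":"):
            raise ValueError(f"unexpected text after IPv6 literal: {tail!r}")
        colon, port_str = tail[:1], tail[1:]
    else:
        host, colon, port_str = hostport.partition(":")   # a second ':' lands in port_str
    if not host:
        raise ValueError("empty host")
    if not colon:
        return host, default_port
    if not port_str.isdigit() or not 0 < int(port_str) < 65536:
        raise ValueError(f"bad port: {port_str!r}")
    return host, int(port_str)


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, port = _parse_hostport(hostport, DEFAULT_PORTS[scheme])
    # dn?attributes?scope?filter?extensions -- each field may be empty (= default)
    fields = tail.split("?")
    if len(fields) > 5:
        raise ValueError("more than five '?'-separated fields")
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields)
    scope = scope.lower() or "base"
    if scope not in VALID_SCOPES:
        raise ValueError(f"bad scope: {scope!r}")
    return LdapUrl(
        scheme=scheme, host=host, port=port, dn=dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope,
        filter=filt or "(objectClass=*)",
        extensions=[e for e in exts.split(",") if e],
    )


def crldp_requests_crl(url: str) -> bool:
    """True when the URL parses and asks for certificateRevocationList
    (optionally with ';binary'), i.e. the attribute a CRLDP client must fetch."""
    try:
        parsed = parse_ldap_url(url)
    except ValueError:
        return False
    return any(a.split(";")[0].lower() == "certificaterevocationlist"
               for a in parsed.attributes)


# Constructed sample URLs (not taken from the release note).
GOOD_URL = ("ldap://crl.example.com:389/CN=Example%20CA,OU=PKI,DC=example,DC=com"
            "?certificateRevocationList?base?(objectClass=cRLDistributionPoint)")
# Same shape as the string in the log above: the '://' delimiter has been mangled.
MANGLED_URL = "ldap::::389//crl.example.com/CN=Example%20CA?certificateRevocationList"

if __name__ == "__main__":
    u = parse_ldap_url(GOOD_URL)
    print(f"host={u.host} port={u.port} dn={u.dn!r} attrs={u.attributes} scope={u.scope}")
    print("CRL attribute requested:", crldp_requests_crl(GOOD_URL))
    try:
        parse_ldap_url(MANGLED_URL)
    except ValueError as exc:
        print("rejected:", exc)
```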
622619-3 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
Component: TMOS
Symptoms:
MCPd cpu utilization is high and renders it unresponsive.
Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.
Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.
Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.
622496-6 : Linux kernel vulnerability CVE-2016-5829
Solution Article: K28056114
622244-1 : Edge client can fail to upgrade when always connected is selected
Component: Access Policy Manager
Symptoms:
Attempt to upgrade an Edge client may fail if the Always Connected mode is enabled
Conditions:
Always Connected is selected in BIG-IP when upgrading the client
Impact:
Upgrade will fail
Workaround:
Disable the Always Connected mode
Fix:
Upgrade functions as intended regardless of connection mode
622220-3 : Disruption during manipulation of PEM data with suspected flow irregularity
Component: Policy Enforcement Manager
Symptoms:
tmm crashes.
Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
Fixed a tmm crash related to manipulating Policy Enforcement Manager data.
622183-3 : The alert daemon should remove old log files but it does not.
Component: TMOS
Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.
Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.
Impact:
The log filesystem may become completely full, and new log messages cannot be saved.
Fix:
The alert daemon will now remove old log files as intended.
622178-3 : Improve flow handling when Autolasthop is disabled
Solution Article: K19361245
622166 : HTTP GET requests with HTTP::cookie iRule command receive no response
Component: Local Traffic Manager
Symptoms:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers do not get a response.
Conditions:
An LTM virtual server with an iRule including the HTTP::cookie command.
Impact:
No response is received by the client.
Workaround:
None.
Fix:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers now get a response as expected.
622133-4 : VCMP guests may incorrectly obtain incorrect MAC addresses
Component: TMOS
Symptoms:
vCMP guests may be re-configured to use MAC addresses based off an all zero MAC address (00:00:00:00:00:00).
The 'tmsh show net vlan' command will show the vlan interfaces having mostly 0's in the MAC address:
-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag
-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag
Conditions:
For this to manifest, the vCMP host vcmpd process must have previously crashed or been killed.
In this scenario, vcmpd on restart uses a default zero-based MAC address for the guests.
The guests do not use the new zero-based MAC until services are restarted on the guest, at which point the new MAC address takes effect.
Impact:
This can cause network issues and conflicts if occurring on multiple guests in the same VLAN as the same MAC addresses will be used.
Workaround:
Restart the guest from the hypervisor.
Fix:
vCMP no longer uses zero-based MACs on vcmpd crash/kill.
622126-3 : PHP vulnerability CVE-2016-7124
Solution Article: K54308010
621935-3 : OpenSSL vulnerability CVE-2016-6304
Solution Article: K54211024
621524-3 : Processing Timeout When Viewing a Request with 300+ Violations
Component: Application Security Manager
Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.
Conditions:
Attempting to view a request that triggered hundreds or thousands of violations
Impact:
A timeout is encountered.
Workaround:
Increase the "max_execution_time" timeout in /usr/local/lib/php.ini from 30 to 240 seconds.
Fix:
Processing high violation requests is now more efficient.
621452-3 : Connections can stall with TCP::collect iRule
Solution Article: K58146172
Component: Local Traffic Manager
Symptoms:
Connection does not complete.
Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.
-- The initial sequence number in the SYN, plus the length of the data in the first packet, plus 1, is greater than or equal to 2^31.
Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.
Impact:
-- Connection fails.
-- This issue can also cause the Configuration Utility's Device Management :: Overview page to stop responding.
Workaround:
There is no workaround at this time.
Fix:
The system now properly sets state variables associated with TCP::collect, so this issue no longer occurs.
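The trigger condition (ISN + data length + 1 >= 2^31) is exactly the boundary at which a 32-bit sequence number acquires its sign bit. The added example below (not TMM code) models one plausible way that bites, assumed here purely for illustration: a signed 32-bit state field whose negative values mean "nothing collected yet"; beside it is the corrected form, with unsigned storage, an explicit flag, and RFC 1982-style modular comparison that also survives wrap-around at 2^32. The ISNs and payload sizes are constructed.

```python
"""Why a signed 32-bit view of TCP sequence numbers fails once ISN + payload + 1
reaches 2^31, and the modular arithmetic that avoids it. Added example; not TMM code."""
from dataclasses import dataclass
from typing import Optional, Type

SEQ_MOD = 1 << 32
HALF = 1 << 31


def seq_add(seq: int, n: int) -> int:
    """Advance a sequence number with the wrap-around real TCP uses."""
    return (seq + n) % SEQ_MOD


def to_int32(x: int) -> int:
    """Reinterpret an unsigned 32-bit value as a C int32_t."""
    x &= 0xFFFFFFFF
    return x - SEQ_MOD if x >= HALF else x


def seq_after(a: int, b: int) -> bool:
    """RFC 1982-style ordering: a is after b if the wrapped difference lies in (0, 2^31)."""
    return 0 < (a - b) % SEQ_MOD < HALF


@dataclass
class SynWithData:
    isn: int           # initial sequence number carried in the SYN
    payload_len: int   # bytes in the first segment after the SYN


def next_expected(seg: SynWithData) -> int:
    # The SYN itself consumes one sequence number, then the payload bytes follow.
    return seq_add(seg.isn, 1 + seg.payload_len)


class BuggyCollector:
    """Illustrative assumption: the expected sequence number is kept in a signed
    32-bit field whose negative values mean 'no data collected yet'."""
    UNSET = -1

    def __init__(self) -> None:
        self.expected = self.UNSET

    def on_data(self, seg: SynWithData) -> None:
        self.expected = to_int32(next_expected(seg))   # sign bit set => looks unset

    def has_data(self) -> bool:
        return self.expected >= 0   # any value >= 2^31 is misread as 'nothing yet'


class FixedCollector:
    """Unsigned storage plus an explicit flag; ordering uses modular arithmetic."""

    def __init__(self) -> None:
        self.expected: Optional[int] = None

    def on_data(self, seg: SynWithData) -> None:
        self.expected = next_expected(seg)

    def has_data(self) -> bool:
        return self.expected is not None

    def advanced_past_isn(self, isn: int) -> bool:
        return self.expected is not None and seq_after(self.expected, isn)


def stall_condition(seg: SynWithData) -> bool:
    """The trigger as the release note states it: ISN + data length + 1 >= 2^31."""
    return seg.isn + seg.payload_len + 1 >= HALF


def collector_stalls(collector_cls: Type, seg: SynWithData) -> bool:
    """True if the collector fails to notice the data after one SYN+data exchange."""
    collector = collector_cls()
    collector.on_data(seg)
    return not collector.has_data()


if __name__ == "__main__":
    # Constructed samples: one ISN well below the 2^31 boundary, one just under it.
    for seg in (SynWithData(isn=0x10000000, payload_len=512),
                SynWithData(isn=0x7FFFFF00, payload_len=512)):
        print(f"isn=0x{seg.isn:08x} len={seg.payload_len}: "
              f"trigger={stall_condition(seg)} "
              f"buggy_stalls={collector_stalls(BuggyCollector, seg)} "
              f"fixed_stalls={collector_stalls(FixedCollector, seg)}")
```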
621417-1 : sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.
Component: TMOS
Symptoms:
On a BIG-IP system deployed in the AWS cloud, sys-icheck reports size and md5 errors for the /usr/share/defaults/bigip_base.conf file, as follows:
ERROR: S.5...... c /usr/share/defaults/bigip_base.conf (no backup)
Conditions:
BIG-IP deployed in AWS cloud.
Impact:
sys-icheck reports "rpm --verify" size and md5 errors for /usr/share/defaults/bigip_base.conf. This has no functional impact on the product, but it looks as if the factory configuration file was modified incorrectly by a user or application.
Workaround:
No workaround exists for this issue.
Fix:
This fix addresses the sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.
621337-3 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
Solution Article: K97285349
621273-4 : DSR tunnels with transparent monitors may cause TMM crash.
Component: TMOS
Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.
Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".
Impact:
Traffic disrupted while tmm restarts.
Fix:
The TMM does not crash.
621242 : Reserve enough space in the image for future upgrades.
Component: TMOS
Symptoms:
Increased the reserved free space in the VM image from 15% to 30% to accommodate upgrades to future versions. Each new version tends to be bigger and to require more disk space to install. The increased reserved space allows upgrading to at least the next two versions.
Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).
Impact:
Extends the disk image to reserve more disk space for upgrades.
Workaround:
N/A
Fix:
Increased the reserved free space on VE images.
621239-1 : Certain DNS queries bypass DNS Cache RPZ filter.
Component: Global Traffic Manager (DNS)
Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.
Conditions:
A DNS Cache configured with RPZ.
Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.
Fix:
The DO-bit is now ignored with respect to RPZ filtering.
621202-1 : Portal Access: document.write() with very long string as argument may be handled incorrectly.
Component: Access Policy Manager
Symptoms:
JavaScript code may include document.write() calls with very long strings (> 60K). In some cases these strings may be rewritten incorrectly.
Conditions:
- document.write() with very long string as argument.
- argument string contains HTML tags with quoted attribute values which include '>' inside.
Impact:
The rewritten HTML page may not work correctly.
Fix:
Now document.write() calls with long HTML strings are handled correctly by Portal Access.
620929-5 : New iRule command, MR::ignore_peer_port
Component: Service Provider
Symptoms:
For incoming connections where the client used an ephemeral source port, subsequent connections from the same client may use a different ephemeral port. Without a way to identify the current connection as equivalent to other connections from the same IP address, it is not discoverable as an equivalent connection.
Conditions:
For incoming connections where the client used an ephemeral source port, subsequent connections from the same client may use a different ephemeral port.
Impact:
Without a way to identify the current connection as equivalent to other connections from the same IP address, it is not discoverable as an equivalent connection.
Workaround:
Without this change, a new connection would need to be created to the client.
Fix:
The new iRule command allows the script author to identify the current connection as equivalent to other connections whose IP address and route domain ID match.
620922-1 : Online help for Network Access needs update
Component: Access Policy Manager
Symptoms:
Online help for advanced network settings does not tell users that if they fill in the DNS Address Space setting, they also need to install the DNS Relay Proxy service on Windows-based systems to get the desired result.
Conditions:
Split tunneling configured. Windows-based system in use. DNS Address Space setting filled in.
Impact:
Use of DNS Address Space setting does not provide the expected result.
Workaround:
Install the DNS Relay Proxy service on Windows-based systems.
Fix:
Network Access online help now states that for DNS Address Space to work properly on a Windows-based system, the DNS Relay Proxy service must be installed and running on the client.
620829-4 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
Component: Access Policy Manager
Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.
Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:
var a = { default: 1, continue: 2 };
Impact:
JavaScript code is not rewritten and may not work correctly.
Workaround:
None.
Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.
620759-5 : Persist timeout value gets truncated when added to the branch parameter.
Component: Service Provider
Symptoms:
Persist timeout value gets truncated when added to the branch parameter due to difference in storage type.
Conditions:
If the persist timeout value is higher than 65535, the value gets truncated.
Impact:
An incorrect persist timeout takes effect for the call, instead of the value set in the configuration.
Workaround:
None.
Fix:
Persist timeout value no longer gets truncated when added to the branch parameter.
620712-1 : Added better search capabilities on the Pool Members Manage & Pool Create page.
Component: Global Traffic Manager (DNS)
Symptoms:
A large number of virtual servers is hard to manage on the GSLB Pool Member Manage page.
Conditions:
Having a large number of virtual servers or wide IPs.
Impact:
Poor usability.
Workaround:
No workaround.
Fix:
The GSLB Pool Member Manage page now has a new search feature in the form of a combo box to allow for better management of a large number of virtual servers.
Behavior Change:
The GSLB Pool Member Manage page now has the new search feature to allow for better management of a large number of virtual servers.
620614-2 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
Component: Access Policy Manager
Symptoms:
The iOS Citrix Receiver fails to add a new store account: tapping Save after providing the credentials displays "Loading" and then returns to the previous Save option.
/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.
Alternatively, instead of the above error, the following error appears and the session ID is deleted abruptly:
Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).
Conditions:
APM is configured in Citrix replacement mode. The user enters wrong passcode values for RSA SecurID authentication three times in a row, which triggers the next-token prompt, and then enters the correct passcode on the fourth attempt. APM rotate session is enabled.
Impact:
The iOS Citrix Receiver cannot add the account after wrong token values were provided for two-factor authentication.
Workaround:
Kill the iOS Citrix receiver application and click on the receiver again to add the account.
Fix:
Use the right session id for decrypting the password.
620445-5 : New SIP::persist keyword to set the timeout without changing key
Component: Service Provider
Symptoms:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout> disables bidirectional persistence.
Conditions:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout>.
Impact:
Disables bidirectional persistence. Persistence entry only records destination (not source) of the session.
Workaround:
None.
Fix:
New keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key.
Behavior Change:
There is a new keyword, SIP::persist timeout <new_timeout>, that allows changing the timeout without changing the key. Previously, changing the timeout disabled bidirectional persistence.
620215-3 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
The fix was to properly handle the failure allocating memory.
619879-3 : HTTP iRule commands could lead to WEBSSO plugin being invoked
Component: Access Policy Manager
Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 BIG-IP3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor
With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 BIG-IP3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))
Conditions:
HTTP::disable followed by HTTP::enable in an iRule, for example:
when CLIENT_ACCEPTED {
    HTTP::disable
    # do some other work here
    HTTP::enable
}
Impact:
The client receives an HTTP 503 reset.
Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.
Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.
619849-2 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
Component: Local Traffic Manager
Symptoms:
TMM crashes with a SIGABRT (killed by sod)
Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in their TCP profiles that are handling traffic.
This issue occurs extremely rarely.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
Disable verified-accept in the TCP profile.
Fix:
The infinite loop has been fixed.
619757-3 : iSession causes routing entry to be prematurely freed
Component: Wan Optimization Manager
Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.
Conditions:
iSession-enabled virtual.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
No reasonable workaround short of not using iSession functionality.
Fix:
iSession no longer causes routing entries to be prematurely freed.
619710 : GUI gives error when clicking "Update" making changes to VS in Security-Policies
Component: Advanced Firewall Manager
Symptoms:
The GUI times out and generates an error when an ASM policy takes a long time to update (on the Virtual Server Security page).
Conditions:
When the same ASM policy is attached to hundreds of virtual servers, it takes longer to update.
Impact:
GUI times out before the changes are saved. Users will be able to see the updated changes only after refreshing the page.
Workaround:
Refresh the page in the browser once the error shows up.
Fix:
The GUI no longer times out when the ASM policy is updated.
619528-2 : TMM may accumulate internal events resulting in TMM restart
Component: Local Traffic Manager
Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.
Conditions:
HTTP virtual with long-lived connections.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.
Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.
619486-1 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
Component: Access Policy Manager
Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access can fail if the application modifies the window.self built-in object. As a result, the application stops working and may log an undefined variable/reference exception to the Developer Tools console.
To verify that window.self has been modified, run 'window.self == window' in the Developer Tools console of the affected page and check whether it returns 'false'.
Conditions:
This can occur if a web application has JavaScript that modifies the value of window.self.
Impact:
Affected web-applications will not work when accessed through Portal Access.
Workaround:
None
Fix:
Scripts on pages accessed through Portal Access no longer fail when web application code modifies window.self.
619398-4 : TMM out of memory causes core in DNS cache
Component: Global Traffic Manager (DNS)
Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.
Conditions:
This can occur when the TMM memory is exhausted.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Provision sufficient memory for the TMM or reduce load.
Fix:
A failure to allocate memory is now handled properly instead of crashing TMM.
619071-2 : OneConnect with verified accept issues
Component: Local Traffic Manager
Symptoms:
System may experience an outage.
Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed
Impact:
System outage.
Workaround:
Disable verified accept when using OneConnect on a VIP.
Fix:
Verified accept, OneConnect and hardware syncookies now work correctly together.
619060-2 : Reduction in boot time in BIG-IP Virtual Edition platforms
Component: TMOS
Symptoms:
BIG-IP Virtual Edition (VE) takes longer to boot than in previous releases.
Conditions:
The increased boot time occurs each time a VE is booted.
Impact:
Boot time is longer than in previous releases.
Workaround:
None.
Fix:
Boot time on BIG-IP Virtual Edition platforms has been reduced.
618905-3 : tmm core while installing Safenet 6.2 client
Component: Local Traffic Manager
Symptoms:
tmm core while installing Safenet 6.2 client.
Conditions:
Safenet 6.2 client installation
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm core related to Safenet 6.2 client installation.
618902-3 : PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation
Component: Advanced Firewall Manager
Symptoms:
Each time the Packet Classification Compiler Daemon (PCCD) process recompiles rules because of configuration changes, it leaks approximately 20 bytes or more (depending on rule complexity).
Conditions:
This occurs when making changes to the firewall configuration when AFM is configured.
Impact:
This can potentially lead to an out-of-memory situation if the system runs for a long time without reboot and PCCD continuously recompiles due to frequent configuration changes.
Workaround:
None.
Fix:
The PCCD memory leak was identified and fixed.
618771-2 : Some Social Security Numbers are not being masked
Component: Application Security Manager
Symptoms:
ASM does not block or mask some Social Security Numbers (SSNs).
Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask, and responses contain social security numbers in specific ranges.
Impact:
The traffic passes to the end client neither masked nor blocked.
Workaround:
None.
Fix:
The system now correctly masks and/or blocks all relevant social security numbers.
618517-2 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
Solution Article: K61255401
Component: Local Traffic Manager
Symptoms:
- In v11.6.1, bigd reports pool members were marked down that are not actually down, and logs messages similar to the following in the ltm log file:
warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.
- Because of changes in the v12.1.x software, although the problem is still present, it has negligible impact.
Conditions:
-- Monitoring is in use.
-- bigd debug logging is enabled.
-- The bigd debug log file (/var/log/bigdlog) is full.
Impact:
- On v11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.
- In v12.1.x, some of the underlying logging code changed, and there is no real impact.
Workaround:
Prevent the log file from getting full. To do so, rotate the log file using the following command:
logrotate -f bigdlog
Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.
618324-2 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
Component: Access Policy Manager
Symptoms:
After upgrading from OPSWAT SDK V3 to V4, when an Access Policy is opened in the VPE and one of the OPSWAT checkers (e.g. the Anti-Virus checker) contains an undefined ID (i.e. one that was previously defined but is now out of support), that ID is displayed as "Any." It should instead be displayed as an "Unsupported" or "Invalid" product.
Conditions:
Incorrect information is displayed.
Impact:
Incorrect information is displayed.
Workaround:
N/A
Fix:
The correct information (*** Invalid ***) is now displayed.
618261-3 : OpenSSL vulnerability CVE-2016-2182
Solution Article: K01276005
618254 : Non-zero Route domain is not always used in HTTP explicit proxy
Component: Local Traffic Manager
Symptoms:
You may experience connectivity failures in situations where sideband communication is required as part of the transaction.
Conditions:
The BIG-IP system has an HTTP explicit proxy (http-explicit) configuration in which a sideband connection is required, for example to obtain an OCSP response or a DNS resolver response, and those services are associated with a different (non-zero) route domain.
Impact:
End-to-end connectivity failure.
Workaround:
Change configuration so that all services required are on the default route domain, 0.
618170-1 : Some URL unwrapping functions can behave badly
Component: Access Policy Manager
Symptoms:
Some URL unwrapping functions can behave incorrectly, resulting in various web application malfunctions.
Conditions:
JavaScript that uses fields such as "location.pathname" on the right-hand side of an expression.
Impact:
Various web application malfunctions. For example, in SharePoint 2010 with IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.
Fix:
Fixed.
617901-3 : GUI to handle file path manipulation to prevent GUI instability.
Solution Article: K00363258
617862-1 : Fastl4 handshake timeout is absolute instead of relative
Component: Local Traffic Manager
Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.
Conditions:
A TCP connection in three-way handshake.
Impact:
Connections are expired prematurely if they are still in three-way handshake.
Workaround:
Disable handshake timeout.
Impact of workaround: the TCP handshake no longer times out prematurely, and connections remain open until the Idle Timeout expires.
Fix:
The handshake timeout now expires based on the idleness of the connection, taking into account any SYN retransmissions that might occur.
617858-1 : bigd core when using Tcl monitors
Component: Local Traffic Manager
Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.
Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).
Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.
Workaround:
None.
Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.
617824-2 : "SSL::disable/enable serverside" + oneconnect reuse is broken
Component: Local Traffic Manager
Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.
Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. The iRule and OneConnect profile are applied to the VS.
Impact:
The OneConnect behavior is unexpected, and BIG-IP may not receive the backend server's HTTP response for every client HTTP request.
Workaround:
You can work around the problem by disabling oneConnect.
617690-2 : enable SIP::respond iRule command to operate during MR_FAILED event
Component: Service Provider
Symptoms:
When a message fails to route, it is not possible to return an error status to the client.
Conditions:
When a message fails to route, the MR_FAILED event is raised for the message.
Impact:
Without this change, it is not possible for the script author to generate a response message to the client based on the routing failure.
Workaround:
NA
Fix:
SIP::respond command now works during MR_FAILED event.
617628-2 : SNMP reports incorrect value for sysBladeTempTemperature OID
Component: TMOS
Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.
# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245
# tmsh show sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...
The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.
Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.
Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.
config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
1 1 0 19 49 Blade air outlet temperature 1
1 2 0 14 41 Blade air inlet temperature 1
1 3 0 21 57 Blade air outlet temperature 2
1 4 0 16 41 Blade air inlet temperature 2
1 5 0 25 60 Mezzanine air outlet temperatur
1 6 0 27 72 Mezzanine HSB temperature 1
1 7 0 17 63 Blade PECI-Bridge local tempera
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
1 9 0 25 68 Mezzanine BCM56846 proximity te
1 10 0 22 69 Mezzanine BCM5718 proximity tem
1 11 0 19 57 Mezzanine Nitrox3 proximity tem
1 12 0 16 46 Mezzanine SHT21 Temperature
617316-1 : Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration
Component: Access Policy Manager
Symptoms:
Desktop launched from browser or from native receiver has garbled title.
Conditions:
Citrix StoreFront integration mode through APM with no STA configured, and a double-byte character set such as Japanese in use on the backend.
Impact:
Desktop title is not shown properly.
Workaround:
None
Fix:
Desktop titles in double-byte character languages are now shown properly.
617310-1 : Edge client can fail to upgrade when Always Connected is selected★
Component: Access Policy Manager
Symptoms:
Attempting to upgrade the Edge client to the current version fails when Always Connected is enabled.
Conditions:
Always Connected is selected in BIG-IP when upgrading the client.
Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.
Workaround:
Turn off Always Connected before upgrading.
Fix:
Edge client now succeeds during upgrade when Always Connected is selected.
617273-5 : Expat XML library vulnerability CVE-2016-5300
Solution Article: K70938105
617002-3 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Component: Access Policy Manager
Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs
Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.
Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.
Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.
Fix:
Response analytics is now handled correctly for these URLs, and resets are no longer sent to the client.
616864-3 : BIND vulnerability CVE-2016-2776
Solution Article: K18829561
616838 : Citrix Remote desktop resource custom parameter name does not accept hyphen character
Component: Access Policy Manager
Symptoms:
Adding a custom parameter to a Citrix Resource produces a parser error similar to the following:
01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"
Conditions:
A Citrix resource with a custom parameter whose name contains a hyphen character.
Impact:
Custom parameter names cannot contain a hyphen character.
Workaround:
None
Fix:
Custom parameter names containing a hyphen character are now accepted.
616242-2 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
Solution Article: K39944245
Component: TMOS
Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:
01070711:3: basic_string::compare
If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.
Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.
Impact:
The configuration fails to load on upgrade with an unhelpful error message and no indication of which file was being processed at the time (or that the problem relates to a filestore file).
Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
616215-2 : TMM can core when using LB::detach and TCP::notify commands in an iRule
Component: Local Traffic Manager
Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.
Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.
Fix:
TMM no longer cores in this instance.
616169-2 : ASM Policy Export returns HTML error file
Component: Application Security Manager
Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.
Conditions:
It is not known what triggers this condition.
Impact:
Unable to export ASM Policies.
Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.
Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.
616008-4 : TMM core may be seen when using an HSL format script for HSL reporting in PEM
Solution Article: K23164003
Component: Policy Enforcement Manager
Symptoms:
TMM core resulting in potential loss of service.
Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.
Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.
615970-2 : SSO logging level may cause failover
Component: Access Policy Manager
Symptoms:
SSO logging level may cause failover.
Conditions:
SSO logging level set to "Debug".
Impact:
TMM may crash. Core file may be generated.
Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".
Fix:
The SSO logging level of "Debug" no longer causes failover.
615934-2 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.
Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.
Impact:
Key/certificate overwrite using iControl operations might fail.
Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.
615303-1 : bigd crash with Tcl monitors
Solution Article: K47381511
Component: Local Traffic Manager
Symptoms:
bigd crashes after logging an error similar to the following:
emerg bigd: PID: 38611 Received invalid magic '1213486160' in the stream
Conditions:
-- Tcl Monitors: FTP, SMTP, POP3, IMAP.
-- This issue might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.
-- May be particularly likely if the monitor is configured with an interval value of 1 second.
Note: Although less frequent, this issue might still occur with proper monitor configurations (timeout: 3*interval + 1).
Impact:
bigd crashes and logs error messages.
Possible interruption of monitoring status, pool members going down, and interruption of traffic.
Workaround:
For the case where a Tcl monitor is configured with a 1-second interval value, increase the interval value to 2 seconds. Also increase the timeout value to 7 seconds (3*interval + 1). This reduces the chances of this issue occurring but does not eliminate it entirely.
Fix:
Monitor works as expected under the conditions described.
615260 : out of memory condition when URL categorization is configured to work with large feedlists
Component: Traffic Classification Engine
Symptoms:
Out-of-memory condition when URL categorization is configured to work with large (millions of records) feedlists.
Conditions:
To hit this issue, the user would have to load and unload a large feedlist multiple times.
Impact:
Swap usage increases and eventually the system runs out of memory.
Fix:
This problem is fixed in v12.1
615187-1 : Missing hyperlink to GSLB virtual servers and servers on the pool member page.
Component: Global Traffic Manager (DNS)
Symptoms:
Hyperlinks to GSLB virtual servers and servers on the pool member page were removed in 11.x.
Conditions:
Have a GSLB pool with pool members set up.
Impact:
You must manually note the member's virtual server or server.
Workaround:
Manually take note of the virtual server or server and search for it.
Fix:
Added hyperlink to GSLB virtuals and servers on the pool member page.
615143-4 : VDI plugin-initiated connections may select inappropriate SNAT address
Component: Local Traffic Manager
Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.
Conditions:
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.
Impact:
Return traffic from destination may not be able to return to the BIG-IP, thus breaking the VDI functionality.
Workaround:
No workaround short of removing the additional virtual server matching the VDI traffic.
Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtual servers before reaching the external network.
615107-3 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).
Component: TMOS
Symptoms:
Commands issued from the AOM/SCCP menu to the host do not function, or a password is required when connecting via SSH from the AOM/SCCP to the host.
Conditions:
Presence of /etc/ssh directory on host.
Impact:
AOM/SCCP unable to connect to host without password.
Workaround:
None.
Fix:
Can now SSH from AOM/SCCP to host without password (host-based authentication).
614891-4 : Routing table doesn't get updated when EDGE client roams among wireless networks
Component: Access Policy Manager
Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.
Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.
Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.
614865-2 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Component: TMOS
Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()
Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.
Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.
Workaround:
There are two workarounds:
- Delete the existing key/certificate and then import it using the key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.
- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.
Fix:
The overwrite flag in the iControl key/certificate_import_from_pem_v2() functions is now processed correctly and no longer produces errors.
614563-1 : AVR TPS calculation is inaccurate
Component: Advanced Firewall Manager
Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.
Conditions:
DoS profile attached to the virtual server.
Impact:
An attack can be wrongly detected.
Workaround:
None.
Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.
614486-3 : BGP community lower bytes of zero is not allowed to be set in route-map
Component: TMOS
Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.
Conditions:
Setting a BGP community value of the form ASN:0.
Impact:
If you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This can also affect upgrades from older versions to a version that does not support community values of the form ASN:0.
Workaround:
None
Fix:
BGP community can be set to values of the form ASN:0.
614322-3 : TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
Solution Article: K31063537
Component: Access Policy Manager
Symptoms:
TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway.
Conditions:
RDP client uses RDG-RPC protocol to connect via APM's RD Gateway implementation.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Fixed TMM crash, which occurred during RDG-RPC protocol handling.
614147-3 : SOCKS proxy defect resolution
Solution Article: K02692210
613673-1 : Pool members may not be marked up and/or there might be a slight delay in monitors
Solution Article: K48693281
Component: Local Traffic Manager
Symptoms:
A UDP monitor might fail to mark a pool member up even when the pool member is up.
Other monitor types may mark a pool member down.
A slight delay (less than 0.1 seconds) might be noticed in monitor traffic sent by the BIG-IP.
Conditions:
To experience the incorrect pool member status issue, there is generally some other monitor on the system that is legitimately down.
To experience the delay, run an affected version. The issue has been observed with TCP, HTTP, and HTTPS monitors.
Impact:
Incorrect pool member status or pool member flapping.
Connections to monitored pool members might last slightly longer than necessary.
Workaround:
None.
Fix:
In this release, the system now correctly sets pool member status and connections to monitored pool members no longer last longer than necessary.
613613-1 : Incorrect handling of form that contains a tag with id=action
Component: Access Policy Manager
Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.
Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.
Impact:
The impact of this issue is that the web application cannot work as expected.
Workaround:
This issue has no workaround at this time.
Fix:
Forms with absolute action paths that contain a tag with id=action are now handled correctly.
613576-2 : QOS load balancing links display as gray
Component: Global Traffic Manager (DNS)
Symptoms:
All links in all data centers appear gray. After this patch, all links appear green and load balancing to the first available link in each pool is restored.
Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.
Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.
Workaround:
Remove all links from the configuration, or install this hotfix.
613536-2 : tmm core while running the iRule STATS:: command
Component: TMOS
Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.
Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED.
613524-2 : TMM crash when call HTTP::respond twice in LB_FAILED
Component: Local Traffic Manager
Symptoms:
TMM core-dumps when these conditions are met:
- LB_FAILED event
- The iRule script must use a "delay" (parked) statement together with two HTTP::respond statements.
Conditions:
- The LB_FAILED event must be triggered by a good IP address and a bad port so that the server-side connflow is established. You will not see this bug if no pool member is used or an invalid IP address is used.
- The iRule script must use a "delay" (parked) statement. The delay, together with the HTTP response, creates the timing for the client-side connflow to go away while the proxy is pushing an Abort event down to both the client side and the server side.
Impact:
Traffic disrupted while tmm restarts.
Fix:
This fix rectifies the problem.
613415-4 : Memory leak in ospfd when distribute-list is used
Solution Article: K22750357
Component: TMOS
Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to the daemon being terminated by the oom-killer.
Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.
Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.
Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.
Fix:
ospfd no longer leaks memory when a distribute-list is configured.
613369-1 : Half-Open TCP Connections Not Discoverable
Component: Local Traffic Manager
Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.
Conditions:
A TCP connection in half-open state.
Impact:
Half-open TCP connections are not discoverable.
Fix:
Properly acknowledge half-open TCP connections.
613225-3 : OpenSSL vulnerability CVE-2016-6306
Solution Article: K90492697
613127-6 : Linux TCP Stack vulnerability CVE-2016-5696
Solution Article: K46514822
613088-1 : pkcs11d thread has session initialization problem.
Component: Local Traffic Manager
Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.
Conditions:
This occurs when SafeNet is configured on a VIPRION chassis.
Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.
Workaround:
None.
Fix:
Fixed a pkcs11d thread session initialization problem that prevented SafeNet connections.
613045 : Interaction between GTM and 10.x LTM results in some virtual servers marked down
Component: Global Traffic Manager (DNS)
Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.
Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.
Impact:
On the GTM side, that LTM virtual server will never get marked up.
Workaround:
None.
Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.
613023-6 : Update SIP::Persist to support resetting timeout value.
Component: Service Provider
Symptoms:
SIP::persist needs improvement to support long-lived SIP sessions. Having a long timeout for persistence entries globally does not seem efficient for resource usage.
Conditions:
Efficiently using long-lived SIP sessions.
Impact:
Smaller persistence timeouts result in messages being delivered to the wrong entity when long-lived SIP sessions must be supported.
Workaround:
Set a higher persist timeout value globally.
Note: This workaround might result in memory issues, depending on the BIG-IP system setup and traffic.
Fix:
New SIP Persist iRule commands accept a persistence key and an additional parameter that redefines the lifetime of the persistence entry to any new value.
Behavior Change:
In previous versions, the SIP Persist iRule command allowed only the persistence key as the parameter to store the persistence entry in the table.
New SIP Persist iRule commands accept a persistence key and an additional parameter that defines the lifetime of the persistence entry. BIG-IP systems now have better control over persistence entries for long-lived SIP sessions.
612721-3 : FIPS: .exp keys cannot be imported when the local source directory contains .key file
Component: TMOS
Symptoms:
Exported *.exp FIPS keys cannot be imported from a local directory when that directory contains a *.key file with a matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.
Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).
Impact:
Unable to import the FIPS key.
Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.
612694-3 : TCP::close with no pool member results in zombie flows
Component: Local Traffic Manager
Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.
Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).
Impact:
Connection does not tear itself down.
Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.
Fix:
The system now properly handles TCP teardown when TCP::close has already torn down the rest of the stack.
612419-2 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
Component: Access Policy Manager
Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.
Conditions:
Network access; full webtop, multiple Network Access resources.
Impact:
Memory usage increases over time.
Workaround:
There is no workaround. The leak is relatively slow, however: in the case where it was observed, the leak was about 130MB per month.
Fix:
Fixed a memory leak related to network access.
612229-2 : TMM may crash if a disable policy action for 'LTM Policy' is not last
Component: Local Traffic Manager
Symptoms:
TMM may crash while processing an LTM policy.
Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- The disable action for LTM Policy is not the last one in the list of actions.
Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.
Workaround:
Ensure any LTM policy disable action is the last in the list of actions.
Fix:
TMM no longer crashes if a disable policy action for 'LTM Policy' is not last in the list of actions in the rule.
612128 : OpenSSH vulnerability CVE-2016-6515
Solution Article: K31510510
611968-1 : JavaScript active content on an HTML page browsed in IE8 with a significant number of links (>1000) can run very slowly
Component: Access Policy Manager
Symptoms:
JavaScript active content on an HTML page browsed in IE8 with a significant number of links (>1000) can run very slowly.
Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers are present.
Impact:
Web application performance slowdown.
Workaround:
None
Fix:
Fixed.
611691-3 : Packet payload ignored when DSS option contains DATA_FIN
Component: Local Traffic Manager
Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.
Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.
Impact:
The last packet of data is not received.
Workaround:
Disable MPTCP.
Fix:
Accept data when a packet contains both a payload and an MPTCP DSS option with DATA_FIN set.
611669-1 : Mac Edge Client customization is not applied on macOS 10.12 Sierra
Component: Access Policy Manager
Symptoms:
The Mac Edge Client's icon, application name, company name, and other attributes can be customized on the BIG-IP system before deployment to end users' machines, but on macOS 10.12 Sierra this customization is not applied to the Mac Edge Client.
Conditions:
macOS Sierra 10.12, Edge client, customization
Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there should be no impact, except that the user sees the default application appearance.
Workaround:
Run the command for your language in Terminal, then relaunch the Edge Client:
For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"
For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"
For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"
For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"
For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"
For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"
For Chinese (Traditional):
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"
For Chinese (Simplified):
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"
Fix:
Edge client honors customization on macOS Sierra 10.12 now.
611482-1 : Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
Component: Local Traffic Manager
Symptoms:
Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
Conditions:
Universal persistence is configured. A loop of HTTP requests is sent to a tmm that does not own the record. A persistence lookup is performed, but the pool command is ultimately used for the load-balancing pick.
Impact:
Discrepancy between persistence records.
Workaround:
Use the persist command, not the pool command, to bind the persistence record to a flow.
Fix:
Fixed the keep-alive handling of the owner record.
611469-2 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
Solution Article: K95444512
611355 : tmm core with PEM
Component: Policy Enforcement Manager
Symptoms:
tmm cores intermittently on SIGSEGV.
Conditions:
A background job processing HA session information might rarely trigger this. No external factor is causing this.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
This release fixes the rarely encountered issue in which a background job processing HA session information might have triggered a tmm core.
611154-2 : BD crash
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
An iRule (or other non-ASM module) that adds or deletes server response headers, especially if it touches the Set-Cookie header.
Impact:
Failover, traffic disrupted while TMM restarts.
Workaround:
No workaround at this time.
Fix:
Added a check for a bad dictionary on the response side.
610609-1 : Total connections in bigtop, SNMP are incorrect
Component: Local Traffic Manager
Symptoms:
When looking at total connections for the active BIG-IP system using bigtop or SNMP, the connection count is reported too high. For example, if you send a single connection through the BIG-IP system, it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.
Conditions:
This occurs on PVA-enabled hardware platforms.
Impact:
The total connection count statistic is incorrect.
610582-5 : Device Guard prevents Edge Client connections
Component: Access Policy Manager
Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.
Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.
Impact:
Clients are unable to establish a VPN connection.
Workaround:
As a workaround, have the affected Edge Client users disable Device Guard.
Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.
Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.
610442-1 : vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★
Solution Article: K75051412
Component: TMOS
Symptoms:
On a vCMP guest, if a user attempts to install using the block-device-image argument (e.g., install sys software block-device-image <some.iso>), and the .iso file has incorrect file permissions (e.g., after chmod 600 <some.iso>), then the lind process on the guest enters a restart loop, and the system posts the following error:
lind[23565]: 013c0004:3: Fatal error: vcmp_media_insert failed
Conditions:
-- vCMP guest.
-- Run a command similar to the following:
install sys software block-device-image <some.iso>
-- <some.iso> has bad permissions, e.g., -r--------.
Impact:
On the guest, lind restarts continuously, logging its restart to /var/log/ltm each time and posting the vcmp_media_insert failed error message.
Workaround:
Use either of the following workarounds:
-- Avoid installing block-device-images known to have bad permissions.
-- From the host, attempt to repair the file with bad permissions, copy the repaired file to /shared/images/, and try the install again. To do so, follow this procedure, running these commands from the host:
1. To repair the file, run the following command:
chmod 644 <some.iso>
2. To copy the file, run the following command:
scp <some.iso> mysystem:/shared/images/
3. To install the guest, run the following commands:
bigstart restart lind
tmsh install sys software block-device-image <some.iso>