Supplemental Document : BIG-IP 11.6.5 Fixes and Known Issues

Applies To:

BIG-IP AAM

  • 11.6.5

BIG-IP APM

  • 11.6.5

BIG-IP GTM

  • 11.6.5

BIG-IP Link Controller

  • 11.6.5

BIG-IP Analytics

  • 11.6.5

BIG-IP LTM

  • 11.6.5

BIG-IP AFM

  • 11.6.5

BIG-IP PEM

  • 11.6.5

BIG-IP ASM

  • 11.6.5

Updated Date: 09/19/2019

BIG-IP Release Information

Version: 11.6.5
Build: 15.0

Cumulative fixes from BIG-IP v11.6.4 that are included in this release
Cumulative fixes from BIG-IP v11.6.3.4 that are included in this release
Cumulative fixes from BIG-IP v11.6.3.3 that are included in this release
Cumulative fixes from BIG-IP v11.6.3.2 that are included in this release
Cumulative fixes from BIG-IP v11.6.3.1 that are included in this release
Cumulative fixes from BIG-IP v11.6.3 that are included in this release
Cumulative fixes from BIG-IP v11.6.2 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.6.2 that are included in this release
Cumulative fixes from BIG-IP v11.6.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.6.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v11.6.1 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 8 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.6.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
794413-6 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471
796469-5 CVE-2019-6649 K05123525 ConfigSync Hardening
797885-6 CVE-2019-6649 K05123525 ConfigSync Hardening
799589-6 CVE-2019-6649 K05123525 ConfigSync Hardening
799617-6 CVE-2019-6649 K05123525 ConfigSync Hardening
807477-5 CVE-2019-6650 K04280042 ConfigSync Hardening
810557-6 CVE-2019-6649 K05123525 ASM ConfigSync Hardening


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
794389-3 2-Critical   iControl REST endpoint response inconsistency


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
744937-5 3-Major K00724442 Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
679861-3 1-Blocking   Weak Access Restrictions on the AVR Reporting Interface



Cumulative fixes from BIG-IP v11.6.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-5 CVE-2018-5744 K00040234 BIND Update
754944-5 CVE-2019-6626 K00432398 AVR reporting UI does not follow best practices
749879-6 CVE-2019-6611 K47527163 Possible interruption while processing VPN traffic
739970-4 CVE-2018-5390 K95343321 Linux kernel vulnerability: CVE-2018-5390
739947-4 CVE-2019-6610 K42465020 TMM may crash while processing APM traffic
737574-4 CVE-2019-6621 K20541896 iControl REST input sanitization
722677-2 CVE-2019-6604 K26455071 High-Speed Bridge may lock up
714181-1 CVE-2019-6603 K14632915 TMM may crash while processing TCP traffic
511589-2 CVE-2019-6602 K11818407 TMUI hardening
757027-5 CVE-2019-6465 K01713115 BIND Update
750460-5 CVE-2019-6639 K61002104 Subscriber management configuration GUI
745358-5 CVE-2019-6607 K14812883 ASM GUI does not follow best practices
745257-5 CVE-2018-14634 K20934447 Linux kernel vulnerability: CVE-2018-14634
745165-5 CVE-2019-6617 K38941195 Users without Advanced Shell Access are not allowed SFTP access
742226-4 CVE-2019-6635 K11330536 TMSH platform_check utility does not follow best security practices
703835-7 CVE-2019-6616 K82814400 When using SCP into BIG-IP systems, you must specify the target filename
702472-5 CVE-2019-6615 K87659521 Appliance Mode Security Hardening
691767-3 CVE-2019-6613 K27400151 SNMP does not follow best security practices
658557-1 CVE-2019-6606 K35209601 The snmpd daemon may leak memory when processing requests.
643554-11 CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 K37526132 K44512851 K43570545 OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
540186-1 CVE-2019-6605 K45353544 TMM may crash while processing SSL traffic


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745387-5 3-Major   Resource-admin user roles can no longer get bash access
667257-1 3-Major   CPU Usage Reaches 100% With High FastL4 Traffic
348194-7 3-Major   Allow configuration of FIN_WAIT2 timeout
643034-3 4-Minor K52510343 Turn off TCP Proxy ICMP forwarding by default


TMOS Fixes

ID Number Severity Solution Article(s) Description
641390-4 1-Blocking K00216423 Backslash removal in LTM monitors after upgrade
738887-1 2-Critical   The snmpd daemon may leak memory when processing requests.
716391-4 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
689437-3 2-Critical K49554067 icrd_child cores due to infinite recursion caused by incorrect group name handling
652877-2 2-Critical   Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
546760-2 2-Critical K19887214 snmpd crashes when performing an SNMP query on ifXTable of ifMIB.
757026-5 3-Major   BIND Update
726409-2 3-Major   Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
707740-2 3-Major   Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
700757-3 3-Major   vcmpd may crash when it is exiting
651155-4 3-Major   HSB continually logs 'loopback ring 0 tx not active'
639619-4 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
633512-2 3-Major K20160253 HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
628202-2 3-Major   Audit-forwarder can take up an excessive amount of memory during a high volume of logging
621314-2 3-Major K55358710 SCTP virtual server with mirroring may cause excessive memory use on standby device
589856-1 3-Major   iControl REST: possible to get duplicate transaction IDs when transactions are created by multiple clients
581921-1 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
558944-2 3-Major   HSB debug registers needed
551925-2 3-Major   Misdirected UDP traffic with hardware acceleration
523797-3 3-Major   Upgrade: file path failure for process name attribute in snmp.
624484-1 4-Minor K09023677 Timestamps not available in bash history on non-login interactive shells
573031-3 4-Minor   qkview may not collect certain configuration files in their entirety


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
739927-5 2-Critical   Bigd crashes after a specific combination of logging operations
686228-5 2-Critical K23243525 TMM may crash in some circumstances with VLAN failsafe
665732-5 2-Critical K45001711 FastHTTP may crash when receiving a fragmented IP packet
657713-3 2-Critical K05052273 Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
513310-3 2-Critical   TMM might core when a profile is changed.
423629-4 2-Critical K08454006 bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
756270-6 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
702450-5 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
700057-2 3-Major   LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
695925-4 3-Major   tmm crash when showing connections for a CMP disabled virtual server
690042-4 3-Major K43412307 Potential Tcl leak during iRule suspend operation
689449-4 3-Major   Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
685519-4 3-Major   Mirrored connections ignore the handshake timeout
662816-3 3-Major K61902543 Monitor node log fd leak for certain monitor types
661881-3 3-Major K00030614 Memory and performance issues when using certain ASN.1 decoding formats in iRules
657883-3 3-Major K34442339 tmm cache resolver should not cache response with TTL=0
654368-5 3-Major K15732489 ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
651901-4 3-Major   Removed unnecessary ASSERTs in MPTCP code
610138-4 3-Major K23284054 STARTTLS in SMTPS filter does not properly restrict I/O buffering
605147-2 3-Major   No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.
477950-3 3-Major K57310641 Displayed SSL profile statistics might be incorrect
345358-2 3-Major   OneConnect Transforms do not recognize Connection header if it contains extra Header tokens.
700433-3 4-Minor K10870739 Memory leak when attaching an LTM policy to a virtual server
627764-3 4-Minor   Prevent sending a 2nd RST for a TCP connection
625892-3 4-Minor   Nagle Algorithm Not Fully Enforced with TSO
549569-2 4-Minor   tmm may crash when a memory allocation fails.
523814-4 4-Minor   When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
495242-2 4-Minor   mcpd log messages: Failed to unpublish LOIPC object


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756774-2 2-Critical   Aborted DNS queries to a cache may cause a TMM crash
739846-5 2-Critical   Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
721895-2 3-Major   Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
659969-2 4-Minor   tmsh command for gtm-application disabled contexts does not work with none and replace-all-with


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
564320-1 2-Critical   ASM error prevents 4th-element version upgrades 'Invalid UCS. Cannot load configuration from newer version'


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
658278-4 3-Major   Network Access configuration with Layered-VS does not work with Edge Client
393817-1 3-Major   BIG-IP as IdP with SAML resources assigned to access policy requires webtop


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
706642-4 2-Critical   wamd may leak memory during configuration changes and cluster events


WAN Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
546877-3 2-Critical K10934171 tmm assert 'tcp_set_persist: retransmit pending'


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
734446-4 2-Critical   TMM crash after changing LSN pool mode from PBA to NAPT



Cumulative fixes from BIG-IP v11.6.3.4 that are included in this release


Functional Change Fixes

None


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
750488-2 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750484-2 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750472-2 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750457-2 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
749774-1 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-1 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records



Cumulative fixes from BIG-IP v11.6.3.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
738119-4 CVE-2019-6589 K23566124 SIP routing UI does not follow best practices
722387-1 CVE-2019-6596 K97241515 TMM may crash when processing APM DTLS traffic
715923-2 CVE-2018-15317 K43625118 When processing TLS traffic TMM may terminate connections unexpectedly
704184-4 CVE-2018-5529 K52171282 APM MAC Client create files with owner only read write permissions
701253-2 CVE-2018-15318 K16248201 TMM core when using MPTCP
693810-4 CVE-2018-5529 K52171282 CVE-2018-5529: APM Linux Client Vulnerability
721924-4 CVE-2018-17539 K17264695 bgpd may crash processing extended ASNs
719554-4 CVE-2018-8897 K17403481 Linux Kernel Vulnerability: CVE-2018-8897
716900-5 CVE-2019-6594 K91026261 TMM core when using MPTCP
710827-5 CVE-2019-6598 K44603900 TMUI dashboard daemon stability issue
710148-5 CVE-2017-1000111 CVE-2017-1000112 K60250153 CVE-2017-1000111 & CVE-2017-1000112
705476-5 CVE-2018-15322 K28003839 Appliance Mode does not follow design best practices
699452-2 CVE-2019-6597 K29280193 Web UI does not follow current best coding practices
694901-1 CVE-2015-8710 K45439210 CVE-2015-8710: Libxml2 Vulnerability
677088-5 CVE-2018-15321 K01067037 BIG-IP tmsh vulnerability CVE-2018-15321
714879-5 CVE-2018-15326 K34652116 APM CRLDP Auth passes all certs
708653-4 CVE-2018-15311 K07550539 TMM may crash while processing TCP traffic
603658-3 CVE-2019-6601 K25359902 AAM security hardening
530775-5 CVE-2019-6600 K23734425 Login page may generate unexpected HTML output
701785-4 CVE-2017-18017 K18352029 Linux kernel vulnerability: CVE-2017-18017


Functional Change Fixes

ID Number Severity Solution Article(s) Description
590122-3 3-Major   Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
587107-2 3-Major   Allow iQuery to negotiate up to version TLS1.2
584471-2 3-Major K34343741 Priority order of clientssl profile selection of virtual server.
493250-2 3-Major K36428111 BGP disabling graceful-restart in ZebOS does not persist and is automatically enabled
246726-4 3-Major K8940 System continues to process virtual server traffic after disabling virtual address


TMOS Fixes

ID Number Severity Solution Article(s) Description
724680-2 2-Critical   OpenSSL Vulnerability: CVE-2018-0732
723130-5 2-Critical K13996 Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
690819-2 2-Critical   Using an iRule module after a 'session lookup' may result in crash
624826-3 2-Critical K36404710 mgmt bridge takes HWADDR of guest vm's tap interface
563661-3 2-Critical   Datastor may crash
724319 3-Major   BIG-IP versions 11.6.3.x show 'Edition' as 'Final', not 'Point Release'
707445-1 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
701626-4 3-Major K16465222 GUI resets custom Certificate Key Chain in child client SSL profile
687658-3 3-Major   Monitor operations in transaction will cause it to stay unchecked
672988-3 3-Major K03433341 MCP memory leak when performing incremental ConfigSync
669818-3 3-Major K64537114 Higher CPU usage for syslog-ng when a syslog server is down
663924-3 3-Major   Qkview archives include Kerberos keytab files
633465 3-Major K09748643 Curl cannot be forced to use TLSv1.0 or TLSv1.1
631172-3 3-Major K54071336 GUI user logged off when idle for 30 minutes, even when longer timeout is set
614486-3 3-Major   BGP community lower bytes of zero is not allowed to be set in route-map
612721-3 3-Major   FIPS: .exp keys cannot be imported when the local source directory contains .key file
527206-3 3-Major   Management interface may flap due to LOP sync error
488180-3 3-Major   Mcpd may restart continuously when a new blade is inserted into a chassis running vCMP
424542-3 3-Major   tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
674145-4 4-Minor   chmand error log message missing data
660239-2 4-Minor   When accessing the dashboard, invalid HTTP headers may be present
556616-2 4-Minor K75634982 Unable to install from hotfix on platform with SSD via the GUI
530530-2 4-Minor K07298903 tmsh sys log filter is displayed in UTC time
477785-1 4-Minor   GUI LTM Profile ClientSSL Passphrase does not accept semicolons
464650-3 4-Minor   Failure of mcpd with invalid authentication context.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
726239-2 2-Critical   Interruption of traffic handling as sod daemon restarts TMM
708382 2-Critical   Multiple TMM cores in http_cookie_decrypt
700393-5 2-Critical K53464344 Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
609199-4 2-Critical   Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
536868-3 2-Critical   Packet Sizing Issues after Receipt of PMTU
452283-3 2-Critical   An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
722363-4 3-Major   Client fails to connect to server when using PVA offload at Established
710028-5 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
705794-4 3-Major   Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
702443 3-Major K22510506 A pool can be deleted despite being referenced as a clone-pool by an LTM policy action
702151-3 3-Major   HTTP/2 can garble large headers
700889-1 3-Major K07330445 Software syncookies without TCP TS improperly include TCP options that are not encoded
691806-4 3-Major K61815412 RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
676355-3 3-Major   DTLS retransmission does not comply with the RFC in certain resumed SSL sessions
670816-3 3-Major K44519487 HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
668521-1 3-Major   Bigd might stall while waiting for an external monitor process to exit
668196-3 3-Major   Connection limit continues to be enforced with least-connections and pool member flap, member remains down
657795-2 3-Major K51498984 Possible performance impact on some SSL connections
655432-4 3-Major K85522235 SSL renegotiation failed intermittently with AES-GCM cipher
651541-3 3-Major K83955631 Changes to the HTTP profile do not trigger validation for virtual servers using that profile
645058-1 3-Major   Modifying SSL profiles in GUI may fail when key is protected by passphrase
619849-2 3-Major   In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
611691-3 3-Major   Packet payload ignored when DSS option contains DATA_FIN
611482-1 3-Major K71450348 Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
607803-2 3-Major K33954223 DTLS client (serverssl profile) fails to complete resumed handshake.
603609-4 3-Major   Policy unable to match initial path segment when request-URI starts with "//"
593390-2 3-Major   Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
589400-3 3-Major K33191529 With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
572234-3 3-Major   When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
563933-2 3-Major   [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
523973-1 3-Major K69614227 Deletion of key/cert/csr fails to update bigip.conf.
513202-2 3-Major   RPZ may not work as expected
507554-1 3-Major K13741128 Uneven egress traffic distribution on trunk with odd number of members
466875-4 3-Major K15586 SNAT automap may select source address that is not attached to egress VLAN/interface
393647-2 3-Major K17287 Objects configured with a connection rate-limit and yellow status
367226-1 3-Major   Outgoing RIP advertisements may have incorrect source port
716922-5 4-Minor   Reduction in PUSH flags when Nagle Enabled
692095-4 4-Minor K65311501 bigd logs monitor status unknown for FQDN Node/Pool Member
604272-2 4-Minor   SMTPS profile connections_current stat does not reflect actual connection count.
589039-2 4-Minor   Clearing masquerade MAC results in unexpected link-local self IP addresses.
560909-2 4-Minor   LTM policy is unable to disable SNAT
222034-7 4-Minor   HTTP::respond in LB_FAILED with large header/body might result in truncated response


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
649564-3 2-Critical   Crash related to GTM monitors with long RECV strings
671326-3 3-Major K81052338 DNS Cache debug logging might cause tmm to crash.
655807-3 3-Major K40341291 With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
632423-2 3-Major K40256229 DNS::query can cause tmm crash if AXFR/IXFR types specified.
628180-2 3-Major K68781474 DNS Express may fail after upgrade
624876-3 3-Major   Response Policy Zones can trigger even after entry removed from zone
605260-3 3-Major   [GUI] Changes cannot be made to GTM listener in partition with default route domain <> 0
595293-3 3-Major   Deleting GTM links could cause gtm_add to fail on new devices.
370131-2 3-Major   Loading UCS with low GTM Autoconf Delay drops pool Members from config
366695-7 3-Major   Remove managers' create/modify/delete ability in TMSH for GTM datacenters, links, servers, prober-pools, and topology, which error incorrectly with a database error when performed
657961-1 4-Minor K44031930 The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
701944-6 2-Critical K42284762 machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6
699267-3 3-Major   LDAP Query may fail to resolve nested groups


Service Provider Fixes

ID Number Severity Solution Article(s) Description
556031-1 3-Major   iRule execution error under virtual server with adaptation profile can crash tmm


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
591828-5 3-Major K52750813 For unmatched connection, TCP RST may not be sent for data packet


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
471835-1 2-Critical K95135255 Invalid port blocks are incorrectly counted as active zombie blocks.



Cumulative fixes from BIG-IP v11.6.3.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
716992-4 CVE-2018-5539 K75432956 The ASM bd process may crash
695901-3 CVE-2018-5513 K46940010 TMM may crash when processing ProxySSL data
693744-2 CVE-2018-5531 K64721111 CVE-2018-5531: vCMP vulnerability
687193-3 CVE-2018-5533 K45325728 TMM may leak memory when processing SSL Forward Proxy traffic
686305-5 CVE-2018-5534 K64552448 TMM may crash while processing SSL forward proxy traffic
674189-2 CVE-2016-0718 K52320548 iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
630446-2 CVE-2016-0718 K52320548 Expat vulnerability CVE-2016-0718
710314-3 CVE-2018-5537 K94105051 TMM may crash while processing HTML traffic
704580-4 CVE-2018-5549 K05018525 apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
703940-4 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources
701359-3 CVE-2017-3145 K08613310 BIND vulnerability CVE-2017-3145
699455-2 CVE-2018-5523 K50254952 SAML export does not follow best practices
699346-1 CVE-2018-5524 K53931245 NetHSM capacity reduces when handling errors
688625-3 CVE-2017-11628 K75543432 PHP Vulnerability CVE-2017-11628
676457-2 CVE-2017-6153 K52167636 TMM may consume excessive resource when processing compressed data
675188-4 CVE-2017-9233 K03244804 CVE-2017-9233: Expat vulnerability
674486-3 CVE-2017-9233 K03244804 Expat Vulnerability: CVE-2017-9233
672124-2 CVE-2018-5541 K12403422 Excessive resource usage when BD is processing requests
662850-3 CVE-2015-2716 K50459349 Expat XML library vulnerability CVE-2015-2716
631204-2 CVE-2018-5521 K23124150 GeoIP lookups incorrectly parse IP addresses
617273-5 CVE-2016-5300 K70938105 Expat XML library vulnerability CVE-2016-5300
606710-15 CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 K15479471 Mozilla NSS vulnerability CVE-2016-2834
582773-4 CVE-2018-5532 K48224824 DNS server for child zone can continue to resolve domain names after revoked from parent
524279-6 CVE-2015-4000 K16674 CVE-2015-4000: TLS vulnerability
353229-6 CVE-2018-5522 K54130510 Buffer overflows in DIAMETER
617901-3 CVE-2018-5525 K00363258 GUI to handle file path manipulation to prevent GUI instability.
605579-10 CVE-2012-6702 K65460334 iControl-SOAP expat client library is subject to an entropy attack
603758-3 CVE-2018-5540 K82038789 Big3D security hardening
673165-2 CVE-2017-7895 K15004519 CVE-2017-7895: Linux Kernel Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
225634-5 3-Major   The rate class feature does not honor the Burst Size setting.


TMOS Fixes

ID Number Severity Solution Article(s) Description
613415-4 2-Critical K22750357 Memory leak in ospfd when distribute-list is used
581851-4 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
671447-3 3-Major   ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
631316-4 3-Major K62532020 Unable to load config with client-SSL profile error
622619-3 3-Major   BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622183-3 3-Major   The alert daemon should remove old log files but it does not.
615107-3 3-Major   Cannot SSH from AOM/SCCP to host without password (host-based authentication).
589338 3-Major   Linux host may lose dynamic routes on secondary blades
583502-1 3-Major K58243048 Considerations for transferring files from F5 devices
553776-2 3-Major K03365920 BGP may advertise default route with bad parameters
539832-3 3-Major   Zebos: extended community attributes are exchanged incorrectly in BGP updates.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
708114-2 2-Critical K33319853 TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
682682-5 2-Critical   tmm asserts on a virtual server-to-virtual server connection
676982-1 2-Critical K21958352 Active connection count increases over time, long after connections expire
670804-1 2-Critical K03163260 Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
666401-1 2-Critical K03294104 Memory might become corrupted when a Standby device transitions to Active during failover
657463 2-Critical   SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect during the handshake.
655211-2 2-Critical   bigd crash (SIGSEGV) when running FQDN node monitors
648320-1 2-Critical K38159538 Downloading via APM tunnels could experience performance downgrade.
647757-1 2-Critical K96395052 RATE-SHAPER:Fred not properly initialized may halt traffic
622856-3 2-Critical   BIG-IP may enter SYN cookie mode later than expected
619071-2 2-Critical   OneConnect with verified accept issues
613524-2 2-Critical   TMM crash when call HTTP::respond twice in LB_FAILED
571651-1 2-Critical   Reset Nitrox3 crypto accelerator queue if it becomes stuck.
537072-1 2-Critical   Fix ssl_session memory corruption when many sessions and heavy traffic.
491789-2 2-Critical   Better retransmit recovery in a lossy network.
713951-2 3-Major   tmm core files produced by nitrox_diag may be missing data
711281-2 3-Major   nitrox_diag may run out of space on /shared
677525-5 3-Major   Translucent VLAN group may use unexpected source MAC address
677119-1 3-Major   HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
664769-2 3-Major   TMM may restart when using SOCKS profile and an iRule
646443-3 3-Major K54432535 Ephemeral Node may be errantly created in bigd, causing crash
615143-4 3-Major   VDI plugin-initiated connections may select inappropriate SNAT address
604880-2 3-Major   tmm assert "valid pcb" in tcp.c
604811-1 3-Major   Under certain conditions TMM may crash while processing OneConnect traffic
603550-3 3-Major K63164073 Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
602136-3 3-Major   iRule drop/discard/reject commands cause tmm segfault or still send 3-way handshake to the server.
596433-4 3-Major   Virtual with lasthop configured rejects request with no route to client.
590156-2 3-Major   Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
584310-2 3-Major K83393638 TCP:Collect ignores the 'skip' parameter when used in serverside events
572895 3-Major   TCP forwarded flows are reset when time wait recycle of port happens
553521-1 3-Major   TMM crash when executing route lookup in tmsh for multicast destination
517456 3-Major K00254480 Resetting virtual server stat increments cur_conns stat in clientssl profile
516432-6 3-Major K21467711 DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.
248914-6 3-Major K00612197 ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
708249-5 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
517202-4 4-Minor   Applications including Internet Explorer using Microsoft's Secure Channel (Schannel) may fail SSL/TLS handshakes


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
642039-3 2-Critical K20140595 TMM core when persist is enabled for wideip with certain iRule commands triggered.
562921-3 2-Critical   Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
663310-4 3-Major   named reports "file format mismatch" for text slave zone files when upgrading to versions with BIND 9.9.x
654599-2 3-Major K74132601 The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
487144-3 3-Major   tmm intermittently reports that it cannot find FIPS key


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
691670-2 2-Critical   Rare BD crash in a specific scenario
684312-3 2-Critical K54140729 During Apply Policy action, bd agent crashes, causing the machine to go Offline
679603-3 2-Critical K15460886 bd core upon request, when profile has sensitive element configured.
678462-1 2-Critical   After chassis failover: asmlogd CPU 100% on secondary
676416-3 2-Critical   BD restart when switching FTP profiles
675232-2 2-Critical   Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
636669-2 2-Critical K37300224 bd logs are full of 'Can't run patterns' messages
611154-2 2-Critical   BD crash
576123-2 2-Critical K23221623 ASM policies are created as inactive policies on the peer device
706304 3-Major   ASU and other Update Check services overload F5 download server
697303-4 3-Major   BD crash
696265-2 3-Major K60985582 BD crash
694922-2 3-Major   ASM Auto-Sync Device Group Does Not Sync
685207-3 3-Major   DoS client side challenge does not encode the Referer header.
683241-4 3-Major K70517410 Improve CSRF token handling
571593-1 3-Major   A BD core on specific server behavior with a specific configuration
504917-1 3-Major   In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed
447319-5 3-Major K57527347 Requests Export: Japanese characters (SHIFT-JIS) unreadable in PDF


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
707738-5 1-Blocking K84747528 Network Access cannot be established on Windows 10 RS4
714716-4 2-Critical K10248311 Apmd logs password for acp messages when in debug mode
693739-5 2-Critical   VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
672480 2-Critical   WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO
666454-6 2-Critical K05520115 Edge client on MacBook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
702490-5 3-Major   Windows Credential Reuse feature may not work
684937-5 3-Major K26451305 [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-5 3-Major K22904904 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
668623-2 3-Major K85991425 macOS Edge client fails to detect correct system language for regions other than USA
640924-6 3-Major   On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
632646-2 3-Major   APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
590345-3 3-Major   ACCESS policy running iRule event agent intermittently hangs
535131-1 3-Major   RelayState passed from IdP to SP is not used as a landing URI for IdP initiated SAML SSO


Service Provider Fixes

ID Number Severity Solution Article(s) Description
703515-6 2-Critical K44933323 MRF SIP LB - Message corruption when using custom persistence key
685708-5 2-Critical   Routing via iRule to a host without providing a transport, from a connection created by a transport-config, cores
700571-1 3-Major   SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-4 3-Major   High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
629663-2 3-Major K23210890 CGNAT SIP ALG will drop SIP INVITE
625542-4 3-Major   SIP ALG with Translation fails for REGISTER refresh.


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
503951-2 2-Critical   AFM policies not synced


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
546691-1 2-Critical   URLCAT stats cause crash without PEM URLCAT license



Cumulative fixes from BIG-IP v11.6.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
704490-1 CVE-2017-5754 K91229003 CVE-2017-5754 (Meltdown)
704483-1 CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 K91229003 CVE-2017-5753 (Spectre Variant 1)


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
707226-3 1-Blocking   DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
601828-2 2-Critical K13338433 An untrusted certificate can cause tmm to crash.



Cumulative fixes from BIG-IP v11.6.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
681710-5 CVE-2017-6155 K10930474 Malformed HTTP/2 requests may cause TMM to crash
677193-4 CVE-2017-6154 K38243073 ASM BD Daemon Crash.
671498-2 CVE-2017-3143 K02230327 BIND zone contents may be manipulated
670822-4 CVE-2017-6148 K55225440 TMM may crash when processing SOCKS data
648786-2 CVE-2017-6169 K31404801 TMM crashes when categorizing long URLs
671638-3 CVE-2018-5500 K33211839 TMM crash when load-balancing mptcp traffic
671497-2 CVE-2017-3142 K59448931 TSIG authentication bypass in AXFR requests
662663-3 CVE-2018-5507 K52521791 Decryption failure Nitrox platforms in vCMP mode
643375-2 CVE-2018-5508 K10329515 TMM may crash when processing compressed data
627907-3 CVE-2017-6143 K11464209 Improve cURL usage
627747-3 CVE-2017-6142 K20682450 Improve cURL Usage
621337-3 CVE-2016-7469 K97285349 XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
605039-2 CVE-2016-2775 K92991044 lwresd and bind vulnerability CVE-2016-2775
572272-4 CVE-2018-5506 K65355492 BIG-IP - Anonymous Certificate ID Enumeration
609691-3 CVE-2014-4617 K21284031 GnuPG vulnerability CVE-2014-4617


Functional Change Fixes

ID Number Severity Solution Article(s) Description
686389-4 3-Major   APM does not honor per-farm HTML5 client disabling at the View Connection Server
651772-5 3-Major   IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
620445-5 3-Major   New SIP::persist keyword to set the timeout without changing key
613023-6 3-Major   Update SIP::Persist to support resetting timeout value.
599839-7 3-Major   Add new keywords to SIP::persist command to specify how Persistence table is updated
441079-5 3-Major K55242686 BIG-IP 2000/4000: Source ports on NAT connections are modified when they should be preserved


TMOS Fixes

ID Number Severity Solution Article(s) Description
667173-2 2-Critical   13.1.0 cannot join a device group with 13.1.0.1
448409-4 2-Critical K15491 'load sys config verify' commands cause loss of sync configuration and initiate a provisioning cycle
697794 3-Major   ROM layout file missing for Blade B2250 in BIG-IP VIPRION 2400 chassis
691485-2 3-Major K47635484 System fails to boot when syslog-ng is not running.
674320-3 3-Major K11357182 Syncing a large number of folders can prevent the configuration from being saved on the peer systems
623930-2 3-Major   vCMP guests with vlangroups may loop packets internally
623336-2 3-Major   After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS
610442-1 3-Major K75051412 vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso
610417-3 3-Major K54511423 Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
601709 3-Major K02314881 I2C error recovery for BIG-IP 4340N/4300 blades
584583-6 3-Major K18410170 Timeout error when using the REST API to retrieve large amount of data
577474-4 3-Major K35208043 Users with auditor role are unable to use tmsh list sys crypto cert
546145-4 3-Major   Creating local user for previously remote user results in incomplete user definition.
544906-1 3-Major K07388310 Issues when using remote authentication when users have different partition access on different devices
508556-1 3-Major K17035 CSR missing SAN when renewing cert in GUI
488417-2 3-Major K16977 Config load failure with 'Input error: can't create user' after upgrade
428876-1 3-Major   dtca-bundle.crt file version can be out of sync with config
423928-2 3-Major K42630383 syslog messages over 8 KB in length cause logstatd to exit
697904 4-Minor   GUI does not show Device names with <> properly.
551349-4 4-Minor K80203854 Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade
545799-2 4-Minor K48550324 Dashboard fails to export derived throughput history
541550-1 4-Minor   Defining more than 10 remote-role groups can result in authentication failure
522632 5-Cosmetic K20301558 Qkview generates error-level message


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
621452-3 1-Blocking K58146172 Connections can stall with TCP::collect iRule
659899-5 2-Critical K10589537 Rare, intermittent system instability observed in dynamic load-balancing modes
646643-3 2-Critical K43005132 HA standby virtual server with non-default lasthop settings may crash.
644112-4 2-Critical K56150996 Permanent connections may be expired when endpoint becomes unreachable
643631-1 2-Critical K70938130 Serverside connections on virtual servers using VDI may become zombies.
615303-1 2-Critical K47381511 bigd crash with Tcl monitors
604926-1 2-Critical K50041125 The TMM may become unresponsive when using SessionDB data larger than ~400K
581746-3 2-Critical K42175594 MPTCP or SSL traffic handling may cause a BIG-IP outage
515915-4 2-Critical K47804233 Server side timewait close state causes long establishment under port reuse
487925-1 2-Critical   TMM "unexpected message" assert in diameter_tcl_handler()
698000-4 3-Major K04473510 Connections may stop passing traffic after a route update
680755-2 3-Major K27015502 max-request enforcement no longer works outside of OneConnect
662881-3 3-Major K10443875 L7 mirrored packets from standby to active might cause tmm core when it goes active.
658214-3 3-Major K20228504 TCP connections fail intermittently for mirrored fastl4 virtual server
650292-3 3-Major   DNS transparent cache can return non-recursive results for recursive queries
647165 3-Major   A monitor may unexpectedly transition from up to down and back to up.
645197-2 3-Major   Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change
645036-4 3-Major K85772089 Removing pool from virtual server does not update its status
643777-3 3-Major K27629542 LTM policies with more than one IP address in TCP address match may fail
641512-3 3-Major K51064420 DNSSEC key generations fail with lots of invalid SSL traffic
640565-3 3-Major K11564859 Incorrect packet size sent to clone pool member
636149 3-Major   Multiple monitor response codes to single monitor probe failure
627246-2 3-Major K09336400 TMM memory leak when ASM policy configured on virtual server
618254 3-Major   Non-zero Route domain is not always used in HTTP explicit proxy
607246-2 3-Major   Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
591666-2 3-Major   TMM crash in DNS processing on TCP virtual with no available pool members
587705-7 3-Major K98547701 Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
557667-1 3-Major K73162091 Some monitor types may fail to probe when the monitor definition is changed
542009-2 3-Major K01162427 tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.
538705-1 3-Major K01545350 tmm assert 'valid private'
536563-2 3-Major   Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
528198-2 3-Major   reject in iRule event FLOW_INIT may not respond with a RST
520604-8 3-Major K52431550 Route domain creation may fail if simultaneously creating and modifying a route domain
517756-7 3-Major   Existing connections can choose incorrect route when crossing non-strict route-domains
494333-2 3-Major   In specific cases, persist cookie insert fails to insert a session cookie when using an iRule
483653-2 3-Major   In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window
483257-1 3-Major K17051 Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP
475681-1 3-Major K17021 Changing virtual server type from Standard to Performance (HTTP) can make it impossible to connect to VIP
467551-6 3-Major K17011 TCP syncookie and Selective NACK (profile option) causes traffic to be dropped
462881-1 3-Major K17006 Configuration utility allows for mismatch in IP protocol and transport profile
435055-1 3-Major K17291 ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert)
352957-1 3-Major K03005026 Route lookup after change in route table on established flow ignores pool members
530877-4 4-Minor K13887095 TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
645615-3 2-Critical K70543226 zxfrd may fail and restart after multiple failovers between blades in a chassis.
584374-1 2-Critical K67622400 iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
636853-1 3-Major K19401488 Under some conditions, a change in the order of GTM topology records does not take effect.
629530-3 3-Major K53675033 Under certain conditions, monitors do not time out.
625671-2 3-Major   The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
527387-1 3-Major K06611108 Timeout config settings can result in incorrect monitoring


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
694073-4 3-Major   All signature update details are shown in 'View update history from previous BIG-IP versions' popup
669394 3-Major K23432927 CS redirects to incorrect URL


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
652004-4 2-Critical K45320415 Show /apm access-info all-properties causes memory leaks in tmm
649234-4 2-Critical K64131101 TMM crash from a possible memory corruption.
685857 3-Major   Memory consumption of tmm slowly increases.
684325-4 3-Major   APMD Memory leak when applying a specific access profile
678976-5 3-Major K24756214 Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
677058-4 3-Major K31757417 Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text
675866-3 3-Major   WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
670918-1 3-Major   Flash AS3 wrappers should have an additional check for the activation object
670910-1 3-Major   Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
655146-5 3-Major   APM Profile access stats are not updated correctly
654513-5 3-Major K11003951 APM daemon crashes when the LDAP query agent returns empty in its search results.
648083-1 3-Major K83700745 APM rewrite process may incorrectly handle the eval() function.
610582-5 3-Major   Device Guard prevents Edge Client connections
576350-2 3-Major K32581271 External input from client doesn't pass to policy agent if it is not the first in the chain.
565347-1 3-Major   Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction
436489-4 3-Major   Session variables defined within the "Relay State" parameter of an SP initiated SSO session may fail.


WAN Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
682281 2-Critical   iSession tunnels are not reused and idle tunnels are not terminated by the sweeper
549327-3 3-Major   iSession remote endpoint connection not re-established
479183-2 3-Major K01749002 Unexpected iSession tunnel state transition causes TMM to restart.


Service Provider Fixes

ID Number Severity Solution Article(s) Description
640407-4 2-Critical   Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
639236-3 2-Critical K66947004 Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
559953-2 2-Critical   tmm core on long DIAMETER::host value
679114-1 3-Major   Persistence record expires early if an error is returned for a BYE command
674747-1 3-Major K30837366 sipdb cannot delete custom bidirectional persistence entries.
673814-2 3-Major K37822302 Custom bidirectional persistence entries are not updated to the session timeout
642298-2 3-Major   Unable to create a bidirectional custom persistence record in MRF SIP
625098-1 3-Major   SCTP::local_port iRule not supported in MRF events
624023-1 3-Major   TMM cores in iRule when accessing a SIP header that has no value
620929-5 3-Major   New iRule command, MR::ignore_peer_port
620759-5 3-Major   Persist timeout value gets truncated when added to the branch parameter.
609328-1 3-Major K53447441 SIP Parser incorrectly parses empty header
603019-5 3-Major   Inserted SIP VIA branch parameter not unique between INVITE and ACK
598700-8 3-Major   MRF SIP Bidirectional Persistence does not work with multiple virtual servers
493020-1 3-Major K21254213 MRF SIP iRules events not raised if previous message's event is still running
632658-5 4-Minor   Enable SIP::persist command to operate during SIP_RESPONSE event
617690-2 4-Minor   Enable SIP::respond iRule command to operate during MR_FAILED event


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
673029-1 2-Critical   Debug image TMM crash
624744-4 2-Critical   Potential crash in a multi-blade chassis during CMP state changes.
623922-1 2-Critical K64388805 TMM failure in PEM while processing Service-Provider Disaggregation
622220-3 2-Critical   Disruption during manipulation of PEM data with suspected flow irregularity
616008-4 2-Critical K23164003 TMM core may be seen when using an HSL format script for HSL reporting in PEM
678822-5 3-Major   Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed
642068-2 3-Major   PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
641482-5 3-Major   Subscriber remains in delete pending state until a CCR-T ack with a success result code is received
623037-1 3-Major   Delete of PEM session attribute does not work after an update
680729-5 4-Minor K64307999 DHCP Trace log incorrectly marked as an Error log.
628869-1 4-Minor   Unconditional logs seen due to the presence of a PEM iRule.



Cumulative fixes from BIG-IP v11.6.2 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
693211-4 CVE-2017-6168 K21905460 CVE-2017-6168


Functional Change Fixes

None



Cumulative fixes from BIG-IP v11.6.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
684879-3 CVE-2017-6164 K02714910 TMM may crash while processing TLS traffic
653993-2 CVE-2017-6132 K12044607 A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880-1 CVE-2017-6214 K81211720 Kernel Vulnerability: CVE-2017-6214
652516-1 CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 K31603170 Multiple Linux Kernel Vulnerabilities
649907-3 CVE-2017-3137 K30164784 BIND vulnerability CVE-2017-3137
649904-3 CVE-2017-3136 K23598445 BIND vulnerability CVE-2017-3136
648865-1 CVE-2017-6074 K82508682 Linux kernel vulnerability: CVE-2017-6074
644904-4 CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 K55129614 tcpdump 4.9
644693-4 CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 K15518610 Fix for multiple CVEs for openjdk-1.7.0
643187-3 CVE-2017-3135 K80533167 BIND vulnerability CVE-2017-3135
641360-3 CVE-2017-0303 K30201296 SOCKS proxy protocol error
638556-3 CVE-2016-10045 K73926196 PHP Vulnerability: CVE-2016-10045
636702-2 CVE-2016-9444 K40181790 BIND vulnerability CVE-2016-9444
636700-3 CVE-2016-9147 K02138183 BIND vulnerability CVE-2016-9147
636699-4 CVE-2016-9131 K86272821 BIND vulnerability CVE-2016-9131
630475-4 CVE-2017-6162 K13421245 TMM Crash
626360-5 CVE-2017-6163 K22541983 TMM may crash when processing HTTP2 traffic
624903-3 CVE-2017-6140 K55102452 Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
624526-1 CVE-2017-6159 K10002335 TMM core in mptcp
610255-2 CVE-2017-6161 K62279530 CMI improvement
563154-2 CVE-2015-2925 CVE-2015-5307 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 K31026324 K94105604 K90230486 Multiple Linux Kernel vulnerabilities
560109-3 CVE-2017-6160 K19430431 Client capabilities failure
540174-3 CVE-2015-5364 CVE-2015-5366 K17307 K17309 CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1623.html
655059-2 CVE-2017-6134 K37404773 TMM Crash
648879-1 CVE-2016-6136 CVE-2016-9555 K90803619 Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
645101-4 CVE-2017-3731, CVE-2017-3732 K44512851 OpenSSL vulnerability CVE-2017-3732
640768-1 CVE-2016-10088 CVE-2016-9576 K05513373 Kernel vulnerability: CVE-2016-10088
638137-1 CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 K51201255 CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
637666-3 CVE-2016-10033 K74977440 PHP Vulnerability: CVE-2016-10033
635314-4 CVE-2016-1248 K22183127 vim Vulnerability: CVE-2016-1248
631688-4 CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 K55405388 K87922456 K63326092 K51444934 K80996302 Multiple NTP vulnerabilities
625372-2 CVE-2016-2179 K23512141 OpenSSL vulnerability CVE-2016-2179
623119-6 CVE-2016-4470 K55672042 Linux kernel vulnerability CVE-2016-4470
622496-6 CVE-2016-5829 K28056114 Linux kernel vulnerability CVE-2016-5829
622178-3 CVE-2017-6158 K19361245 Improve flow handling when Autolasthop is disabled
622126-3 CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 K54308010 PHP vulnerability CVE-2016-7124
614147-3 CVE-2017-6157 K02692210 SOCKS proxy defect resolution
613225-3 CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 K90492697 OpenSSL vulnerability CVE-2016-6306
613127-6 CVE-2016-5696 K46514822 Linux TCP Stack vulnerability CVE-2016-5696
607314-3 CVE-2016-3500 CVE-2016-3508 K25075696 Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
600232-4 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
600223-4 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
600069-3 CVE-2017-0301 K54358225 Portal Access: Requests handled incorrectly
592485-2 CVE-2015-5157 CVE-2015-8767 K17326 Linux kernel vulnerability CVE-2015-5157
592001-2 CVE-2016-4071 CVE-2016-4073 K64412100 CVE-2016-4073 PHP vulnerabilities
540018-2 CVE-2014-3940 CVE-2014-3184 CVE-2015-0239 K16429 K15685 K15912 Multiple Linux Kernel Vulnerabilities
533413-4 CVE-2011-5321 CVE-2015-3636 CVE-2015-1593 CVE-2015-2830 CVE-2015-2922 K51518670 CVE updates from https://rhn.redhat.com/errata/RHSA-2015-1221.html
527563-6 CVE-2015-1805 CVE-2015-3331 CVE-2014-9419 CVE-2014-9420 CVE-2014-9585 K17458 K16819 K17551 K17543 K17241 Kernel Vulnerabilities
600205-4 CVE-2016-2178 K53084033 OpenSSL Vulnerability: CVE-2016-2178
598002-3 CVE-2016-2178 K53084033 OpenSSL vulnerability CVE-2016-2178
591438-2 CVE-2015-8865 K54924436 PHP vulnerability CVE-2015-8865
569355-3 CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 K50118123 Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
492732-2 CVE-2014-3184 K15912 Linux kernel driver vulnerabilities CVE-2014-3184, CVE-2014-3185, CVE-2014-3611, CVE-2014-3645, and CVE-2014-3646
655021-3 CVE-2017-3138 K23598445 BIND vulnerability CVE-2017-3138
621935-3 CVE-2016-6304 K54211024 OpenSSL vulnerability CVE-2016-6304
606771-4 CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 K35799130 Multiple PHP vulnerabilities
601268-1 CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 K43267483 PHP vulnerability CVE-2016-5766


Functional Change Fixes

ID Number Severity Solution Article(s) Description
643210-1 2-Critical K45444280 Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
633723-2 3-Major   New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
609674-2 3-Major   Machine certificate check creates issuer string with DC components in reverse order
545263-4 3-Major   Add SSL maximum aggregate active handshakes per profile and globally


TMOS Fixes

ID Number Severity Solution Article(s) Description
534824-1 1-Blocking K02954921 Incorrect key/certificate when creating clientSSL profile and modifying key/cert in the same transaction.
480073-1 1-Blocking   Adding a new chassis and syncing the configuration cause mcpd to restart.
638935-7 2-Critical   Monitor with send/receive string containing double-quote may cause upgrade to fail.
625824-3 2-Critical   iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
610354-2 2-Critical   TMM crash on invalid memory access to loopback interface stats object
542898-3 2-Critical   Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0
528343-2 2-Critical   Loading cli preference that does not contain the user attribute will fail
514514-1 2-Critical   Running gtm_add can result in error message about encrypted attributes.
513151-8 2-Critical   VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.
483373-2 2-Critical   Incorrect bash prompt for created admin role users
667278-4 3-Major   DSC connections between BIG-IP units may fail to establish
650002-3 3-Major   tzdata bug fix and enhancement update
648316 3-Major K10776106 Flows using DEFLATE decompression can generate error message during flow tear-down.
647944-3 3-Major   MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
645179-3 3-Major   Traffic group becomes active on more than one BIG-IP after a long uptime
644184-1 3-Major K36427438 ZebOS daemons hang while AgentX SNMP daemon is waiting.
631627-5 3-Major   Applying BWC over route domain sometimes results in tmm not becoming ready on system start
628164-2 3-Major K20766432 OSPF with multiple processes may incorrectly redistribute routes
622133-4 3-Major   vCMP guests may obtain incorrect MAC addresses
621273-4 3-Major   DSR tunnels with transparent monitors may cause TMM crash.
619060-2 3-Major   Reduction in boot time in BIG-IP Virtual Edition platforms
617628-2 3-Major   SNMP reports incorrect value for sysBladeTempTemperature OID
491406-1 3-Major   TMM SIGSEGV in sctp_output due to NULL snd_dst
485164-2 3-Major K40794733 MCPD cores when the Check Service Date in the license is not current.
393270-4 3-Major   Configuration utility may become non-responsive or fail to load.
655691-1 4-Minor   GUI image list contains misleading 'MD5 Sum Verified' field
654566-1 4-Minor K94822416 Incomplete files still linked in /shared/vmisolinks
634371-3 4-Minor   Cisco ethernet NIC driver
442322-2 4-Minor   vCMP guest names in statistics limited to 32 characters


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
618905-3 1-Blocking   tmm core while installing Safenet 6.2 client
646604-3 2-Critical K21005334 Client connection may hang when NTLM and OneConnect profiles used together
642400-1 2-Critical   Path MTU discovery occasionally fails
637181-3 2-Critical   VIP-on-VIP traffic may stall after routing updates
635274-3 2-Critical K21514205 SSL::sessionid command may return invalid values
634259 2-Critical K50166002 IP tuple nexthop object can be freed while still referenced by another structure
625198-3 2-Critical   TMM might crash when TCP DSACK is enabled
603667-3 2-Critical   TMM may leak or corrupt memory when configuration changes occur with plugins in use
600982-1 2-Critical   TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
597978-4 2-Critical   GARPs may be transmitted by an active unit going offline
581829-1 2-Critical   Traffic that uses a network HSM for crypto services can fail to recover.
566071-1 2-Critical   network-HSM may not be operational on secondary slots of a standby chassis.
503125-4 2-Critical   Excessive MPI net traffic can cause tmm panics on chassis systems
477195-3 2-Critical   OSPFv3 session gets stuck in loading state
474797 2-Critical   Nitrox crypto hardware may attempt soft reset while currently resetting
663326-3 3-Major   Thales HSM: "fipskey.nethsm --export" fails to make stub keys
654109-3 3-Major K01102467 Configuration loading may fail when iRules calling procs in other iRules are deleted
648954-3 3-Major K01102467 Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
643582-1 3-Major   Config load with large ssl profile configuration may cause tmm restart
613369-1 3-Major   Half-Open TCP Connections Not Discoverable
612694-3 3-Major   TCP::close with no pool member results in zombie flows
608551-4 3-Major   Half-closed congested SSL connections with unclean shutdown might stall.
604496-2 3-Major   SQL (Oracle) monitor daemon might hang.
508486-2 3-Major   TCP connections might stall if initialization fails
499615-3 3-Major K49031780 RAM cache serves zero length documents.
423392-5 3-Major   tcl_platform is no longer in the static:: namespace
511985-4 4-Minor   Large numbers of ERR_UNKNOWN appearing in the logs


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
624193-1 3-Major   Topology load balancing not working as expected
468503-1 3-Major   The Update Check operation reports a different version of IP geolocation database than what is installed.
644220-2 4-Minor   Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
618771-2 2-Critical   Some Social Security Numbers are not being masked
577668-1 2-Critical   ASM Remote logger doesn't log 64 KB request.
569583-1 2-Critical   Secondary Blade Rejects All Traffic after being added to the chassis
568347-2 2-Critical   BD Memory corruption
665905-1 3-Major K83305000 Signature System corruption from specific ASU prevents ASU load after upgrade
664930-1 3-Major   Policy automatic learning mode changes to manual after failover
625832-2 3-Major   A false positive modified domain cookie violation
616169-2 3-Major   ASM Policy Export returns HTML error file
604923-3 3-Major   REST id for Signatures change after update
572885-2 3-Major   Policy automatic learning mode changes to manual after failover
427644-2 3-Major   asm_config_server_rpc might crash during ASM policy sync
366605-1 3-Major   response_log_size_limit does not limit the log size.
557098-1 4-Minor K80251813 Correlation is continuously restarted with 'An instance with pid xxxx is already running' error in the ltm log


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
602654-3 2-Critical   TMM crash when using AVR lookups
639617 3-Major   When AVR collects page load time and/or session data, the Content-Length can be set incorrectly
635561-3 3-Major   Heavy URLs statistics are not shown after upgrade.
631722-2 3-Major   Some HTTP statistics not displayed after upgrade
573764-3 3-Major   In some cases, only the primary blade retains its statistics after upgrade on a multi-bladed system
570926-1 3-Major   Provide a way to configure where in payload the CSPM JS is injected.
560114-7 3-Major   Monpd is being affected by an I/O issue which makes some of its threads freeze
512303-1 3-Major   Install does not complete (stays at 0%) because the UCS save operation hangs while backing up the AVR database.
639395-1 4-Minor K91614278 AVR does not display 'Max read latency' units.


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
679235-4 2-Critical   Inspection Host NPAPI Plugin for Safari cannot be installed
638570-2 2-Critical   "ACCESS::session remove" hangs in ACCESS_POLICY_COMPLETED
632798-1 2-Critical K30710317 Double-free may occur if Access initialization fails
499800-1 2-Critical   Customized logout page is not displayed after logon failure
481481-1 2-Critical   APM on a multi-blade chassis: on an idle machine, 'rewrite' processes can take up to half of the CPU cycles.
676300-6 3-Major K04551025 EPSEC binaries may fail to upgrade in some cases
658852-1 3-Major   Empty User-Agent in iSessions requests from APM client on Windows
649613-1 3-Major   Multiple UDP/TCP packets packed into one DTLS Record
645684-1 3-Major   Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
638780-1 3-Major   Handle 302 redirects for VMware Horizon View HTML5 client
620829-4 3-Major K34213161 Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
619486-1 3-Major   Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
618170-1 3-Major   Some URL unwrapping functions can behave badly
615970-2 3-Major   SSO logging level may cause failover
601420-2 3-Major   Possible SAML authentication loop with IE and multi-domain SSO.
597214-2 3-Major   Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
583272-1 3-Major   "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
559402-1 3-Major   Client-initiated form-based SSO fails when username and password are not replaced correctly while posting the form
557841-1 3-Major   Policy sync fails when adding host to AppTunnel on LSO resolve
557399-2 3-Major   Browser could become unresponsive when page with specific script constructions is accessed through Portal Access
508699-1 3-Major   Import with reuse is failing if profile and resource are sharing the same name
474606-1 3-Major   [Flash AS3] ApplicationDomain matching fails for relative URLs
611968-1 4-Minor   JavaScript active content on an HTML page with a significant number of links (>1000) browsed by IE8 can run very slowly


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
476460-6 4-Minor   WAM Range HTTP header limited to 8 ranges


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
644970-2 2-Critical   Editing a virtual server config loses SSL encryption on iSession connections
644489-2 3-Major K14899014 Unencrypted iSession connection established even though data-encrypt configured in profile


Service Provider Fixes

ID Number Severity Solution Article(s) Description
649933-3 3-Major   Fragmented RADIUS messages may be dropped


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
652400-1 3-Major   During blade changes, PBA may cause a TMM restart



Cumulative fixes from BIG-IP v11.6.1 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
631582-4 CVE-2016-9250 K55792317 Administrative interface enhancement
624570-3 CVE-2016-8864 K35322517 BIND vulnerability CVE-2016-8864
624457-3 CVE-2016-5195 K10558632 Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
616864-3 CVE-2016-2776 K18829561 BIND vulnerability CVE-2016-2776
612128 CVE-2016-6515 K31510510 OpenSSH vulnerability CVE-2016-6515
611469-2 CVE-2016-7467 K95444512 Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-1 CVE-2016-9252 K46535047 Improper handling of IP options
596340-3 CVE-2016-9244 K05121675 F5 TLS vulnerability CVE-2016-9244
591329-2 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K36488941 CVE-2016-2108 fixed in Oracle Access Manager library used by BIG-IP APM
588496-3 CVE-2009-3555 K10737 SSL Renegotiation vulnerability - CVE-2009-3555 / VU#120541
586131-3 CVE-2014-3566 K15702 SSLv3 vulnerability CVE-2014-3566
580026-3 CVE-2017-6165 K74759095 HSM logging error
635412-2 CVE-2017-6137 K82851041 Invalid mss with fast flow forwarding and software syn cookies
618261-3 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
604442-1 CVE-2016-6249 K12685114 iControl log
599536-2 CVE-2017-6156 K05263202 IPsec peer with wildcard selector brings up wrong phase2 SAs
597023-4 CVE-2016-4954 K82644737 NTP vulnerability CVE-2016-4954
594496-3 CVE-2016-4539 K35240323 PHP Vulnerability CVE-2016-4539
591455-2 CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 K24613253 NTP vulnerability CVE-2016-2516
591447-3 CVE-2016-4070 K42065024 PHP vulnerability CVE-2016-4070
520924-4 CVE-2016-5020 K00265182 Restricted roles for custom monitor creation
475743-4 CVE-2017-6128 K92140924 Improve administrative login efficiency
635933-1 CVE-2004-0790 K23440942 The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
600198-4 CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 K53084033 OpenSSL vulnerability CVE-2016-2178
599285-4 CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 K51390683 PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
597010-4 CVE-2016-4955 K03331206 NTP vulnerability CVE-2016-4955
596997-4 CVE-2016-4956 K64505405 NTP vulnerability CVE-2016-4956
591767-3 CVE-2016-1547 K11251130 NTP vulnerability CVE-2016-1547
573343-3 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 K01324833 NTP vulnerability CVE-2015-8158


Functional Change Fixes

ID Number Severity Solution Article(s) Description
620712-1 3-Major   Added better search capabilities on the Pool Members Manage & Pool Create page.
597797-1 3-Major K78449695 Allow users to disable enforcement of RFC 7057
581840 3-Major K46576869 Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.
564876-1 3-Major   New DB variable log.lsn.comma changes CGNAT logs to CSV format
561348-4 3-Major   krb5.conf file is not synchronized between blades and not backed up
541549-4 3-Major   AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-5 3-Major   OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
454492-1 3-Major   Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures
451433-7 3-Major   HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe)
609084-1 4-Minor K03808942 Max number of chunks not configurable above 1000 chunks
591733-2 4-Minor K83175883 Save on Auto-Sync is missing from the configuration utility.


TMOS Fixes

ID Number Severity Solution Article(s) Description
624263-3 2-Critical   iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response
624245 2-Critical   Hung tasks leading to system problems and lack of management access via ssh/GUI
614865-2 2-Critical   Overwrite flag in the iControl key/certificate_import_from_pem functions is ignored and might result in errors.
613536-2 2-Critical   tmm core while running the iRule STATS:: command
605476-2 2-Critical   statsd can core when reading corrupt stats files.
601527-3 2-Critical   mcpd memory leak and core
591104-3 2-Critical   ospfd cores due to an incorrect debug statement.
587698-2 2-Critical   bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
583516-3 2-Critical   tmm asserts "valid node" on Active after timer fire.
574055-3 2-Critical   TMM crash after changing raccoon log level
570881-4 2-Critical   IPsec configuration mismatch in IKEv2 causes TMM crash in isakmp_parse_proposal ()
570663-3 2-Critical   Using iControl get_certificate_bundle_v2 causes a memory leak
570419-2 2-Critical   Use of session DB on multi-process appliances and blades may core.
567457-3 2-Critical   TMM may crash when changing the IKE peer config.
460833-1 2-Critical   MCPD sync errors and restart after multiple modifications to file object in chassis
457252-1 2-Critical   tmm crash when using sip_info persistence without a sip profile
440752-1 2-Critical   qkview might loop writing output file if MCPD fails during execution
355806-3 2-Critical   Starting mcpd manually at the command line interferes with running mcpd
623401-4 3-Major   Intermittent OCSP request failures due to non-optimal default TCP profile setting
621417-1 3-Major   sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.
621242 3-Major   Reserve enough space in the image for future upgrades.
616242-2 3-Major K39944245 basic_string::compare error in encrypted SSL key file if the first line of the file is blank
615934-2 3-Major   Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
609119-5 3-Major   Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
608320-4 3-Major   iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response
604931-1 3-Major K42028295 bgpd might core on restarting process with BGP debug enabled.
603149-1 3-Major   Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
601502-1 3-Major   Excessive OCSP traffic
600558-3 3-Major   Errors logged after deleting user in GUI
597729-1 3-Major   Errors logged after deleting user in GUI
597601-4 3-Major   Improvement for a previous issue regressed NAT-T
596814-3 3-Major   HA Failover fails in certain valid AWS configurations
592870-3 3-Major   Fast successive MTU changes to IPsec tunnel interface crashes TMM
590904-5 3-Major   New HA Pair created using serial cable failover only will remain Active/Active
586878-2 3-Major   During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
585485-4 3-Major   Interoperability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system
583285-7 3-Major K24331010 BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
577440-1 3-Major   audit logs may show connection to hagel.mnet
571344-3 3-Major   SSL Certificate with special characters might cause exception when GUI retrieves items list page.
566507-2 3-Major   Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
560510-6 3-Major   Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down.
557059-2 3-Major   When a virtual server has an Anti-Fraud Profile and a Web Acceleration profile, POST requests to non-protected URLs hang
543208 3-Major   Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.
534021-5 3-Major   HA on AWS uses default AWS endpoint (EC2_URL).
533813-3 3-Major   Internal Virtual Server in partition fails to load from saved config
528498-5 3-Major   Recently-manufactured hardware may not be identified with the correct model name and SNMP OID
523642-5 3-Major   Power Supply status reported incorrectly after LBH reset
523527-6 3-Major K43121346 Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.
516540-3 3-Major K17501 devmgmtd file object leak
509400-1 3-Major K36089384 vCMP VIPRION: internal flooded unicast packets with multi-slot trunks impact performance
502714-4 3-Major K75031635 Deleting files and file object references in a single transaction might cause validation errors
481089-7 3-Major   Request group incorrectly deleted prior to being processed
479660-2 3-Major   tmm crash in ipsec when ipsec-policy and ike-peer do not match.
460176-4 3-Major   Hardwired failover asserts active even when standalone
400456-3 3-Major   HTTP monitors with long send or receive strings may not save or update
339825-3 3-Major   Management.KeyCertificate.install_certificate_from_file failing silently
598498-4 4-Minor   Cannot remove Self IP when an unrelated static ARP entry exists.
585097-3 4-Minor   Traffic Group score formula does not result in unique values.
581835-3 4-Minor   Command failing: tmsh show ltm virtual vs_name detail.
551208-1 4-Minor   Nokia alarms are not deleted due to the outdated alert_nokia.conf.
542347-1 4-Minor   Denied message in audit log on first time boot
541320-6 4-Minor K50973424 Sync of tunnels might cause restore of deleted tunnels.
535544-5 4-Minor   Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled
477700-1 4-Minor K04116117 Detail missing from power supply 'Bad' status log messages
470627-2 5-Cosmetic   Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE
442231-2 5-Cosmetic   Pendsect log entries have an unexpected severity


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
622166 2-Critical K75571433 HTTP GET requests with HTTP::cookie iRule command receive no response
619528-2 2-Critical   TMM may accumulate internal events resulting in TMM restart
616215-2 2-Critical   TMM can core when using LB::detach and TCP::notify commands in an iRule
613088-1 2-Critical   pkcs11d thread has session initialization problem.
612229-2 2-Critical   TMM may crash if an LTM disable policy action for 'LTM Policy' is not last
607360-2 2-Critical   Safenet 6.2 library missing after upgrade
605865-2 2-Critical   Debug TMM produces core on certain ICMP PMTUD packets
604223-1 2-Critical   pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
603082-2 2-Critical   Ephemeral pool members are getting deleted/created over and over again.
603032-2 2-Critical   clientssl profiles with sni-default enabled may leak X509 objects
602326-3 2-Critical   Intermittent pkcs11d core when stopping or restarting pkcs11d service
597966 2-Critical   ARP/neighbor cache nexthop object can be freed while still referenced by another structure
588351-2 2-Critical   IPv6 fragments are dropped when packet filtering is enabled.
574153-2 2-Critical   If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout.
526367-3 2-Critical   tmm crash
509646-7 2-Critical   Occasional connections reset when using persistence
480009-2 2-Critical   OSPFv2 Redistributed routes are deleted after blade failover with Graceful Restart
624616-3 3-Major   Safenet uninstall is unable to remove libgem.so
618517-2 3-Major K61255401 bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
617862-1 3-Major   Fastl4 handshake timeout is absolute instead of relative
617858-1 3-Major   bigd core when using Tcl monitors
617824-2 3-Major   "SSL::disable/enable serverside" + oneconnect reuse is broken
613673-1 3-Major K48693281 Pool members may not be marked up and/or there might be a slight delay in monitors
610609-1 3-Major   Total connections in bigtop, SNMP are incorrect
610429-3 3-Major   X509::cert_fields iRule command may leak memory with subpubkey argument
607304-2 3-Major   TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606575-3 3-Major   Request-oriented OneConnect load balancing ends when the server returns an error status code.
604977-3 3-Major K08905542 Wrong alert when DTLS cookie size is 32
603606 3-Major   tmm core
603236-2 3-Major   1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602366-2 3-Major   Safenet 6.2 HA performance
602358-2 3-Major   BIG-IP ServerSSL connection may reset during renegotiation with some SSL/TLS servers due to ClientHello version
601496-1 3-Major   iRules and OCSP Stapling
601178-3 3-Major   HTTP cookie persistence 'preferred' encryption
600827-5 3-Major K21220807 Stuck Nitrox crypto queue can erroneously be reported
600593-4 3-Major   Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
598874-3 3-Major   GTM Resolver sends FIN after SYN retransmission timeout
595275-2 3-Major   Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
594642-1 3-Major   Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
592871-2 3-Major   Cavium Nitrox PX/III stuck queue diagnostics missing.
592497-2 3-Major   Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591789-1 3-Major   IPv4 fragments are dropped when packet filtering is enabled.
591659-3 3-Major K47203554 Server shutdown is propagated to client after X-Cnection: close transformation.
591476-8 3-Major K53220379 Stuck crypto queue can erroneously be reported
591343-2 3-Major K03842525 SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
588115-3 3-Major   TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
586738-2 3-Major   The tmm might crash with a segfault.
584029-2 3-Major   Fragmented packets may cause tmm to core under heavy load
578971-1 3-Major   When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
576224-1 3-Major   NetHSM does not come back after TCP connection to device is reset
573402-2 3-Major   'C_GetAttributeValue error' with netHSM
572281-2 3-Major   Variable values in the nested script of a foreach command get reset when there is a parking command in the script
571573-2 3-Major K20320811 Persistence may override node/pmbr connection limit
570057-3 3-Major   Cannot install more than 16 SafeNet HSMs in an HA group
569642-4 3-Major   Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
569288-2 3-Major   Different LACP key may be used in different blades in a chassis system causing trunking failures
569206-2 3-Major K47952434 After connectivity loss and restoration between HSM and pkcs11d, SSL fails on some blades.
568743-3 3-Major   TMM core when dnssec queries to dns-express zone exceed nethsm capacity
568543-3 3-Major   Syncookie mode is activated on wildcard virtuals
567862-1 3-Major   intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance
565799-2 3-Major   CPU Usage increases when using masquerade addresses
563227-3 3-Major K31104342 When a pool member goes down, persistence entries may vary among tmms
557358-1 3-Major   TMM SIGSEGV and crash when memory allocation fails.
556117-2 3-Major   client-ssl profile is case-sensitive when checking server_name extension
555432-1 3-Major   Large configuration files may go missing on secondary blades
550669-1 3-Major K06263705 Monitors stop working - throttling monitor instance probe because file descriptor limit 65436 reached
549329-1 3-Major K02020031 L7 mirrored ACK from standby to active box can cause tmm core on active
545450-3 3-Major   Log activation/deactivation of TM.TCPMemoryPressure
541126-4 3-Major   Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed
537553-6 3-Major   tmm might crash after modifying virtual server SSL profiles in SNI configuration
528736-1 3-Major   When tcp connection is aborting tmm can crash with "hud_oob consumed" message
525675 3-Major   SSL with forward proxy can leak memory
522310-3 3-Major   ICMP errors cause the associated FastL4/TCP connection to be reset
519746-1 3-Major   ICMP errors may reset FastL4 connections unexpectedly
518086-6 3-Major   Safenet HSM Traffic failure after system reboot/switchover
505705-7 3-Major   Expired mirrored persistence entries not always freed using intra-chassis mirroring
501984-2 3-Major   TMM may experience an outage when an iRule fails in LB_SELECTED.
500003-4 3-Major   Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP
494977-2 3-Major   Rare outages possible when using config sync and node-based load balancing
490740-10 3-Major   TMM may assert if HTTP is disabled by another filter while it is parked
475677-3 3-Major   Connections may hang until timeout if an LTM policy action fails
464801-2 3-Major   Intermittent tmm core
442539-1 3-Major   OneConnect security improvements.
587966-3 4-Minor K77283304 LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
574020-4 4-Minor   Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')
538708-3 4-Minor   TMM may apply SYN cookie validation to packets before generating any SYN cookies
513288-5 4-Minor   Management traffic from nodes being health monitored might cause health monitors to fail.
499795-2 4-Minor   "persist add" in server-side iRule event can result in "Client Addr" being pool member address
446830-3 4-Minor   Current Sessions stat does not increment/decrement correctly.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
603598-2 2-Critical   big3d memory under extreme load conditions
587656-3 2-Critical   GTM auto discovery problem with EHF for ID574052
587617-3 2-Critical   While adding GTM server, failure to configure new IP on existing server leads to gtmd core
621239-1 3-Major   Certain DNS queries bypass DNS Cache RPZ filter.
620215-3 3-Major   TMM out of memory causes core in DNS cache
619398-4 3-Major   TMM out of memory causes core in DNS cache
613576-2 3-Major   QOS load balancing links display as gray
613045 3-Major   Interaction between GTM and 10.x LTM results in some virtual servers marked down
601180-1 3-Major K73505027 Link Controller base license does not allow DNS namespace iRule commands.
589256-3 3-Major K71283501 DNSSEC NSEC3 records with different type bitmap for same name.
588289-4 3-Major   GTM re-orders pools when adding a pool that includes an order designation
574052-2 3-Major   GTM autoconf can cause high CPU usage for gtmd
491801 3-Major   GTM iRule command [LB::status up] gives error
615187-1 4-Minor   Missing hyperlink to GSLB virtual servers and servers on the pool member page.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
634001-1 2-Critical   ASM restarts after deleting a VS that has an ASM security policy assigned to it
582003-2 2-Critical   BD crash on startup or on XML configuration change
515728-5 2-Critical   Repeated BD cores.
514571-1 2-Critical   Apply policy operation hangs
511187-1 2-Critical   The BIG-IP ASM bd process may produce a core file when a large BIG-IP ASM configuration is modified on a loaded system
499347-3 2-Critical   JSON UTF16 content could be blocked by ASM as Malformed JSON
621524-3 3-Major   Processing Timeout When Viewing a Request with 300+ Violations
614563-1 3-Major   AVR TPS calculation is inaccurate
605921 3-Major   scriptd and mcpd cores following multiple failovers due to bd (asm)
605616-3 3-Major   Creating 256 Fundamental Security policies will result in an out of memory error
603945-1 3-Major   BD config update should be considered as config addition in case of update failure
603479-1 3-Major   "ASM starting" while it's already running, causing the restart of all ASM daemons
602221-3 3-Major   Wrong parsing of redirect Domain
600174-1 3-Major   Wildcard "*" redirection domain cannot be deleted if list is scrollable
582683-5 3-Major   xpath parser doesn't reset a namespace hash value between each and every scan
580460-1 3-Major   Client-side integrity defense or proactive defense may break the application
580168-2 3-Major   Information missing from ASM event logs after a switchboot and switchboot back
576591-4 3-Major   Support for some future credit card number ranges
573406-3 3-Major   ASU cannot be completed if license was last activated more than 18 months before
559541-2 3-Major   ICAP anti virus tests are not initiated on XML with when should
553976-1 3-Major   AJAX File uploads don't work in IE (import policy doesn't work)
528071-1 3-Major   ASM periodic updates (cron) write errors to log
521204-1 3-Major   Include default values in XML Policy Export
508957-1 3-Major   ASM REST Slowness Viewing Policy List
392121-1 3-Major   TMSH Command to retrieve the memory consumption of the bd process
609496-1 4-Minor   Improved diagnostics in BD config update (bd_agent) added
603071-1 4-Minor   XHTML validation fails on obfuscated JavaScript
471766-2 4-Minor   Number of decoding passes configuration


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
565085-2 3-Major   Analytics profile allows invalid combination of entities for Alerts setup
488989-3 3-Major   AVRD does not print out an error message when the external logging fails
474613-1 3-Major   Upgrading from previous versions


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
622830 2-Critical   LDAP type CRLDP is parsed incorrectly
622244-1 2-Critical   Edge client can fail to upgrade when always connected is selected
618324-2 2-Critical   Unknown/undefined OPSWAT IDs show up as 'Any' in APM Visual Policy Editor
617310-1 2-Critical   Edge client can fail to upgrade when Always Connected is selected
614322-3 2-Critical K31063537 TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
608408-4 2-Critical   TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
582440-2 2-Critical   Linux client does not restore route to the default GW on Ubuntu 15.10
625376-1 3-Major   In some cases, download of PAC file by edge client may fail
623562-1 3-Major   Large POSTs rejected after policy already completed
621202-1 3-Major   Portal Access: document.write() with very long string as argument may be handled incorrectly.
620614-2 3-Major   Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-3 3-Major   HTTP iRule commands could lead to WEBSSO plugin being invoked
617316-1 3-Major   Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration
617002-3 3-Major   SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838 3-Major   Citrix Remote desktop resource custom parameter name does not accept hyphen character
614891-4 3-Major   Routing table doesn't get updated when EDGE client roams among wireless networks
613613-1 3-Major   Incorrect handling of form that contains a tag with id=action
612419-2 3-Major   APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
611669-1 3-Major   Mac Edge Client customization is not applied on macOS 10.12 Sierra
610248 3-Major   IE 11 browser does not display VDI profile columns properly
610243 3-Major   HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication
610224-1 3-Major   APM client may fetch expired certificate when a valid and an expired certificate co-exist
610180-3 3-Major   Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.
604767-4 3-Major   Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.
603293-3 3-Major   Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs
601905-4 3-Major   POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600116-1 3-Major   DNS resolution request may take a long time in some cases
598211-2 3-Major   Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
591268-3 3-Major   VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
583113-3 3-Major   NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-2 3-Major   Macrocall could be topologically disconnected from the rest of the policy.
569309-1 3-Major   Clientside HTML parser does not recognize HTML event attributes without value
567503-5 3-Major K03293396 ACCESS::remove can result in confusing ERR_NOT_FOUND logs
566998-2 3-Major   Edge client upgrade fails if client was configured in locked mode
559082-1 3-Major   Tunnel details are not shown for MAC Edge client
554458 3-Major   No session variables are displayed when clicking the "View Session Variables" link in APM "All Sessions" reports with reduced zeros in the Session ID
509595-1 3-Major   Start URI is blank when going through the portal in IE, but loads fine in Firefox
451301-1 3-Major   HTTP iRules break Citrix HTML5 functionality
389484-4 3-Major   OAM reporting Access Server down with JDK version 1.6.0_27 or later
366149-1 3-Major   ACL support for VPN tunnels
238444-2 3-Major K14219 An L4 ACL has no effect when a layered virtual server is used.
620922-1 4-Minor   Online help for Network Access needs update


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
472942-2 2-Critical K04924125 tmm crash while changing acceleration policy
596569-2 3-Major   Memory leak on Central device in Symmetric deployment
506315-5 3-Major   WAM/AAM is honoring OWS age header when not honoring OWS maxage.
474445-2 3-Major   TMM crash when processing unexpected HTTP response in WAM


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
619757-3 2-Critical   iSession causes routing entry to be prematurely freed


Service Provider Fixes

ID Number Severity Solution Article(s) Description
607713-4 3-Major   SIP parser fails on a header with multiple sequential separators inside a quoted string.
601255-3 3-Major   RTSP response to SETUP request has incorrect client_port attribute
599521-2 3-Major   Persistence entries not added if message is routed via an iRule
598854-1 3-Major   sipdb tool incorrectly displays persistence records without a pool name
597835-1 3-Major K12228503 Branch parameter in inserted VIA header is not consistent with the spec
583010-9 3-Major   Sending a SIP invite with 'tel' URI fails with a reset


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
619710 3-Major   GUI gives an error when clicking "Update" after making changes to a VS in Security Policies
618902-3 3-Major   PCCD memory usage increases on configuration changes and recompilation due to a small memory leak on each compilation
605427-2 3-Major   TMM may crash when adding and removing virtual servers with security log profiles
592113-1 3-Major   tmm core on the standby unit with dos vectors configured
495390-4 3-Major   An error occurs on Active Rules page after attempting to reorder Rules in a Policy


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
553735-3 2-Critical K30332053 TMM core on HTTP response with steering action.
527992-2 2-Critical   tmm might crash with 'DHCP:dhcp_server_flow_connect' error when the server flow is already connected to a different client.
624091 3-Major   DHCP relay is not forwarding all of the DHCPOFFERS to clients
611355 3-Major   tmm core with PEM
608742-4 3-Major K48561135 DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
592070-1 3-Major   DHCP server connFlow created from the DHCP client connFlow does not have the traffic group ID copied
551303-3 3-Major K75280116 TMM may core during processing of a CCA-T.
472122-4 3-Major   DHCPv4: When configured in forwarding mode, BIG-IP will support client messages that use either UDP 67 or 68 as the source port.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
532365-1 3-Major   lsndb cores with "Assertion `size < bin_key_size' failed"
504828-2 3-Major   "translate address" and "translate port" are enabled by default when configured from the GUI
481948-1 3-Major   LSN_DELETE messages may not be logged in PBA mode


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
615260 2-Critical   out of memory condition when URL categorization is configured to work with large feedlists


Device Management Fixes

ID Number Severity Solution Article(s) Description
522268-2 2-Critical   hostagentd memory leak on VCMP hosts



Cumulative fixes from BIG-IP v11.6.1 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
596488-4 CVE-2016-5118 K82747025 GraphicsMagick vulnerability CVE-2016-5118.
591806-3 CVE-2016-3714 K03151140 ImageMagick vulnerability CVE-2016-3714
591328-2 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K36488941 OpenSSL vulnerability CVE-2016-2106
591327-2 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K36488941 OpenSSL vulnerability CVE-2016-2106
591325-2 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K75152412 OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
591042-5 CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 K23230229 OpenSSL vulnerabilities
579955-2 CVE-2016-7475 K01587042 BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
577826-4 CVE-2016-1286 K62012529 BIND vulnerability CVE-2016-1286
573778-7 CVE-2016-1714 K75248350 QEMU vulnerability CVE-2016-1714
573124-2 CVE-2016-5022 K06045217 TMM vulnerability CVE-2016-5022
563670-11 CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 K86772626 OpenSSL vulnerabilities
601938-3 CVE-2016-7474 K52180214 MCPD stores certain data incorrectly
593447-2 CVE-2016-5024 K92859602 BIG-IP TMM iRules vulnerability CVE-2016-5024
591918-4 CVE-2016-3718 K61974123 ImageMagick vulnerability CVE-2016-3718
591908-4 CVE-2016-3717 K29154575 ImageMagick vulnerability CVE-2016-3717
591894-4 CVE-2016-3715 K10550253 ImageMagick vulnerability CVE-2016-3715
591881-4 CVE-2016-3716 K25102203 ImageMagick vulnerability CVE-2016-3716
587077-3 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 K37603172 Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
585424-3 CVE-2016-1979 K20145801 Mozilla NSS vulnerability CVE-2016-1979
582813-1 CVE-2016-0774 K08440897 Linux Kernel CVE-2016-0774
579220-3 CVE-2016-1950 K91100352 Mozilla NSS vulnerability CVE-2016-1950
564111-1 CVE-2015-8395 CVE-2015-8384 CVE-2015-8392 CVE-2015-8394 CVE-2015-8391 CVE-2015-8390 CVE-2015-8389 CVE-2015-8388 CVE-2015-8387 CVE-2015-8386 CVE-2015-8385 CVE-2015-8383 CVE-2015-8382 CVE-2015-8381 CVE-2015-8380 CVE-2015-2328 CVE-2015-2327 CVE-2015-8393 K05428062 Multiple PCRE vulnerabilities
541231-2 CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 K16704 K16707 Resolution of multiple curl vulnerabilities
486791-2 CVE-2014-6421 CVE-2014-6422 CVE-2014-6423 CVE-2014-6424 CVE-2014-6425 CVE-2014-6426 CVE-2014-6427 CVE-2014-6428 CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 K16939 Resolution of multiple wireshark vulnerabilities
416734-1 CVE-2012-5195 CVE-2012-5526 CVE-2012-6329 CVE-2013-1667 K15867 Multiple Perl Vulnerabilities
580340-3 CVE-2016-2842 K52349521 OpenSSL vulnerability CVE-2016-2842
580313-3 CVE-2016-0799 K22334603 OpenSSL vulnerability CVE-2016-0799
579975-3 CVE-2016-0702 K79215841 OpenSSL vulnerability
579829-3 CVE-2016-0702 K79215841 OpenSSL vulnerability CVE-2016-0702
579237-3 CVE-2016-0705 K93122894 OpenSSL Vulnerability CVE-2016-0705
579085-4 CVE-2016-0797 K40524634 OpenSSL vulnerability CVE-2016-0797
578570-2 CVE-2016-0705 K93122894 OpenSSL Vulnerability CVE-2016-0705
577828-5 CVE-2016-2088 K59692558 BIND vulnerability CVE-2016-2088
577823-4 CVE-2016-1285 K46264120 BIND vulnerability CVE-2016-1285
567379-1 CVE-2013-4397 K16015326 libtar vulnerability CVE-2013-4397
565895-4 CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 K17235 Multiple PCRE Vulnerabilities
553454-2 CVE-2015-2730 K15955144 Mozilla NSS vulnerability CVE-2015-2730
551287-4 CVE-2010-2596 CVE-2013-1960 CVE-2013-1961 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 K16715 Multiple LibTIFF vulnerabilities
481806-2 CVE-2013-4002 K16872 Java Runtime Environment vulnerability CVE-2013-4002
479431-4 CVE-2014-3596 K16821 Apache Axis vulnerability CVE-2014-3596
416372-4 CVE-2012-2677 K16946 Boost memory allocator vulnerability CVE-2012-2677
570667-16 CVE-2016-0701 CVE-2015-3197 K64009378 OpenSSL vulnerabilities
517048-1 CVE-2015-2305 K16831 BSD regex library vulnerability CVE-2015-2305


Functional Change Fixes

ID Number Severity Solution Article(s) Description
532685-6 3-Major   PAC file download errors disconnect the tunnel
490936-2 3-Major   SSLv2/TLSv1-based handshake causing handshake failures
544325-3 4-Minor K83161025 BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).
483508-1 4-Minor K70333230 Large values may display as negative numbers for 32-bit integer variables in the MIB


TMOS Fixes

ID Number Severity Solution Article(s) Description
538761-4 1-Blocking   scriptd may core when MCP connection is lost
583936-3 2-Critical   Removing ECMP route from BGP does not clear route from NSM
574116-2 2-Critical   MCP may crash when syncing configuration between device groups
570973-2 2-Critical   L7 hardware syn cookie feature is broken in BIG-IP v12.0.0 hf1 and hf2
569634 2-Critical   Aced process is not able to listen to port 6000
568889-2 2-Critical K22989000 Some ZebOS daemons do not start on blade transition secondary to primary.
563064-1 2-Critical   Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
561814-1 2-Critical   TMM Core on Multi-Blade Chassis
560683-3 2-Critical   HA IPSEC: tmm core/crash on standby in function ikev2_child_delete_outbound()
559034-1 2-Critical   Mcpd core dump in the sync secondary during config sync
557144-3 2-Critical   Dynamic route flapping may lead to tmm crash
542097-2 2-Critical   Update to RHEL6 kernel
530903-1 2-Critical   HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade
529141-5 2-Critical K95285012 Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error
506274-2 2-Critical   TMM crash/core seen when a traffic-selector is created Action discard
493053-2 2-Critical   Route domains' firewall policies may be removed after sync
481647-5 2-Critical   OSPF daemon asserts and generates core
477611-4 2-Critical   ICMP monitor does not work on DAG Round Robin enabled VLANs
473527-2 2-Critical   IPsec interop problem when using AES-GCM.
420438-3 2-Critical   Default routes from standby system when HA is configured in NSSA
598039-3 3-Major   MCP memory may leak when performing a wildcard query
595773-3 3-Major   Cancellation requests for chunked stats queries do not propagate to secondary blades
579284 3-Major   Potential memory corruption in MCPd
576305-3 3-Major   Potential MCPd leak in IPSEC SPD stats query code
575735-2 3-Major   Potential MCPd leak in global CPU info stats code
575726-2 3-Major   MCPd might leak memory in vCMP interface stats.
575716-2 3-Major   MCPd might leak memory in VCMP base stats.
575708-2 3-Major   MCPd might leak memory in CPU info stats.
575671-2 3-Major   MCPd might leak memory in host info stats.
575660-2 3-Major K50219995 Potential MCPd leak in TMM rollup stats
575649-2 3-Major   MCPd might leak memory in IPFIX destination stats query
575619-2 3-Major   Potential MCPd leak in pool member stats query code
575608-2 3-Major   MCPd might leak memory in virtual server stats query.
575595-1 3-Major   Potential MCPd leak in eviction policy stats.
575591-2 3-Major   Potential MCPd leak in IKE message stats query code
575589-1 3-Major   Potential MCPd leak in IKE event stats query code
575587-2 3-Major   Potential MCPd leak in BWC policy class stats query code
575027-2 3-Major   Tagged VLAN configurations with a cmp-hash setting for the VLAN might result in performance issues.
574045-2 3-Major   BGP may not accept attributes using extended length
571210-4 3-Major   Upgrade, load config, or sync might fail on large configs with large objects.
571019-3 3-Major   Topology records can be ordered incorrectly.
570818-2 3-Major   Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
570053-2 3-Major K78448635 HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
569356-2 3-Major K91428939 BGP ECMP learned routes may use incorrect VLAN for nexthop
569236-4 3-Major K24331010 BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
565534-2 3-Major K40254066 Some failover configuration items may fail to take effect
562044-2 3-Major   Statistics slow_merge option does not work
559939-2 3-Major K30040319 Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
558858-4 3-Major K80079953 Unexpected loss of communication between slots of a vCMP Guest
558779-6 3-Major   SNMP dot3 stats occasionally unavailable
557281-2 3-Major   The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%
555039-2 3-Major K24458124 VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
553795-4 3-Major   Differing cert/key after successful config-sync
549971-5 3-Major   Some changes to virtual servers' profile lists may cause secondary blades to restart
548385-3 3-Major K25231211 iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results
546410-2 3-Major K02151433 Configuration may fail to load when upgrading from version 10.x.
545745-2 3-Major   Enabling tmm.verbose mode produces messages that can be mistaken for errors.
542860-4 3-Major   TMM crashes when IPsec SAs are deleted during an HA Active to Standby (or vice versa) event
542742-2 3-Major K07038540 SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
542320-1 3-Major   no login name may appear when running ssh commands through management port
541316-3 3-Major K41175594 Unexpected transition from Forced Offline to Standby to Active
539199-3 3-Major   HTML filter is truncating the server response when sending it to client
538133-4 3-Major   Only one action per sensor is displayed in sensor_limit_table and system_check
537326-2 3-Major   NAT available in DNS section but config load fails with standalone license
532559-4 3-Major   Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.
526974-1 3-Major   Data-group member records map empty strings to 'none'.
521270-2 3-Major   Hypervisor might replace vCMP guest SYN-Cookie secrets
519081-1 3-Major   Cannot use tmsh to load valid configuration created using the GUI.
516995-3 3-Major   NAT traffic group inheritance does not sync across devices
513649-4 3-Major   Transaction validation errors on object references
512954-2 3-Major   ospf6d might leak memory when distribute-list is used
511900-2 3-Major   'sessiondump -allkeys' command hangs
510580-5 3-Major   Interfaces might be re-enabled unexpectedly when loading a partition
508076-2 3-Major   Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name.
504803-5 3-Major   GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.
502049-1 3-Major   Qkview may store information in the wrong format
502048-1 3-Major   Qkview may store information in the wrong format
487625-3 3-Major   Qkview might hang
486725-2 3-Major   GUI creating key files with .key extensions in the name causing errors
486712-3 3-Major   GUI PVA connection maximum statistic is always zero
485702-4 3-Major   Default SNMP community 'public' is re-added after the upgrade
484534-4 3-Major   Interface STP state stays blocked when the interface is added to STP as disabled
481696-2 3-Major   Failover error message 'sod out of shmem' in /var/log/ltm
479553-4 3-Major   Sync may fail after deleting a persistence profile
479543-6 3-Major   Transaction will fail when deleting pool member and related node
478215-2 3-Major   The command 'show ltm pool detail' returns duplicate members in some cases
477888-4 3-Major   ESP ICSA support is non-functional on versions 11.4.0 and up
455651-5 3-Major K40300934 Improper regex/glob validation in web-acceleration and http-compression profiles
451494-2 3-Major   SSL Key/Certificate in different partition with Subject Alternative Name (SAN)
425980-3 3-Major   Blade number not displayed in CPU status alerts
421971-9 3-Major   Renewing certificates with SAN input in the GUI leads to error.
418664-4 3-Major K21485342 Configuration utility CSRF vulnerability
405611-3 3-Major K61045143 Configuration utility CSRF vulnerability
375246-1 3-Major   Clarification of pool member session enabling versus pool member monitor enabling
372118-3 3-Major   import_all_from_archive_file and import_all_from_archive_stream does not create file objects.
601927-3 4-Minor K52180214 Security hardening of control plane
551481-3 4-Minor   'tmsh show net cmetrics' reports bandwidth = 0
536746-3 4-Minor K88051173 LTM : Virtual Address List page uses LTM : Nodes List search filter.
533480-5 4-Minor K43353404 qkview crash
532086-3 4-Minor K68631333 Local Traffic Policy Rules Condition List select value to update with existing values.
478922-3 4-Minor   ICSA logging issues on versions 11.4.0 and later
466612-1 4-Minor   Missing sys DeviceModel OID for VIPRION C2200 chassis
487084-2 5-Cosmetic   GUI iFile delete confirmation page lists incorrect items to be deleted


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
596619 2-Critical K00539510 Some 10.2.x client SSL configurations fail to upgrade to 11.6.1.
579919-1 2-Critical   TMM may core when LSN translation is enabled
575011-4 2-Critical K21137299 Memory leak. Nitrox3 Hang Detected.
565409-4 2-Critical   Invalid MSS with HW syncookies and flow forwarding
559973-2 2-Critical   Nitrox can hang on RSA verification
558612-4 2-Critical   System may fail when syncookie mode is activated
558534-3 2-Critical   The TMM may crash if http url rewrite is used with APM
549868-4 2-Critical K48629034 10G interoperability issues reported following Cisco Nexus switch version upgrade.
534795-1 2-Critical   Swapping VLAN names in config results in switch daemon core and restart.
521548-6 2-Critical   Possible crash in SPDY
517613-1 2-Critical   ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps
489217-1 2-Critical   "cipher" memory can leak
488686-1 2-Critical K24980114 Large file transfer hangs when HTTP is in passthrough mode
483665-2 2-Critical   Restrict the permissions for private keys
466007-2 2-Critical K02683895 DNS Express daemon, zxfrd, cannot start if its binary cache has filled /var
459671-2 2-Critical   iRules source different procs from different partitions and executes the incorrect proc.
600535 3-Major   TMM may core while exiting if MCPD connection was previously aborted
597089-5 3-Major   Connections are terminated after 5 seconds when using ePVA full acceleration
593530-1 3-Major K26430211 In rare cases, connections may fail to expire
592854-4 3-Major   Protocol version set incorrectly on serverssl renegotiation
592784-4 3-Major   Compression stalls, does not recover, and compression facilities cease.
589223-3 3-Major   TMM crash and core dump when processing SSL protocol alert.
588442-3 3-Major   TMM can core in a specific set of conditions.
587892-1 3-Major   Multiple iRule proc names might clash, causing the wrong rule to be executed.
585412-2 3-Major   SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
583957-4 3-Major   The TMM may hang handling pipelined HTTP requests with certain iRule commands.
580303-3 3-Major   When going from active to offline, tmm might send a GARP for a floating address.
579843-3 3-Major   tmrouted may not re-announce routes after a specific succession of failover states
579371-2 3-Major K70126130 BIG-IP may generate ARPs after transition to standby
576296-2 3-Major   MCPd might leak memory in SCTP profile stats query.
575626 3-Major K04672803 Minor memory leak in DNS Express stats error conditions
575612-3 3-Major   Potential MCPd leak in policy action stats query code
575347-2 3-Major   Unexpected backslashes remain in monitor 'username' attribute after upgrade
572025-2 3-Major   HTTP Class profile using a path selector upgrade to a policy that does not match the entire path
571183-2 3-Major   Bundle-certificates Not Accessible via iControl REST.
569349-2 3-Major   Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
566361-8 3-Major K11543589 RAM Cache Key Collision
563591-2 3-Major   reference to freed loop_nexthop may cause tmm crash.
563419-5 3-Major   IPv6 packets containing extended trailer are dropped
563232-2 3-Major   FQDN pool in resource prevents Access Policy Sync.
554295-3 3-Major   CMP disabled flows are not properly mirrored
551189 3-Major   Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data
548583-3 3-Major   TMM crashes on standby device with re-mirrored SIP monitor flows.
547657-1 3-Major   A TCL error in a DNS_RESPONSE iRule event can cause a tmm crash.
545704-2 3-Major   TMM might core when using HTTP::header in a serverside event
543993-3 3-Major   Serverside connections may fail to detach when using the HTTP and OneConnect profiles
540893-2 3-Major   Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.
540213-2 3-Major   mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary
536191-2 3-Major   Transparent inherited TCP monitors may fail on loading configuration
534111-1 3-Major   [SSL] Config sync problems when modifying cert in default client-ssl profile
530812-1 3-Major   Legacy DAG algorithm reuses high source port numbers frequently
530795-3 3-Major   In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.
528734-2 3-Major K04711825 TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.
527742-4 3-Major K15550890 The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system
523513-3 3-Major   COMPRESS::enable keeps compression enabled for a subsequent HTTP request.
521711-4 3-Major K14555354 HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual
521036-2 3-Major   Dynamic ARP entry may replace a static entry in non-primary TMM instances.
520405-4 3-Major   tmm restart due to oversubscribed DNS resolver
517510-1 3-Major   HTTP monitor might add extra CR/LF pairs to HTTP body when supplied
513530-4 3-Major   Connections might be reset when using SSL::disable and enable command
513319-4 3-Major   Incorrect or failing sideband connections from within an iRule may leak memory
504396-2 3-Major   When a virtual's ARP or ICMP is disabled, the wrong mac address is used
503257-7 3-Major   Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
502747-1 3-Major   Incoming SYN generates unexpected ACK when connection cannot be recycled
495588-5 3-Major   Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases
490174-2 3-Major   Improved TLS protocol negotiation with clients supporting TLS1.3
472748-1 3-Major   SNAT pool stats are reflected in global SNAT stats
472571-6 3-Major   Memory leak with multiple client SSL profiles.
468790-2 3-Major   Inconsistent SafeNet key deletion in BIG-IP and Safenet HSM
463202-7 3-Major   BIG-IP system drops non-zero version EDNS requests
623135 4-Minor K68401558 BIG-IP virtual server TCP sequence numbers vulnerability (CVE-2002-1463)
572015-3 4-Minor   HTTP Class profile is upgraded to a case-insensitive policy
532799-2 4-Minor K14551525 Static Link route to /32 pool member can end using dst broadcast MAC
531979-3 4-Minor   SSL version in the record layer of ClientHello is not set to be the lowest supported version.
472051-1 4-Minor   Manually adding username/password in ZebOS can cause imi to core


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
569972-2 2-Critical   Unable to create gtm topology records using iControl REST
569521-4 2-Critical   Invalid WideIP name without dots crashes gtmd.
539466-2 2-Critical   Cannot use self-link URI in iControl REST calls with gtm topology
569472-2 3-Major   TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
561539-2 3-Major   [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.
559975-5 3-Major   Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
517582-3 3-Major   [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.
510888-1 3-Major   [LC] snmp_link monitor is not listed as available when creating link objects


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
578334-3 2-Critical   Policy Import (REST, inline XML import) in HA pair (CMI) fails on the peer device, remaining with a stub (default) policy.
583686-3 3-Major   High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
579524-2 3-Major   DBD::mysql::db do failed: Duplicate entry '/Common/xxx' for key 'name'
577664-2 3-Major   Policy import, to inactive policies list, results in different policies on the sync-failover peers
572922-2 3-Major   Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.
568670-2 3-Major   ASM fails to start with error - Undefined subroutine &F5::CRC::get_crc32
559055-1 3-Major   Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"
554324-1 3-Major K32359424 Signatures cannot be updated after Signature Systems have become corrupted in database
539704-2 3-Major   Large ASM REST response causes all REST to hang
531566-2 3-Major   A partial response arrives to the client when response logging is turned on
521370-3 3-Major   Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
498433-1 3-Major   Upgrading with ASM iRule and virtual server with no websecurity profile
521183-1 4-Minor   Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
579049-1 2-Critical   TMM core due to wrong assert
578353 2-Critical   Statistics data aggregation process is not optimized
575170-3 2-Critical   Analytics reports may not identify virtual servers correctly
598909-1 3-Major   SQL produces errors. AVR does not display any statistics.
596945-2 3-Major   AVR DNS record lost after upgrade.
582029-1 3-Major   AVR might report incorrect statistics when used together with other modules.
569958-2 3-Major   Upgrade for application security anomalies
567355-1 3-Major   Scheduled report lost after loading configuration
559060-3 3-Major   AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.
557062-2 3-Major   The BIG-IP ASM configuration fails to load after an upgrade.
525448-1 3-Major   Max TPS is always 0


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
581770-2 1-Blocking   Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6
592868-4 2-Critical   Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-1 2-Critical   APM ACL construction may cause TMM to core if TMM is out of memory
580817-3 2-Critical   Edge Client may crash after upgrade
579909-2 2-Critical   Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error
578844-2 2-Critical   tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
575609-3 2-Critical   Zlib accelerated compression can result in a dropped flow.
571090 2-Critical   When BIG-IP is used as SAML IdP, tmm may restart under certain conditions
562919-2 2-Critical   TMM cores in renew lease timer handler
513083-1 2-Critical   d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.
511478-2 2-Critical   Possible TMM crash when evaluating expression for per-request policy agents.
428068-3 2-Critical   Insufficiently detailed causes for session deletion.
598981-2 3-Major K06913155 APM ACL does not get enforced all the time under certain conditions
597431-4 3-Major   VPN establishment may fail when computer wakes up from sleep
596116-2 3-Major   LDAP Query does not resolve group membership, when required attribute(s) specified
592591-1 3-Major   Deleting/Modifying access profile prompts for apply access policy for other untouched access profiles
592414-2 3-Major   IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
590820-2 3-Major   Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
589794 3-Major   APD might crash if LDAP Query agent fails to retrieve primary group for a user
589118 3-Major K81314569 Horizon View client throws an exception when connecting to Horizon 7 VCS through APM.
588888-2 3-Major K80124134 Empty URI rewriting is not done as required by browser.
586718-3 3-Major   Session variable substitutions are logged
586006-3 3-Major   Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-1 3-Major   VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
582526-2 3-Major   Unable to display and edit huge policies (more than 4000 elements)
581834-4 3-Major   Firefox signed plugin for VPN, Endpoint Check, etc
580893-1 3-Major K08731969 Support for Single FQDN usage with Citrix Storefront Integration mode
580421-3 3-Major   Edge Client may not register DLLs correctly
577939-1 3-Major   DNS suffixes on user's machine may not be restored correctly in some cases
576069-2 3-Major   Rewrite can crash in some rare corner cases
575499-1 3-Major   VPN filter may leave renew_lease timer active after teardown
575292-4 3-Major   DNS Relay proxy service does not respond to SCM commands in a timely manner
574781-2 3-Major   APM Network Access IPV4/IPV6 virtual may leak memory
573643-2 3-Major   flash.utils.Proxy functionality is not negotiated
573581-4 3-Major   DNS search suffixes are not restored properly in some cases after VPN establishment
573429-1 3-Major   APM Network Access IPv4/IPv6 virtual may leak memory
572887-2 3-Major   DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client
570640-2 3-Major   APM Cannot create symbolic link to sandbox. Error: No such file or directory
570064-3 3-Major   IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
567660-2 3-Major   Disabling global Auto Last Hop setting breaks APM's Remote Desktop Gateway (RDG) feature
566646-4 3-Major   Portal Access could respond very slowly for large text files when using IE < 11
565231-2 3-Major   Importing a previously exported policy which had two object names may fail
564521-3 3-Major   JavaScript passed to ExternalInterface.call() may be erroneously unescaped
564482-2 3-Major   Kerberos SSO does not support AES256 encryption
563349-4 3-Major   On Mac, Network Access proxy settings are not applied to the tun adapter after the VPN is established
559218-2 3-Major   Iframes could be inaccessible to a parent window on a page accessed through Portal Access
558946-4 3-Major   TMM may core when APM is provisioned and access profile is attached to the virtual
556597-5 3-Major   CertHelper may crash when performing Machine Cert Inspection
551999-2 3-Major   Edge client needs to re-authenticate after lost network connectivity is restored
551454-5 3-Major   Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server
551260-2 3-Major   When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated
549086-8 3-Major   Windows 10 is not detected when Firefox is used
547546-3 3-Major   Add support for auto-update of MachineCertService
541622-6 3-Major   APD/APMD Crashes While Verifying CAPTCHA
536575-1 3-Major   Session variable report can be blank in many cases
534901-1 3-Major   VMware View HTML5 client may load/initialize with delays
534373-5 3-Major   Some text in the French-localized Edge Client on Windows has a grammatical error
533422-2 3-Major   sessiondump is not reusing connections
528701-2 3-Major   Sessiondump does not accept single dash options
528548-2 3-Major   @import "url" is not recognized by client-side CSS patcher
525429-12 3-Major   DTLS renegotiation sequence number compatibility
519059-3 3-Major   [PA] - Failing to properly patch webapp link, link not working
516219-4 3-Major   User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled
508337-4 3-Major   In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access
493106-4 3-Major   HTTP Basic authentication module logs clear text password in /var/log/apm at debug level
479715-3 3-Major   Multi-tab protection problems with multi-domain SSO
409323-3 3-Major   OnDemand cert auth redirect omits port information
584373-3 4-Minor   AD/LDAP resource group mapping table controls are not accessible sometimes
580429-5 4-Minor   CTU does not show second Class ID for InstallerControll.dll
572543-2 4-Minor   User is prompted to install components repeatedly after client components are updated.
554690-3 4-Minor   VPN Server Module generates repeated Error Log "iface eth0 "... every 2 secs
541156-2 4-Minor   Network Access clients experience delays when resolving a host


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
575631-3 3-Major   Potential MCPd leak in WAM stats query code
562644-4 3-Major   TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection
506557-3 3-Major K45240941 IBR tags might occasionally be all zeroes.
501714-2 3-Major   System does not prevent low-quality JPEGs from being optimized to a higher quality (and becoming larger) when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on the OWS.
476476-7 3-Major   Occasional inability to cache optimized PDFs and images


Service Provider Fixes

ID Number Severity Solution Article(s) Description
578564-3 3-Major   ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-2 3-Major   ADAPT recursive loop when handling successive iRule events
572224-4 3-Major   Buffer error due to RADIUS::avp command when vendor IDs do not match
570363-2 3-Major   Potential segfault when MRF messages cross from one TMM to another.
566576-2 3-Major   ICAP/OneConnect reuses connection while previous response is in progress
550434-5 3-Major   Diameter connection may stall if server closes connection before CER/CEA handshake completes
561500-1 4-Minor   ICAP Parsing improvement


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
484013-4 2-Critical K12435402 tmm might crash under load when logging profile is used with packet classification
575571-2 3-Major   MCPd might leak memory in FW DOS SIP attack stats query.
569337-2 3-Major   TCP events are logged twice in an HA setup


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
593070-5 2-Critical   TMM may crash with multiple IP addresses per session
577863-2 3-Major K56504204 DHCP relay not forwarding server DHCPOFFER and DHCPACK messages after some time
577814-4 3-Major   MCPd might leak memory in PEM stats queries.
566061-3 3-Major   Subscriber info missing in flow report after subscriber has been deleted


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
515736-4 3-Major   LSN pool with small port range may not use all ports


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
561623-3 2-Critical   Realtime encryption causes high CPU usage in older browsers
593667 3-Major   Dashboard displays incomplete alert details when Polish characters are included
583445 3-Major   Alert dashboard does not correctly display Hebrew characters in alerts.
556162-3 3-Major   Default obfuscator configuration causes very slow javascript in some browsers


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
595270 2-Critical   Memory leaks when session DB tables get updated
554928-1 2-Critical K03353647 tmm eventually crashes when Classification profile is configured on the virtual server


Device Management Fixes

ID Number Severity Solution Article(s) Description
580686-1 3-Major K70973444 Hostagentd might leak memory on vCMP hosts.



Cumulative fixes from BIG-IP v11.6.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
570716-3 CVE-2016-5736 K10133477 BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
565169 CVE-2013-5825 CVE-2013-5830 K48802597 Multiple Java Vulnerabilities
542314-5 CVE-2015-8099 K35358312 TCP vulnerability - CVE-2015-8099
572495-3 CVE-2016-5023 K19784568 TMM may crash if it receives a malformed packet CVE-2016-5023
570535 CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104 K15685 K15912 K31300371 K16011 K21632201 K31026324 K17239 K17543 K17121 K41739114 K17246 K17458 K17244 K17245 K90230486 K17309 K17307 K31026324 K94105604 Multiple Kernel Vulnerabilities
567475-5 CVE-2015-8704 K53445000 BIND vulnerability CVE-2015-8704
560925-2 CVE-2015-3194 K86772626 OpenSSL Vulnerability fix
560910-2 CVE-2015-3194 K86772626 OpenSSL Vulnerability fix
560180-2 CVE-2015-8000 K34250741 BIND Vulnerability CVE-2015-8000
554624-2 CVE-2015-5300 CVE-2015-7704 K10600056 K17566 NTP CVE-2015-5300 CVE-2015-7704
553902-2 CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 K17516 Multiple NTP Vulnerabilities
546080-5 CVE-2016-5021 K99998454 Path sanitization for iControl REST worker
545786-4 CVE-2015-7393 K75136237 Privilege escalation vulnerability CVE-2015-7393
545762 CVE-2015-7394 K17407 CVE-2015-7394
540767-2 CVE-2015-5621 K17378 SNMP vulnerability CVE-2015-5621
539923-1 CVE-2016-1497 K31925518 BIG-IP APM access logs vulnerability CVE-2016-1497
534090-2 CVE-2015-5380 K17238 Node.js vulnerability CVE-2015-5380
518275-2 CVE-2016-4545 K48042976 The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file
508057-1 CVE-2015-0411 K44611310 MySQL Vulnerability CVE-2015-0411
497065-1 CVE-2013-6435 K16383 Linux RPM vulnerability CVE-2013-6435
488015-1 CVE-2014-3669 CVE-2014-3670 CVE-2014-3668 K15866 Multiple PHP vulnerabilities
472093-1 CVE-2015-8022 K12401251 APM TMUI Vulnerability CVE-2015-8022
556383-1 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 K31372672 Multiple NSS Vulnerabilities
550596-3 CVE-2016-6876 K52638558 RESOLV::lookup iRule command vulnerability CVE-2016-6876
534633-3 CVE-2015-5600 K17113 OpenSSH vulnerability CVE-2015-5600
527762-1 CVE-2015-4000 K16674 TLS vulnerability CVE-2015-4000
525232-1 CVE-2015-4024 CVE-2014-8142 K16826 PHP vulnerability CVE-2015-4024
500089-1 CVE-2015-0206 K16124 OpenSSL vulnerability CVE-2015-0206
472696-1 CVE-2014-1544 K16716 Multiple Mozilla Network Security Services vulnerabilities
470842-1 CVE-2012-5784 K14371 Apache Axis vulnerability CVE-2012-5784
427174-7 CVE-2013-1620 CVE-2013-0791 K15630 SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620
560969-2 CVE-2015-3196 K55540723 OpenSSL vulnerability fix
560962-2 CVE-2015-3196 K55540723 OpenSSL Vulnerability CVE-2015-3196
560948-2 CVE-2015-3195 K12824341 OpenSSL vulnerability CVE-2015-3195
527639-2 CVE-2015-1791 K16914 CVE-2015-1791 : OpenSSL Vulnerability
527638-2 CVE-2015-1792 K16915 OpenSSL vulnerability CVE-2015-1792
527637-2 CVE-2015-1790 K16898 PKCS #7 vulnerability CVE-2015-1790
527633-2 CVE-2015-1789 K16913 OpenSSL vulnerability CVE-2015-1789
500094-1 CVE-2014-3570 K16120 OpenSSL vulnerability CVE-2014-3570
500093-1 CVE-2014-8275 K16136 OpenSSL vulnerability CVE-2014-8275
500092-1 CVE-2015-0205 K16135 OpenSSL vulnerability CVE-2015-0205
500090-1 CVE-2014-3572 K16126 OpenSSL vulnerability CVE-2014-3572
494735-1 CVE-2014-3566 K15702 SSLv3 vulnerability CVE-2014-3566
479897-1 CVE-2014-2497 CVE-2014-3538 CVE-2014-3597 CVE-2014-4670 CVE-2014-4698 CVE-2014-5120 CVE-2014-0238 K15761 Multiple PHP 5.x vulnerabilities
567484-5 CVE-2015-8705 K86533083 BIND Vulnerability CVE-2015-8705


Functional Change Fixes

ID Number Severity Solution Article(s) Description
470715-5 2-Critical K16019 Excessive IP fragmentation on tmm_bp vlan causes ftp data loss with vlan name >= 16 characters long
539130-6 3-Major K70695033 bigd may crash due to a heartbeat timeout
530133-3 3-Major   Support for New Platform: BIG-IP 10350 FIPS
520277-2 3-Major   Components validation alert
497395-1 3-Major   Correctly assign severity to check component alerts
493507-1 3-Major   License checks for fictive URLs and injected tags
490537-6 3-Major   Persistence Records display in GUI might cause system crash with large number of records
382157-3 3-Major K17163 Stats presented by the MIB sysVlanStatTable do not match sFlow VLAN stats


TMOS Fixes

ID Number Severity Solution Article(s) Description
492460-3 1-Blocking K17320 Virtual deletion failure possible when using sFlow
572086 2-Critical K49725838 Unable to boot v11.6.0 on 7250 or 10250 platforms
564427-3 2-Critical   Use of iControl call get_certificate_list_v2() causes a memory leak.
562959-2 2-Critical   In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.
562122-5 2-Critical   Adding a trunk might disable vCMP guest
557680-1 2-Critical   Fast successive MTU changes to IPsec tunnel interface crashes TMM
556380-2 2-Critical   mcpd can assert on active connection deletion
555686-5 2-Critical   Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
554609-4 2-Critical K87381045 Kernel panics during boot when RAM spans multiple NUMA nodes.
552481 2-Critical   Disk provisioning error after restarting ASM service.
551661-2 2-Critical   Monitor with send/receive string containing double-quote may fail to load.
544913-6 2-Critical K17322 tmm core while logging from TMM during failover
544481-5 2-Critical   IPsec tunnel randomly fails for more than one minute.
543924 2-Critical   Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6
520380-6 2-Critical K41313442 save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
511527-2 2-Critical   snmpd segmentation fault at get_bigip_profile_user_stat()
510559-6 2-Critical   Add logging to indicate that compression engine is stalled.
505071-5 2-Critical   Delete and create of the same object can cause secondary blades' mcpd processes to restart.
504508-5 2-Critical K16773 IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
503600-6 2-Critical K17149 TMM core logging from TMM while attempting to connect to remote logging server
502841-2 2-Critical K17580 REST API hangs due to icrd startup issues
490801-2 2-Critical   mod_ssl: missing support for TLSv1.1 and TLSv1.2
484453-6 2-Critical K15853 Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand)
365219-2 2-Critical   Trust upgrade fails when upgrading from version 10.x to version 11.x.
606540-1 3-Major K33064211 DB variable changed via GUI does not sync across HA group
567774-1 3-Major   ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root
563475-3 3-Major K00301400 ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
562928 3-Major   Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
560423-2 3-Major   VxLAN tunnel IP address modification is not supported
560220-1 3-Major   Missing partition and subPath fields for some objects in iControl REST
559584-2 3-Major K23410869 tmsh list/save configuration takes a long time when config contains nested objects.
558573-2 3-Major K65352421 MCPD restart on secondary blade after updating Pool via GUI
556284-5 3-Major K55622762 iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
555905-3 3-Major   sod health logging inconsistent when device removed from failover group or device trust
554563-3 3-Major   Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
554340-4 3-Major   IPsec tunnels fail when connection.vlankeyed db variable is disabled
553649-3 3-Major   The SNMP daemon might lock up and fail to respond to SNMP requests.
553576-3 3-Major K17356 Intermittent 'zero millivolt' reading from FND-850 PSU
552585-3 3-Major K32030059 AAA pool member creation sets the port to 0.
551927-2 3-Major   ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
551742-2 3-Major   Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
550694-3 3-Major K60222549 LCD display stops updating and Status LED turns/blinks Amber
550536-3 3-Major   Incorrect information/text (in French) is displayed when the Edge Client is launched
549543-3 3-Major K37436054 DSR rejects return traffic for monitoring the server
548239-3 3-Major K04844213 BGP routing using route-maps cannot match route tags
547532-2 3-Major   Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
541569-3 3-Major K59519340 IPsec NAT-T (IKEv1) not working properly
540996-2 3-Major   Monitors with a send attribute set to 'none' are lost on save
540871-1 3-Major K01418954 Update/deletion of SNMPv3 user does not work correctly
539822-4 3-Major   tmm may leak connflow and memory on vCMP guest.
539784-4 3-Major   HA daemon_heartbeat mcpd fails on load sys config
538663-3 3-Major   SSO token login does not work due to remote role update failures.
538024-3 3-Major K60507424 Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load
534582-4 3-Major K10397582 HA configuration may fail over when standby has only base configuration loaded.
534076-2 3-Major K34873265 SNMP configured trap-source might not be used in v1 snmp traps.
533826-5 3-Major   SNMP Memory Leak on a VIPRION system.
531986-3 3-Major   Hourly AWS VE license breaks after reboot with default tmm route/gateway.
531705-2 3-Major K53725847 List commands on non-existent iRules incorrectly succeed.
530242-3 3-Major K08654415 SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs
529977-1 3-Major   OSPF may not process updates to redistributed routes
529484-4 3-Major   Virtual Edition Kernel Panic under load
528987-3 3-Major   Benign warning during formatting installation
528276-7 3-Major K39167163 The device management daemon can crash with a malloc error
526817-4 3-Major   snmpd core due to mcpd message timer thread not exiting
526031-2 3-Major K38429933 OSPFv3 may not completely recover from "clear ipv6 ospf process"
524300-2 3-Major K71003856 The MOS boot process appears to hang.
523867-3 3-Major   'warning: Failed to find EUDs' message during formatting installation
522871-1 3-Major K13764703 [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)
522837-1 3-Major   MCPD can core as a result of another component shutting down prematurely
522332-1 3-Major K81374736 Configuration upgrade of httpclass which has the 'hosts' attribute done incorrectly
521144-5 3-Major K16799 Network failover packets on the management interface sometimes have an incorrect source-IP
517388-7 3-Major   Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.
517209-7 3-Major K81807474 tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable
517020-5 3-Major   SNMP requests fail and subsnmpd reports that it has been terminated.
516322-7 3-Major   The BIG-IP system may erroneously remove an iApp association from the virtual server.
513974-7 3-Major K16691 Transaction validation errors on object references
513659-3 3-Major K72841425 AAM Policy: not all regex characters can be used via the GUI
512130-4 3-Major   Remote role group authentication fails with a space in LDAP attribute group name
510381-3 3-Major   bcm56xxd might core when restarting due to bundling config change.
503246-4 3-Major   TMM crashes when unable to allocate large amount of provisioned memory
496679-5 3-Major   Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.
495865-2 3-Major K15116582 iApps/tmsh cannot reconfigure pools that have monitors associated with them.
491727-2 3-Major K17029 Upgrade can fail to load config due to tcp profile no longer allowing time-wait-timeout of 4294967295 (indefinite).
482373-3 3-Major   Cannot delete and re-create a new virtual server that uses the same virtual address in the same transaction
480246-4 3-Major K17080 Message: Data publisher not found or not implemented when processing request
473415-1 3-Major K93511901 ASM Standalone license has to include URL and HTML Rewrite
449453-5 3-Major K17368 Loading the default configuration may cause the mcpd process to restart and produce a core file.
439559-2 3-Major K16262 APM policy sync resulting in failover device group sync may make the failover sync fail
433466-4 3-Major   Disabling bundled interfaces affects first member of associated unbundled interfaces
421012-3 3-Major K73028377 scriptd incorrectly reports that it is running on a secondary blade
405635-2 3-Major   Using the restart cm trust-domain command to recreate certificates required by device trust.
553174-4 4-Minor   Unable to query admin IP via SNMP on VCMP guest
533790-4 4-Minor   Creating multiple address entries in data-group might result in records being incorrectly deleted
519216-4 4-Minor   Abnormally high CPU utilization from external SSL/OpenSSL monitors
480071-2 4-Minor K75451516 Backslashes in policy rule added/duplicated when modified in GUI.
401893-3 4-Minor   Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies
223884 4-Minor   Module not licensed message appears when APM is provisioned and APML is licensed.
572133-2 5-Cosmetic   tmsh save /sys ucs command sends status messages to stderr
413708-5 5-Cosmetic K31302478 BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.
388274-3 5-Cosmetic   LTM pool member link in a route domain is wrong in Network Map.
291469-2 5-Cosmetic K10643 SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
536690-4 1-Blocking K82591051 Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)
476386-2 1-Blocking   DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 should only be supported for tls1.2
576314-2 2-Critical   SNMP traps for FIPS device fault inconsistent among versions.
565810-2 2-Critical K93065637 OneConnect profile with an idle or strict limit-type might lead to tmm core.
562566-2 2-Critical K39483533 Mirrored persistence entries retained after expiration
554967-3 2-Critical   Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
552151-2 2-Critical   Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
549782-1 2-Critical   XFV driver can leak memory
545810-1 2-Critical K14304373 TMM halts and restarts
544375-1 2-Critical   Unable to load certificate/key pair
542564-3 2-Critical   bigd detection and logging of load and overload
540568-2 2-Critical   TMM core due to SIGSEGV
540473-6 2-Critical   peer/clientside/serverside script with parking command may cause tmm to core.
537988-5 2-Critical K76135297 Buffer overflow for large session messages
534804-2 2-Critical   TMM may core with rate limiting enabled and service-down-action reselect on poolmembers
534052-3 2-Critical K17150 VLAN failsafe triggering on standby leaks memory
530505-4 2-Critical   IP fragments can cause TMM to crash when packet filtering is enabled
529920-7 2-Critical   Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
528739-1 2-Critical K47320953 DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.
527011-6 2-Critical   Intermittent lost connections with no errors on external interfaces
525882-2 2-Critical K29113720 SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate.
524605-2 2-Critical   Requests/responses may not be fully delivered to plugin in some circumstances
523995-2 2-Critical   IPv4 link-local addresses can cause TMM crash when used in conjunction with ECMP routes
521336-6 2-Critical   pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
520105-3 2-Critical   Possible segfault during hardware accelerated compression.
517465-4 2-Critical   tmm crash with ssl
509284-2 2-Critical   Improved reliability of a module interfacing with HSM
507611-4 2-Critical K17151 On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
489451-3 2-Critical K17278 TMM might panic due to OpenSSL failure during handshake generation
489329-6 2-Critical   Memory corruption can occur with SPDY/HTTP2 profile(s)
484214-2 2-Critical   Nitrox gets stuck when processing certain SSL records
483719-2 2-Critical K16260 vlan-groups configured with a single member VLAN result in memory leak
341928-4 2-Critical   CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.
570617-4 3-Major   HTTP parses fragmented response versions incorrectly
564371-2 3-Major   FQDN node availability not reset after removing monitoring
562308-2 3-Major   FQDN pool members do not support manual-resume
562292-1 3-Major   Nesting periodic after with parking command could crash tmm
560685 3-Major   TMM may crash with 'tmsh show sys conn'.
559933-2 3-Major K83032815 tmm might leak memory on vCMP guest in SSL forward proxy
558517-3 3-Major   Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.
557783-2 3-Major K14147369 TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
556568-2 3-Major   TMM can crash with ssl persistence and fragmented ssl records
556560-2 3-Major K80741043 DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
556103-3 3-Major   Abnormally high CPU utilization for external monitors
554769-4 3-Major   CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.
554761-5 3-Major   Unexpected handling of TCP timestamps under syncookie protection.
553688-4 3-Major   TMM can core due to memory corruption when using SPDY profile.
553613-3 3-Major   FQDN nodes do not support session user-disable
552931-4 3-Major   Configuration fails to load if DNS Express Zone name contains an underscore
552865-4 3-Major K34035224 SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
550782-4 3-Major   Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit
550689-2 3-Major   Resolver H.ROOT-SERVERS.NET Address Change
549800-2 3-Major K53086012 Renaming a virtual server with an attached plugin can cause buffer overflow
549406-5 3-Major K63010180 Destination route-domain specified in the SOCKS profile
548680-2 3-Major   TMM may core when reconfiguring iApps that make use of iRules with procedures.
548678-2 3-Major   ASM blocking page does not display when using SPDY profile
548563-2 3-Major   Transparent Cache Messages Only Updated with DO-bit True
547732-1 3-Major   TMM may core on using SSL::disable on an already established serverside connection
544028-5 3-Major K21131221 Verified Accept counter 'verified_accept_connections' might underflow.
543220-1 3-Major K12153351 Global traffic statistics do not include PVA statistics
542724-1 3-Major K29441414 If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash
542640-2 3-Major   bigd intentionally cores when it should shutdown cleanly
541571-3 3-Major K97140208 FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses
538639-3 3-Major   P-256 ECDH performance improvements
538603-2 3-Major K03383492 TMM core file on pool member down with rate limit configured
537964-4 3-Major K17388 Monitor instances may not get deleted during configuration merge load
535759-3 3-Major K99840695 SMTP monitor might mark the server down even if the server answers the HELO message.
534457-2 3-Major   Dynamically discovered routes might fail to remirror connections.
533820-5 3-Major   DNS Cache response missing additional section
532911-2 3-Major K03753124 Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.
532107-2 3-Major K16716213 [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted
530761-1 3-Major   TMM crash in DNS processing on a TCP virtual
529899-1 3-Major   Installation may fail with the error "(Storage modification process conflict.)".
528407-4 3-Major K72235143 TMM may core with invalid lasthop pool configuration
528007-6 3-Major   Memory leak in ssl
527149-3 3-Major K57034242 FQDN template node transitions to 'unknown' after configuration reload
527027-4 3-Major   DNSSEC Unsigned Delegations Respond with Parent Zone Information
527024-3 3-Major   DNSSEC Unsigned Delegations Respond with Parent Zone Information
525989-2 3-Major K17165 A disabled blade is spontaneously re-enabled
525958-11 3-Major   TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
525672-2 3-Major   tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.
525322-7 3-Major   Executing tmsh clientssl-proxy cached-certs crashes tmm
524960-2 3-Major K17434 'forward' command does not work if virtual server has attached pool
524641-1 3-Major K11504283 Wildcard NAPTR record after deleting the NAPTR records
523471-2 3-Major   pkcs11d core when connecting to SafeNet HSM
519217-4 3-Major K89004553 tmm crash: valid proxy
517282-7 3-Major K63316585 The DNS monitor may delay marking an object down or never mark it down
517053-2 3-Major   bigd detection and logging of load and overload
516816-4 3-Major   RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
515759-3 3-Major K92401129 Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
513213-5 3-Major   FastL4 connection may get RSTs in case of hardware syncookie enabled.
513142-3 3-Major   FQDN nodes with a default monitor may cause configuration load failure
512119-2 3-Major   Improved UDP DNS packet truncation
511057-5 3-Major K60014038 Config sync fails after changing monitor in iApp
510264-1 3-Major   TMM core associated with smtps profile.
509641-3 3-Major K46511710 Ephemeral pool members may not inherit attributes from FQDN parent
507410-2 3-Major   Possible TMM crash when handling certain types of traffic with SSL persistence enabled
507109-4 3-Major   inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade
505089-4 3-Major   Spurious ACKs result in SYN cookie rejected stat increment.
504545-2 3-Major K17419 FQDN: node without service checking reported as 'service checking enabled, no results yet'
502480-1 3-Major   Mirrored connections on standby device do not get closed when Verified Accept is enabled
500786-6 3-Major   Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
499430-2 3-Major K16623 Standby unit might bridge network ingress packets when bridge_in_standby is disabled
488921-2 3-Major   BIG-IP system sends unnecessary gratuitous ARPs
476567-5 3-Major K16561 fastL4: acceleration state is incorrectly reported on show sys conn
476564-5 3-Major K16884 ePVA FIX: no RST for an unaccelerated flow targeting a network virtual
475701-2 3-Major   FastL4 with FIX late-bind enabled may not honor client-timeout
472532-4 3-Major   Cipher dhe-rsa-aes256-sha256 is missing from the SSL cipher list
460946-2 3-Major   NetHSM key is displayed as normal in GUI
458348-2 3-Major   RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.
455762-1 3-Major K17094 DNS cache statistics incorrect
452443-2 3-Major   DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured
452439-5 3-Major K15574 TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads
446526-7 3-Major   TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.
441058 3-Major K17366 TMM can crash when a large number of SSL objects are created
424831-6 3-Major K14573 State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
418890-2 3-Major K92193116 OpenSSL bug can prevent RSA keys from rolling forward
406001-3 3-Major   Host-originated traffic cannot use a nexthop in a different route domain
372473-2 3-Major   mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes
554774-2 4-Minor   Persist lookup across services might fail to return a matching record when multiple records exist.
551614-2 4-Minor K10607444 MTU Updates should erase all congestion metrics entries
546747-2 4-Minor K72042050 SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets
541134-2 4-Minor K51114681 HTTP/HTTPS monitors transmit unexpected data to monitored node.
534458-6 4-Minor K17196 SIP monitor marks down member if response has different whitespace in header fields.
452482-7 4-Minor   HTTP virtual servers with cookie persistence might reset incoming connections
558053-2 5-Cosmetic   Pool's 'active_member_cnt' attribute may not be updated as expected.
529897-1 5-Cosmetic   Diameter monitor logging displays hex when the monitor is failing, instead of the AVP on which the monitor is failing.


Performance Fixes

ID Number Severity Solution Article(s) Description
489816-1 1-Blocking   F5 Enterprise MIB attribute sysTmmStatMemoryTotal returning zero
548796-2 2-Critical   avrd CPU usage is at 100%


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
533658-5 2-Critical   DNS decision logging can trigger TMM crash
471467 2-Critical   gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
469033 2-Critical   Large big3d memory footprint.
551767-3 3-Major K03432500 GTM server 'Virtual Server Score' not showing correctly in TMSH stats
546640 3-Major   tmsh show gtm persist <filter option> does not filter correctly
529460-7 3-Major K17209 Short HTTP monitor responses can incorrectly mark virtual servers down.
526699-6 3-Major K40555016 TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.
481328-2 3-Major K50139533 Many 'tmsh save sys config gtm-only partitions all' commands cause a stack memory issue.
552352-2 4-Minor K18701002 tmsh list displays default values of gtm listener translate-address/translate-port incorrectly
494796 4-Minor   Unable to create GTM Listener with non-default protocol profile.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
565463-2 1-Blocking   ASM-config consumes 1.3GB RAM after repeated Policy Import via REST
566758-2 2-Critical   Manual changes to policy imported as XML may introduce corruption for Login Pages
555057-3 2-Critical   ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
555006-3 2-Critical   ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
552139-2 2-Critical K61834804 ASM limitation in the pattern matching matrix build-up
478351-1 2-Critical K17319 Changing management IP can lead to bd crash
475551-1 2-Critical   Flaw in CSRF protection mechanism
474252-1 2-Critical K17344 Applying ASM security policy repeatedly fills disk partition on a chassis
574451-2 3-Major K90243258 ASM chassis sync occasionally fails to load on secondary slot
563237 3-Major   ASM REST: name for ipIntelligenceReference is incorrect
562775-2 3-Major   Memory leak in iprepd
558642-1 3-Major   Cannot create the same navigation parameter in two different policies
554367-1 3-Major   BIG-IQ ASM remote logger: Requests are not logged.
553146-2 3-Major K95632194 BD memory leak
547000-4 3-Major K47219203 Enforcer application might crash on XML traffic when out of memory
542511-2 3-Major K97242554 'Unhandled keyword ()' error message in GUI and/or various ASM logs
541852-1 3-Major   ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails
541406-1 3-Major   ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request
540390-2 3-Major   ASM REST: Attack Signature Update cannot roll back to older attack signatures
538195-1 3-Major   Incremental Manual sync does not allow overwrite of 'newer' ASM config
535188-3 3-Major   Response Pages custom content with \n instead of \r\n on policy import.
534246-2 3-Major   rest_uuid should be calculated from the actual values inserted to the entity
531809-2 3-Major   FTP/SMTP traffic related bd crash
530598-1 3-Major   Some Session Tracking data points are lost on TMM restart
529610-1 3-Major K32565535 On HA setups, the ASM session tracking page displays an empty list when there are in fact ASM entries in the session DB
529535-4 3-Major   MCP validation error while deactivating a policy that is assigned to a virtual server
526162-7 3-Major K52335623 TMM crashes with SIGABRT
520732-3 3-Major   XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty
514313-1 3-Major K00884154 Logging profile configuration is updated unnecessarily
514061-4 3-Major K17562 False positive scenario causes SMTP transactions to hang and eventually reset.
503696-1 3-Major   BD enforcer updates may be stuck after BD restart
491371-1 3-Major K17285 CMI: Manual sync does not allow overwrite of 'newer' ASM config
491352-3 3-Major   Added ASM internal parameter to add more XML memory
489379-1 3-Major   Bot signature is not matched
481530-1 3-Major K86019555 Signature reporting details for sensitive data violation
538837-1 4-Minor   REST: Filtering login pages or parameters by their associated URL does not work


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
529900-1 2-Critical K88373692 AVR missing some configuration changes in multiblade system
519257-2 2-Critical   cspm script isn't injected in text/html chunked response
470559 2-Critical   TMM crash after traffic stress with rapid changes to Traffic capturing profiles
552488-1 3-Major K73600514 Missing upgrade support for AFM Network DoS reports.
549393-3 3-Major K73435148 SWG URL categorization may cause the /var/lib/mysql file system to fill.
535246-6 3-Major K17493 Table values are not correctly cleaned and can occupy entire disk space.
530952-1 3-Major   MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'
529903-1 3-Major   Incorrect reports on multi-bladed systems
528031-3 3-Major K10097225 AVR not reporting the activity of standby systems.
491185-1 3-Major   URL Latencies page: pagination limited to 180 pages
490999-2 3-Major   Subscriber-level AVR statistics display the subscriber-type as "Unknown" for subscribers created using Radius Acct-Start
537435-1 4-Minor   Monpd might core if asking for export report by email while monpd is terminating
495744-1 4-Minor   Some user defined ASM reports are not loading correctly after upgrade from 11.4 upwards


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
553330-3 1-Blocking   Unable to create a new document with SharePoint 2010
579559-2 2-Critical   DTLS Network Access may not work with some hardware platforms with Nitrox hardware acceleration
572563-3 2-Critical   PWS session does not launch on Internet Explorer after upgrade
569306-3 2-Critical   Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
565056-3 2-Critical K87617654 Fail to update VPN correctly for non-admin user.
555507-2 2-Critical K88973987 Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
555272-8 2-Critical   Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade
551764-3 2-Critical K14954742 [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform
530622-1 2-Critical   EAM plugin uses high memory when serving very high concurrent user load
522997-3 2-Critical K52553016 Websso cores when it tries to shutdown
491080-5 2-Critical K92821195 Memory leak in access framework
571003-1 3-Major   TMM Restarts After Failover
570563-2 3-Major K35470551 CRL is not being imported/exported properly
569255-3 3-Major K81130213 Network Access incorrectly manipulates routing table when second adapter is being connected if "Allow Local subnet access" is set to ON
566908-5 3-Major K54435973 Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
565527-3 3-Major K94548429 Static proxy settings are not applied if NA configuration
564496-3 3-Major   Applying APM Add-on License Does Not Change Effective License Limit
564493 3-Major K74284318 Copying an access profile appends an _1 to the name.
564262-4 3-Major K21518043 Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
564253-5 3-Major   Firefox signed plugin for VPN, Endpoint Check, etc
563474-2 3-Major K51244380 SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile
561976 3-Major K55561335 Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely.
558870-3 3-Major K12012384 Protected workspace does not work correctly with third party products
558631-2 3-Major K81306414 APM Network Access VPN feature may leak memory
555457-5 3-Major K16415235 Reboot is required, but not prompted after F5 Networks components have been uninstalled
555435-2 3-Major K34742242 AD Query fails if cross-domain option is enabled and administrator's credentials are not specified
554993-2 3-Major   Profile Stats Not Updated After Standby Upgrade Followed By Failover
554899-2 3-Major K57540380 MCPD core with access policy macro during config sync in HA configuration
554626-1 3-Major K14263316 Database logging truncates log values greater than 1024
554228-5 3-Major   OneConnect does not work when WEBSSO is enabled/configured.
554041-5 3-Major   No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
553734-1 3-Major   Issue with assignment of non-string value to Form.action in javascript.
553063-1 3-Major   Epsec version rolls back to previous version on a reboot
552498-1 3-Major   APMD basic authentication cookie domains are not processed correctly
549588-2 3-Major   EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
549108-1 3-Major K52519223 RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value
548361 3-Major   Performance degradation when adding VDI profile to virtual server
543222-3 3-Major   apd may crash if an un-encoded session variable contains "0x"
539270-6 3-Major   A specific NTLM client fails to authenticate with BIG-IP
539229-7 3-Major   EAM core while using Oracle Access Manager
531983-5 3-Major   [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added
528808-3 3-Major   Source NAT translation doesn't work when APM is disabled using iRule
526637-4 3-Major   tmm crash with APM clientless mode
522791-2 3-Major K45123459 HTML rewriting on client might leave 'style' attribute unrewritten.
520088-2 3-Major   Citrix HTML5 Receiver does not properly display initial tour and icons
518550-3 3-Major   Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
517846-2 3-Major K25627866 View Client cannot change AD password in Cross Domain mode
511893-5 3-Major   Client connection timeout after clicking Log In to Access Policy Manager on a Chassis
492122-5 3-Major K42635442 Now Windows Logon Integration does not recreate temporary user for logon execution each time
488811-5 3-Major   F5-prelogon user profile folders are not fully cleaned up
482177-4 3-Major K16777 Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO
472446-2 3-Major   Customization group template file might cause mcpd to restart
471318-1 3-Major K22671941 AD/LDAP group name matching should be case-insensitive
467256-2 3-Major K25633150 Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat
462598-4 3-Major K17184 Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
462258-8 3-Major   AD/LDAP server connection failures might cause apd to stop processing requests when service is restored
461084-3 3-Major K48281763 Kerberos Auth might fail if client request contains Authorization header
389328-7 3-Major   RSA SecurID node secret is not synced to the standby node


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
551010-7 3-Major   Crash on unexpected WAM storage queue state
525478-2 3-Major K80413728 Requests for deflate encoding of gzip documents may crash TMM


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
552198-5 3-Major K27590443 APM App Tunnel/AM iSession Connection Memory Leak
547537-3 3-Major   TMM core due to iSession tunnel assertion failure


Service Provider Fixes

ID Number Severity Solution Article(s) Description
538784-3 3-Major K91532102 ICAP implementation incorrect when HTTP request or response is missing a payload
523854-1 3-Major K35305250 TCP reset with RTSP Too Big error when streaming interleaved data
545985-3 4-Minor   ICAP 2xx response (except 200, 204) is treated as error


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
561433-3 3-Major   TMM Packets can be dropped indiscriminately while under DoS attack


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
529634-2 2-Critical   Crash observed with HSL logging
512069-2 2-Critical   TMM restart while relicensing the BIG-IP using the base license.
510923-2 2-Critical   TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.
565765-3 3-Major   Flow reporting does not occur for unclassified flows.
564263-3 3-Major   PEM: TMM asserts when Using Debug Image when Gy is being used
560607-3 3-Major   Resource Limitation error when removing predefined policy which has multiple rules
559382-1 3-Major   Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
557675-3 3-Major   Failover from PEM to PCRF can cause session lookup inconsistency
549283-3 3-Major   Add a log message to indicate transition in the state of Gx and Gy sessions.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
555369-3 2-Critical K43151094 CGNAT memory leak when non-TCP/UDP traffic directed at public addresses
545783-3 2-Critical   TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool
540571-2 2-Critical   TMM cores when multicast address is set as destination IP via iRules and LSN is configured
540484-2 2-Critical K04005785 "show sys pptp-call-info" command can cause tmm crash
535101-1 2-Critical   Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
564039-3 2-Critical   WebSafe "Missing component" check gets applied on request with different referrer domain.
563554-3 2-Critical   Accept-language in alerts
559129-3 2-Critical   Update Generic Malware Signatures to detect new Dyre variant
554540 2-Critical   RAT detection failure
554537-2 2-Critical   Failed alerts on Internet Explorer
541670-1 2-Critical   Memory leak and potential crash bug in secure channel cookie handling
537106-3 2-Critical   Component checks wait for page load
564040-4 3-Major   Differentiation of missing component alerts
560069-1 3-Major   Default obfuscator configuration causes very slow javascript in some browsers
558255-2 3-Major   Filtering encryption alerts
555818-3 3-Major   Bait failure alerts do not give details of the cause of failure
554546-2 3-Major   Only first entry in 'Mandatory Words' list is effective
552476-2 3-Major   Use of JavaScript's 'eval' function may be prohibited by site's content security policy
551893-2 3-Major   Alerts sent from the FPS plugin via HSL are sent in a malformed HTTP format
542586-3 3-Major   Fallback alert mechanism can result in page refresh in Internet Explorer 8
542581-3 3-Major   WebSafe alerts with HTML attached cause the page to run slowly
542472 3-Major   SSL::disable for alerts does not take effect and first alert fails
503160-3 3-Major   FPS malicious words do not trigger an alert when an ignore list is defined
560791 4-Minor   FPS doesn't encrypt inputs of type "hidden"
555827-2 4-Minor   No fallback for alerts.
547038-2 4-Minor   In very fast transactions, some detection data is missing


Device Management Fixes

ID Number Severity Solution Article(s) Description
538722-3 3-Major K06150134 Configurable maximum message size limit for restjavad


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
546082-5 2-Critical   Special characters might change input.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 8 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-4 CVE-2016-5745 K64743453 NAT64 vulnerability CVE-2016-5745
599168-4 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-4 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
569467-11 CVE-2016-2084 K11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
580596-9 CVE-2013-0169 CVE-2016-6907 CVE-2019-6593 K14190 K39508724 K10065173 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907


Functional Change Fixes

ID Number Severity Solution Article(s) Description
557221-7 2-Critical K36385016 Inbound ISP link load balancing will use pool members for only one ISP link per data center


TMOS Fixes

ID Number Severity Solution Article(s) Description
596603-11 2-Critical   AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
547047 2-Critical K31076445 Older cli-tools unsupported by AWS
595874-4 3-Major   Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.
556277-6 3-Major   Config Sync error after hotfix installation (chroot failed rsync error)
499537-3 3-Major K58243048 Qkview may store information in the wrong format


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
557645-5 3-Major   Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 7 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
591857 1-Blocking   10-core vCMP guest with ASM may not pass traffic



Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
532522-3 CVE-2015-1793 K16937 CVE-2015-1793
536984 CVE-2015-8240 K06223540 Ensure min_path_mtu is functioning as designed.
536481-9 CVE-2015-8240 K06223540 F5 TCP vulnerability CVE-2015-8240
534630-5 CVE-2015-5477 K16909 Upgrade BIND to address CVE-2015-5477
530829 CVE-2015-5516 K00032124 UDP traffic sent to the host may leak memory under certain conditions.
529509-5 CVE-2015-4620 K16912 BIND Vulnerability CVE-2015-4620
527799-9 CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 K16674 K16915 K16914 OpenSSL library in APM clients updated to resolve multiple vulnerabilities
527630-1 CVE-2015-1788 K16938 CVE-2015-1788 : OpenSSL Vulnerability
506034-3 CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 K16393 NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)
540849-5 CVE-2015-5986 K17227 BIND vulnerability CVE-2015-5986
540846-5 CVE-2015-5722 K17181 BIND vulnerability CVE-2015-5722
531576-1 CVE-2016-7476 K87416818 TMM vulnerability CVE-2016-7476
520466-2 CVE-2015-3628 K16728 Ability to edit iCall scripts is removed from resource administrator role
516618-5 CVE-2013-7424 K16472 glibc vulnerability CVE-2013-7424
526514-1 CVE-2016-3687 K26738102 Open redirect via SSO_ORIG_URI parameter in multi-domain SSO
522878-1 CVE-2016-3686 K82679059 Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access.
515345-1 CVE-2015-1798 K16505 NTP Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
503652-4 2-Critical K17162 Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
502443-4 2-Critical K16457 After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
520705-5 3-Major   Edge client contains multiple duplicate entries in server list
498992-6 3-Major   Troubleshooting enhancement: improve logging details for AWS failover failure.
471042-6 3-Major   Datastor High Velocity Traffic Pattern Changes
224903-5 3-Major K71296207 CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.


TMOS Fixes

ID Number Severity Solution Article(s) Description
544980-3 1-Blocking   BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
535806-2 1-Blocking   Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
507312-1 1-Blocking   icrd segmentation fault
477218-5 1-Blocking   Simultaneous stats query and pool configuration change results in process exit on secondary.
473033-5 1-Blocking   Datastor Now Uses Syslog-ng
529510-2 2-Critical   Multiple Session ha state changes may cause TMM to core
523434 2-Critical K85242410 mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
513454-3 2-Critical   An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts
510979-1 2-Critical   Password-less SSH access after tmsh load of UCS may require password after install.
509503-4 2-Critical   tmsh load sys config merge file 'filename' takes significant time for firewall rulelist configuration
507602-1 2-Critical K17166 Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled
506199-4 2-Critical   VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
504496-3 2-Critical   AAA Local User Database may sync across failover groups
497078-1 2-Critical   Modifying an existing ipsec policy configuration object might cause tmm to crash
479460-5 2-Critical   SessionDb may be trapped in wrong HA state during initialization
473105 2-Critical   FastL4 connections reset with pva-acceleration set to guaranteed
471860-3 2-Critical K16209 Disabling interface keeps DISABLED state even after enabling
470813-1 2-Critical   Memory corruption in f5::rest::CRestServer::g_portToServerMap
468473-2 2-Critical K16193 Monitors with domain username do not save/load correctly
464870-7 2-Critical K94275315 Datastor cores and restarts.
438674-5 2-Critical K14873 When log filters include tamd, tamd process may leak descriptors
429018-2 2-Critical K17438 tmipsecd cores when deleting a non-existing traffic selector
420107-2 2-Critical   TMM could crash when modifying HTML profile configuration
364978-1 2-Critical   Active/standby system configured with unit 2 failover objects
544888-5 3-Major K17426 Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
534251-1 3-Major   Live update with moving config breaks password-less ssh access
533458-4 3-Major   Insufficient data for determining cause of HSB lockup.
533257-2 3-Major   tmsh config file merge may fail when AFM security log profile is present in merged file
528881 3-Major   NAT names with spaces in them do not upgrade properly
528310 3-Major K17384 Upgrade failure when CertKeyChain exists in non-Common partition
527537 3-Major   CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled
527145-4 3-Major K53232218 On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
527094-1 3-Major K17295 iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata.
527021-1 3-Major   BIG-IQ iApp statistics corrected for empty pool use cases
526419-1 3-Major   Deleting an iApp service may fail
524791-3 3-Major   non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0
524753-1 3-Major   IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip
524490-4 3-Major K17364 Excessive output for tmsh show running-config
524326-4 3-Major   Can delete the last IP address on a GTM server but cannot load a config with a GTM server with no IPs
523922-4 3-Major   Session entries may timeout prematurely on some TMMs
523125 3-Major K17350 Disabling/enabling blades in cluster can result in inconsistent failover state
520640-2 3-Major K31002924 The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.
519510-3 3-Major K17164 Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
519372 3-Major K55273152 vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files.
519068-3 3-Major   device trust setup can require restart of devmgmtd
518283 3-Major K16524 Cookie rewrite mangles 'Set-Cookie' headers
518039-1 3-Major   BIG-IQ iApp statistics corrected for partition use cases
517580-3 3-Major K16787 OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
517178-2 3-Major K29660332 BIG-IP system as SAML Service Provider cannot process some messages from SimpleSAMLphp under certain conditions
516669-1 3-Major K34602919 Rarely occurring SOD core causes failover.
515667-4 3-Major   Unique truncated SNMP OIDs.
514726-4 3-Major K17144 Server-side DSR tunnel flow never expires
514724-1 3-Major   crypto-failsafe fail condition not cleared when crypto device restored
513916-5 3-Major K80955340 String iStat rollup not consistent with multiple blades
513294-8 3-Major   LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
510159-1 3-Major   Outgoing MAP tunnel statistics not updated
510119-4 3-Major   HSB performance can be suboptimal when transmitting TSO packets.
509782-3 3-Major K16780 TSO packets can be dropped with low MTU
509504-5 3-Major K17500 Excessive time to save/list a firewall rule-list configuration
509037-1 3-Major K17058 BIG-IP systems allow creating wild-card IPIP tunnels with the same local-address and tunnel-type
507853-1 3-Major   MCP may crash while performing a very large chunked query and CPU is highly loaded
507575-1 3-Major   An incorrectly formatted NAPTR creation via iControl can cause an error.
506041-2 3-Major K01256304 Folders belonging to a device group can show up on devices not in the group
505045-1 3-Major K56700956 MAP implementation not working with EA bits length set to 0.
504494-2 3-Major K43624250 Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.
502238-3 3-Major K16736 Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
501437-3 3-Major   rsync daemon does not stop listening after configsync-ip set to none
500234-4 3-Major   TMM may core during failover due to invalid memory access in IPsec components
499260-3 3-Major   Deleting trust-domain fails when standby IP is in ha-order
497564-2 3-Major   Improve High Speed Bridge diagnostic logging on transmit/receive failures
497304-1 3-Major   Unable to delete reconfigured HTTP iApp when auto-sync is enabled
495526-1 3-Major   IPsec tunnel interface causes TMM core at times
493246-2 3-Major K17414 SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot
493213-1 3-Major   RBA eam and websso daemons segfaulting while provisioning
491716-2 3-Major   SNMP attribute type incorrect for certain OIDs
491556-7 3-Major K16573 tmsh show sys connection output is corrected
489084-1 3-Major   Validation error in MCPD for FQDN nodes
484706-2 3-Major K16460 Incremental sync of iApp changes may fail
483104-3 3-Major K17365 vCMP guests report platform type as 'unknown'
481648-8 3-Major   mib-2 ipAddrTable interface index does not correlate to ifTable
480679-1 3-Major K16858 The big3d daemon does not receive config updates from mcpd
473348-6 3-Major K16654 SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later
473088-4 3-Major K17091 Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile
470756-6 3-Major   snmpd cores or crashes with no logging when restarted by sod
468837-5 3-Major   SNAT translation traffic group inheritance does not sync across devices
464252-2 3-Major   Possible tmm crash when modifying html pages with HTML profile.
464024-4 3-Major K16455 File descriptor leak when running some TMSH commands through scriptd
458104-3 3-Major K16795 LTM UCS load merge trunk config issue
455264-3 3-Major K54105052 Error messages are not clear when adding member to device trust fails
442871-1 3-Major K17185 BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor
441297-3 3-Major K16493 Trunk remains down and interface's status is 'uninit' after mcpd restart
416388-1 3-Major   vCMPD will not reattach to guest
410398-3 3-Major   sys db tmrouted.rhifailoverdelay does not seem to work
405752-1 3-Major   TCP Half Open monitors sourced from specific source ports can fail
383784-5 3-Major K17289 Remote Auth user names containing blank space cannot login through TMSH.
362267-3 3-Major K17488 Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
359774-6 3-Major   Pools in HA groups other than Common
355661-3 3-Major K85476133 sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
524606-1 4-Minor   SElinux violations prevent cpcfg from touching /service/mcpd/forceload
524185 4-Minor   Unable to run lvreduce
523863-2 4-Minor   istats help not clear for negative increment
492163-3 4-Minor K12400 Applying a monitor to pool and pool member may cause an issue.
475647-2 4-Minor   VIPRION Host PIC firmware version 7.02 update
473163-2 4-Minor   RAID disk failure and alert.conf log message mismatch results in no trap
471827-1 4-Minor   Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist
465675-3 4-Minor K07816405 Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
465317-1 4-Minor K10890804 Failure notice from '/usr/bin/set-rsync-mgmt-fw close' seen on each boot.
464043-3 4-Minor   Integration of Firmware for the 2000 Series Blades
443298-2 4-Minor   FW Release: Incorporate VIPRION 2250 LOP firmware v1.20
356658-2 5-Cosmetic K28234602 Message logged when remote authenticated users do not have local account login


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
522784-2 1-Blocking   After restart, system remains in the INOPERATIVE state
420341-6 1-Blocking K17082 Connection Rate Limit Mode when limit is exceeded by one client also throttles others
552937-1 2-Critical   HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
539344-1 2-Critical   SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list
538255 2-Critical   SSL handshakes on 4200/2200 can cause TMM cores.
533388-1 2-Critical   tmm crash with assert "resume on different script"
530963-4 2-Critical   BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
528432-2 2-Critical   Control plane CPU usage reported too high
523079-2 2-Critical   Merged may crash when file descriptors exhausted
514108-1 2-Critical   TSO packet initialization failure due to out-of-memory condition.
510837-2 2-Critical   Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. BIG-IP sends bad client key exchange.
509346-2 2-Critical   Intermittent or complete SSL handshake failure with netHSM keys
506304-2 2-Critical   UDP connections may stall if initialization fails
505331-1 2-Critical K17092 SASP Monitor may core
505222-2 2-Critical   DTLS drops egress packets when traffic is sufficiently heavy.
503343-7 2-Critical   TMM crashes when cloned packet incorrectly marked for TSO
499422-1 2-Critical K31310380 An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.
497299-5 2-Critical   Thales install fails if the BIG-IP system is also configured as the RFS
492352-3 2-Critical   SSL profiles using password protected SSL keys cause config utility error
481677-2 2-Critical   A possible TMM crash in some circumstances.
481162-2 2-Critical K16458 vs-index is set differently on each blade in a chassis
474601-5 2-Critical   FTP connections are being offloaded to ePVA
450814-10 2-Critical   Early HTTP response might cause rare 'server drained' assertion
431283-7 2-Critical   iRule binary scan may core TMM when the offset is large
426328-8 2-Critical K14654 Updating iRule procs while in use can cause a core
402412-8 2-Critical   FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
551612 3-Major   BIG-IP SSL does not support sending multiple certificate verification requests to the hardware accelerator at the same time in 11.6.0.
530431 3-Major K17537 FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts
526810-5 3-Major   Crypto accelerator queue timeout is now adjustable
525557 3-Major   FQDN ephemeral nodes not re-populated after deleted and re-created
524666-3 3-Major   DNS licensed rate limits might be unintentionally activated.
522147-2 3-Major   'tmsh load sys config' fails after key conversion to FIPS using web GUI
521774-3 3-Major K17420 Traceroute and ICMP errors may be blocked by AFM policy
521538-2 3-Major K08025400 Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
521522-3 3-Major K21981142 Traceroute through BIG-IP may display destination IP address at BIG-IP hop
521408-3 3-Major   Incorrect configuration in BigTCP Virtual servers can lead to TMM core
520540-1 3-Major   Specific iRule commands may generate a core file
518020-11 3-Major K16672 Improved handling of certain HTTP types.
517790-1 3-Major   When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
517556-3 3-Major   DNSSEC unsigned referral response is improperly formatted
516598-1 3-Major K82721850 Multiple TCP keepalive timers for same Fast L4 flow
516320-2 3-Major   TMM may have a CPU spike if match cross persist is used.
515817-2 3-Major   TMM may not reset connection when receiving an ICMP error
515322-1 3-Major   Intermittent TMM core when using DNS cache with forward zones
515072-4 3-Major K17101 Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
514246-3 3-Major   connflow_precise_check_begin does not check for NULL
512383-3 3-Major K68275911 Hardware flow stats are not consistently cleared during fastl4 flow teardown.
512148-1 3-Major K17154 Self IP address cannot be deleted when its VLAN is associated with static route
512062-2 3-Major K21528300 A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
510921-1 3-Major K23548911 Database monitors do not support IPv6 nodes
510720-1 3-Major K81614705 iRule table command resumption can clear the header buffer before the HTTP command completes
510638-1 3-Major K37513511 [DNS] Config change in dns cache resolver does not take effect until tmm restart
507529-1 3-Major   Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
506282-1 3-Major K16168 GTM DNSSEC keys generation is not synchronized upon key creation
505059-1 3-Major   Some special characters are not properly handled for username and password fields in TCL monitors
504899-2 3-Major   Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)
504306-2 3-Major   https monitors might fail to re-use SSL sessions.
504105-4 3-Major   RR-DAG enabled UDP ports may be used as source ports for locally originated traffic
503979-1 3-Major   High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.
503384-1 3-Major K17394 SMTP monitor fails on multi line greeting banner in SMTP server
501516-5 3-Major   If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
497742-3 3-Major   Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
496758-5 3-Major K16465 Monitor Parameters saved to config in a certain order may not construct parameters correctly
495836-2 3-Major   SSL verification error occurs when using server side certificate.
495557-1 3-Major   Ephemeral node health status may report as 'unknown' rather than the expected 'offline'
490713-3 3-Major   FTP port might occasionally be reused faster than expected
490429-2 3-Major K17206 The dynamic routes for the default route might be flushed during operations on non-default route domains.
488600-2 3-Major   iRule compilation fails on upgrade
488581 3-Major K17539 The TMM process may restart and produce a core file when using the SSL::disable clientside iRule command within a HTTP_REQUEST event
485472-3 3-Major   iRule virtual command allows for protocol mismatch, resulting in crash
479674-1 3-Major K16629 bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.
478617-6 3-Major K16451 Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
478439-6 3-Major K16651 Unnecessary re-transmission of packets on higher ICMP PMTU.
478257-7 3-Major   Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
476097-1 3-Major K15274113 TCP Server MSS option is ignored in verified accept mode
474356-1 3-Major   Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain
471059-4 3-Major   Malformed cookies can break persistence
465607-7 3-Major K15966 TMM cores with TMM log error 'Assertion "flow in use" failed.' when issuing FastHTTP.
465590-9 3-Major K17531 Mirrored persistence information is not retained while flows are active
465052-6 3-Major K16060 Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing
462714-2 3-Major K66236389 Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
460627-3 3-Major K17059 SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
447874-5 3-Major   TCP zero window suspends data transfer
447043-3 3-Major K17095 Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
422107-8 3-Major K17415 Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
422087-5 3-Major K16326 Low memory condition caused by Ram Cache may result in TMM core
375887-4 3-Major K17282 Cluster member disable or reboot can leak a few cross blade trunk packets
374339-4 3-Major   HTTP::respond/redirect might crash TMM under low-memory conditions
364994-7 3-Major K16456 TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.
352925-2 3-Major K16288 Updating a suspended iRule and TMM process restart
348000-1 3-Major   HTTP response status 408 request timeout results in error being logged.
342013-6 3-Major K27445955 TCP filter doesn't send keepalives in FIN_WAIT_2
226892-13 3-Major K12831 Packet filter enabled, default action discard/reject and IP fragment drop
486485-1 4-Minor   TCP MSS is incorrect after ICMP PMTU message.
454692-4 4-Minor K16235 Assigning 'after' object to a variable causes memory leaks
442647-5 5-Cosmetic K04311130 IP::stats iRule command reports incorrect information past 2**31 bits


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
515797-1 2-Critical   Using qos_score command in RULE_INIT event causes TMM crash
513464-1 2-Critical   Some autodiscovered virtuals may be removed from pools.
471819-2 2-Critical   The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.
517083-1 3-Major   Some auto-discovered virtual servers may be removed from pools.
516685-2 3-Major   ZoneRunner might fail to load valid zone files.
516680-2 3-Major   ZoneRunner might fail when loading valid zone files.
515033 3-Major   [ZRD] A memory leak in zrd
515030-1 3-Major K74820030 [ZRD] A memory leak in Zrd
514236-1 3-Major   [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses
496775-3 3-Major K16194 [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the bigip monitor
479142-1 3-Major K16173 Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
465951-2 3-Major K12562945 If net self description size = 65K, gtmd restarts continuously
479084-1 4-Minor   ZoneRunner can fail to respond to commands after a VE resume.
353556-4 4-Minor   big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
524428-1 2-Critical   Adding multiple signature sets concurrently via REST
524004-1 2-Critical   Adding multiple signatures concurrently via REST
520280-1 2-Critical   Perl Core After Apply Policy Action
513822-1 2-Critical   ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page
511196-1 2-Critical   UMU memory is not released when remote logger can't reach its destination
532030-3 3-Major   ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI
531761-1 3-Major   Web navigation flow may be reset when main page responds with non-HTML content
531539-1 3-Major K05113177 The NTLM login is not recognized as failed login.
527861 3-Major   When many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.
526856-1 3-Major   "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
525522 3-Major   Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains
523261-1 3-Major   ASM REST: MCP Persistence is not triggered via REST actions
523260-1 3-Major K52028045 Apply Policy finishes with coapi_query failure displayed
523201-2 3-Major   Expired files are not cleaned up after receiving an ASM Manual Synchronization
520585-2 3-Major   Changing Security Policy Application Language Is Not Validated or Propagated Properly
519053-1 3-Major   Request is forwarded truncated to the server after answering challenge on a big request
516522-1 3-Major K04420402 After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.
486829-1 3-Major K17512 HTTP Protocol Compliance options should not be modified during import/upgrade
467930-1 3-Major K47335122 Searching ASM Request Log for requests with specific violations
514117-1 4-Minor   Store source port higher than 32767 in Request Log record


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
531526-2 3-Major K17560 Missing entry in SQL table leads to misleading ASM reports
530356-2 3-Major   Some AVR tables that hold ASM statistics are not being backed up in upgrade process.
526277-1 3-Major   AFM attack may never end on AVR dos overview page in a chassis based BIG-IP
525708-1 3-Major K17555 AVR reports of last year are missing the last month data
519022-2 3-Major K01334306 Upgrade process fails to convert ASM predefined scheduled-reports.
518663-1 3-Major   Client waits seconds before page finishes load
499315-1 3-Major   Added "Collect full URL" functionality.
485251-1 3-Major   AVR core which includes tmstat backtrace
479334-5 3-Major   monpd/ltm log errors after Hotfix is applied
472117-2 3-Major   Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
492149-3 1-Blocking   Inline JavaScript with HTML entities may be handled incorrectly
488736-5 1-Blocking   Fixed problem with iNotes 9 Instant Messaging
482266-3 1-Blocking   Windows 10 support for Network Access / BIG-IP Edge Client
482241-1 1-Blocking   Windows 10 cannot be properly detected
439880-2 1-Blocking   NTLM authentication does not work due to incorrect NetBIOS name
405769-3 1-Blocking   APM Logout page is not protected against CSRF attack.
532340-1 2-Critical   When FormBased SSO or SAML SSO are configured, tmm may restart at startup
526754-2 2-Critical   F5unistaller.exe crashes during uninstall
525562-1 2-Critical   Debug TMM Crashes During Initialization
523313-1 2-Critical K17574 aced daemon might crash on exit
520298-2 2-Critical   Java applet does not work
520145-3 2-Critical   [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
519864-3 2-Critical   Memory leak on L7 Dynamic ACL
518260-1 2-Critical   Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988-2 2-Critical   TMM may crash if access profile is updated while connections are active
514220-1 2-Critical   New iOS-based VPN client may fail to create IPv6 VPN tunnels
509490-2 2-Critical   [IE10]: attachEvent does not work
507681-5 2-Critical   Window.postMessage() does not send objects in IE11
506223-2 2-Critical   A URI in request to cab-archive in iNotes is rewritten incorrectly
502269-1 2-Critical   Large post requests may fail using form based SSO.
493993-6 2-Critical K15914 TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module
492287-1 2-Critical   Support Android RDP client 8.1.3 with APM remote desktop gateway
480272-6 2-Critical K17117 During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
540778-3 3-Major   Multiple SIGSEGV with core and failover with no logged indicator
539013-6 3-Major   DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
537614-1 3-Major   Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
537000-2 3-Major   Installation of Edge Client can cause Windows 10 crash in some cases
534755-1 3-Major   Deleting APM virtual server produces ERR_NOT_FOUND error
533566-1 3-Major   Support for View HTML5 client v3.5 shipped with VCS 6.2
532761 3-Major   APM fails to handle compressed ICA file in integration mode
532096-2 3-Major   Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used
531910-1 3-Major   apmd, apd, localmgr random crash
531883-2 3-Major   Windows 10 App Store VPN Client must be detected by BIG-IP APM
531541-1 3-Major   Support Citrix Receiver 4.3 for Windows in PNAgent mode
531529-1 3-Major   Support for StoreFront proxy
531483-2 3-Major   Copy profile might end up with error
530800-1 3-Major   Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.
530773 3-Major   per-request policy logs frequently in apm logs
530697-2 3-Major   Windows Phone 10 platform detection
529392-2 3-Major   Win10 and IE11 are not determined in case of DIRECT rule of proxy autoconfig script
528768-1 3-Major   Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication
528727-1 3-Major   In some cases HTML body.onload event handler is not executed via portal access.
528726-3 3-Major   AD/LDAP cache size reduced
528675-2 3-Major   BIG-IP EDGE Client can stay in "disconnecting..." state indefinitely when captive portal session expired
526677-1 3-Major   VMware Horizon HTML5 View access client cannot connect when using View Connection Server running version 6.1.1
526617-1 3-Major   TMM crash when logging a matched ACL entry with IP protocol set to 255
526578-1 3-Major   Network Access client proxy settings are not applied on German Windows
526492-2 3-Major   DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275-1 3-Major   VMware View RSA/RADIUS two factor authentication fails
526084-3 3-Major   Windows 10 platform detection for BIG-IP EDGE Client
525384-2 3-Major   Network Access PAC file can now be located on SMB share
524909-2 3-Major   Windows info agent could not be passed from Windows 10
523431-2 3-Major   Windows Cache and Session Control cannot support a period in the access profile name
523390-2 3-Major   Minor memory leak on IdP when SLO is configured on bound SP connectors.
523327-2 3-Major   In very rare cases Machine Certificate service may fail to find private key
523305-1 3-Major   Authentication fails with StoreFront protocol
523222-6 3-Major   Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
521835-2 3-Major   [Policy Sync] Connectivity profile with a customized logo fails
521773-2 3-Major K10105099 Memory leak in Portal Access
521506-2 3-Major   Network Access doesn't restore loopback route on multi-homed machine
520642-3 3-Major   Rewrite plugin should check length of Flash files and tags
520390-1 3-Major   Reuse existing option is ignored for smtp servers
520205-3 3-Major   Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
520118-2 3-Major   Duplicate server entries in Server List.
519966-2 3-Major   APM "Session Variables" report shows user passwords in plain text
519415-3 3-Major   apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual)
519198-3 3-Major   [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user
518981-2 3-Major   RADIUS accounting STOP message may not include long class attributes
518583-2 3-Major   Network Access on disconnect restores redundant default route after looped network roaming for Windows clients
518573 3-Major   The -decode option should be added to expressions in AD and LDAP group mapping.
518432 3-Major   [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation
517564-1 3-Major   APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
517441-5 3-Major   apd may crash when RADIUS accounting message is greater than 2K
516839-3 3-Major   Add client type detection for Microsoft Edge browser
516462-2 3-Major   Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
515943-2 3-Major   "Session variables" report may show empty if session variable value contains non-English characters
514912-3 3-Major   Portal Access scripts had not been inserted into HTML page in some cases
513969-3 3-Major   UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513953-1 3-Major K17122 RADIUS Auth/Acct might fail if server response size is more than 2K
513706-2 3-Major K16958 Incorrect metric restoration on Network Access on disconnect (Windows)
513545-1 3-Major   '-decode' option produces an incorrect value when it decodes a single value
513283-1 3-Major   Mac Edge Client doesn't send client data if access policy expired
513098-1 3-Major K17180 localdb_mysql_restore.sh failed with exit code
512345-2 3-Major K17380 Dynamic user record removed from memcache but remains in MySQL
512245-7 3-Major   Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
511854-4 3-Major K85408112 Rewriting URLs at client side does not rewrite multi-line URLs
510709-1 3-Major   Websso start URI match fails if there are more than 2 start URI's in SSO configuration.
509722-1 3-Major   BWC traffic blocked
509677-1 3-Major   Edge-client crashes after switching to network with Captive Portal auth
504031-1 3-Major   document.write()/document.writeln() redefinition does not work
501494-1 3-Major   If window.onload is assigned null, then null should be retrieved
500938-3 3-Major   Network Access can be interrupted if second NIC is disconnected
500450-1 3-Major   ASM and APM on the same virtual server cause Set-Cookie header modifications made by ASM to not be honored by APM WebSSO.
495336-1 3-Major K39768154 Logon page is not displayed correctly when 'force password change' is on for local users.
494637-2 3-Major K80550446 localdbmgr process in constant restart/core loop
494565-4 3-Major K65181614 CSS patcher crashes when a quoted value consists of spaces only
493023-3 3-Major   Export of huge policies might end up with 'too many pipes opened' error
492701-3 3-Major   Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
492305-1 3-Major   Recurring file checker doesn't interrupt session if client machine has missing file
490830-4 3-Major   Protected Workspace is not supported on Windows 10
488105-3 3-Major   TMM may generate core during certain config change.
483792-5 3-Major   When iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
483501-1 3-Major   Access policy v2 memory leak during object deletion in tmm.
483286-3 3-Major   APM MySQL database full as log_session_details table keeps growing
483020-1 3-Major K17533 [SWG] Policy execution hang when using iRule event in VPE
482699-4 3-Major   VPE displaying "Uncaught TypeError"
482251-3 3-Major K95824957 Portal Access. Location.href(url) support.
481987-6 3-Major   Allow NTLM feature to be enabled with APM Limited license
481663-5 3-Major   Disable isession control channel on demand.
480761-1 3-Major   Fixed issue causing TunnelServer to crash during reconnect
478751-6 3-Major K35826411 OAM10g form based AuthN is not working for a single/multiple domain.
478492-7 3-Major K17476 Incorrect handling of HTML entities in attribute values
475735-4 3-Major K30145457 Failed to load config after removing peer from sync-only group
475403-2 3-Major   Tunnel reconnect with v2.02 does not occur
474779-1 3-Major   EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
473488-6 3-Major K17376 In AD Query agent, resolving of nested groups may cause apd to spin
473255-3 3-Major K41869058 JavaScript submit() method could be rewritten incorrectly inside of 'with' statement.
472256-3 3-Major K17259 tmsh and tmctl report unusually high counter values
472062-3 3-Major K17480 Unmangled requests when form.submit with arguments is called in the page
471117-4 3-Major K17546 iframe with JavaScript in 'src' attribute not handled correctly in IE11
468137-6 3-Major   Network Access logs missing session ID
466745-3 3-Major   Cannot set the value of a session variable with a leading hyphen.
462514-1 3-Major K91196715 Support for XMLHttpRequest is extended
461189-5 3-Major K16563 Generated assertion contains HEX-encoded attributes
458450-2 3-Major K16941 The ECA process may produce a core file when processing HTTP headers
457760-5 3-Major   EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
452010-3 3-Major K16609 RADIUS Authentication fails when username or password contain non-ASCII characters
446860-4 3-Major   APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
442698-10 3-Major   APD Active Directory module memory leak in exception
431467-1 3-Major   Mac OS X support for nslookup and dig utilities to use VPN DNS
426209-2 3-Major   Exporting to a CSV file may fail and the Admin UI is inaccessible
423282-8 3-Major K17116 BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence
408851-7 3-Major   Some Java applications do not work through BIG-IP server
402793-12 3-Major   APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
340406-10 3-Major   Localization of BIG-IP Edge Client for Macintosh
533723-4 4-Minor   [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
524756 4-Minor   APM Log is filled with errors about failing to add/delete session entry
523158-2 4-Minor   In VPE, if the LDAP server returns "cn=" (lower case), DN/group match fails
517872-1 4-Minor   Include proxy hostname in logs in case of name resolution failure
513201-6 4-Minor   Edge client is missing localization of some English text in Japanese locale
510459-1 4-Minor   In some cases Access does not redirect client requests
507321-3 4-Minor   JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
497627-3 4-Minor K58125050 Tmm cores while using APM network access and no leasepool is created on the BIG-IP system.
486661-3 4-Minor   Network Access should provide client IP address on reconnect log records
482145-3 4-Minor   Text in buttons not centered correctly for higher DPI settings
478658-6 4-Minor   Window.postMessage() does not send objects
478261-2 4-Minor   WinInet handle leak in Edge Client on Windows
473685-1 4-Minor   Websso truncates cookie domain value


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
522231-3 3-Major   TMM may crash when a client resets a connection
521455-2 3-Major K16963 Images transcoded to WebP format delivered to Edge browser


WAN Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
497389-1 3-Major   Extraneous dedup_admin core
485182-2 3-Major K19303084 wom_verify_config does not recognize iSession profile in /Common sub-partition
480910 3-Major   A TCP profile with 'Rate Pace' or 'Tail Loss Probe' enabled fails to successfully establish a connection.
442884-1 3-Major   TMM assert 'spdy pcb initialized' in spdy_process()


Service Provider Fixes

ID Number Severity Solution Article(s) Description
521556-1 2-Critical   Assertion "valid pcb" in TCP4 with ICAP adaptation
516057-3 2-Critical   Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
480311-1 3-Major K47143123 ADAPT should be able to work with OneConnect
489957-5 4-Minor   RADIUS::avp command fails when AVP contains multiple attributes (VSA).
478920 4-Minor   SIP::discard is not invoked for all request messages


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
524748-1 2-Critical   PCCD optimization for IP address range
506286-1 2-Critical   TMSH reset of DOS stats
534886-1 3-Major   AFM Security checks were not being done for DNS over TCP
532022-1 3-Major   tmm can crash when the reply pkt to a service flow request is a DoS pkt
530865-2 3-Major   AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
526774 3-Major   Search in FW policy disconnects GUI users
523465-2 3-Major   Log an error message when firewall rule serialization fails due to maximum blob limit being hit.
521763-1 3-Major   Attack started and stopped messages should not have source/dst IP addresses in log messages
515112-1 3-Major   Delayed ehash initialization causes crash when memory is fragmented.
510224-2 3-Major   All descriptions for address-list members are flushed after the address-list was updated
509934-1 3-Major   Blob activation fails due to counter revision
509919-2 3-Major   Incorrect counter for SelfIP traffic on cluster
509600-1 3-Major   Global rule association to policy is lost after loading config.
481706-2 3-Major   AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP
533808-1 4-Minor   Unable to create new rule for virtual server if order is set to "before"/"after"
533336-2 4-Minor   Display 'description' for port list members
528499 4-Minor   AFM address lists are not sorted while trying to create a new rule.
510226-2 4-Minor   All descriptions for ports-list's members are flushed after the port-list was updated
491165-1 4-Minor   Legal IP addresses sometimes logged in Attack Started/Stopped message.
495432-2 5-Cosmetic   Add new log messages for AFM rule message load/activation in datapath.


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
545558-1 1-Blocking   Send RAA when RAR is sent by PCRF and session is deleted immediately after its created.
533929 1-Blocking   PEM::subscriber info irule command can cause tmm core
525175-1 1-Blocking   Fix a crash issue when querying SSP with multi-ip.
524780-1 1-Blocking   TMM crash when querying the session information
522933-1 1-Blocking   diam_app_process_async_lookup may cause TMM crash
534490 2-Critical   Fixed TMM crash when iRule configuration is modified.
534018-1 2-Critical   Memory leak while running some of PEM::session and PEM::subscriber commands.
533734-1 2-Critical K82536069 DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION
533203 2-Critical K98322810 TMM may core on resuming iRule if the underlying flow has been deleted.
528715-1 2-Critical   Rare tmm crash when ipother iRule parks
527016-1 2-Critical   CLASSIFICATION_DETECTED irule event results in tmm core
524374-1 2-Critical   TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule
523296-1 2-Critical   TMM may core when using iRule custom actions in PEM policies
519506-1 2-Critical   Flows dropped with initiate data from server on virtual servers with HTTP
491771-2 2-Critical   Parking command called from inside catch statement
541592-1 3-Major   PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions
537034 3-Major K13145204 PEM: CPU spike seen when iRule tries to update nonexistent sessions.
534323-1 3-Major   Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.
533513-1 3-Major   Data plane Listener summary does not show LSN translation correctly
529414-1 3-Major   PEM: After Diameter Fatal-Grace time expiry, Some subscriber sessions might be deleted very soon
528787-1 3-Major   PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code.
528247-1 3-Major   PEM: New requested units are empty when used units match granted service units
528238-1 3-Major   Quota Policy Added multiple times will lead to reset of Subscriber flows
527725-1 3-Major   BIG-IP crash caused by PSC::ip_address iRule is fixed
527292-1 3-Major   BIG-IP crash caused by PSC::user_name iRule is fixed
527289-1 3-Major   TMM crashes with core when PSC::ip_address iRule is used to list IPs
527076-1 3-Major   TMM crashes with core when PSC::policy iRule is used to set more than 32 policies
526786-1 3-Major   Session lookup fails
526368-1 3-Major   The number of IPv4 addresses per Gx session exceeds the limit of 1
526295-3 3-Major   BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id
525860-2 3-Major   PEM: Duplicate sessions formed with same IP
525633-1 3-Major K02093894 Configurable behavior if PCRF returns unknown session ID in middle of session.
525416-1 3-Major   List of IPs in "tmsh show pem sessiondb subscriber-id " may be reversed.
524409-1 3-Major   Fix TMSH show and reset-stats commands for multi-ip sessions defect.
524198-1 3-Major   PEM: Invalid HSL log generated when session with static subscriber deleted.
522934 3-Major   Provide an option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy
522579-1 3-Major   TMM memory leak when RAR messages received from PCRF to delete non-existing sessions in PEM
522141-1 3-Major   Tmm cores while changing properties of PEM policies and rules.
522140-1 3-Major   Multiple IP is not added through iRule after setting the state of a session to provision by iRule
521683-1 3-Major   PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs
521655-2 3-Major   Session hangs when trying to switch state to provisioned
504627-1 3-Major   Valid RADIUS sessions deleted on no session inactivity if no subscriber traffic exists during session timeout period.
499778-1 3-Major   A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs
471926-1 3-Major   Static subscriber sessions lost after bigstart restart
539677-1 4-Minor   The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
533562-1 2-Critical K15320373 Memory leak in CGNAT can result in crash
515646-1 2-Critical K17339 TMM core when multiple PPTP calls from the same client
509108-1 2-Critical   CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber
494743-1 2-Critical K17389 Port exhaustion errors on VIPRION 4800 when using CGNAT
494122-2 2-Critical K02533962 Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades
490893-4 2-Critical K16762 Deterministic NAT State information incomplete for HSL log format
505097-1 3-Major   lsn-pool backup-member not propagated to route table after tmrouted restart
504021-1 3-Major   lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled
500424-2 3-Major   dnatutil exits when reverse mapping one of the snippets results in "No tmms on the blade" error
486762-1 3-Major K05172346 lsn-pool connection limits may be invalid when mirroring is enabled
480119-2 3-Major K16112 Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.
455020-1 3-Major   RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
526124 2-Critical   Parameter matching inconsistency
520090-1 2-Critical K17546 Flows are closed as expired rather than closed gracefully.
529573 3-Major   CSS attribute name
527075 3-Major   Update domain availability default settings
525283-1 3-Major   Add obfuscator tuning tools
524032-1 3-Major   Control sending alerts during the source integrity learning process
513860-1 3-Major   Incomplete support for special characters in input field names
503461-1 3-Major K88491629 Intermittent JavaScript failure on Safari on Macintosh computer or device.
529587 4-Minor   Erroneous JS injections


Device Management Fixes

ID Number Severity Solution Article(s) Description
525595 1-Blocking K38134424 Memory leak of inbound sockets in restjavad.
509273 2-Critical   hostagentd consumes memory over time
533307 3-Major   Increasing memory usage due to continual creation of authentication tokens
521272 3-Major K16751 Fixed memory leak in restjavad's Authentication Token worker


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
495525-1 4-Minor   iApps fail when using FQDN nodes in pools


Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
523032-6 CVE-2015-3456 K16620 qemu-kvm VENOM vulnerability CVE-2015-3456
513034-1 CVE-2015-4638 K17155 TMM may crash if Fast L4 virtual server has fragmented packets
511651-3 CVE-2015-5058 K17047 CVE-2015-5058: Performance improvement in packet processing.
477281-4 CVE-2014-6032 K15605 Improved XML Parsing
477278-5 CVE-2014-6032 K15605 XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033
476157-3 CVE-2014-4341 CVE-2014-4342 K15547 MIT Kerberos 5 vulnerability CVE-2014-4342
507842-2 CVE-2015-1349 K16356 Patch for BIND Vulnerability CVE-2015-1349
513382-13 CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 K16317 Resolution of multiple OpenSSL vulnerabilities
485917-3 CVE-2004-1060 K15792 BIG/IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
476738-1 CVE-2007-6199 K15549 rsync daemon may be configured to listen on a public port
430799-3 CVE-2010-5107 K14741 CVE-2010-5107 openssh vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
500303-3 2-Critical K17302 Virtual Address status may not be reliably communicated with route daemon
499947 2-Critical   Improved performance loading thousands of Virtual Servers
497433-2 2-Critical   SSL Forward Proxy server side now supports all key exchange methods.
487552-3 2-Critical   triplets-not-allowed threshold too high because LTM minimum requirements for 6G guests are coming from 8G table
361367-3 2-Critical   Create 8 MB-aligned partitions/volumes for VE images to improve disk I/O.
523803 3-Major   Support two-factor authentication for Citrix Receivers in StoreFront proxy mode
512016-1 3-Major   DB variable added to determine DNS UDP truncation behavior.
504348-1 3-Major K53152418 iRules in event ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT cannot see modified headers
502770-2 3-Major   clientside and serverside command crashes TMM
495273-1 3-Major   LDAP extended error info only available at debug log level which could affect Branch rules
480811-2 3-Major K25171635 qkview will not collect lib directories.
474465-3 3-Major   Analysis processes appear to use high CPU though not affecting data plane
471103-1 3-Major   Ignoring null values for parameters with different content types


TMOS Fixes

ID Number Severity Solution Article(s) Description
510393-1 1-Blocking   TMM may occasionally restart with a core file when deployed VCMP guests are stopped
504490-1 1-Blocking K16789 The BIG-IP system sometimes takes longer on boot up to become Active.
468175-8 1-Blocking   IPsec interop with Cisco systems intermittent outages
520349 2-Critical   iControl portal restarts
509475 2-Critical   SPDY profile with activation-mode always may not load on upgrade to 11.6.0 or later
509276-4 2-Critical   VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device
507487-1 2-Critical   ZebOS Route not withdrawn when VAddr/VIP down and no default pool
505323-1 2-Critical K17349 NSM hangs in a loop, utilizing 100% CPU
502675-1 2-Critical   Improve reliability of LOP/LBH firmware updates
501343-3 2-Critical   In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
495335-1 2-Critical K17436 BWC related tmm core
492458-1 2-Critical   BIOS initial release
487233-1 2-Critical K16747 vCMP guests are unable to access NTP or RSYNC via their management network.
484733-4 2-Critical   aws-failover-tgactive.sh doesn't skip network forwarding virtuals
474751-1 2-Critical   IKEv1 daemon crashes when flushing SAs
474323 2-Critical   ePVA IPv6 feature is not available
467646 2-Critical K16184 IDE DMA timeouts can result in stuck processes
467196-5 2-Critical K16015 Log files limited to 24 hours
466266-1 2-Critical   In rare cases, an upgrade (or a restart) can result in an Active/Active state
460730-7 2-Critical   On systems with multiple blades, large queries can cause TMM to restart
452293-4 2-Critical K16186 Tunneled Health Monitor traffic fails on Standby device
445911-6 2-Critical   TMM fast forwarded flows are offloaded to ePVA
430323-4 2-Critical   VXLAN daemon may restart when 8000 VXLAN tunnels are configured
422460-8 2-Critical   :
376120-4 2-Critical K15726 tmrouted restart after reconfiguration of previously deleted route domain
519877 3-Major   External pluggable module interfaces not disabled correctly.
516073 3-Major   Revised AWS Setup Guide
514450-4 3-Major   VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.
512485-3 3-Major   Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding
510597-3 3-Major   SNAT Origin Address List is now stored correctly when first created
507461-6 3-Major   Net cos config may not persist on HA unit following staggered restart of both HA pairs.
507327-1 3-Major   Programs that read stats can leak memory on errors reading files
506281 3-Major   F5 Internal tool change to facilitate creating Engineering Hotfixes.
505878 3-Major K17355 Configuration load failure on secondary blades may occur when the chassis is rebooted
504572-4 3-Major K30038035 PVA accelerated 3WHS packets are sent in wrong hardware COS queue
503875-1 3-Major K81433151 Configure bwc policy category max rate
503604-3 3-Major   Tmm core when switching from interface tunnel to policy based tunnel
501953-2 3-Major   HA failsafe triggering on standby device does not clear next active for that device.
501371-4 3-Major K39672730 mcpd sometimes exits while doing a file sync operation
495862-1 3-Major   Virtual status becomes yellow and gets connection limit alert when all pool members forced down
494978-1 3-Major   The hostagentd daemon should not be running in non-vcmp mode.
494367-2 3-Major   HSB lockup after HiGig MAC reset
491791-3 3-Major   GET on non-existent pool members does not show error
490414-1 3-Major   /shared/vmisolinks present on systems running versions where block-devices are not present
489750-3 3-Major K16696 Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config
488916 3-Major   CIDR can now be used for SNAT Origin Address List
488374-2 3-Major K17019 Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation
486512-7 3-Major   audit_forwarder sending invalid NAS IP Address attributes
485939-1 3-Major K16822 OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.
485833-7 3-Major   The mcpd process may leak memory when using tmsh to modify user attributes
484861-5 3-Major K16919 A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
483762-3 3-Major K15790 Overlapping vCMP guest MAC addresses
483751-1 3-Major K16729 Internal objects can have load failures on restarted blades
483699-1 3-Major K16888 No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list
483683-3 3-Major K16210 MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
482434 3-Major   Possible performance degradation in AWS cloud
481082-2 3-Major   Software auto update schedule settings can be reset during a full sync
478761-1 3-Major   load sys config default does not work with iCR
477859-1 3-Major   ZebOS config load may fail if password begins with numeric character
477789-4 3-Major   SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.
476288-1 3-Major   Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault
473200-2 3-Major   Renaming a virtual server causes unexpected configuration load failure
473037-1 3-Major K16896 BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP
472365-4 3-Major   The vCMP worker-lite system occasionally stops due to timeouts
471496-2 3-Major   Standby node sends a summary LSA for the default route into a stub area with the same metric value as that of Active node.
468517-5 3-Major K16249 Multi-blade systems can experience active/standby flapping after both units rebooted
464132-2 3-Major K15665 Serverside SSL cannot be disabled if Rewrite profile is attached
463715-3 3-Major   syscalld logs erroneous and benign timeout messages
447075-1 3-Major   CuSFP module plugged in during links-down state will cause remote link-up
440346-5 3-Major K16265 Monitors removed from a pool after sync operation
440154-3 3-Major   When IKEv2 is in use, user can only associate one Traffic Selector object with the IKE Peer object
439343 3-Major   Client certificate SSL authentication unable to bind to LDAP server
436682-5 3-Major   Optical SFP modules shows a higher optical power output for disabled switch ports
431634-6 3-Major   tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails
420204-3 3-Major   FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long
416292-1 3-Major   MCPD can core as a result of another component shutting down prematurely
394236-3 3-Major   MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -
510049 4-Minor   Revised BIG-IP CGNAT Implementations content
493223-3 4-Minor   syscalld core dumps now keep more debugging information
490171-1 4-Minor K61258430 Cannot add FQDN node if management route is not configured
477111-5 4-Minor   Dual management routes in the main routing table
475592-2 4-Minor   Per-core and system CPU usage graphs do not match
473517-2 4-Minor   'OID not increasing error' during snmpwalk
463959-1 4-Minor   stpd attempts to connect to slots in a chassis that are empty
492422-4 5-Cosmetic K24508323 HTTP request logging reports incorrect response code
466116-3 5-Cosmetic   Intermittent 'AgentX' warning messages in syslog/ZebOS log files


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
511873 1-Blocking   TMM core observed during SSL cert-related tmsh execution.
507490-1 1-Blocking   Invalid HTTP/2 input can cause the TMM to hang
507139-1 1-Blocking   Invalid HTTP/2 input can cause the TMM to hang
504225-2 1-Blocking   Virtual creation with the multicast IPv6 address returns error message
488931-1 1-Blocking   TMM may restart when MPTCP traffic is being handled.
520413 2-Critical   TMM may crash when using woodside congestion control
516408-1 2-Critical   SSL reports certificate verification OK even when verification returns failure for pcm=request.
516179-1 2-Critical K16420 Woodside falsely detects congestion
514521 2-Critical   Rare TMM Cores with TCP SACK and Early Retransmit
509310-5 2-Critical   Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
503620-3 2-Critical   ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
495875-2 2-Critical K16204 Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic
495030-1 2-Critical   Segfault originating from flow_lookup_nexthop.
494319-1 2-Critical K16811 Proxy SSL caused tmm to core by dereferencing a null pointer
491030-6 2-Critical   Nitrox crypto accelerator can sometimes hang when encrypting SSL records
489796-2 2-Critical K16298 TMM cores when Woodside congestion control is used.
488908-1 2-Critical K16808 In client-ssl profile which serves as server side, BIG-IP SSL does not initialize in initialization function.
486450-2 2-Critical   iApp re-deployment causes mcpd on secondaries to restart
485189-3 2-Critical   TMM might crash if unable to find persistence cookie
480699-2 2-Critical K15728 HA mirroring can overflow buffer limits on larger platforms
480370-6 2-Critical K17147 Connections to virtual servers with port-preserve property will cause connections to leak in TMM
480299-1 2-Critical K16627 Delayed update of Virtual Address might not always happen.
480113-4 2-Critical   Install of FIPS exported key files (.exp) causes device-group sync failure
479171-3 2-Critical K15613 TMM might crash when DSACK is enabled
478983-1 2-Critical K16809 TMM core during certificate verification against CRL
478592-1 2-Critical K16798 When using the SSL forward proxy feature, clients might be presented with expired certificates.
477064-1 2-Critical K17268 TMM may crash in SSL
476683-2 2-Critical   Suspended DNS_RESPONSE events are not resumed
476599-4 2-Critical   TMM may panic when resuming DNS_REQUEST iRule event
475408-1 2-Critical   SSL persistence profile does not find the server certificate.
475231-5 2-Critical   TCP::close in CLIENTSSL_CLIENTCERT iRule event may result in tmm crash
474974-3 2-Critical   Fix ssl_profile nref counter problem.
474388-3 2-Critical K16957 TMM restart, SIGSEGV messages, and core
472585-3 2-Critical   tmrouted crashes after a series configuration changes
470191-2 2-Critical K15760 Virtual with FastL4 with loose initiation and close enabled might result in TMM core
417068-6 2-Critical   Key install or deletion failure on FIPS key names longer than 32 chars on some platforms
517124 3-Major   HTTP::retry incorrectly converts its input
516292-1 3-Major K17023 Incorrect handling of repeated headers
515482 3-Major K93258439 Multiple teardown conditions can cause crash
514604-1 3-Major   Nexthop object can be freed while still referenced by another structure
513243-1 3-Major K17561 Improper processing of crypto error condition might cause memory issues.
512490-3 3-Major   Increased latency during connection setup when using FastL4 profile and connection mirroring.
511517-1 3-Major K17111 Request Logging profile cannot be configured with HTTP transparent profile
511130-3 3-Major   TMM core due to invalid memory access while handling CMP acknowledgement
509416 3-Major   Suspended 'after' commands may result in unexpected behaviors
508716-4 3-Major   DNS cache resolver drops chunked TCP responses
507127-2 3-Major   DNS cache resolver is inserted to a wrong list on creation.
506702-4 3-Major   TSO can cause rare TMM crash.
506290-4 3-Major   MPI redirected traffic should be sent to HSB ring1
505964 3-Major   Invalid http cookie handling can lead to TMM core
505056-5 3-Major   BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.
504633-1 3-Major   DTLS should not update 'expected next sequence number' when the record is bad.
503741-2 3-Major K16662 DTLS session should not be closed when it receives a bad record.
503214-3 3-Major   Under heavy load, hardware crypto queues may become unavailable.
503118-2 3-Major   clientside and serverside command crashes TMM
502959-2 3-Major   Unable to get a response from virtual server after node flapping
502683-3 3-Major   Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on
502149-3 3-Major K06334742 Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'
501690-3 3-Major   TMM crash in RESOLV::lookup for multi-RR TXT record
499950-5 3-Major   In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
499946-3 3-Major K16801 Nitrox might report bad records on highly fragmented SSL records
499478-2 3-Major K16850453 Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate
499280-1 3-Major   Client side or server side SSL handshake may fail if it involves SHA512-signed certificates in TLS1.2
499150-3 3-Major K16721 OneConnect does not reuse existing connections in VIP targeting VIP configuration
498334-2 3-Major K16867 DNS express doesn't send zone notify response
498269-1 3-Major K16856 5200 does not forward STP BPDUs across VLAN groups when in PASSTHRU mode
497584-2 3-Major   The RA bit on DNS response may not be set
496950-1 3-Major   Flows may not be mirrored successfully when static routes and gateways are defined.
496588-1 3-Major   HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash
495574-3 3-Major K16111 DB monitor functionality might cause memory issues
495443-4 3-Major K16621 ECDH negotiation failures logged as critical errors.
495253-1 3-Major K16603 TMM may core in low memory situations during SSL egress handling
494322-6 3-Major   The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used
493673-2 3-Major K12352524 DNS record data may have domain names compressed when using iRules
493140-1 3-Major K16969 Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.
493117-6 3-Major K16986 Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
491518-2 3-Major   SSL persistence can prematurely terminate TCP connection
491454-6 3-Major   SSL negotiation may fail when SPDY profile is enabled
490817-1 3-Major   SSL filter might report codec alerts repeatedly
490480-3 3-Major   UCS load may fail if the UCS contains FIPS keys with names containing dot
490129-1 3-Major K16740 SMTP monitor could not create socket on IPv6 node address
488598-1 3-Major K16631 SMTP monitor on non-default route domain fails to create socket
487757 3-Major   Hybrid higig/front panel port packet discard (Ingress back-pressure v.s. Egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on B4300/B2200/10000/12000-family platforms.
487592 3-Major K65442255 Change in the caching duration of OCSP response when there is an error
487587-2 3-Major   The allowed range of 'status-age' in OCSP Stapling Parameters (for clientSSL OCSP Stapling) might not be wide enough for some of the scenarios
487554-2 3-Major K41581381 System might reuse TCP source ports too quickly on the server side.
486724-3 3-Major K16750 After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails
484305-2 3-Major K16733 Clientside or serverside command with parking command crashes TMM
483539-1 3-Major   With fastL4, incorrect MSS value might be used if SYN has options without MSS specified
483353-1 3-Major   HTTP compression might cause TMM crash in low-memory conditions
481880-5 3-Major   SASPD monitor cores
481216-1 3-Major   Fallback may be attempted incorrectly in an abort after an Early Server Response
480686-7 3-Major K15781 Packet loop in VLAN Group
480443-1 3-Major K17464 Internal misbehavior of the SPDY filter
479682-4 3-Major K16862 TMM generates hundreds of ICMP packets in response to a single packet
479176-1 3-Major K16824 TMM hangs and receives SIGABRT due to race condition during DNS db load
478840-1 3-Major K17014 Cannot delete keys in subfolders using the BIG-IP GUI
478734-5 3-Major   Incorrect 'FIPS import for failed for key' failure when operation actually succeeds
478195-4 3-Major   Installation of FIPS .exp key files sets incorrect public exponent.
477375-5 3-Major   SASP Monitor may core
475791-4 3-Major K16171 HTTP caching configured in a Web Acceleration profile may dispatch internal messages out-of-order, leading to assert
475322-2 3-Major   cur_conns number different in tmstat and snmp output.
474584-2 3-Major K16261 igbvf driver leaks xfrags when partial jumbo frame received
474226-2 3-Major   LB_FAILED may not be triggered if persistence member is down
474002-4 3-Major K15972 Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys
473759-1 3-Major   Unrecognized DNS records can cause mcpd to core during a DNS cache query
472148-7 3-Major   Highly fragmented SSL records can result in bad record errors on Nitrox based systems
471821-1 3-Major   Compression.strategy "SIZE" is not working
471625-8 3-Major   After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
470394-2 3-Major K16242 Priority groups may result in traffic being load balanced to a single pool member.
469705-4 3-Major   TMM might panic when processing SIP messages due to invalid route domain
469115-3 3-Major K75513721 Management client-ssl profile does not support multiple key/cert pair.
468472-7 3-Major   Unexpected ordering of internal events can lead to TMM core.
467868-3 3-Major K15959 Leak due to monitor status reporting
464651-2 3-Major K16636 Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.
464163-3 3-Major K15988 Customized cert-key-chain of a client ssl profile might be reverted to its parent's.
457934-4 3-Major   SSL Persistence Profile Causing High CPU Usage
456763-5 3-Major   L4 forwarding and TSO can cause rare TMM outages
456413-5 3-Major   Persistence record marked expired though related connection is still active
455840-7 3-Major   EM analytic does not build SSL connection with discovered BIG-IP system
449891-7 3-Major   Fallback source persistence entry is not used when primary SSL persistence fails
447272-2 3-Major K17288 Chassis with MCPD audit logging enabled will sync updates to device group state
444710-6 3-Major   Out-of-order TCP packets may be dropped
443006-1 3-Major   In low memory situations initializing the HTTP parser will cause the TMM to crash
438792-5 3-Major   Node flapping may, in rare cases, lead to inconsistent persistence behavior
428163-3 3-Major   Removing a DNS cache from configuration can cause TMM crash
384451-6 3-Major   Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions
503560-2 4-Minor   Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.
498597-5 4-Minor K16761 SSL profile fails to initialize and might cause SSL operation issues
481820-1 4-Minor   Internal misbehavior of the SPDY filter
480888-2 4-Minor K51148522 Tcl parks during HTTP::collect, and serverssl is present, data can be truncated
469739-4 4-Minor K16218 ConfigSync may fail if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile
463696-5 4-Minor   FIPS keys might not be recoverable from UCS
451224-3 4-Minor   IP packets that are fragmented by TMM, the fragments will have their DF bit


Performance Fixes

ID Number Severity Solution Article(s) Description
476144-1 1-Blocking   TMM generates a core file when dynamically loading a shared library.
497619-6 3-Major K16183 TMM performance may be impacted when server node is flapping and persist is used
426939-5 3-Major K15337 APM Policies do not work in VIPRION 4800 chassis if there is no slot1


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
477240-2 2-Critical   iQuery connection resets every 24 hours
499719-1 3-Major   Order Zones statistics would cause database error
475549-3 3-Major   Input handling error in GTM GUI
475092 3-Major   Viewing DNS::Zones:Zones:Zones List:Statistics in the GUI generates error.
468519-1 3-Major   BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.
494305-3 4-Minor K36360597 [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.
491554-2 4-Minor K54162409 [big3d] Possible memory leakage for auto-discovery error events.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
488306-1 1-Blocking   Requests not logged locally on the device
478674-1 1-Blocking K08359230 ASM internal parameters for high availability timeout were not handled correctly
516523-2 2-Critical   Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group
515433-1 2-Critical K16639 BD crash on specific signature sets configuration.
512616-1 2-Critical   BD crash during brute force attack in a cluster environment
508908-1 2-Critical   Enforcer crash
507919-1 2-Critical   Updating ASM through iControl REST does not affect CMI sync state
506372 2-Critical   XML validation files related errors on upgrade
504182-1 2-Critical   Enforcer cores after upgrade upon the first request
503169-1 2-Critical   XML validation files are broken after upgrade
493401-2 2-Critical   Concurrent REST calls on a single endpoint may fail
492978-1 2-Critical   All blades in a cluster remain offline after provisioning ASM or FPS
487420-1 2-Critical   BD crash upon stress on session tracking
486323-1 2-Critical K16817 The datasyncd process may keep restarting during the first 30 minutes following a hotfix installation
481476-5 2-Critical   MySQL performance
517245-2 3-Major   A request that should be blocked was forwarded to the server
517019-1 3-Major   AVR-HTTP (and Application DoS): Detection of pool-member is sometimes incorrect
515449-1 3-Major   bd agent listens on all addresses instead of localhost only
515190-2 3-Major   Event Logs -> Brute Force Attacks can't show details after navigating to another page
514093-1 3-Major   Allow request logs to be filtered by destination IP
513763 3-Major   Slow response from GUI when listing Event Logs
512668-1 3-Major   ASM REST: Unable to Configure Clickjacking Protection via REST
512001-1 3-Major   Using REST API to Update ASM Attack Signatures Fails
512000-1 3-Major   Event Log Filter using Policy Group isn't accurate
511947-1 3-Major K24475274 Policy auto-merge of Policy Diff
511488-1 3-Major   Correlation restarting on a multi-bladed vCMP guest
511477-2 3-Major   Manage ASM security policies from BIG-IQ
510499-2 3-Major K17544 System Crashes after Sync in an ASM-only Device Group.
509968-3 3-Major   BD crash when a specific configuration change happens
509873-1 3-Major K01443011 Rare crash and core dump of TMM or bd after rebooting a device or joining a trust domain.
509495 3-Major   A TMM memory leak when HTTP protocol security enabled profile and no AFM license
508519-4 3-Major   Performance of Policy List screen
508338-1 3-Major   Under rare conditions cookies are enforced as base64 instead of clear text
507905 3-Major   Saving Policy History during UCS load causes db deadlock/timeout
507902-1 3-Major K16697 Failure and restart of mcpd in secondary blade when cluster is part of a trust domain.
507289-3 3-Major   User interface performance of Web Application Security Editor users
506407 3-Major K04420402 Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages
506386-2 3-Major   Automatic ASM sync group remains stuck in init state when configured from tmsh
506355-1 3-Major   Importing an XML file without defined entity sections
506110-1 3-Major K25430927 Log flood within datasyncd.log in clustered environment
505624-1 3-Major   Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration
504973-1 3-Major   Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead
504718-2 3-Major K75221274 Policy auto-merge of Policy Diff
502852-2 3-Major   Deleting an in-use custom policy template
501612-4 3-Major   Spurious Configuration Synchronizations
500544-1 3-Major   XML validation files are not correctly imported/upgraded
498708-1 3-Major   Errors logged in bd.log coming from the ACY module
498189-3 3-Major   ASM Request log does not show log messages.
497769 3-Major   Policy Export: BIG-IP does not export redirect URL for 'Login Response Page'
496565-1 3-Major   Secondary Blades Request a Sync
496264-1 3-Major   SOAP Methods Were Not Being Validated For WSDL Based XML Profiles
490284-3 3-Major K17383 ASM user interface extremely slow to respond (e.g., longer than 2 minutes to render policy list)
489648-1 3-Major   Empty violation details for attack signatures
485764-5 3-Major K17401 WhiteHat vulnerability assessment tool is configured but integration does not work correctly
484079-1 3-Major K90502502 Change to signature list of manual Signature Sets does not take effect.
482915-1 3-Major K17510 Learning suggestion for the maximum headers check violation appears only for blocked requests
475819-4 3-Major K17325 BD crash when trying to report attack signatures


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
508544-1 3-Major   AVR injects CSPM JavaScript when the payload does not contain an HTML <head> tag
504414-1 3-Major   AVR HTTP External log - missing fields
503683 3-Major   Configuration upgrade failure due to change in an ASM predefined report name
503471-1 3-Major K17395 Memory leak can occur when there is a compressed response, and abnormal termination of the connection
500457-1 3-Major   Synchronization problem in AVR lookups that sometimes causes TMM and other daemons, such as the Enforcer, to crash
500034-1 3-Major   [SMTP Configuration] Encrypted password not shown in GUI
497681-1 3-Major   Tuning of Application DoS URL qualification criteria
497376-1 3-Major   Wrong use of custom XFF headers when there are multiple matches
488713-1 3-Major   Corrupt memory


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
497662-3 1-Blocking   BIG-IP DoS via buffer overflow in rrdstats
517146-1 2-Critical   Log ID 01490538 may be truncated
516075-6 2-Critical   Linux command line client fails with on-demand cert
513795-1 2-Critical   HTML5 client is not available on APM Full Webtop when using VMware Horizon 6.1
507782-1 2-Critical   TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
506235-2 2-Critical   TMM Crash
497436-4 2-Critical   Mac Edge Client behaves erratically while establishing network access connection
496894-1 2-Critical   TMM may restart when accessing SAML resource under certain conditions.
495901-3 2-Critical   Tunnel Server crash if probed on loopback listener.
493360-1 2-Critical   Fixed possible issue causing Edge Client to crash during reconnect
489328-9 2-Critical   Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.
473092-1 2-Critical   Transparent Proxy + On-Demand Cert Auth will reset
431980-1 2-Critical K17310 SWG Reports: Overview and Reports do not show correct data.
514636-1 3-Major K17137 SWG Category Lookup using Subject.CN results in a crash if the certificate presented does not have a Subject.CN.
514277-1 3-Major   Provide a way to enable connection bar for Citrix desktops only
513646-1 3-Major K37170914 APM(ACCESS)/SWG filter might process SessionDB replies after flow has been aborted resulting in orphaned timer
512999-1 3-Major K17432 LDAP Query may fail if user belongs to a group from foreign domain
512378-1 3-Major   Changing per request policy in the middle of data traffic can cause TMM to crash
511961-1 3-Major   BIG-IP Edge Client does not display logon page for FirePass
511648-2 3-Major K16959 On standby TMM can core when active system sends leasepool HA commands to standby device
511441-3 3-Major K17564 Memory leak on request Cookie header longer than 1024 bytes
509956-4 3-Major   Improved handling of cookie values inside SWG blocked page.
509758-2 3-Major   EdgeClient shows incorrect warning message about session expiration
509010 3-Major   Adding/Deleting a local user takes 30 seconds to complete
508719-1 3-Major K22391125 APM logon page missing title
508630-4 3-Major   The APM client does not clean up DNS search suffixes correctly in some cases
507899 3-Major   Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value
507318-3 3-Major   JS error when sending message from DWA new message form using Chrome
507116-1 3-Major K17030 Web-application issues and/or unexpected exceptions.
506349-4 3-Major   BIG-IP Edge Client for Mac identified as browser by APM in some cases
505797-1 3-Major   Citrix Receiver for Android fails to authenticate with APM configured as StoreFront proxy and Access Gateway
505755-3 3-Major K11043155 Some scripts on dynamically loaded html page could be not executed.
504880-2 3-Major   TMM may crash when RDP client connects to APM configured as Remote Desktop Gateway
504606-3 3-Major   Session check interval now has minimum value
503319-4 3-Major K16901 After network access is established browser sometimes receives truncated proxy.pac file
502441-5 3-Major   Network Access connection might reset for large proxy.pac files.
502016-4 3-Major   MAC client components do not log version numbers in log file.
501498-1 3-Major   APM CTU doesn't pick up logs for Machine Certificate Service
499620-6 3-Major   BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
499427-1 3-Major   Windows File Check does not work if the filename starts with an ampersand
498993-1 3-Major K16972 It is possible to get an infinite loop in LDAP Query while resolving nested groups
498782-2 3-Major K17104 Config snapshots are deleted when failover happens
498469-5 3-Major   Mac Edge Client fails intermittently with machine certificate inspection
497455-1 3-Major   MAC Edge client crashed during routine Network Access.
497325-1 3-Major K16643 New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment
496817-1 3-Major   BIG-IP Edge Client for Windows fails to connect to FirePass server if tunnel is established through a proxy
495702-4 3-Major K40419383 Mac Edge Client cannot be downloaded sometimes from management UI
495319-3 3-Major   Connecting to FP with APM edge client is causing corporate network to be inaccessible
495265-1 3-Major   SAML IdP and SP configured in same access profile not supported
494176-5 3-Major   Network access to FP does not work on Yosemite using APM Mac Edge Client.
494088-4 3-Major   APD or APMD should not assert when they can instead log an error message before exiting.
490844-4 3-Major K50522620 Some controls on a web page might stop working.
490681-1 3-Major K17470 Memcache entry for dynamic user leaks
490675-1 3-Major K16855 User name with leading or trailing spaces creates problems.
489382-7 3-Major   Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
487170-1 3-Major   Enhanced support for proxy servers that resolve to multiple IP addresses
486597-1 3-Major   Fixed Network Access renegotiation procedure
486268-1 3-Major   APM logon page missing title
485355-3 3-Major   Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)
484582-2 3-Major   APM Portal Access is inaccessible.
483526-1 3-Major   Rarely seen Edge Client for Mac crash on session disconnect
482269-1 3-Major   APM support for Windows 10 out-of-the-box detection
480817-3 3-Major   Added options to troubleshoot client by disabling specific features
480242-5 3-Major   APD, APMD, MCPD communication error failure now reported with error code
477898-1 3-Major   Some strings on BIG-IP APM EDGE Client User Interface were not localized
477795-1 3-Major   SSL profile passphrase may be displayed in clear text on the Dashboard
476038-1 3-Major   Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
475505-6 3-Major   Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
474698-2 3-Major   BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
474582-3 3-Major   Add timestamps to logstatd logs for Policy Sync
473697-6 3-Major   HD Encryption check should provide an option to choose drive
473129-5 3-Major K15943 httpd_apm access_log remains empty after log rotation
471421-5 3-Major K16270 Ram cache evictions spikes with change of access policy leading to slow webtop rendering
471331-2 3-Major   APM::RBA reset due to a leaked HUDEVT_REQUEST_DONE
460715-5 3-Major   Changes in captive portal probe URL
452464-4 3-Major K28271912 iClient does not handle multiple messages in one payload.
452416-1 3-Major   tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
437744-4 3-Major K15186 SAML SP service metadata exported from APM may fail to import.
437743-6 3-Major   Import of Access Profile config that contains ssl-cert is failing
436201-6 3-Major   JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
433972-13 3-Major   New Event dialog widget is shifted to the left and Description field does not have action widget
433847-1 3-Major   APD crashes with a segmentation fault.
432900-9 3-Major   APM configurations can fail to load on newly-installed systems
431149-6 3-Major K17217 APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
416115-14 3-Major   Edge client continues to use the old IP address even when the server IP address has changed
410089-2 3-Major   Linux client hangs after receiving the application data
403991-8 3-Major   Proxy.pac file larger than 32 KB is not supported
510596-6 4-Minor   Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
505662-1 4-Minor   Signed SAML IdP/SP exported metadata contains some elements in wrong order
504461-2 4-Minor   Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.
485202-1 4-Minor   LDAP agent does not escape '=' character in LDAP DN
482134-1 4-Minor   APD and APMD cores during shutdown.
471452-2 4-Minor   Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
465012-4 4-Minor   Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
464992-7 4-Minor   Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
461597-11 4-Minor   Mac Edge Client doesn't follow HTTP 302 redirect if the new site has an untrusted self-signed certificate
460427-2 4-Minor   Address collision reported when the Primary blade goes down or its TMM crashes in a Chassis IntraCluster environment.
456911-3 4-Minor   Add BIG-IP hostname to system's static DNS host entries
493385-6 5-Cosmetic   BIG-IP Edge Client uses generic icon set even if F5 icon set is configured


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
514838-1 1-Blocking   TMM Crash on Relative URL
514785-2 1-Blocking   TMM crash when processing AAM-optimized video URLs
486346-3 2-Critical   Prevent wamd shutdown cores
447254-1 2-Critical   Core in parked transaction due to evicted stand-in document
511534-1 3-Major K44288136 A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.
481431-1 3-Major   AAM concatenation set memory leak on configuration change
467633-5 3-Major   WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)
488917-2 4-Minor   Potentially confusing wamd shutdown error messages


Service Provider Fixes

ID Number Severity Solution Article(s) Description
486356-1 2-Critical K16807 Unable to configure a virtual server with Stats profile and SIP profile in 11.6.0
482436-1 2-Critical K16973 BIG-IP processing of invalid SIP request may result in high CPU utilization
478442-5 2-Critical   Core in sip filter due to sending of HUDEVT message while processing of HUDCTL message
477318-1 2-Critical   Fixes possible segfault
466761-4 2-Critical   Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
455006-7 2-Critical K50532341 Invalid data is merged with next valid SIP message causing SIP connection failures
512054-1 3-Major K17135 CGNAT SIP ALG - RTP connection not created after INVITE
511326-2 3-Major K24410405 SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
507143-1 3-Major K17071 Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion
503676-4 3-Major   SIP REFER, INFO, and UPDATE requests do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
500365-3 3-Major   TMM Core as SIP hudnode leaks
499701-1 3-Major   SIP Filter drops UDP flow when ingressq len limit is reached.
472376-3 3-Major K17190 A SIP virtual server may crash while trying to send a message if the connection is in the process of shutting down
448493-10 3-Major   SIP response from the server to the client gets dropped


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
515562-1 2-Critical K16813 Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.
513403-1 2-Critical K16490 TMM asserts when certain ICMP packets (e.g., multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules, and log-translations is also enabled in the AFM Logging configuration.
512609 2-Critical   Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses
503541-2 2-Critical   Use 64-bit instead of 10-bit hashing for the Rate Tracker library.
501480-3 2-Critical   AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
500925-3 2-Critical   Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
515187-2 3-Major   Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
513565-1 3-Major   AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.
511406-1 3-Major K16421 Pagination issue on firewall policy rules page
503085-3 3-Major   Make the RateTracker threshold a constant
502414-2 3-Major   Make the RateTracker tier3 initialization number less variable.
501986-3 3-Major   Add a sys db tunable to make Sweep and Flood vectors be rate-limited per-TMM process
496278-2 3-Major K16294 Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name
500449 4-Minor   "Any IPv4 or IPv6" choice in sweep attack has atypical definition
497311 4-Minor   Can't add an ICMPv6 type and code to a FW rule.


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
519407-1 2-Critical   PEM session lookup by subscriber ID in TMSH fails if same IP is being used to create session with different subscriber ID
518967-1 2-Critical K45215234 Possible error when parsing for certain URL categorization input.
508051-1 2-Critical K53394418 DHCP response may return to wrong DHCP client.
506734 2-Critical   Cloud lookup stress condition
506283 2-Critical   100% TPS drop when webroot cloud lookup is enabled under stress condition
505529 2-Critical   wr_urldbd restarts continuously on VIPRION chassis with webroot lookup enabled.
505069 2-Critical   Webroot cloud lookup granularity
503381-2 2-Critical   SSL persistence may cause connection resets
500219-1 2-Critical   TMM core if identical RADIUS start messages are received
496976-2 2-Critical   Crash when receiving RADIUS message to update PEM static subscriber.
484278-4 2-Critical K16734 BIG-IP crash when processing packet and running iRule at the same time
480544-1 2-Critical   Secondary IP flows are not forwarded in multiple IP session
473680-1 2-Critical K17559 Multiple DHCP solicit packets may not succeed.
515638 3-Major   5% drop in Webroot cloud lookup performance with mixed upper/lowercase URLs
512734 3-Major   Socket error when Webroot cloud lookup is enabled under stress condition
511064-1 3-Major K17108 Repeated install/uninstall of policy with usage monitoring stops after second time
510811-1 3-Major   PEM::info iRule does not take effect if used right after PEM::session config policy iRule
510721-1 3-Major   PEM::enable / PEM::disable iRule errors out with an error message
509105-1 3-Major K74503799 TMM cores sometimes if provisioning hold time is set to non-zero.
507753 3-Major   URL categorization missed if HTTP1.0 header does not have HOST
507549-1 3-Major   PEM may ignore a RAR if the target session is in the Provision-Pending state
506578 3-Major   Webroot cloud lookup does not yield a category.
505986 3-Major   Extra Webroot cloud lookup requests when cache is full
504028-1 3-Major   Generate CCR-T first and then CCR-I if session being replaced
495913-2 3-Major   TMM core with CCA-I policy received with uninstall
488166-1 3-Major   Provide an option to delete the session when the IP address limit is reached while a new IP is being added, and create a new session instead.
467106-1 3-Major   Loading a UCS file after installing 11.6.0 on top of 11.5.0 failed when Gx reporting is enabled.
512663 4-Minor   Added urlcatblindquery iRule command
489767 4-Minor   Webroot cloud lookup support
478399-2 4-Minor   PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-awre" profile is configured.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
519723 2-Critical   dnatutil utility needs update because DAG changed.
494280-3 2-Critical K16256 TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel
493807-5 2-Critical K15989 TMM might crash when using PPTP with profile logging enabled
482202-1 3-Major   Very long FTP command may be ignored.


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
487553 3-Major   FPS alerts


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
461949 2-Critical K16431 Virtual server with Portal Access and DOS profile resets connection


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
513215 2-Critical   Only one of the TMMs loads the classification library after an IM package upgrade
508660-1 2-Critical   Intermittent TMM crash in classification library
484483-2 2-Critical   TCP and UDP were classified as Unknown by classification library



Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
503237-8 CVE-2015-0235 K16057 CVE-2015-0235: glibc vulnerability known as Ghost
496849-1 CVE-2014-9326 K16090 F5 website update retrievals vulnerability
494078-4 CVE-2014-9326 K16090 Update Check feature can be the target of a man-in-the-middle attack
492368-5 CVE-2014-8602 K15931 Unbound vulnerability CVE-2014-8602
492367-4 CVE-2014-8500 K15927 BIND vulnerability CVE-2014-8500
489323-1 CVE-2015-8098 K43552605 Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.
477274-8 CVE-2014-6031 K16196 Buffer Overflow in MCPQ
500088-1 CVE-2014-3571 K16123 OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update
497719-1 CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 K15934 NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296
496845-1 CVE-2014-9342 K15933 NTP vulnerability CVE-2014-9296
482710-4 CVE-2014-3566 K15702 SSLv3 protocol disabled in APM clients
474757-15 CVE-2014-3508 CVE-2014-5139 CVE-2014-3509 CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512 K15573 OpenSSL DTLS vulnerabilities CVE-2014-3505, CVE-2014-3506, and CVE-2014-3507, OpenSSL vulnerability CVE-2014-3508, OpenSSL vulnerability CVE-2014-3510, TLS vulnerability CVE-2014-3511.
485812-2 CVE-2014-3660 K15872 libxml2 vulnerability CVE-2014-3660
471014-14 CVE-2014-2970 CVE-2014-5139 K15567 OpenSSL vulnerability CVE-2014-5139


Functional Change Fixes

ID Number Severity Solution Article(s) Description
480583-1 2-Critical   Support SIP/DNS DoS only for UDP packets; SIP DoS does not drop packets but counts drops
477524 3-Major   Enable ssh for admin account and disable ssh for root account for Amazon deployments


TMOS Fixes

ID Number Severity Solution Article(s) Description
493275-3 1-Blocking   Restoring UCS file breaks auto-sync requiring forced sync.
483436-1 1-Blocking   No support in license files for 'hourly billing'.
482943-1 1-Blocking   Cannot upgrade because of lack of root/admin access.
476126-1 1-Blocking K16683 Adding SR-IOV and VLAN tagging in the F5 VE with Emulex NIC
475829-1 1-Blocking   AWS - VE is locked out after live install on 2nd slot.
499880 2-Critical   boot menu titles might not contain volume suffix
487567-4 2-Critical   Addition of a DoS Profile Along with a Required Profile May Fail
486137-3 2-Critical   License activation may not proceed if MCPD is not fully operational
484399-2 2-Critical K16048 Virtual Edition second installation slot and VMWare
478896 2-Critical   Hourly Billing AMIs for 11.6.0 contain internal instead of production license
477031-2 2-Critical   Deleting multiple VXLAN tunnels with flooding type multipoint can cause TMM restart
473641-1 2-Critical   Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak
497870-1 3-Major   PEM configured with BWC doing pem policy changes could trigger leak
497062-1 3-Major K16964 PEM configured with BWC doing PEM policy changes could trigger leak
492809-4 3-Major K16166 Small but continuous mcpd memory leak associated with statistics.
485352-1 3-Major   TMM dumps core file when loading configuration or starting up
483228-3 3-Major   The icrd_child process generates core when terminating
479359-1 3-Major   Loading a UCS file with no-platform-check stalls at platform check
479302-3 3-Major K16641 Error message in ltm log: bcm56xxd: reading L2 entry Operation failed bs_arl.cpp.
479152-5 3-Major K15888 Hardware parity error mitigation on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
474332-3 3-Major   No 'base-installable' images (release plus hotfix) for VM
474172 3-Major   BIG-IQ at times cannot discover BIG-IP running TMOS 11.6.0 - 11.6.0 HF3, failure reason: Failed getting time zone.
474166-4 3-Major   ConfigSync operation failing with rarely occurring sFlow error
473409-1 3-Major   Route domain stats cannot be reset by using F5-BIGIP-LOCAL-MIB::ltmRouteDomainStatResetStats
468514-4 3-Major K16000 Receiving several ConfigSync requests in a short period of time may cause the mcpd process to restart and produce a core file
468021-3 3-Major   UCS file from earlier version may not load into 11.5.0 or later image
481135-1 4-Minor K15818 The pool members of a wide IP in Link Controller cannot be modified once created
441512-4 4-Minor K15840 ConfigSync failing with sFlow error


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
490225-3 2-Critical K16030 Duplicate DNSSEC keys can cause failed upgrade.
484948-1 2-Critical K16732 UDP connflow may be aborted from a parked iRule in server_closed.
478812-2 2-Critical   DNSX Zone Transfer functionality preserved after power loss
502174-4 3-Major   DTLS fragments do not work for ClientHello message.
484429-4 3-Major   After updating a key/certificate in place and synchronizing the configuration, TMM may log critical-level messages that it could not load a key, certificate, or chain.
483974-2 3-Major   Unrecognized EDNS0 option may be considered malformed.
483328-4 3-Major K15851 Client SSL profiles might fail to complete handshake, system logs critical-level error '01260000:2: Profile name-of-profile: could not load key/certificate'
477924-1 3-Major   System can crash referencing compression provider where selection of provider has been deferred
477394-1 3-Major   LTM might reset and cause out-of-ports
476281 3-Major K16681 tmm crash on uninitialized variable
475055-3 3-Major   Core caused by incorrect accounting of I/O flows
472944-3 3-Major   SMTPS race condition after STARTTLS may cause incorrect SMTP responses
463902-3 3-Major   Hardware Compression in CaveCreek may cause excessive memory consumption.
437627-5 3-Major   TMM may crash if a FastL4 virtual server receives a fragmented packet
492780-1 4-Minor K37345003 Elliptic Curves Extension in ServerHello might cause failed SSL connection.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
482442-5 4-Minor   [GTM] [GUI] Changes to a single wideip Propagates to All WIPs


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
504232-1 2-Critical   Attack signatures are not blocked after signature/set change
489705-2 2-Critical K16245 Running out of memory while parsing large XML SOAP requests
478876-2 2-Critical   BIG-IP with many active ASM accounts after a restart
478672-1 2-Critical   Enforcer memory leak
477432-6 2-Critical   Roll forward from 11.3.0 with iApp configured fails to load correctly and causes bd to core
475856-1 2-Critical   BD may crash when enabling Base64 Decoding on Wildcard cookie
496011-1 3-Major K17385 Resets when session awareness enabled
492570-1 3-Major   JavaScript error during CSRF protection
481792-1 3-Major K84202340 BD may crash within HTTP payload parser.
476191-1 3-Major   Bypass unicode validation on XML and JSON profiles by internal parameter
476179-1 3-Major   Brute Force end attack operation mode reported as blocking while it was actually in transparent mode
475861-1 3-Major   Session Awareness: Requests are reset
475135-1 3-Major   BIG-IP goes offline after time change
474896-1 3-Major K10035412 Remote logs without attack ID and mitigation fields
474430-1 3-Major   Rare issue: client session might not be restored by fingerprint in the Web Scraping mitigation.
473410-1 3-Major   Policy Diff on merging missing URLs
470779-1 3-Major   The Enforcer should exclude session awareness violations when counting illegal requests.
469786-1 3-Major K04393808 Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule
467776-1 3-Major   Fix in the Guardium to ASM protocol
450241-3 3-Major K21100172 iControl error when discover ASM from EM
441239-1 3-Major   Event Correlation is not enabled on vCMP guests if the disk is SSD.
438809-6 3-Major K17098 Brute Force Login


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
499299-1 2-Critical   Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash
480350-1 2-Critical K15251065 AVR and APM: TMM crashes
476336 2-Critical   TMM and other daemons, such as the Enforcer, crash
475439-1 2-Critical K16434 Synchronization problem in AVR lookups sometimes causes TMM and other daemons, such as the Enforcer, to crash
474251-1 2-Critical   IP addresses are not properly cleaned from lookup tables, so there might be no room for new IP addresses to be collected.
472969-1 2-Critical   If you try to create more than 264 AVR profiles, avrd might crash.
499036 3-Major   Rare cases of errors when loading data into mysql
496560-1 3-Major   AVR and APM: TMM crashes (additional fixes for ID 480350)
493825-1 3-Major K17520 Upgrade failure from version 11.4.0 due to incorrect configuration being saved
489682-1 3-Major K40339022 Configuration upgrade failure due to change in an ASM predefined report name
481541-1 3-Major   Memory leak in monpd when LTM and AVR or ASM are provisioned
478346-1 3-Major   Some AVR statistics not collected properly
472607 3-Major   VCMP: Warning messages in AVR log
467945-3 3-Major   Error messages in AVR monpd log


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
488986-2 1-Blocking K16582 Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.
504060 2-Critical   iOS and Mac receivers cannot create account on Citrix StoreFront in proxy mode
494098-6 2-Critical K16857 PAC file download mechanism race condition
485906 2-Critical   TMM may core when an APM virtual server has a OneConnect profile attached to the virtual server
485465-3 2-Critical K16775 TMM might restart under certain conditions when executing SLO.
484454-3 2-Critical K16669 Users not able to log on after failover
482833 2-Critical   apd crash for missing db variable
479524-5 2-Critical K16823 If a "refresh" response header should not be rewritten, it can crash the rewrite plugin or be improperly rewritten
477540-1 2-Critical K16851 'ACCESS::policy evaluate' iRule command causes crash of apmd daemon
476736-2 2-Critical   APM IPv6 Network Access connection may fail in some cases
475049-1 2-Critical   Missing validation of disallowing empty DC configuration list
474532-5 2-Critical K16357 TMM may restart when SLO response is received on SLO request URL (.../post/sls)
474392-1 2-Critical   OS X 10.10 Yosemite support
474058-5 2-Critical K16689 When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
471874-1 2-Critical K16850 VDI plugin crashes when trying to respond to client after client has disconnected
469960-1 2-Critical K16333 Managing apd connection from tmm
458928-5 2-Critical   APMD cores in Kerberos authentication when the agent tries to dereference a null authparam session variable.
455284-4 2-Critical K15907 Monitor traffic rejected with ICMP message, causing node down
496449-1 3-Major   APM does not support using session variables for the destination address in Citrix and VMware View remote desktop resources.
496447-1 3-Major   APM does not apply route domain configured in visual policy editor to Citrix/VMware View connections when their backends are specified as hostname/IP address.
496441-1 3-Major   APM does not apply route domain configured in visual policy editor to Java AppTunnel connections.
496440-1 3-Major   APM does not apply route domain configured in visual policy editor to Java RDP connections.
494284-3 3-Major K16624 Mac Edge Client with a primary language of German shows unneeded text under the disconnected status.
494189-1 3-Major   Poor performance in clipboard channel when copying
493487-3 3-Major K45558362 Function::call() and Function::apply() wrapping does not work as expected
493164-3 3-Major K62553244 flash.net.NetConnection::connect() has an erroneous security check
492238-6 3-Major K16848 When logging out of Office 365 TMM may restart
492153-2 3-Major K17055 Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.
491887-1 3-Major K16645 Changing the ending of a macro in Access Policy crashes TMM.
491478-1 3-Major   EAM is a CMP plugin and spins up one thread per TMM.
491233-1 3-Major K16105 Rare deadlock in CustomDialer component
490811-5 3-Major   Proxy configuration might not be restored correctly in some rare cases
490482-1 3-Major K16638 Applying Access Policy with an unused macro crashes TMM.
488892-3 3-Major   JavaRDP client disconnects
487859-1 3-Major K42022001 Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.
485948-5 3-Major K17418 Machine Info Agent should have a fallback branch
485396 3-Major   Online help about persistent cookies does not specify supported use
484847-2 3-Major   DTLS cannot be disabled on Edge Client for troubleshooting purposes
484298-2 3-Major K16605 The aced process may restart in a loop
483601 3-Major K16895 APM sends a logout Bookmarked Access whitelist URL when session is expired.
483379-1 3-Major   High CPU consumption and unresponsive interface of the menubar icon after 20-30 minutes
482260-4 3-Major   Location of Captive portal configuration registry entry in 64 bit windows is incorrect
482046-1 3-Major   Old password is not verified during password change from View client.
481257-5 3-Major   Information on "OPSWAT Integration Libraries V3" is missing from CTU report
481210-1 3-Major K16426 Active Directory Query doesn't populate all values of multi-value attributes
481203-5 3-Major   User name case sensitivity issue
481046-5 3-Major K17497 F5_Inflate_text(o, incr, v) wrapper needs to be fixed for the case when o is a script tag
481020-1 3-Major K17487 Traffic does not flow through VPN tunnel in environments where the proxy server is load balanced
480995-1 3-Major   APM client components are not using extended logging by default.
480247-5 3-Major   Modifying edge client application folder causes gatekeeper to throw warning
480047-1 3-Major   BIG-IP Edge Client for Windows does not enable you to generate a client troubleshooting report from the user interface.
479451-1 3-Major K16737 Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
478491 3-Major   Microsoft RDP client for iOS doesn't work against F5 APM for versions >= 8.1.0
478333 3-Major   Edge Client shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions
478285-2 3-Major   [MAC][NA] Routing table is not restored correctly in multi-homed environment if server settings disallow local subnet access
478214-1 3-Major   APM Native RDP Proxy does not allow users to authenticate without specifying a domain name.
478115-5 3-Major   The action attribute value of a form HTML tag is not properly rewritten in the Minimal Content Rewriting mode when it starts with "/"
477841-1 3-Major   Safari 8 does not use Network Access proxy.
477642-5 3-Major   Portal Access rewriting leads to page reload in Firefox
477474-3 3-Major K03431040 Wrong HTML rewriting at client side for very special case
477445-1 3-Major K16752 APM client improved to support 2 interfaces connected to the same network segment
476133-1 3-Major   In APM OAM authentication, ObSSOCookie _lastUseTime was not updated.
476033-1 3-Major   APM does not support Microsoft Remote Desktop 8.0.8 client for iOS to work using APM as RD Gateway.
476032-1 3-Major   BIG-IP Edge Client may hang for sometime when disconnecting from Firepass server
475770-1 3-Major   Fixed routing table management for cases when 2 or more interfaces are used
475682-6 3-Major   APM OAM should be sending a single Cookie header with the cookies delimited by semi-colon.
475650-5 3-Major K16271 The TMM may restart when processing single logout (SLO) messages.
475363-6 3-Major   NTLM handling might not work as expected with an empty or invalid configuration, or when an exception occurs.
475360-6 3-Major   Edge client remembers specific virtual server URI after it is redirected
475262-1 3-Major   In some cases Edge Client for Windows does not re-resolve server hostname while reconnecting
475163-5 3-Major   Submitting an HTML form that does not have an action attribute results in a 404 error and 'null' in the request URL.
475148-1 3-Major   Microsoft RDP Client for Mac OS X ver. 8.0.9 does not work correctly with BIG-IP APM.
475143 3-Major   CATEGORY::filetype command may cause tmm to crash and restart
474730-5 3-Major   Incorrect handling of form if it contains a tag with id=action
474231-5 3-Major   RAM cache evictions spikes with change of access policy which may lead to slow webtop rendering
473728-3 3-Major K16899 Incorrect HTML form handling.
473386-4 3-Major K17540 Improved Machine Certificate Checker matching criteria for FQDN case
473344-6 3-Major   Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
472825-2 3-Major K52892802 The Dashboard charts may dip when a blade is rebooted.
471825-3 3-Major K16637 Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322.
471772-1 3-Major   APM does not support VMware View application remoting.
471714-1 3-Major K16637 Certain SMTP servers (Windows) do not receive complete email due to missing CRLF header terminator in Emails generated by APM Email agent.
471125 3-Major   Fixed issue causing EdgeClient to work improperly behind environment with CaptivePortal.
470414-4 3-Major   Portal Access rewrite daemon may crash while processing some Flash files
470225-4 3-Major K15951 Machine Certificate checker now correctly works in Internet Explorer 11
470205-2 3-Major   /config/.../policy_sync_d Directory Is 100% Full
469100-5 3-Major K17145 JavaScript index expressions with a comma are not properly rewritten
468478-5 3-Major K16659 APM Portal Access becomes unresponsive.
467849-6 3-Major   In some cases user cannot go to external sites through proxy when vpn is connected
466877-6 3-Major K16774 When BIG-IP is used as SAML SP, signatures created by IBM Tivoli Federated Identity Manager may fail validation
466325-6 3-Major K16692 Continuous policy checks on windows might fail incorrectly in some cases
463776-2 3-Major K17142 VMware View client freezes when APM PCoIP is used and user authentication fails against VCS 5.3
463230-1 3-Major   Aced service does not recover if child process dies.
462727-1 3-Major K16436 TMM crash when processing ACCESS::session iRule without an attached Access Policy
456403-2 3-Major   Citrix Storefront native protocol
454493-1 3-Major K16566 VMWare View applications are not available on BIG-IP APM webtops
447013-4 3-Major K15890619 The Citrix Client Detection process may incorrectly prompt for the installation of client software.
441355-1 3-Major   Enable change password within vmview client when password doesn't meet the AD policy requirements
439518-3 3-Major K16254 Portal access resource item modifications are not synced
438730-5 3-Major K16666 DNS Filtering driver causes crash/BSOD
432102-6 3-Major   HTML reserved characters not supported as part of SAML RelayState
431810-5 3-Major K16315 APMD process core due to missing exception handling in execute agents
428387-2 3-Major   SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')
418850-1 3-Major   Do not restrict AD to be the last auth agent for View Client
407350-4 3-Major   Client side checks on Windows Phone 8
400726-4 3-Major   No support for multi-valued attributes inside SAML assertion.
398657-8 3-Major   Active Session Count graph underflow
503924-1 4-Minor   Citrix receivers cannot authenticate
492844-1 4-Minor   Office365 generated SAML SLO message causes browser connection to be reset.
489888-1 4-Minor   Configuring VDI profile when APM is not provisioned, but does not.
489364-1 4-Minor   Now web VPN client correctly minimizes IE window to tray
485760-1 4-Minor   Tag <NameIDFormat> in SAML metadata may contain wrong attributes
480827-1 4-Minor   Logging might show unnecessary messages when Citrix Receiver connects to Storefront: err tmm[20105]: 01490563:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND).
480360-5 4-Minor   Edge Client for Mac blocks textexpander application's functionality
478397-1 4-Minor   Memory leak in BIG-IP APM Edge Client Windows API.
477138-1 4-Minor   Only one of several VMware View Desktop/Application pools with the same display name can be launched from APM Webtop
473377-5 4-Minor   BIG-IP as IdP may reject AuthnRequest with specific NameID format
472216-2 4-Minor   Duration counter for customized Edge Client
466797-6 4-Minor   Added warning message when maximum session timeout is reached
464547-1 4-Minor   Show proper error message when VMware View client sends invalid credentials to APM
450033-5 4-Minor   Sometimes VMware View client 2.3 for Windows can't launch desktops via APM
447302-3 4-Minor   APM incorrectly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.
432423-5 4-Minor   Need proactive alerts for APM license usage
421901-2 4-Minor   The 'Restore down' button can be hidden for full-screen RDP resources.
503673-1 5-Cosmetic   APM sets MRHSession cookie on /cgi/login request from Citrix Receivers
486344-2 5-Cosmetic   French translation does not properly fit buttons in BIG-IP Edge client on Windows
484856-1 5-Cosmetic   Citrix remote desktop visible even if the user cannot access it


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
479889-5 1-Blocking   Memory leaks when iSession and iControl are configured
480305-1 4-Minor   tmm log flood: isession_handle_evt: bad transition:7


Service Provider Fixes

ID Number Severity Solution Article(s) Description
476886-3 3-Major K15727 When ICAP cuts off request payload, OneConnect does not drop the connection
472092-3 3-Major   ICAP loses payload at start of request in response to long execution time of iRule


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
496036 1-Blocking K16640 GUI throws an error in some situations when an ASM policy is assigned to virtual server
484245-1 1-Blocking   Delete firewall rule in GUI changes port settings in other rules to 'any'
498227-2 2-Critical   Incorrect AFM firewall rule counter update after pktclass-daemon restarts.
497342 2-Critical   TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.
480903-1 2-Critical   AFM DoS ICMP sweep mitigation performance impact
478644 2-Critical   dwbld race with mcpd causes core.
477769-1 2-Critical   TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules.
469512-2 2-Critical   TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies.
500640-1 3-Major K21264026 TMM core might occur if FLOW_INIT iRule attached to Virtual server
497732-2 3-Major   Enabling specific logging may trigger other unrelated events to be logged.
497667-2 3-Major   Configuring the ICMPv4/ICMPv6 ip-protocol in management port ACL rules generates an error
497263-1 3-Major   Global whitelist count exhausted prematurely
496498-3 3-Major   Firewall rule compilation fails in certain scenarios when there are multiple scheduled AFM rules and one of the non-scheduled AFM rules is modified.
495928-5 3-Major   APM RDP connection gets dropped on AFM firewall policy change
495698-3 3-Major   iRule can be deleted even though it exists in a rule-list
493234-1 3-Major   Device version in AFM log message could be empty
485787-1 3-Major   Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context
485771-1 3-Major   TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort.
480826 3-Major   IPs can be added for infinite duration
478816 3-Major   FastL4 TCP connection transitions are not logged
477576-1 3-Major   Valid iRule command FLOWTABLE::limit gets rejected when virtual server or route domain name is not specified
442535-5 3-Major K16227 Time zone changes do not apply to log timestamps without tmm restart
429885-6 3-Major K17576 Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics)
498785 4-Minor   Black List Classes/Black List Categories terminology inconsistency
481189-2 4-Minor   Change the default value of pccd.hash.load.factor to 25
480623 4-Minor   Category defaulted to whitelist when a valid category was not specified
480196 4-Minor   Packets not counted in tmctl ip_intelligence_stat on accept-decisively ACL match
478631 4-Minor   No validation for Shun TTL lengths


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
489754-1 2-Critical K17408 Flow based reporting attribute mismatch between TMUI and TCL
483798-1 2-Critical   TMM crashes if iRule PSC::ip_address is used after RADIUS Authentication of DHCP discovery.
481373-1 2-Critical   TMM might core when deleting an entry for a user in a Radius AAA cache
472860-3 2-Critical   RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
484095-1 3-Major   RADIUS accounting message with multiple IPv6 prefix causes TMM crash
482137-1 3-Major   Adding TCP iRules to PEM space
479917-1 3-Major   TMM crashes if new IP address is added to a session through radius interim update message.
476705-1 3-Major   TMM can crash if receiving radius start or stop messages with multiple IP but no subscriber ID.
474638-1 3-Major   PEM: Session policy list may be lost if there is a RADIUS update of custom attributes
453959-3 3-Major   UDP profile improvement for flexible TTL handling
481950-1 4-Minor   DHCP: Need an upgrade script for DHCPRELAY virtuals for BIG-IP version 11.5 and 11.4
476904-2 4-Minor   App type 0 session Update Failed on PEMDB: ERR_INPROGRESS


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
484020 2-Critical   If Identify as Username is enabled for a parameter, the Encrypt checkbox is not grayed out.
492549 3-Major   FPS injection only into success responses
489933 3-Major   Generic malware false positives
486001 3-Major   Application Layer encryption not working on password field in certain situations
485253 3-Major   Enable directory protection
482034 3-Major   Browser displays error in console in Firefox 3.6.22
474469 3-Major   Identical source integrity alerts are present.
473771 3-Major   No URL path in the Browser Automation alert
491168 4-Minor   Encrypt checkbox should be greyed out for a new parameter when Application Layer Encryption is disabled under URL Configuration.
478859 4-Minor   Username displayed with trailing "&" sign


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
487512-1 2-Critical   Enable BitTorrent classification in Qosmos by default
479450 2-Critical K16766 SSL traffic is not forwarded to destination



Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
484635-1 CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568 K15722 OpenSSL DTLS SRTP memory leak CVE-2014-3513, and OpenSSL vulnerabilities CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568.
451218-2 CVE-2014-8730 K15882 TLS1.x padding vulnerability CVE-2014-8730.


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
478791-1 1-Blocking   Hardware compression test fails on 5000 series, 7000 series, 10000 series platforms


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
488208-1 2-Critical   openssl v1.0.1j.
485188-1 3-Major   Support for TLS_FALLBACK_SCSV


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
487808-3 3-Major   End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
476475 1-Blocking   SSL accelerator card does not function on the BIG-IP 12250 platform.
479374-5 2-Critical K16255 Setting appropriate TX driver settings for 40 Gb interfaces.
478948 2-Critical   DC PSU reported as AC
477676 2-Critical   HSB v2.3.12.1 bitstream integrated to fix HSB firmware issues
473772 3-Major   SNMP reports the incorrect product name for the BIG-IP 10350 NEBS platform.
473210 3-Major   Chassis Temperature Status not showing Nitrox3x3 temperatures
472767-1 3-Major   Adding slots to running guests with host-iso can become stuck
467693-1 3-Major K16664 sysObjectID SNMP OID returns 'linux' instead of BIG-IP platform.
410101-3 3-Major   HSBe2 falls off the PCI bus


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
477571-1 2-Critical   HTTP/2 support.



Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
480931-1 CVE-2014-6271 CVE-2014-7169 CVE-2014-7187 CVE-2014-7186 CVE-2014-6277 CVE-2014-6278 K15629 Multiple BASH vulnerabilities - ShellShock


Functional Change Fixes

None


Cumulative fix details for BIG-IP v11.6.5 that are included in this release

810557-6 : ASM ConfigSync Hardening

Solution Article: K05123525


807477-5 : ConfigSync Hardening

Solution Article: K04280042


799617-6 : ConfigSync Hardening

Solution Article: K05123525


799589-6 : ConfigSync Hardening

Solution Article: K05123525


797885-6 : ConfigSync Hardening

Solution Article: K05123525


796469-5 : ConfigSync Hardening

Solution Article: K05123525


794413-6 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301


794389-3 : iControl REST endpoint response inconsistency

Component: TMOS

Symptoms:
Certain iControl REST endpoints may produce inconsistent responses to requests.

Conditions:
iControl REST endpoint receives specially crafted input.

Impact:
Inconsistent responses to REST requests.

Workaround:
None.

Fix:
iControl REST endpoints now return consistent responses.


757027-5 : BIND Update

Solution Article: K01713115


757026-5 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4


757025-5 : BIND Update

Solution Article: K00040234


756774-2 : Aborted DNS queries to a cache may cause a TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.

Conditions:
TCP connections that are aborted before a response is received from the cache.

Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.


756270-6 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
CRL signature verification now checks every certificate in the trusted CA bundle whose subject name matches the CRL issuer when looking for the issuer.


754944-5 : AVR reporting UI does not follow best practices

Solution Article: K00432398


750488-2 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
A query containing an EDNS0 OPT record is answered by DNS Cache.

Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This surfaced because of DNS Flag Day, February 1st, 2019, when major resolver implementations removed the workarounds they had used for servers that mishandle EDNS. All network configurations on the internet are affected by this change, but only some DNS servers are negatively impacted. The fixes for this issue handle the conditions those workarounds previously masked.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Cache.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.


750484-2 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
A client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.

Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This surfaced because of DNS Flag Day, February 1st, 2019, when major resolver implementations removed the workarounds they had used for servers that mishandle EDNS. All network configurations on the internet are affected by this change, but only some DNS servers are negatively impacted. The fixes for this issue handle the conditions those workarounds previously masked.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.


750472-2 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
A client (such as a DNS Flag Day compliance tool) or upstream DNS server sends an invalid EDNS OPT record.

Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This surfaced because of DNS Flag Day, February 1st, 2019, when major resolver implementations removed the workarounds they had used for servers that mishandle EDNS. All network configurations on the internet are affected by this change, but only some DNS servers are negatively impacted. The fixes for this issue handle the conditions those workarounds previously masked.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, the system now sends a response with the BADVERS error code, as stipulated by the RFC.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok


750460-5 : Subscriber management configuration GUI

Solution Article: K61002104


750457-2 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Queries to DNS Express containing an EDNS0 record it does not understand.

Impact:
DNS Express responses might not contain the RFC-required EDNS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This surfaced because of DNS Flag Day, February 1st, 2019, when major resolver implementations removed the workarounds they had used for servers that mishandle EDNS. All network configurations on the internet are affected by this change, but only some DNS servers are negatively impacted. The fixes for this issue handle the conditions those workarounds previously masked.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Express.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok


749879-6 : Possible interruption while processing VPN traffic

Solution Article: K47527163


749774-1 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.


749675-1 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.
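
The four EDNS entries above (750484-2, 750472-2, 750457-2 and 749675-1) all come down to how a server must treat the OPT pseudo-record in a message: echo exactly one OPT record when the query carried one, answer BADVERS rather than drop a query whose EDNS version it does not understand, and never emit two OPT records in one response. The following Python script is an added example, not code from the release notes or from F5; it walks a DNS message on the wire, extracts the EDNS fields from the OPT record (the UDP payload size is carried in the CLASS field, the version in the upper bits of the TTL field, the DO bit in the low 16 bits of TTL), and reports the verdict RFC 6891 requires. The sample messages are constructed inline for illustration and are not captured traffic; you can feed it real responses, for example the truncated reply a resolving cache returns for an uncached name, to check for the double-OPT symptom of 749675-1.

```python
import struct

TYPE_OPT = 41       # RFC 6891 OPT pseudo-RR
TC_FLAG = 0x0200    # header flag: response was truncated
DO_FLAG = 0x8000    # DNSSEC OK bit, low 16 bits of the OPT TTL field


def _skip_name(msg, off):
    """Return the offset just past the name at `off`, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2          # a two-byte pointer terminates the name
        off += 1 + length


def _read_rr(msg, off):
    """Parse one resource record; return (type, class, ttl, offset past rdata)."""
    off = _skip_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    return rtype, rclass, ttl, off + 10 + rdlen


def inspect_edns(msg):
    """Walk a DNS message and report how RFC 6891 says the receiver must treat it."""
    if len(msg) < 12:
        raise ValueError("DNS header is shorter than 12 bytes")
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    opts = []
    for _ in range(ancount + nscount + arcount):
        rtype, rclass, ttl, off = _read_rr(msg, off)
        if rtype == TYPE_OPT:
            opts.append({
                "udp_payload_size": rclass,          # CLASS field carries the buffer size
                "version": (ttl >> 16) & 0xFF,       # EDNS version lives in the TTL field
                "do": bool(ttl & DO_FLAG),
            })
    if not opts:
        verdict = "NO_EDNS"        # plain DNS: answer without an OPT record
    elif len(opts) > 1:
        verdict = "FORMERR"        # more than one OPT is malformed (the 749675-1 symptom)
    elif opts[0]["version"] != 0:
        verdict = "BADVERS"        # unsupported version: answer BADVERS, do not drop
    else:
        verdict = "OK"             # answer must echo exactly one OPT record
    return {"truncated": bool(flags & TC_FLAG), "opt_count": len(opts),
            "opts": opts, "verdict": verdict}


def build_message(msg_id, flags, qname, opt_ttls=()):
    """Build a minimal message: one A/IN question plus one OPT RR per TTL value.
    Constructed test data for this example, not captured traffic."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    additional = b"".join(b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
                          for ttl in opt_ttls)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, len(opt_ttls))
    return header + question + additional


if __name__ == "__main__":
    samples = {
        "plain query":            build_message(1, 0x0100, "example1.com."),
        "EDNS0 query":            build_message(2, 0x0100, "example1.com.", [0]),
        "EDNS version 1 query":   build_message(3, 0x0100, "example1.com.", [1 << 16]),
        "truncated, two OPT RRs": build_message(4, 0x8380, "example1.com.", [0, 0]),
    }
    for label, wire in samples.items():
        print(f"{label:24s} -> {inspect_edns(wire)['verdict']}")
```

The verdict names follow the RFC rather than the fixes' wording: a client receiving a "FORMERR" message will typically discard it (hence the timeouts the compliance tester reports), and a server that answers "BADVERS" instead of dropping the query is what 750484-2 and 750472-2 implement.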


745387-5 : Resource-admin user roles can no longer get bash access

Component: TMOS

Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.

Conditions:
Resource-admin users configured with bash shell access.

Impact:
Resource-admin users with bash access may write to system files causing security risks.

Workaround:
Do not assign bash access for resource-admin users.

Fix:
Resource-admin users are now restricted to tmsh access. If a resource-admin user had bash access in a prior version, that user is converted to tmsh access automatically during the upgrade to this version.

Behavior Change:
Resource-admin roles can no longer have bash shell access. And upon upgrade, resource-admin users with bash access will get converted to tmsh shell access.
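
Before upgrading, it is worth knowing which accounts this behavior change will convert, since anything that relied on a resource-admin user having a shell (scripts, SCP jobs) will break. The following Python script is an added example, not part of the release notes or of F5's tooling; it parses the braced output of `tmsh list auth user` (saved to a file or passed as an argument) and lists resource-admin users whose shell is bash. The sample output embedded below is constructed for illustration, and its layout is assumed to match the tmsh configuration format.

```python
import re
import sys

# Constructed sample of `tmsh list auth user` output; the braced layout is assumed
# to match tmsh's configuration format and is not captured from a real system.
SAMPLE_TMSH_OUTPUT = """\
auth user admin {
    description "Admin User"
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user ops1 {
    description "Operations (resource-admin, bash)"
    partition-access {
        all-partitions {
            role resource-admin
        }
    }
    shell bash
}
auth user ops2 {
    partition-access {
        all-partitions {
            role resource-admin
        }
    }
    shell tmsh
}
auth user auditor {
    partition-access {
        Common {
            role auditor
        }
    }
    shell none
}
"""

USER_HEADER = re.compile(r"^auth user (\S+) \{$")


def parse_auth_users(text):
    """Parse 'auth user' blocks into {name: {"roles": set of roles, "shell": str or None}}.
    Nesting depth is tracked so that 'role' lines inside partition-access blocks
    are attributed to the enclosing user."""
    users = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            m = USER_HEADER.match(line)
            if m:
                current = {"roles": set(), "shell": None}
                users[m.group(1)] = current
                depth = 1
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                current = None
        elif line.startswith("role "):
            current["roles"].add(line.split(None, 1)[1])
        elif line.startswith("shell "):
            current["shell"] = line.split(None, 1)[1]
    return users


def resource_admins_with_bash(text):
    """Names of resource-admin users that the upgrade will move from bash to tmsh."""
    return sorted(
        name for name, user in parse_auth_users(text).items()
        if "resource-admin" in user["roles"] and user["shell"] == "bash"
    )


if __name__ == "__main__":
    # Usage: tmsh list auth user > users.txt; python3 audit_resource_admins.py users.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TMSH_OUTPUT
    for name in resource_admins_with_bash(text):
        print(f"{name}: resource-admin with bash access (converted to tmsh on upgrade)")
```

Run it against the live listing on each device before the upgrade; with the sample above it reports only ops1, because ops2 already has tmsh and admin holds a different role.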


745358-5 : ASM GUI does not follow best practices

Solution Article: K14812883


745257-5 : Linux kernel vulnerability: CVE-2018-14634

Solution Article: K20934447


745165-5 : Users without Advanced Shell Access are not allowed SFTP access

Solution Article: K38941195


744937-5 : Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records

Solution Article: K00724442

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system does not know which resource records an external zone holds at the time it responds to a DNSSEC query for a given record type at a given owner name.
If the requested record type does not exist, the BIG-IP system generates an NSEC3 record (with its RRSIG) as part of the response to authenticate the denial of existence; the NSEC3 Type Bit Map is supposed to list the RR types that do exist at that owner name.
With Aggressive Use of DNSSEC-Validated Cache (RFC 8198), supported in BIND 9.12, a validating resolver caches that negative response and can reuse the inaccurate Type Bit Map to deny the existence of resource records that are in fact present at the owner name.

Conditions:
A query comes in for a zone that is not hosted on the BIG-IP where the BIG-IP is only responsible for DNSSEC signing.

Impact:
Validating resolvers implementing Aggressive Use of DNSSEC-Validated Cache may respond with NODATA for an existing resource record.

Workaround:
N/A


742226-4 : TMSH platform_check utility does not follow best security practices

Solution Article: K11330536


739970-4 : Linux kernel vulnerability: CVE-2018-5390

Solution Article: K95343321


739947-4 : TMM may crash while processing APM traffic

Solution Article: K42465020


739927-5 : Bigd crashes after a specific combination of logging operations

Component: Local Traffic Manager

Symptoms:
Bigd crashes. Bigd core will be generated.

Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.

Impact:
Bigd crashes.

Workaround:
None.

Fix:
Bigd no longer crashes under these conditions.


739846-5 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- A new iQuery connection is received.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.

Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.


738887-1 : The snmpd daemon may leak memory when processing requests.

Component: TMOS

Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.

Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.

Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.

Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:

bigstart restart snmpd

Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.


738119-4 : SIP routing UI does not follow best practices

Solution Article: K23566124


737574-4 : iControl REST input sanitization

Solution Article: K20541896


734446-4 : TMM crash after changing LSN pool mode from PBA to NAPT

Component: Carrier-Grade NAT

Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.

Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.

The PBA pool can be deleted after the virtual servers are no longer using it.

Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.


726409-2 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077

Component: TMOS

Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439

Impact:
Denial of service.

Workaround:
Restrict login access to trusted users, since these issues require local access.

Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439


726239-2 : interruption of traffic handling as sod daemon restarts TMM

Component: Local Traffic Manager

Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.

Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash that occurs when the TCP persist timer is active.


724680-2 : OpenSSL Vulnerability: CVE-2018-0732

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601

Conditions:
For more information see: https://support.f5.com/csp/article/K21665601

Impact:
For more information see: https://support.f5.com/csp/article/K21665601

Workaround:
None.

Fix:
For more information see: https://support.f5.com/csp/article/K21665601


724319 : BIG-IP versions 11.6.3.x show 'Edition' as 'Final', not 'Point Release'

Component: TMOS

Symptoms:
When issuing the command 'tmsh show sys version' or viewing the /VERSION file, BIG-IP versions 11.6.3.x show the 'Edition' element as 'Final', not the expected 'Point Release'.

For example, on BIG-IP v11.6.3.2, the 'tmsh show sys version' command shows:

# tmsh show sys version

Sys::Version
Main Package
  Product BIG-IP
  Version 11.6.3.2
  Build 0.0.2
  Edition Final
  Date Wed May 23 19:39:10 PDT 2018

Conditions:
This occurs on all Point Release versions of BIG-IP v11.6.3.x.

Impact:
Possibly misleading indication of whether the installed BIG-IP v11.6.3.x version is a Point Release or not.

Workaround:
The final numeric element in the Version string indicates the Point Release number.

Fix:
When issuing the command 'tmsh show sys version' or viewing the /VERSION file, BIG-IP versions 11.6.3.x show the 'Edition' element as the expected 'Point Release'.


723130-5 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file

Solution Article: K13996

Component: TMOS

Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.

Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).

Note: Existing BIG-IP VE instances are not subject to this issue.

Impact:
This might raise questions about the integrity of the OVA file, and in some cases the client might refuse to deploy a new instance from the OVA file.

Workaround:
None.

Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.


722677-2 : High-Speed Bridge may lock up

Solution Article: K26455071


722387-1 : TMM may crash when processing APM DTLS traffic

Solution Article: K97241515


722363-4 : Client fails to connect to server when using PVA offload at Established

Component: Local Traffic Manager

Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.

When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.

Conditions:
A FastL4 virtual server is configured with offload_state = EST.

Impact:
Clients fail to connect to the server.

Workaround:
There is no workaround other than to disable PVA acceleration.


721924-4 : bgpd may crash processing extended ASNs

Solution Article: K17264695

Component: TMOS

Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.

Conditions:
Dynamic routing enabled.
Extended ASN capability enabled: bgp extended-asn-cap enabled

Impact:
Dynamic routing disrupted while bgpd restarts.

Fix:
bgpd now processes extended ASNs as expected.


721895-2 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)

Component: Global Traffic Manager (DNS)

Symptoms:
big3d advertises support for TLSv1.0. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.

Conditions:
Running a vulnerability scanner or other SSL test tool.

Impact:
The scanner or tool reports that big3d might accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.

Workaround:
Although there is no workaround, the risk is minimal, because big3d accepts connections only from clients that present certificates matching those configured on the BIG-IP system.

In addition, you can deploy firewall rules that accept connections on port 4353 (iQuery) only from known BIG-IP systems.

Fix:
This version adds a db variable for big3d, big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).

After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.


719554-4 : Linux Kernel Vulnerability: CVE-2018-8897

Solution Article: K17403481


716992-4 : The ASM bd process may crash

Solution Article: K75432956


716922-5 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Note: To take advantage of some of the Nagle benefits, use 'Auto'.

Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.


716900-5 : TMM core when using MPTCP

Solution Article: K91026261


716391-4 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module that uses MySQL is provisioned, for example BIG-IP ASM or BIG-IP Analytics (AVR). The following modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
 
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.


715923-2 : When processing TLS traffic TMM may terminate connections unexpectedly

Solution Article: K43625118


714879-5 : APM CRLDP Auth passes all certs

Solution Article: K34652116


714716-4 : Apmd logs password for acp messages when in debug mode

Solution Article: K10248311

Component: Access Policy Manager

Symptoms:
Apmd logs password when executing policy via iRule.

Conditions:
-- APM is licensed and provisioned
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- Clear text password is supplied for authentication
-- Debug mode active

Impact:
Apmd logs the clear text password.

Fix:
Apmd no longer logs the password in debug mode when evaluating a policy via iRule.


714181-1 : TMM may crash while processing TCP traffic

Solution Article: K14632915


713951-2 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.


711281-2 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.

Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.


710827-5 : TMUI dashboard daemon stability issue

Solution Article: K44603900


710314-3 : TMM may crash while processing HTML traffic

Solution Article: K94105051


710148-5 : CVE-2017-1000111 & CVE-2017-1000112

Solution Article: K60250153


710028-5 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.

Fix:
LTM SQL monitors continue monitoring when multiple monitors query the same server and database.


708653-4 : TMM may crash while processing TCP traffic

Solution Article: K07550539


708382 : Multiple TMM cores in http_cookie_decrypt

Component: Local Traffic Manager

Symptoms:
A virtual server configured with client/server SSL profiles, an HTTP profile, and a cookie persistence profile experiences multiple TMM cores in http_cookie_decrypt.

Conditions:
This occurs with a virtual server configured as follows:
-- Client/server SSL profiles.
-- HTTP profile.
-- Cookie persistence profile

Impact:
Device fails over. TMM cores. Traffic disrupted while tmm restarts.

Workaround:
This is likely a rarely occurring event. There is no workaround short of not using encryption for HTTP cookie persistence.


708249-5 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0

Fix:
The nitrox_diag utility now passes the -s0 flag when generating QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.


708114-2 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed

Solution Article: K33319853

Component: Local Traffic Manager

Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.

Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.


707740-2 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination

Component: TMOS

Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.

Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.

Impact:
Cannot delete the unused monitor.

Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only

You can now delete the monitor.

Fix:
You can now delete an unused GTM monitor, if that monitor was attached to multiple GTM virtual servers of the same ip+port combination.


707738-5 : Network Access cannot be established on Windows 10 RS4

Solution Article: K84747528

Component: Access Policy Manager

Symptoms:
Network Access cannot be established on Microsoft Windows 10 RS4. Both EdgeClient and F5 VPN fail with the following error: An incorrect structure size was detected.

Note: Custom Dial-up entry client is not affected.

This is caused by Windows 10 RS4 regression in Remote Access System (RAS).

Conditions:
Network Access connection fails when any of the following conditions are met:
-- The Windows system is a clean Windows 10 RS4 installation.
-- The Windows system has never connected to APM.
-- The Windows system previously connected to APM, but the BIG-IP Administrator modified the Network Access resource settings.

When all of the following conditions are met, Network Access continues to work, unless the Administrator modifies the resource configuration or the user connects to a new APM server:
-- The Windows system was previously connected to a specific virtual server on a particular APM.
-- The Windows system was upgraded from a previous Windows 10 version to Windows 10 RS4.
-- The Windows system Administrator has not modified any settings of Network Access resource.

Impact:
Network Access connection cannot be established.

Workaround:
None.

Note: This is caused by Windows 10 RS4 regression in RAS.

Fix:
Due to an issue introduced in Windows 10 RS4, a VPN connection could not be established. This has been fixed.


707445-1 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

    Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.

Fix:
Compression device reset recovery made more robust for some compression failures.


707226-3 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; however, to take advantage of this vulnerability, an attacker must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up to date with security fixes mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.


706642-4 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.

Fix:
wamd no longer leaks memory during configuration changes and cluster events.


706304 : ASU and other Update Check services overload F5 download server

Component: Application Security Manager

Symptoms:
ASM Signature Update (ASU) and other Update Check services may fail due to an overload on the F5 download server.

Conditions:
-- Automatic update attempt is initiated during specified schedule.
-- F5 download server is overloaded by Update attempts.

Impact:
ASU and other Update Check services fail.

Workaround:
To work around this issue, run manual updates instead.

To prevent this issue, change the time of the daily job run. To do so, follow these steps:

1. Open the cron job text file.
   # vi /etc/crontab

2. Change this line as follows:
   From: 02 4 * * * root run-parts /etc/cron.daily
   To: 10 4 * * * root run-parts /etc/cron.daily

3. Save the changes, and quit vi.

This will change the automatic updates to run at 4:10 rather than 4:02.

Fix:
ASU and other Update Check services now stagger download attempts to prevent F5 download server overload.


705794-4 : Under certain circumstances a stale HTTP/2 stream might cause a tmm crash

Component: Local Traffic Manager

Symptoms:
An HTTP/2 stream is overlooked when cleaning up an HTTP/2 flow.

Conditions:
The only known condition is that the closing_stream is not empty. Exact entrance conditions are not clear.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
HTTP/2 flows are now properly cleaned up to prevent a tmm crash.


705476-5 : Appliance Mode does not follow design best practices

Solution Article: K28003839


704580-4 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP

Solution Article: K05018525


704490-1 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003


704483-1 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003


704184-4 : APM MAC Client create files with owner only read write permissions

Solution Article: K52171282


703940-4 : Malformed HTTP/2 frame consumes excessive system resources

Solution Article: K45611803


703835-7 : When using SCP into BIG-IP systems, you must specify the target filename

Solution Article: K82814400


703515-6 : MRF SIP LB - Message corruption when using custom persistence key

Solution Article: K44933323

Component: Service Provider

Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.

Conditions:
Custom persistence key is not a multiple of 3 bytes

Impact:
The SIP request message may be corrupted when the via header is inserted.

Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.

Fix:
All persistence key lengths work as expected.


702490-5 : Windows Credential Reuse feature may not work

Component: Access Policy Manager

Symptoms:
The Windows Credential Reuse feature may not work, requiring the EdgeClient end user to enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).

The logterminal.txt file contains messages similar to the following:

<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted

Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.

Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.

Workaround:
There is no workaround at this time.

Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.


702472-5 : Appliance Mode Security Hardening

Solution Article: K87659521


702450-5 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.

Fix:
Made the error message accurately reflect what the user was attempting to delete.


702443 : A pool can be deleted despite being referenced as a clone-pool by an LTM policy action

Solution Article: K22510506

Component: Local Traffic Manager

Symptoms:
If a pool is being referenced as a clone-pool by a policy action, it can be deleted without any validation errors.

Conditions:
-- LTM policies configured.
-- At least one policy action forwards to the pool as a clone-pool.
-- No other objects reference the pool.
-- The referenced pool is deleted.

Impact:
The pool is deleted without error, but the reference to it in the policy action remains, so the policy references a pool that no longer exists. Config sync operations fail, and the configuration does not load.

Workaround:
Manually remove the reference to the pool from the policy action.

Fix:
Prevented pools from being deleted when they are referenced as clone-pools by policy actions.


702151-3 : HTTP/2 can garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.

Impact:
The garbled header may no longer conform to the HPACK specification, causing the connection to be dropped; alternatively, it may be well formed but contain incorrect data.

Fix:
The HTTP/2 filter correctly encodes large HTTP headers.


701944-6 : machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6

Solution Article: K42284762

Component: Access Policy Manager

Symptoms:
Machine certificate check crashes a Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when 'match issuer' is specified in the configuration.

Conditions:
- Machine certificate check configured with 'match issuer'.
- macOS Sierra 10.12.6 (16G29).
- BIG-IP Edge client.
- F5 EPI.

Impact:
Machine certificate check does not pass because Edge client crashes.

Workaround:
None.

Fix:
The machine certificate check now completes successfully using the Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when "match issuer" is specified in the configuration.


701785-4 : Linux kernel vulnerability: CVE-2017-18017

Solution Article: K18352029


701626-4 : GUI resets custom Certificate Key Chain in child client SSL profile

Solution Article: K16465222

Component: TMOS

Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).

Conditions:
This happens in the following scenario:

1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.

Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.

Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This sets the value of inherit-certkeychain to false, preventing the issue from occurring.

You can also use tmsh to update the parent profile settings to avoid this issue.

Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.


701359-3 : BIND vulnerability CVE-2017-3145

Solution Article: K08613310


701253-2 : TMM core when using MPTCP

Solution Article: K16248201


700889-1 : Software syncookies without TCP TS improperly include TCP options that are not encoded

Solution Article: K07330445

Component: Local Traffic Manager

Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.

Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.

Impact:
In one known case, the client was Windows 7, which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system did not use WS in this case and used the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.

Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.

Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.


700757-3 : vcmpd may crash when it is exiting

Component: TMOS

Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:

err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create

It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:

umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy

Conditions:
vCMP must be in use.

Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.

Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:

tmsh restart sys service vcmpd

Fix:
Prevented vcmpd from crashing when exiting.


700571-1 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE

Component: Service Provider

Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.

Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport connection is used to issue the CANCEL.

Impact:
The result is different branch IDs in the BIG-IP system-generated Via header. The INVITE is cancelled only on the calling side, while on the called side the line rings until it times out.

Workaround:
None.

Fix:
The branch parameter value calculation now remains consistent throughout the connection.


700433-3 : Memory leak when attaching an LTM policy to a virtual server

Solution Article: K10870739

Component: Local Traffic Manager

Symptoms:
BIG-IP LTM policies may cause an mcpd process memory leak.

As a result of this issue, you may encounter one or more of the following symptoms:

-- Latency when configuring the BIG-IP system.
-- Error messages logged in /var/log/ltm similar to the following example:
01140029:4: HA daemon_heartbeat mcpd fails action is restart.
-- The mcpd process may generate a core file in the /var/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your configuration includes one or more virtual servers with an associated BIG-IP LTM policy.
-- The BIG-IP LTM policy has at least one rule.
Note: Rules with actions or conditions can leak increased amounts of memory.

-- You delete and add BIG-IP LTM policies that are associated with the virtual server.
Note: This modification causes the memory leak to increase over time.

Impact:
The mcpd process might run slower as memory is consumed, and can fail when all system memory is exhausted. Devices in a high availability (HA) configuration may experience a failover event.

Workaround:
None.

Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.


700393-5 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash

Solution Article: K53464344

Component: Local Traffic Manager

Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.

Conditions:
HTTP/2 profile in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Stale/stalled HTTP/2 streams are now handled correctly to prevent a tmm crash.


700057-2 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved

Component: Local Traffic Manager

Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.

Conditions:
Upgrade or load a .ucs with SSL keys configured.

Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.

Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config

Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.


699455-2 : SAML export does not follow best practices

Solution Article: K50254952


699452-2 : Web UI does not follow current best coding practices

Solution Article: K29280193


699346-1 : NetHSM capacity reduces when handling errors

Solution Article: K53931245


699267-3 : LDAP Query may fail to resolve nested groups

Component: Access Policy Manager

Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).

Conditions:
-- LDAP Query agent is configured in an Access Policy.
-- The 'Fetch groups to which the user or group belong' option is enabled.

Impact:
The LDAP Query agent fails, the system is unable to get the user identity, and the Access Policy cannot be finalized.

Fix:
LDAP Query now resolves all nested groups as expected, and the session.ldap.last.attr.memberOf attribute contains the user's groups.


698000-4 : Connections may stop passing traffic after a route update

Solution Article: K04473510

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.

Fix:
Routing updates no longer interrupt traffic on connections that use a pool member to reach the nexthop.


697904 : GUI does not show Device names with <> properly.

Component: TMOS

Symptoms:
When the Device Name has <> (left and right angle brackets) in the name, the GUI does not show the name properly.

Conditions:
Device Name contains <> characters.

Impact:
User is unable to see the device name in the GUI.

Workaround:
Use tmsh to see the device name.

Fix:
The GUI now shows device names that contain <> characters.


697794 : ROM layout file missing for Blade B2250 in BIG-IP VIPRION 2400 chassis

Component: TMOS

Symptoms:
An error similar to the following is posted when blade B2250 is PXE-booted and an attempt is made to extract OPTN class data from the SPI flashrom:

ERROR: Could not open ROM layout (/usr/firmware/victoria2-rom.layout).
Please run "flashrom --help" for usage info.

Conditions:
When the ROM layout file is missing under the /usr/firmware/ directory in Maintenance OS (MOS).

Impact:
Failure to extract OPTN class data from the SPI flashrom results in failure to determine whether the system should be RAID formatted.

Workaround:
None.


697303-4 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.


696265-2 : BD crash

Solution Article: K60985582

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.


696049-4 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.


695925-4 : tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
tmm crashes and restarts, disrupting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using 'tmsh show sys connection'.


695901-3 : TMM may crash when processing ProxySSL data

Solution Article: K46940010


694922-2 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group.
2) A new ASM entity is created on a device.

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

Fix:
Devices no longer spuriously enter an untrusted state.


694901-1 : CVE-2015-8710: Libxml2 Vulnerability

Solution Article: K45439210


694073-4 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.

Fix:
Signature updates are now shown correctly for all versions.


693810-4 : CVE-2018-5529: APM Linux Client Vulnerability

Solution Article: K52171282


693744-2 : CVE-2018-5531: vCMP vulnerability

Solution Article: K64721111


693739-5 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled

Component: Access Policy Manager

Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.

Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.

Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.

Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.

Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.


693211-4 : CVE-2017-6168

Solution Article: K21905460


692095-4 : bigd logs monitor status unknown for FQDN Node/Pool Member

Solution Article: K65311501

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.

Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.


691806-4 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Solution Article: K61815412

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.

Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.


691767-3 : SNMP does not follow best security practices

Solution Article: K27400151


691670-2 : Rare BD crash in a specific scenario

Component: Application Security Manager

Symptoms:
BD crash, or false reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

Fix:
Fixed a bug in the signatures engine that caused a false positive report of a signature. In some rare cases, this false report could cause a crash.

A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.


691485-2 : System fails to boot when syslog-ng is not running.

Solution Article: K47635484

Component: TMOS

Symptoms:
System hangs during boot while trying to start the httpd service.

Conditions:
syslog-ng is not running.

Impact:
System fails to boot.

Workaround:
Correct the /etc/syslog-ng/syslog-ng.conf file if necessary and start the syslog-ng service using the following command:
  service syslog-ng start

The system should continue to boot.


690819-2 : Using an iRule module after a 'session lookup' may result in crash

Component: TMOS

Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.

Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.

Impact:
The system may core, or result in undefined and/or undesired behavior.

Workaround:
Check the return value of 'session lookup' before using another iRule module.

If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.


690042-4 : Potential Tcl leak during iRule suspend operation

Solution Article: K43412307

Component: Local Traffic Manager

Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.

Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.

Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer leaks memory.


689449-4 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.

Conditions:
- VIP configured with spdy/http2 and http with fallback-host.

Impact:
TMM may eventually enter aggressive sweeper mode, in which this memory is released. In the process, some legitimate connections may be killed.

Workaround:
No workaround at this time.

Fix:
BIG-IP no longer attempts to send a response with the fallback host configured in the HTTP profile when a connection is aborted by the client or due to an internal error. This prevents the internal flow from staying in memory after the connection has died.


689437-3 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Solution Article: K49554067

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.

Fix:
The icrd_child parsing logic has been updated so that it no longer enters infinite recursion on dotted group names.


688625-3 : PHP Vulnerability CVE-2017-11628

Solution Article: K75543432


687658-3 : Monitor operations in transaction will cause it to stay unchecked

Component: TMOS

Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.


687193-3 : TMM may leak memory when processing SSL Forward Proxy traffic

Solution Article: K45325728


686389-4 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource carries a flag indicating whether the HTML5 client is enabled (the absence of the <html-access-disabled/> tag). APM does not honor this flag; it should offer the HTML5 client option to the APM end user only if HTML5 access has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.

Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.

Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.


686305-5 : TMM may crash while processing SSL forward proxy traffic

Solution Article: K64552448


686228-5 : TMM may crash in some circumstances with VLAN failsafe

Solution Article: K23243525

Component: Local Traffic Manager

Symptoms:
TMM may crash when handling traffic generated by the VLAN failsafe mechanism.

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses to the generated traffic are received in fast succession.

Impact:
A TMM core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.


685857 : Memory consumption of tmm slowly increases.

Component: Access Policy Manager

Symptoms:
Memory consumption of tmm slowly increases.

Conditions:
This occurs only when a session is terminated in the policy evaluation phase, e.g., a client lands on the logon page and lets it time out.

You can determine whether this issue is occurring by checking whether the memory usage of 'session' has grown to 4 GB.

Impact:
Device may fail over to another unit in the high-availability (HA) configuration.

Workaround:
To recover from this issue, restart tmm.

Note: Traffic will be disrupted while tmm restarts.

Fix:
Memory consumption of tmm no longer increases when a client allows the logon page to time out.


685708-5 : Routing via iRule to a host without providing a transport from a transport-config created connection cores

Component: Service Provider

Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Conditions:
The connection receiving the request was created using a transport-config, and an MR::message route command is issued without specifying a transport (virtual or config) to use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.

Fix:
The system will no longer core.


685519-4 : Mirrored connections ignore the handshake timeout

Component: Local Traffic Manager

Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.

Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.

Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.

Workaround:
None.

Fix:
Mirrored connections now honor the TCP handshake timeout.


685207-3 : DoS client side challenge does not encode the Referer header.

Component: Application Security Manager

Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.

Conditions:
1. Log in to the client IP address and send the ab request.
2. Once the DoS attack starts, send the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. The unencoded Referer header is visible.

Impact:
The XSS reflection occurs after triggering the DoS attack.

Workaround:
None.

Fix:
DoS client side challenge now encodes the Referer header.


684937-5 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users

Solution Article: K26451305

Component: Access Policy Manager

Symptoms:
APM performance in handling HTTP requests drops gradually when Kerberos SSO is used over a period of time.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.

Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
LRU cache performance no longer drops linearly with the number of cached Kerberos tickets, and the latency of HTTP request processing has been significantly improved.


684879-3 : TMM may crash while processing TLS traffic

Solution Article: K02714910


684325-4 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
When an access profile that contains a CheckMachineCert agent is updated using 'Apply access policy', apmd leaks 12096 bytes of memory each time.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
The APMD process stops after the access policy is applied repeatedly.

Workaround:
None.

Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.


684312-3 : During Apply Policy action, bd agent crashes, causing the machine to go Offline

Solution Article: K54140729

Component: Application Security Manager

Symptoms:
During an Apply Policy action, bd agent crashes with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

This causes the bd and bd_agent processes to restart, and the machine goes Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.

Impact:
The bd and bd_agent processes restart, causing the machine to go Offline while the processes restart.

Workaround:
None.

Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.


683241-4 : Improve CSRF token handling

Solution Article: K70517410

Component: Application Security Manager

Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.

Conditions:
CSRF is configured.

Impact:
CSRF token handling does not follow current best practices.

Workaround:
None.

Fix:
CSRF token handling now follows current best practices.


683113-5 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users

Solution Article: K22904904

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.

Websso CPU usage is very high.

The BIG-IP system's response rate can drop to the point that clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.

Conditions:
-- Running APM.
-- A large number of APM end users (~20K) have logged on and are using Kerberos SSO.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.


682682-5 : tmm asserts on a virtual server-to-virtual server connection

Component: Local Traffic Manager

Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.

Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.

Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.

Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.


682281 : iSession tunnels are not reused and idle tunnels are not terminated by the sweeper

Component: Wan Optimization Manager

Symptoms:
When an iSession tunnel is created with certain iSession profile properties, the tunnel is not reused and the idle client-side (incoming) tunnel is not reset by the sweeper. TMM must be restarted to clean up the client-side iSession tunnels.

Conditions:
An iSession tunnel is created with these three iSession profile properties:
 -- reuse-connection enabled
 -- deduplication disabled
 -- compression disabled

Impact:
Tunnel is not reused and the idle client-side (incoming) tunnel is not reset by the sweeper. TMM must be restarted to clean up the client-side iSession tunnels. Traffic disrupted while tmm restarts.

Workaround:
Disable the iSession profile reuse-connection property.

Fix:
iSession tunnels are reused and idle tunnels are terminated by the sweeper.


681710-5 : Malformed HTTP/2 requests may cause TMM to crash

Solution Article: K10930474


680755-2 : max-request enforcement no longer works outside of OneConnect

Solution Article: K27015502

Component: Local Traffic Manager

Symptoms:
max-request enforcement does not work when OneConnect is not configured.

Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.

Impact:
max-request enforcement does not work.

Workaround:
Always use OneConnect.

Fix:
max-request enforcement now works when OneConnect is not configured.


680729-5 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical

Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>


679861-3 : Weak Access Restrictions on the AVR Reporting Interface

Component: Application Visibility and Reporting

Symptoms:
The AVR reporting interface does not follow best practices for access restrictions.

Conditions:
AVR provisioned

Impact:
If accessed, the AVR reporting interface may disclose:
 - Client and server IP addresses
 - URIs from client requests
 - Metadata about attacks detected by BIG-IP

Workaround:
Ensure that network access to the management port is restricted and that Port Lockdown setting for Self-IPs is not set to "Allow All". The default port lockdown of "Allow Default" provides mitigation against access via Self-IP.

Fix:
Stronger access restrictions enforced on the AVR reporting interface.


679603-3 : bd core upon request, when profile has sensitive element configured.

Solution Article: K15460886

Component: Application Security Manager

Symptoms:
bd crash, system goes offline.

Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- JSON profile configured with a sensitive element.

Impact:
System goes offline/fails over.

Workaround:
Remove sensitive elements from the json profile in the ASM policy.

Fix:
ASM now handles this condition so the crash no longer occurs.


679235-4 : Inspection Host NPAPI Plugin for Safari can not be installed

Component: Access Policy Manager

Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.

Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.

Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.

Workaround:
There is no workaround at this time.

Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.


679114-1 : Persistence record expires early if an error is returned for a BYE command

Component: Service Provider

Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.

Conditions:
An error is returned for any SIP command.

Impact:
The persistence record will expire early when the call has not been ended.

Workaround:
None.

Fix:
For BYE commands, the persistence timeout is no longer set to the transaction timeout on failure.


678976-5 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.

Solution Article: K24756214

Component: Access Policy Manager

Symptoms:
VDI debug logs print user credentials to /var/log/apm.

Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.

Impact:
User credentials are written to /var/log/apm.

Workaround:
Set VDI debug level to Notice.

Fix:
The system no longer prints user credentials to VDI debug logs.


678822-5 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Component: Policy Enforcement Manager

Symptoms:
If PEM subscribers are brought up with Diameter apps (Gx/Gy) configured and the PCRF is not reachable, either because there is no route or because no license is configured for those apps, the 'provision pending' session counter increments and never rolls back to zero, even after the subscribers are cleaned up.

Conditions:
If the route to PCRF/OCS is missing or not reachable.

Impact:
Non-zero stats for provision pending sessions.

Workaround:
Disable the Gx/Gy profile if not required or configure the route.

Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.


678462-1 : after chassis failover: asmlogd CPU 100% on secondary

Component: Application Security Manager

Symptoms:
After a failover in a chassis:

 - asmlogd CPU 0% on primary slot (which was secondary before the failover).

 - asmlogd CPU 100% on secondary (which was primary before the failover).

This occurs even with no traffic running through the chassis.

Conditions:
-- ASM provisioned.
-- Chassis with at least two active slots.
-- Chassis failover after some traffic was passed through the chassis.

Impact:
asmlogd CPU shows 100% on secondary (which was primary before the failover), and vice versa.

Workaround:
There is no workaround at this time.

Fix:
The asmlogd process now better handles chassis failovers during which the chassis slots change roles (primary/secondary), so this issue no longer occurs.


677525-5 : Translucent VLAN group may use unexpected source MAC address

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.

Fix:
Translucent VLAN groups no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.


677193-4 : ASM BD Daemon Crash.

Solution Article: K38243073


677119-1 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE

Component: Local Traffic Manager

Symptoms:
When an HTTP2 connection's parameters are negotiated, either side may advertise its limits in a SETTINGS frame. One of these parameters, SETTINGS_MAX_HEADER_LIST_SIZE, declares the maximum size of a header list the sender is willing to accept. The BIG-IP system incorrectly confused this parameter with a different one, SETTINGS_HEADER_TABLE_SIZE, and so limited the value of SETTINGS_MAX_HEADER_LIST_SIZE to 32,768.

Conditions:
HTTP2 is configured and the opposite endpoint (a user agent using the HTTP2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.

Impact:
The BIG-IP system does not accept the value and terminates the connection with a GOAWAY frame giving PROTOCOL_ERROR as the reason.

Workaround:
None.

Fix:
The BIG-IP system no longer generates an error due to this issue, and allows the value of SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.
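As an added illustration (not F5 code), the following Python models the SETTINGS handling this entry describes: a minimal RFC 7540 SETTINGS frame parser with the range checks the RFC mandates, plus a `swap_header_limits` switch that reproduces the described defect of applying a 32,768 cap to SETTINGS_MAX_HEADER_LIST_SIZE as if it were SETTINGS_HEADER_TABLE_SIZE. The setting identifiers are the RFC 7540 values; the frame contents and the defect model are constructed for this example.

```python
import struct

SETTINGS_FRAME_TYPE = 0x4
FLAG_ACK = 0x1

# Setting identifiers from RFC 7540, section 6.5.2.
SETTINGS_HEADER_TABLE_SIZE = 0x1
SETTINGS_ENABLE_PUSH = 0x2
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
SETTINGS_MAX_FRAME_SIZE = 0x5
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6

# Cap the release note says was wrongly applied to SETTINGS_MAX_HEADER_LIST_SIZE.
MISAPPLIED_CAP = 32768


def build_settings_frame(settings):
    """Serialise a SETTINGS frame: 9-byte frame header, then 6-byte (id, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    length = struct.pack("!I", len(payload))[1:]          # 24-bit length
    header = length + bytes([SETTINGS_FRAME_TYPE, 0]) + struct.pack("!I", 0)  # flags=0, stream 0
    return header + payload


def parse_settings_frame(frame):
    """Return the list of (id, value) pairs, or raise ValueError named after the RFC error code."""
    if len(frame) < 9:
        raise ValueError("FRAME_SIZE_ERROR")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != SETTINGS_FRAME_TYPE:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:                       # SETTINGS is a connection-level frame
        raise ValueError("PROTOCOL_ERROR")
    payload = frame[9:9 + length]
    if len(payload) != length or length % 6:  # truncated, or not whole 6-byte pairs
        raise ValueError("FRAME_SIZE_ERROR")
    if flags & FLAG_ACK and length:           # an ACK must carry no payload
        raise ValueError("FRAME_SIZE_ERROR")
    return [struct.unpack("!HI", payload[i:i + 6]) for i in range(0, length, 6)]


def validate_settings(settings, swap_header_limits=False):
    """Apply RFC 7540 6.5.2 range checks; return "OK" or the GOAWAY error code a receiver sends.

    swap_header_limits=True models the defect in this entry: the 32,768 cap is applied to
    SETTINGS_MAX_HEADER_LIST_SIZE (which the RFC leaves unbounded) instead of being a
    table-size concern, so a peer advertising a larger header list is rejected.
    """
    for ident, value in settings:
        if ident == SETTINGS_ENABLE_PUSH and value not in (0, 1):
            return "PROTOCOL_ERROR"
        if ident == SETTINGS_INITIAL_WINDOW_SIZE and value > 2**31 - 1:
            return "FLOW_CONTROL_ERROR"
        if ident == SETTINGS_MAX_FRAME_SIZE and not (2**14 <= value <= 2**24 - 1):
            return "PROTOCOL_ERROR"
        if swap_header_limits and ident == SETTINGS_MAX_HEADER_LIST_SIZE and value > MISAPPLIED_CAP:
            return "PROTOCOL_ERROR"
        # Unknown identifiers are ignored per the RFC; other values need no range check.
    return "OK"


def check_settings_frame(frame, swap_header_limits=False):
    """Parse then validate a raw frame; return "OK" or the error code the connection would close with."""
    try:
        settings = parse_settings_frame(frame)
    except ValueError as err:
        return str(err)
    return validate_settings(settings, swap_header_limits)


if __name__ == "__main__":
    # Constructed peer SETTINGS: a header list limit of 64 KiB, legal under the RFC.
    frame = build_settings_frame([(SETTINGS_MAX_HEADER_LIST_SIZE, 65536)])
    print("defect model:", check_settings_frame(frame, swap_header_limits=True))  # PROTOCOL_ERROR
    print("corrected:   ", check_settings_frame(frame))                           # OK
```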


677088-5 : BIG-IP tmsh vulnerability CVE-2018-15321

Solution Article: K01067037


677058-4 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Solution Article: K31757417

Component: Access Policy Manager

Symptoms:
A Logon Page agent with more than one password variable, or the Citrix logon prompt, logs the password in plain text when debug logging is turned on for the access policy.

Conditions:
This occurs when the following conditions are met:

- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.

Impact:
APM logs the password in plain text when debug logging is turned on for the access policy.

Workaround:
None.

Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.


676982-1 : Active connection count increases over time, long after connections expire

Solution Article: K21958352

Component: Local Traffic Manager

Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.

Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile functionality.

Impact:
- Service may be impacted after a period.
- TMM instances may restart.

Workaround:
None.

Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.


676457-2 : TMM may consume excessive resource when processing compressed data

Solution Article: K52167636


676416-3 : BD restart when switching FTP profiles

Component: Application Security Manager

Symptoms:
Switching a virtual server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.

Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.

Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.

Workaround:
There is no workaround at this time.

Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.


676355-3 : DTLS retransmission does not comply with RFC in certain resumed SSL session

Component: Local Traffic Manager

Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.

Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.

Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.

Workaround:
None.

Fix:
The FINISHED messages are now saved before the Cavium-encrypted FINISHED message is transmitted and the DTLS retransmit timer is started. When the retransmit timer expires, the CCS and FINISHED messages are retransmitted.


676300-6 : EPSEC binaries may fail to upgrade in some cases

Solution Article: K04551025

Component: Access Policy Manager

Symptoms:
The Windows client may fail to upgrade the endpoint security package in some cases. This happens because of a corrupted registration of old endpoint security components.

Conditions:
Corrupted registry entry related to endpoint security components.

Impact:
The client may not be able to upgrade to the latest endpoint package hosted on APM.

Workaround:
Remove the following registry keys from the registry:

Note: Use extra care editing the registry. Only remove the following keys, and no others.

"HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_CLASSES_ROOT\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"

"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"

"HKCU\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"

Fix:
EPSEC binaries now upgrade successfully.


675866-3 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO

Component: Access Policy Manager

Symptoms:
The KDC rejects Kerberos tickets that have 2 minutes left in their ticket lifetime, which causes APM to disable SSO.

Conditions:
This occurs with Kerberos-protected resources that use a Windows Server 2012-based DC, due to the issue described in the Microsoft KB article "Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC", https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.

Impact:
Cannot access the Kerberos-protected resources.

Workaround:
None.

Fix:
Kerberos SSO (S4U) tickets are no longer used when their remaining lifetime is less than 5 minutes. Existing tickets with more than half of the configured lifetime remaining, or with at least 1 hour of lifetime remaining, are used. If there are no such tickets, new tickets are acquired and used.
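The ticket-reuse rule stated in this fix, written out in Python as an added example (not APM code): a cached ticket is reused only when it clears the 5-minute floor and has either more than half of the configured lifetime or at least 1 hour remaining; otherwise a new ticket must be acquired. The `S4UTicket` type and the sample tickets and clock are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence

# Thresholds as stated in the fix for ID 675866-3.
MIN_USABLE_REMAINING = timedelta(minutes=5)   # below this a ticket is never reused
ALWAYS_ENOUGH_REMAINING = timedelta(hours=1)  # at or above this a ticket is always reused


@dataclass(frozen=True)
class S4UTicket:
    """Hypothetical minimal view of a cached S4U service ticket (constructed for this example)."""
    principal: str
    end_time: datetime   # Kerberos 'endtime' of the ticket


def ticket_decision(ticket: S4UTicket, configured_lifetime: timedelta, now: datetime) -> str:
    """Classify one cached ticket as 'reuse' or 'discard'.

    1. remaining < 5 min: discard (the KB 2877460 DC may already reject it near expiry)
    2. remaining > configured_lifetime / 2, or remaining >= 1 h: reuse
    3. otherwise: discard, so that a fresh ticket is acquired instead
    Rule 1 wins over rule 2, so a short configured lifetime cannot push a
    nearly-expired ticket back into use.
    """
    remaining = ticket.end_time - now
    if remaining < MIN_USABLE_REMAINING:
        return "discard"
    if remaining > configured_lifetime / 2 or remaining >= ALWAYS_ENOUGH_REMAINING:
        return "reuse"
    return "discard"


def select_ticket(tickets: Sequence[S4UTicket], configured_lifetime: timedelta,
                  now: datetime) -> Optional[S4UTicket]:
    """Return the reusable ticket expiring latest, or None when a new ticket must be acquired."""
    reusable = [t for t in tickets if ticket_decision(t, configured_lifetime, now) == "reuse"]
    return max(reusable, key=lambda t: t.end_time, default=None)


def demo() -> dict:
    """Constructed scenario: a fixed clock, three cached tickets, two configured lifetimes."""
    now = datetime(2019, 9, 19, 12, 0, tzinfo=timezone.utc)
    t3 = S4UTicket("HTTP/app-a.example", now + timedelta(minutes=3))
    t30 = S4UTicket("HTTP/app-b.example", now + timedelta(minutes=30))
    t4h = S4UTicket("HTTP/app-c.example", now + timedelta(hours=4))
    ten_hours = timedelta(hours=10)
    chosen = select_ticket([t3, t30, t4h], ten_hours, now)
    return {
        # 3 min left beats the half-lifetime test (8 min / 2) but fails the 5-min floor.
        "3min_left_8min_lifetime": ticket_decision(t3, timedelta(minutes=8), now),
        # 30 min left is more than half of a 40-min lifetime.
        "30min_left_40min_lifetime": ticket_decision(t30, timedelta(minutes=40), now),
        # 30 min left is neither half of 10 h nor a full hour.
        "30min_left_10h_lifetime": ticket_decision(t30, ten_hours, now),
        # 4 h left is under half of 10 h but at least 1 h, so still reusable.
        "4h_left_10h_lifetime": ticket_decision(t4h, ten_hours, now),
        "selected_principal": chosen.principal if chosen else None,
        "none_reusable": select_ticket([t3, t30], ten_hours, now) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```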


675232-2 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered:

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify its active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy. That can be done via the GUI and, starting from v13.0, via REST as well.

The newly created ASM Policy Template can then be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------

Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.


675188-4 : CVE-2017-9233: Expat vulnerability

Solution Article: K03244804


674747-1 : sipdb cannot delete custom bidirectional persistence entries.

Solution Article: K30837366

Component: Service Provider

Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.

Conditions:
Custom bidirectional SIP persistence entries have been created by rules and SIP messages.

Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted, however.

Workaround:
None.

Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.


674486-3 : Expat Vulnerability: CVE-2017-9233

Solution Article: K03244804


674320-3 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems

Solution Article: K11357182

Component: TMOS

Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:

 notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59

Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)

Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).

Impact:
Configuration on peer systems in a device group does not get saved after a sync.

Workaround:
Manually save the configuration on peer systems after a sync.

Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.


674189-2 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0

Solution Article: K52320548


674145-4 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.

Fix:
The expected data values are properly printed in the log message.


673814-2 : Custom bidirectional persistence entries are not updated to the session timeout

Solution Article: K37822302

Component: Service Provider

Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.

Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.

Impact:
The persistence entry times out prematurely.

Workaround:
Set the transaction timeout to the session timeout value.

Fix:
The persistence timeout is correctly updated to the session timeout value when a successful response message is received.


673165-2 : CVE-2017-7895: Linux Kernel Vulnerability

Solution Article: K15004519


673029-1 : Debug image TMM crash

Component: Policy Enforcement Manager

Symptoms:
When a debug TMM is run with PEM logging enabled, TMM crashes in some subscriber-addition cases.

Conditions:
-- TMM debug is used.
-- PEM debug log is enabled.
-- Many subscribers are added.
-- The log message crashes subscribers.

Impact:
TMM restarts resulting in failover. Traffic disrupted while tmm restarts.

Workaround:
Do not enable PEM logging in a PEM debug image.


672988-3 : MCP memory leak when performing incremental ConfigSync

Solution Article: K03433341

Component: TMOS

Symptoms:
MCP leaks memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be observed by using the tmctl utility to watch the umem_alloc_80 cache over time.

This leak occurs on the device that is sending the configuration.

Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.

Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.

Workaround:
None.

Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.


672480 : WebSSO plugin process may become unresponsive in rare situations for Kerberos SSO

Component: Access Policy Manager

Symptoms:
HTTP requests that are being processed by Kerberos SSO never leave APM, and the connections simply time out.

Conditions:
There is an issue in the MIT krb5 library when it calculates the wait time for responses from the KDC: the result can be a negative value, which the poll() syscall treats as an infinite timeout. If at the same time all Kerberos requests to the KDC are dropped (e.g., by a misconfigured firewall), Kerberos SSO never receives the responses and never gives up waiting for them (this is an issue in the library).

Impact:
A deadlock occurs within the Kerberos SSO. Eventually there will be a global deadlock, which causes this particular WebSSO process to be completely unresponsive for Kerberos SSO functionality. APM end users cannot access the backend.

Workaround:
For this issue to have a real impact, there must be an unresponded-to Kerberos request. To eliminate this possibility, make sure there is no firewall blockage, incorrect routing, etc., so that WebSSO always receives responses, even negative ones.

Note: WebSSO will never use an infinite timeout when waiting for Kerberos responses, so even if a firewall blocks the Kerberos request, Kerberos SSO does not function but the WebSSO process does not become globally unresponsive.


672124-2 : Excessive resource usage when BD is processing requests

Solution Article: K12403422


671638-3 : TMM crash when load-balancing mptcp traffic

Solution Article: K33211839


671498-2 : BIND zone contents may be manipulated

Solution Article: K02230327


671497-2 : TSIG authentication bypass in AXFR requests

Solution Article: K59448931


671447-3 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form

Component: TMOS

Symptoms:
When a BIG-IP system is configured in an IS-IS network, adjacencies may fail to form with devices from other vendors.

Conditions:
-- BIG-IP configured to participate as a peer in an IS-IS network.
-- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-Byte SystemID.)

Impact:
IS-IS adjacencies may not form.

Workaround:
None.

Fix:
The BIG-IP system now uses a correct SystemID length in the Restart TLV.
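To make the interoperability failure in this entry concrete, here is an added Python example (not ZebOS or BIG-IP code) that encodes an IS-IS Restart TLV (type 211, RFC 5306) and parses it the way a strict peer would: only the lengths the RFC defines (1, 3, or 3 plus a 6-octet System ID) are accepted, so a TLV carrying a 7-octet SystemID is rejected and the adjacency is not formed, while a lenient parser tolerates it. The System ID values and the `adjacency_accepts` helper are constructed for the example.

```python
import struct

RESTART_TLV_TYPE = 211                         # IS-IS Restart TLV (RFC 5306)
FLAG_RR, FLAG_RA, FLAG_SA = 0x01, 0x02, 0x04   # Restart Request, Restart Ack, Suppress Adjacency
ID_LENGTH = 6                                  # standard IS-IS System ID length in octets
# Permitted value lengths: flags only; flags + remaining time; flags + remaining time + System ID.
VALID_LENGTHS = {1, 3, 3 + ID_LENGTH}


def encode_restart_tlv(flags, remaining_time=0, neighbor_sysid=b""):
    """Build a Restart TLV as a sender would.

    Deliberately no check on neighbor_sysid length: this models a sender that puts a
    7-octet SystemID on the wire (the behaviour this entry describes) as readily as a
    6-octet one, so the receiver's validation is what decides the outcome.
    """
    value = bytes([flags])
    if flags & FLAG_RA:   # remaining time and restarting-neighbor ID accompany an ack
        value += struct.pack("!H", remaining_time) + neighbor_sysid
    return bytes([RESTART_TLV_TYPE, len(value)]) + value


def parse_restart_tlv(tlv, strict=True):
    """Decode a Restart TLV into a dict, raising ValueError on malformed input.

    strict=True accepts only RFC 5306 lengths (the peer behaviour in this entry);
    strict=False tolerates trailing octets after the 6-octet System ID.
    """
    if len(tlv) < 3 or tlv[0] != RESTART_TLV_TYPE:
        raise ValueError("not a Restart TLV")
    length = tlv[1]
    value = tlv[2:2 + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    if length < 1:
        raise ValueError("Restart TLV must carry a flags octet")
    if strict and length not in VALID_LENGTHS:
        raise ValueError(f"invalid Restart TLV length {length}")
    flags = value[0]
    parsed = {
        "rr": bool(flags & FLAG_RR),
        "ra": bool(flags & FLAG_RA),
        "sa": bool(flags & FLAG_SA),
        "remaining_time": None,
        "neighbor_sysid": None,
    }
    if length >= 3:
        parsed["remaining_time"] = struct.unpack("!H", value[1:3])[0]
    if length >= 3 + ID_LENGTH:
        parsed["neighbor_sysid"] = value[3:3 + ID_LENGTH]   # extra octets beyond 6 are dropped when lenient
    return parsed


def adjacency_accepts(tlv, strict=True):
    """Does a peer with the given validation policy accept the TLV (and keep forming the adjacency)?"""
    try:
        parse_restart_tlv(tlv, strict)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    six = bytes.fromhex("0000000000a1")        # constructed 6-octet System ID
    seven = six + b"\x00"                      # constructed 7-octet SystemID, as described above
    good = encode_restart_tlv(FLAG_RA, 90, six)
    bad = encode_restart_tlv(FLAG_RA, 90, seven)
    print("6-octet ID, strict peer:", adjacency_accepts(good))          # True
    print("7-octet ID, strict peer:", adjacency_accepts(bad))           # False
    print("7-octet ID, lenient peer:", adjacency_accepts(bad, False))   # True
```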


671326-3 : DNS Cache debug logging might cause tmm to crash.

Solution Article: K81052338

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache debug logging might cause tmm to crash.

Conditions:
This occurs when the following conditions are met:

-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.

Fix:
DNS Cache debug logging no longer causes tmm to crash.


670918-1 : Flash AS3 wrappers should have an additional check for the activation object

Component: Access Policy Manager

Symptoms:
Flash AS3 wrappers should have an additional check for the activation object.

Conditions:
Presence of a getlex (or [get/set]property after getpropstrict/getproperty) instruction that gets or sets the value of a variable with an interesting name such as "url" that is defined on an activation object.

Example:

...
(function() {
 var url;
 (function(){return url;})();
})();
...

Impact:
Flash application malfunction.

Fix:
APM Portal Access Rewrite has been improved to handle Flash ActionScript 3 in a more robust fashion.


670910-1 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined

Component: Access Policy Manager

Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.

Conditions:
This might occur when using the following definition:

<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
    xmlns:s="library://ns.adobe.com/flex/spark"
    width="100%" height="100%"
    minWidth="256" minHeight="64"
    creationComplete="initApp()">
    <s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
        <s:TextInput id="f_output" text="..." width="100%" />
        <fx:Script><![CDATA[
            import flash.external.ExternalInterface;
            private function initApp():void {
                f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
            }
        ]]></fx:Script>
    </s:VGroup>
</s:Application>

Impact:
Flash application malfunction.

Workaround:
None.

Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.


670822-4 : TMM may crash when processing SOCKS data

Solution Article: K55225440


670816-3 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters

Solution Article: K44519487

Component: Local Traffic Manager

Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.

Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.

Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.

Fix:
HTTP/HTTPS/TCP monitor response code for 'last fail reason' no longer contains extraneous trailing characters when the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.


670804-1 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP

Solution Article: K03163260

Component: Local Traffic Manager

Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.

Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified accept when used with OneConnect on a virtual server.

Fix:
Verified accept, OneConnect, and hardware syncookies now work together correctly.


669818-3 : Higher CPU usage for syslog-ng when a syslog server is down

Solution Article: K64537114

Component: TMOS

Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.

Conditions:
A remote log server is added but it is not available.

Impact:
Potentially higher than expected CPU usage.

Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.


669394 : CS redirects to incorrect URL

Solution Article: K23432927

Component: Application Security Manager

Symptoms:
The BIG-IP ASM system may redirect a client request to an incorrect URL after the client browser passes the client-side integrity defense JavaScript challenge.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have enabled the Client Side Integrity Defense feature in a DoS profile associated with a virtual server.
-- A client request containing a certain structured URL is processed by the virtual server with the DoS profile.
-- The client browser passes the client-side integrity defense JavaScript challenge issued by the BIG-IP ASM system.

Impact:
The client browser is redirected to an incorrect URL. If a malicious attacker triggers the DoS profile and then sends a maliciously crafted structured URL to unsuspecting users as part of a phishing attack, the users may be redirected to a malicious website.

Workaround:
None.

Fix:
Client side code no longer redirects to an incorrect URL under these conditions.


668623-2 : macOS Edge client fails to detect correct system language for regions other than USA

Solution Article: K85991425

Component: Access Policy Manager

Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.

Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).

Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.

Workaround:
Run one of the following commands in Terminal and re-launch the Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Customization of the following items for the Edge client now correctly reflects the region's language selection.

-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.


668521-1 : Bigd might stall while waiting for an external monitor process to exit

Component: Local Traffic Manager

Symptoms:
The bigd process restarts due to a heartbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.)

High system load makes this more likely to occur.

Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.

Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.

Fix:
bigd no longer stalls while waiting for an external monitor process to exit.


668196-3 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down

Component: Local Traffic Manager

Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.

Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).

Impact:
Pool member remains marked down.

Workaround:
This condition is very rare, but if it occurs, you can try removing the pool member or node and re-adding it.

Fix:
Connection limit is now correctly enforced with least-connections and pool member flap, so the member no longer incorrectly remains down.


667278-4 : DSC connections between BIG-IP units may fail to establish

Component: TMOS

Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:

-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).

While the unit at the other end of the connection will log messages similar to the following example:

-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed

Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).

Impact:
Config-Sync and device discovery operations will fail between affected units.

Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).

Fix:
Config-Sync and device discovery operations no longer fail.


667257-1 : CPU Usage Reaches 100% With High FastL4 Traffic

Component: TMOS

Symptoms:
CPU usage reaches 100% with high FastL4 traffic. The cause is an issue with re-offloading evicted FastL4 flows to the ePVA.
Typically observed on systems handling a lot of FastL4 traffic that have been upgraded to a version that has re-offload behavior implemented by Bug ID 563475: ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Conditions:
-- Most traffic is FastL4 forwarding deterministic LDNS.
-- ePVA hardware is in use.

Impact:
Default configurations may suddenly show higher CPU usage in the performance profile after upgrade.

Workaround:
None.

Fix:
The following db variables have been added to control re-offload behavior:

sys db pva.reoffload.delay {
    value "5"
}
sys db pva.reoffload.exponential {
    value "true"
}

pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.

If pva.reoffload.exponential is 'true', then on a collision there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on) before the flow is re-offloaded.

If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.

Behavior Change:
The following db variables have been added to control re-offload behavior:

sys db pva.reoffload.delay {
    value "5"
}
sys db pva.reoffload.exponential {
    value "true"
}

pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.

If pva.reoffload.exponential is 'true', then on a collision there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on) before the flow is re-offloaded.

If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.


667173-2 : 13.1.0 cannot join a device group with 13.1.0.1

Component: TMOS

Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.

Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.

Impact:
Cannot form Device Trust.

Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.

Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.


666454-6 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update

Solution Article: K05520115

Component: Access Policy Manager

Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.

The Edge client's svpn.log shows an error entry similar to:
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.

Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in a full tunneling configuration.
3) Mac OS X version is v10.12.5.

Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.

Impact:
VPN connection will fail.

Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.


666401-1 : Memory might become corrupted when a Standby device transitions to Active during failover

Solution Article: K03294104

Component: Local Traffic Manager

Symptoms:
When a failover event occurs with connection mirroring enabled, it is possible for memory to be corrupted when the Standby device transitions to Active.

Conditions:
-- Active-Standby high availability configuration.
-- Virtual server configured with the type set to 'Standard'.
-- Connection mirroring enabled.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Memory is no longer corrupted.


665905-1 : Signature System corruption from specific ASU prevents ASU load after upgrade

Solution Article: K83305000

Component: Application Security Manager

Symptoms:
After loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im" on 11.5.4 HF2 (or later) and upgrading to certain software versions, attempts to perform Signature Update fail.

Conditions:
-- Loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im".
-- Using v11.5.4 HF2 (or later).
-- Upgrading the device to 11.6.1, 12.1.0, 12.1.1, or 12.1.2.

Impact:
Attempts to perform Signature Update fail.

Workaround:
The mistaken Signature System can be deleted using the following SQL:

----------------------------------------------------------------------
UPDATE PLC.NEGSIG_SIGNATURE_SYSTEMS set system_id = 14 where system_id = (select system_id FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache');
DELETE FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache';
----------------------------------------------------------------------

Fix:
Database corruption introduced by loading Attack Signature Update 'ASM-SignatureFile_20170403_145743.im' is now corrected upon upgrade.


665732-5 : FastHTTP may crash when receiving a fragmented IP packet

Solution Article: K45001711

Component: Local Traffic Manager

Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.

Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.

Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.

Fix:
Packet reassembly is now forced before the packet is forwarded to a FastHTTP virtual server.


664930-1 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.


664769-2 : TMM may restart when using SOCKS profile and an iRule

Component: Local Traffic Manager

Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.

Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.

Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.

Fix:
TMM no longer crashes when a SOCKS profile is in use and a server-side iRule parks (blocks).


663924-3 : Qkview archives include Kerberos keytab files

Component: TMOS

Symptoms:
Qkview captures Kerberos keytab files used for APM dataplane services.

Conditions:
APM provisioned with Kerberos authentication.

Impact:
Private security key exposure.

Workaround:
There is no workaround.

Fix:
Qkview no longer collects the 'kerberos_keytab_file_d' directory containing keytab files when creating a qkview archive.
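A defender-side check for the exposure described above, added here as an example and not part of F5's qkview tooling: before a diagnostic archive produced by an affected version is shared, scan it for keytab material. The script assumes a qkview is a tar archive (gzip-compressed) and recognises keytabs both by the 'kerberos_keytab_file_d' path named in the note and by the keytab file header (0x05 0x01 or 0x05 0x02); the '.keytab' suffix and the archive contents below are constructed for the demonstration.

```python
"""
Scan a qkview-style tar archive for Kerberos keytab material before sharing it.

Added example; not F5 code. It assumes a qkview is a tar archive and that
keytab files live under a directory named 'kerberos_keytab_file_d' (from the
release note) or end in '.keytab' (assumed convention). The archive used in
build_sample_qkview() is constructed in memory for the demonstration.
"""
import io
import tarfile

# Path fragments that indicate keytab material.
SENSITIVE_MARKERS = ("kerberos_keytab_file_d/", ".keytab")

# Keytab files begin with a 2-byte version tag: 0x05 0x01 (v1) or 0x05 0x02 (v2).
KEYTAB_MAGIC = (b"\x05\x01", b"\x05\x02")


def _is_keytab_content(head: bytes) -> bool:
    """True if the first two bytes match a keytab version tag."""
    return head[:2] in KEYTAB_MAGIC


def find_keytab_material(archive_bytes: bytes) -> list:
    """Return archive member names that look like keytabs by path or by header."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            by_path = any(marker in member.name for marker in SENSITIVE_MARKERS)
            fobj = tar.extractfile(member)
            head = fobj.read(2) if fobj is not None else b""
            if by_path or _is_keytab_content(head):
                hits.append(member.name)
    return hits


def build_sample_qkview() -> bytes:
    """Construct a small tar.gz resembling a qkview, with keytab material inside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        files = {
            "qkview/config/bigip.conf": b"ltm virtual /Common/vs { }\n",
            "qkview/var/log/ltm": b"notice tmm[1]: started\n",
            # constructed keytab: v2 tag followed by dummy bytes, under the noted directory
            "qkview/config/filestore/kerberos_keytab_file_d/apm.keytab": b"\x05\x02" + b"\x00" * 16,
            # constructed keytab recognisable only by its header, not by its name
            "qkview/tmp/odd_name.bin": b"\x05\x01" + b"\x00" * 8,
        }
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_keytab_material(build_sample_qkview()):
        print("keytab material found:", name)
```

Run it against a real archive by passing the file's bytes to find_keytab_material(); any hit means the archive should be regenerated on a fixed version or have the member removed before it leaves the organisation.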


663326-3 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys

Component: Local Traffic Manager

Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.

Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.

Impact:
Even though the key has been stored in the HSM, the BIG-IP system is still unable to use it, because no stub key exists to be configured on the BIG-IP system.

Workaround:
This can be worked around by directly using the Thales command, for example:

[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
  [default sha1] >

Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.


663310-4 : named reports "file format mismatch" for text-format slave zone files when upgrading to versions with BIND 9.9.x

Component: Global Traffic Manager (DNS)

Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.

Conditions:
-- Upgrading from a BIG-IP version containing a pre-9.9.x version of BIND to a BIG-IP version with a BIND version later than 9.9.x.
-- Slave zone files are in text format.
-- The named.conf options do not set masterfile-format text.

Impact:
Zones cannot be loaded.

Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;

Fix:
BIND 9.9.x changes the default behavior governing the storage format of slave zone files to "raw" from "text".

On upgrade, the configuration is now parsed for slave zones that do not specify masterfile-format, and those zones are set to "text".


662881-3 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Solution Article: K10443875

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A spurious ACK no longer causes an outage; instead, the packet is dropped.


662850-3 : Expat XML library vulnerability CVE-2015-2716

Solution Article: K50459349


662816-3 : Monitor node log fd leak for certain monitor types

Solution Article: K61902543

Component: Local Traffic Manager

Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.

Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.

This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.

The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open

Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.

File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.

Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.

Fix:
The bigd daemon does not leak file descriptors for monitor node logs when certain types of LTM health monitors are configured with node logging enabled and the monitor is then removed from the LTM node, pool, or pool member configuration.


662663-3 : Decryption failure Nitrox platforms in vCMP mode

Solution Article: K52521791


661881-3 : Memory and performance issues when using certain ASN.1 decoding formats in iRules

Solution Article: K00030614

Component: Local Traffic Manager

Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.

Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.

Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.

Workaround:
None.

Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.

Fix:
Prevented memory leak when using calls to ASN1::decode with "a" or "B" characters in the format string.


660239-2 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

You may see such errors in the http error logs

Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf

Workaround:
There is no workaround at this time.

Fix:
Eliminated invalid header data.


659969-2 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.


659899-5 : Rare, intermittent system instability observed in dynamic load-balancing modes

Solution Article: K10589537

Component: Local Traffic Manager

Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.

Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.

Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.


658852-1 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from the APM client on Microsoft Windows. An empty User-Agent header is not RFC-compliant and causes some firewalls to block the connection. This might result in failure to establish a VPN tunnel.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.

Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.


658557-1 : The snmpd daemon may leak memory when processing requests.

Solution Article: K35209601


658278-4 : Network Access configuration with Layered-VS does not work with Edge Client

Component: Access Policy Manager

Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.

Conditions:
Network Access is configured as follows:
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.

Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.

Workaround:
None.

Fix:
Network Access configuration with Layered-VS now works with Edge Client.


658214-3 : TCP connections fail intermittently for mirrored FastL4 virtual server

Solution Article: K20228504

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror db variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.

Fix:
In this release, mirrored FastL4 virtual servers now forward the SYN on the server-side after receiving the context-ack from the peer, as expected.


657961-1 : The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown

Solution Article: K44031930

Component: Global Traffic Manager (DNS)

Symptoms:
The edit button in the Pools section of a Wide IP create page does not place the pool name entry back into the select dropdown.

Conditions:
There must be a pool in the selected list, and that pool must be highlighted when the edit button is clicked.

Impact:
The edit button does not work as intended.

Workaround:
Use the delete button and find the pool in the select dropdown to edit its ratio.

Fix:
Fixed issue that caused the edit button on the Wide IP create page to not place the pool name back into the select dropdown.


657883-3 : tmm cache resolver should not cache response with TTL=0

Solution Article: K34442339

Component: Local Traffic Manager

Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.

Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.

Impact:
tmm cache resolver caches responses with TTL=0.

Workaround:
None.

Fix:
The tmm cache resolver no longer caches responses with TTL=0, which is the correct behavior.


657795-2 : Possible performance impact on some SSL connections

Solution Article: K51498984

Component: Local Traffic Manager

Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.

Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.

-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.

Impact:
Performance may be impacted on those SSL connections.

Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.

Fix:
This release fixes an issue that might cause performance impact on certain SSL connections.


657713-3 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.

Solution Article: K05052273

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:

notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **

Conditions:
This issue occurs when either of the following sets of conditions is met:

Scenario 1:
-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- Your BIG-IP system is configured with DNS resolver.
-- The gateway pool is configured with Action On Service Down = Reject or Action On Service Down = Drop.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- An outstanding DNS request that is pending response.

Scenario 2:
-- Your BIG-IP system is not configured to route traffic using a gateway pool.
-- Your BIG-IP system is configured with DNS resolver.
-- All pools are configured with Action on Service Down = None.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
For the set of Conditions defined in the first scenario, you can use the following workaround:

Set service-down-action to Action On Service Down = None or Action On Service Down = Reselect.

There is no workaround for the issue described in the second scenario in Conditions.

Fix:
Gateway pool action no longer triggers TMM to produce a core file and restart.


657463 : SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect the handshake

Component: Local Traffic Manager

Symptoms:
SSL sends HUDEVT_SENT to TCP in the wrong state, which causes HTTP to disconnect the handshake.

Conditions:
SSL sends HUDEVT_SENT to TCP in the wrong state.

Impact:
HTTP disconnects the handshake.

Fix:
SSL is no longer allowed to send the HUDEVT_SENT event in the wrong state.


655807-3 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Solution Article: K40341291

Component: Global Traffic Manager (DNS)

Symptoms:
When the QoS load-balancing method is chosen, the packet rate dominates the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.

Fix:
Corrected a calculation error for QoS score involving packet rate.


655691-1 : GUI image list contains misleading 'MD5 Sum Verified' field

Component: TMOS

Symptoms:
In the GUI, images in the Image List and Hotfix List contain a field called 'MD5 Sum Verified', which is misleading since no such verification is actually done.

Conditions:
Using BIG-IP GUI and viewing the Image List and Hotfix List.

Impact:
It appears that MD5 sums are being verified when in reality much more limited tests are done.

Workaround:
N/A

Fix:
Replace 'MD5 Sum Verified' with 'BIG-IP Image Verified' in Image List and Hotfix List in BIG-IP GUI to more accurately reflect our verification procedures.


655432-4 : SSL renegotiation failed intermittently with AES-GCM cipher

Solution Article: K85522235

Component: Local Traffic Manager

Symptoms:
SSL renegotiation fails intermittently with an AES-GCM cipher because the IV is not properly updated when a change cipher spec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate clients using renegotiation. This issue prevents their clients from properly connecting to the servers.

Workaround:
Disable AES-GCM cipher.

Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.


655211-2 : bigd crash (SIGSEGV) when running FQDN node monitors

Component: Local Traffic Manager

Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.

Conditions:
bigd is configured for FQDN node monitors.

Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.

Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.

Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.


655146-5 : APM Profile access stats are not updated correctly

Component: Access Policy Manager

Symptoms:
The active and established sessions counts in the output of 'tmsh show apm profile access' command are not getting updated as sessions are established and terminated. At the same time, the following errors are showing up in the APM log:

err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)

Conditions:
-- When session is established and terminated.
-- Running the command: tmsh show apm profile access to view stats.

Impact:
APM profile access stats are not accurate.

Workaround:
None.

Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.


655059-2 : TMM Crash

Solution Article: K37404773


655021-3 : BIND vulnerability CVE-2017-3138

Solution Article: K23598445


654599-2 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Solution Article: K74132601

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The configuration contains a large number (in the thousands) of GSLB virtual servers or wide IPs, and the action is not completed.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.

Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.


654566-1 : Incomplete files still linked in /shared/vmisolinks

Solution Article: K94822416

Component: TMOS

Symptoms:
If copying of an image file is interrupted and leaves a partial file with a .part or .filepart extension, it is still linked in /shared/vmisolinks and synced between blades.

Conditions:
Copy of an image to /shared/images is interrupted and a file with a .part or .filepart extension is left behind.

Impact:
The corrupted copy might appear valid when it is not.

Workaround:
Delete incomplete file copies with extension .part or .filepart.

Fix:
Csyncd ignores files with extensions .part or .filepart in /shared/images.


654513-5 : APM daemon crashes when the LDAP query agent returns empty in its search results.

Solution Article: K11003951

Component: Access Policy Manager

Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP access profile access policy is configured with an AD Auth agent.
-- The access policy is configured with an LDAP query agent.
-- A user successfully authenticates to the access profile.
-- The LDAP query agent returns no query results.

Impact:
The APM daemon crashes, and RBA and WebSSO need to be restarted. This is a very rarely encountered issue.

Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.

Note: Adding the extra LDAP Auth agent to the policy preserves functionality and features, and lets the policy fail in the LDAP Auth agent instead of crashing in the LDAP Query agent.

Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.


654368-5 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require

Solution Article: K15732489

Component: Local Traffic Manager

Symptoms:
No error is reported when the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by a trusted CA, if the CRL issuer has the same subject name as one of the certificates in the trusted CA bundle.

Conditions:
This occurs when associating CRLs with virtual servers.

Impact:
Error is not reported for invalid CRL.

Workaround:
The openssl command can be used to check whether the CRL is signed by a trusted CA.

The command to verify CRL against a CA file is as follows:
openssl crl -CAfile <path to the CA certificate bundle/file> -noout -in <path to CRL file>

Fix:
Error is reported in TMM logs if the CRL is not signed by trusted CA.


654109-3 : Configuration loading may fail when iRules calling procs in other iRules are deleted

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Loading of the configuration fails with a message indicating that a previously deleted iRule cannot be found:

 01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Conditions:
- iRule A calls a proc defined in another iRule B.
- iRule A is attached to a virtual server.
- iRule A is detached and deleted.
- The configuration is loaded (or a config sync is performed).

Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.


653993-2 : A specific sequence of packets to the HA listener may cause tmm to produce a core file

Solution Article: K12044607


653880-1 : Kernel Vulnerability: CVE-2017-6214

Solution Article: K81211720


652877-2 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades

Component: TMOS

Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:

-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.

In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.

Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.

You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.

Impact:
MCPD restart on all secondary blades results in partial service outage.

Workaround:
Reactivate the license only on a system that is standby/offline.

Fix:
Reactivating the license on a VIPRION system no longer causes MCPD process restart on one or all secondary blades.


652516-1 : Multiple Linux Kernel Vulnerabilities

Solution Article: K31603170


652400-1 : During blade changes, PBA may cause a TMM restart

Component: Carrier-Grade NAT

Symptoms:
TMM restarts, and an ASSERT message stating that there have been too many retries appears in the logs.

Conditions:
-- A port block allocation configuration with very high CPU utilization.
-- The addition of a new blade.
-- Running a version earlier than 12.0.0.

Impact:
TMM will restart, so existing blocks and connections will be lost. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.


652004-4 : Show /apm access-info all-properties causes memory leaks in tmm

Solution Article: K45320415

Component: Access Policy Manager

Symptoms:
When tmsh is used to view session information, memory leaks on each request that pulls session information from tmm. The leak is small, but it can become a significant issue when all sessions are examined or when sessions are examined multiple times in a short interval.

Conditions:
Using 'show /apm access-info all-properties'.

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
The only workaround is to avoid using the MCP interface to the tmm daemon for this purpose, or to restart the tmm processes periodically after using the interface multiple times.

Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.


651901-4 : Removed unnecessary ASSERTs in MPTCP code

Component: Local Traffic Manager

Symptoms:
There are many scenarios that call ASSERT in the MPTCP code, many of which can be handled without using ASSERT.

Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.

Impact:
If an ASSERT fails, traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
Replaced many ASSERTs with other mitigations that allow TMM to continue running.


651772-5 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, whether by a host daemon, by monitors, or from the command line, may use a MAC address and IPv6 source address belonging to a different VLAN.

Conditions:
- Multiple VLANs with IPv6 addresses configured.
- Multiple routes that cover the traffic destination (identical routes, more-specific routes, default routes, etc.).
- Route changes that cause traffic to the destination to shift from one VLAN and gateway to another, as typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local next hops can avoid this issue.
This may be achieved by a script or an external monitor that pings the next hop's link-local address on the specific VLAN.

Fix:
IPv6 host traffic no longer uses an incorrect IPv6 and MAC address after route updates.

Behavior Change:
The sys db variable ipv6.host.router_probe_interval is introduced to control the sysctl net.ipv6.conf.default.router_probe_interval value. Its default is 5 seconds.


651541-3 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile

Solution Article: K83955631

Component: Local Traffic Manager

Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.

Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.

Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.

Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.

Fix:
Changing the HTTP profile now triggers validation of all virtual servers using that profile.


651155-4 : HSB continually logs 'loopback ring 0 tx not active'

Component: TMOS

Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.

Conditions:
The conditions under which this occurs are not known.

Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.

Workaround:
None.

Fix:
HSB no longer continually logs 'loopback ring 0 tx not active'.


650292-3 : DNS transparent cache can return non-recursive results for recursive queries

Component: Local Traffic Manager

Symptoms:
If a non-recursive query is cached by the DNS transparent cache, subsequent recursive queries receive the non-recursive answer.

Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.

Impact:
Non-recursive responses are returned for recursive requests.

Workaround:
An iRule attached to the listener can disable the cache when the RD (recursion desired) bit is not set in the DNS request.

Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.
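
The failure mode this entry describes, shown as an added Python model (not BIG-IP code): a toy transparent cache that keys only on the question replays a non-recursive referral to a later recursive client, while the corrected cache records the RD value each entry was fetched under and refetches for a recursive client. The query builder, the stand-in upstream server and the www.example.com lookups are constructed for the example; the RD, QR and RA flag positions are those of the DNS header.

```python
import struct

RD = 0x0100   # recursion desired
QR = 0x8000   # message is a response
RA = 0x0080   # recursion available


def build_query(qname, rd, txid=0x1234, qtype=1):
    """Minimal DNS query: 12-byte header plus one class-IN question."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ancount": an, "nscount": ns}


def parse_question(msg):
    """(qname, qtype) of the first question; queries carry no name compression."""
    off, labels = 12, []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype = struct.unpack("!H", msg[off + 1:off + 3])[0]
    return ".".join(labels), qtype


def upstream(query):
    """Constructed stand-in for the origin server (not a real resolver):
    an RD=1 query gets one answer RR, an RD=0 query gets a referral
    (0 answers, 1 authority RR). RR bodies are omitted; only the section
    counts matter for this demonstration."""
    h = parse_header(query)
    flags = QR | RA | (RD if h["rd"] else 0)
    ancount, nscount = (1, 0) if h["rd"] else (0, 1)
    return struct.pack("!HHHHHH", h["id"], flags, 1, ancount, nscount, 0) + query[12:]


def with_id(response, query):
    """Copy the client's transaction ID onto a cached response."""
    return query[:2] + response[2:]


class BuggyCache:
    """Keys only on (qname, qtype), so a referral cached for an RD=0 query
    is replayed to later RD=1 clients (the behaviour this entry fixes)."""
    def __init__(self):
        self.store = {}

    def resolve(self, query):
        key = parse_question(query)
        if key not in self.store:
            self.store[key] = upstream(query)
        return with_id(self.store[key], query)


class FixedCache:
    """Records the RD value each entry was fetched under: an RD=1 query
    never reuses an RD=0 entry, and the recursive answer replaces it."""
    def __init__(self):
        self.store = {}

    def resolve(self, query):
        key = parse_question(query)
        want_rd = parse_header(query)["rd"]
        hit = self.store.get(key)
        if hit is None or (want_rd and not hit[0]):
            hit = (want_rd, upstream(query))
            self.store[key] = hit
        return with_id(hit[1], query)


def replay(cache_cls):
    """Non-recursive lookup first, then a recursive lookup for the same name;
    returns the answer count each client receives."""
    cache = cache_cls()
    first = cache.resolve(build_query("www.example.com", rd=False))
    second = cache.resolve(build_query("www.example.com", rd=True, txid=0x5678))
    return parse_header(first)["ancount"], parse_header(second)["ancount"]


if __name__ == "__main__":
    print("buggy cache (first, second) ancount:", replay(BuggyCache))   # (0, 0)
    print("fixed cache (first, second) ancount:", replay(FixedCache))   # (0, 1)
```

The same check applies to a real deployment: send the same question with RD=0 and then RD=1 through the listener and compare the answer sections; before the fix the second reply carries the referral that was cached for the first.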


650002-3 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.

Fix:
Mongolia's rules were updated so that it no longer observes DST, and the new America/Punta_Arenas zone was created for the Magallanes Region of Chile. Changes were also made to support other timezone changes.

* The zone1970.tab file has been added to the list of files to be installed with the tzdata packages installation.

Note: Users of tzdata are advised to upgrade tzdata to tzdata-2017b-1.el6.


649933-3 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.
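
The wire format behind this entry, as an added Python example (not BIG-IP code): a RADIUS packet builder and parser that enforces the RFC 2865 length bound, extracts attribute 61 (NAS-Port-Type) as an integer the way the entry's RADIUS::avp 61 "integer" call does, and flags messages larger than the 2048 bytes at which the iRule failed. The sample Access-Request and its Proxy-State filler attributes are constructed here; the 2048 figure comes from the entry and the 4096 maximum from RFC 2865.

```python
import struct

RADIUS_MAX_LEN = 4096      # RFC 2865, section 3: Length field is 20..4096
IRULE_AVP_LIMIT = 2048     # size above which this entry says RADIUS::avp failed
ACCESS_REQUEST = 1
NAS_PORT_TYPE = 61         # integer attribute named in the entry's log line
PROXY_STATE = 33           # opaque string attribute, used here only as filler


def build_avp(atype, value):
    """Type(1) Length(1, header included) Value; integers are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("AVP value longer than 253 bytes")
    return bytes([atype, 2 + len(value)]) + value


def build_packet(code, identifier, avps, authenticator=b"\x11" * 16):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(avps)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Return (code, identifier, [(type, value), ...]); ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > RADIUS_MAX_LEN or length > len(pkt):
        raise ValueError("bad Length field %d" % length)
    avps, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length %d" % alen)
        avps.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return code, ident, avps


def is_valid(pkt):
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


def avp_integer(pkt, atype):
    """Equivalent of 'RADIUS::avp <type> integer': the first matching AVP
    decoded as a 32-bit big-endian integer, or None when absent."""
    for t, v in parse_packet(pkt)[2]:
        if t == atype:
            if len(v) != 4:
                raise ValueError("integer AVP must be exactly 4 bytes")
            return struct.unpack("!I", v)[0]
    return None


def exceeds_irule_limit(pkt):
    """True when the message is larger than the 2048-byte size this entry describes."""
    return len(pkt) > IRULE_AVP_LIMIT


def sample_packet(filler_avps):
    """Constructed Access-Request: NAS-Port-Type = 15 (Ethernet) followed by
    N maximum-size Proxy-State attributes to control the total length."""
    avps = [build_avp(NAS_PORT_TYPE, 15)]
    avps += [build_avp(PROXY_STATE, b"x" * 253) for _ in range(filler_avps)]
    return build_packet(ACCESS_REQUEST, 7, avps)


if __name__ == "__main__":
    for n in (2, 9, 16):
        pkt = sample_packet(n)
        print(len(pkt), "bytes: valid=%s over_2048=%s NAS-Port-Type=%s"
              % (is_valid(pkt), exceeds_irule_limit(pkt),
                 avp_integer(pkt, NAS_PORT_TYPE) if is_valid(pkt) else "n/a"))
```

The point of the size check is the caveat in the workaround: RFC 2865 allows messages up to 4096 bytes, so a client or server that sends a 2321-byte Access-Request (nine full-size Proxy-State attributes here) is within specification and still hits the iRule failure on unfixed versions.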


649907-3 : BIND vulnerability CVE-2017-3137

Solution Article: K30164784


649904-3 : BIND vulnerability CVE-2017-3136

Solution Article: K23598445


649613-1 : Multiple UDP/TCP packets packed into one DTLS Record

Component: Access Policy Manager

Symptoms:
The system converts server-provided packets into PPP buffers, which are then packed into DTLS records. A DTLS record can hold about 14 KB, so the system can pack multiple PPP packets into one DTLS record.

However, a large DTLS record can be fragmented at the IP layer. In a lossy environment, losing one IP fragment causes the whole DTLS record to be lost, resulting in poor performance.

Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.

Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.

Workaround:
None.

Fix:
DTLS performance has been improved in lossy or high-latency networks by optimizing the number of encoded PPP records placed inside each DTLS record.


649564-3 : Crash related to GTM monitors with long RECV strings

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.

Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.

Impact:
Core dump. Traffic might be disrupted while gtmd restarts.

Workaround:
None.

Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.


649234-4 : TMM crash from a possible memory corruption.

Solution Article: K64131101

Component: Access Policy Manager

Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.

Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes TMM crash.


648954-3 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:

    01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Referencing an iRule that previously existed, but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).


648879-1 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555

Solution Article: K90803619


648865-1 : Linux kernel vulnerability: CVE-2017-6074

Solution Article: K82508682


648786-2 : TMM crashes when categorizing long URLs

Solution Article: K31404801


648320-1 : Downloading via APM tunnels could experience performance downgrade.

Solution Article: K38159538

Component: Local Traffic Manager

Symptoms:
Multiple DTLS records can be packed into one UDP packet. When packet size is too large, packet fragmentation is possible at IP layer. This causes high number of packet drops and therefore performance downgrade.

Conditions:
When downloading using APM tunnels.

Impact:
High number of packet drops and inferior performance.

Workaround:
None.

Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.


648316 : Flows using DEFLATE decompression can generate error message during flow tear-down.

Solution Article: K10776106

Component: TMOS

Symptoms:
Repeated entries in the ltm log will show a completion-code error (comp_code=4) as in the following:

  Zip engine ctx eviction (comp_code=4): ctx dropped.

Conditions:
The problem occurs when a flow that requests DEFLATE decompression is terminated when the compression engine is still in the middle of working on an incomplete DEFLATE block.

Impact:
False errors can appear:
  o In fields of tmctl rst_cause_stat table, false stats counters will increment for compression and packet errors.
  o Log entries with the "Zip engine... (comp_code=4)" appear in ltm log.

Monitors observing the ltm log or stats in the tmctl rst_cause_stat table will see false positives.

Workaround:
Disable hardware acceleration.

Fix:
A new tcl variable, nitrox::comp_suppress_itrunc, was added. It defaults to NO which yields legacy behavior. Setting it to YES causes comp_code=4 (ITRUNC) errors to not propagate as an error.

To enable the feature, add the following line to /config/tmm_init.tcl:

    nitrox::comp_suppress_itrunc yes

You will have to restart tmm for the change to take effect.


648083-1 : APM rewrite process may incorrectly handle the eval() function.

Solution Article: K83700745

Component: Access Policy Manager

Symptoms:
Errors indicated by web-application.

Other potential symptoms include incorrect rendering for some pages and/or links not rewritten in web applications.

Conditions:
Using indirect references to native eval function in web-application code.

For example, using a function in the web application's code similar to the following, where e is an indirect reference to the native eval:

function f(n) {
  var e = eval;
  return e(n);
}
f(some_text)

Impact:
Application does not work correctly via Portal Access.

Workaround:
Use a custom iRule.

Fix:
Now Portal Access supports calling eval() using indirect references. This improves web-application compatibility.


647944-3 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server

Component: TMOS

Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.

Conditions:
A FIX profile is in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:

- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.

Impact:
Traffic disrupted while mcpd restarts.

Fix:
Prevented MCP from crashing when the FIX profile is edited.


647757-1 : RATE-SHAPER:Fred not properly initialized may halt traffic

Solution Article: K96395052

Component: Local Traffic Manager

Symptoms:
RATE-SHAPER:Fred is not properly initialized and might halt traffic.

Conditions:
Initialize RATE-SHAPER:Fred as the drop policy using its default properties.

Impact:
Traffic is halted.

Workaround:
There are two possible workarounds:
-- Initialize the drop policy fred to the value of 9999 instead of default 0.
-- Use RED as drop policy instead of fred.


647165 : A monitor may unexpectedly transition from up to down and back to up.

Component: Local Traffic Manager

Symptoms:
A pool member or node monitor may unexpectedly transition from up to down and back to up even though the pool member or node has not failed.

Conditions:
One or more of FTP, IMAP, POP3, or SMTP monitors are in use. This might also occur with monitor types other than those listed.

Impact:
BIG-IP system might send a premature FIN on the connection. This might result in unexpected monitor flapping even though the monitored object has not failed.

Workaround:
None.

Fix:
BIG-IP system no longer sends a premature FIN on the connection, so unexpected monitor flapping no longer occurs, in this case.


646643-3 : HA standby virtual server with non-default lasthop settings may crash.

Solution Article: K43005132

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.

Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).

-- That virtual server receives more than 2 billion connections (approximately 2^31, the maximum value of a signed 32-bit integer).

Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.


646604-3 : Client connection may hang when NTLM and OneConnect profiles used together

Solution Article: K21005334

Component: Local Traffic Manager

Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is reused. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.


646443-3 : Ephemeral Node may be errantly created in bigd, causing crash

Solution Article: K54432535

Component: Local Traffic Manager

Symptoms:
When FQDN ephemeral nodes are in use at the same time as static node objects and those objects change, either through DNS resolver updates or manual changes to static nodes, one may be misidentified as the other during the update, causing bigd to crash.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP configuration contains a mix of FQDN pool members or nodes, and static node objects.
-- You perform one of the following actions:
  + Modify current node settings
  + Create or delete nodes

Impact:
The bigd process restarts and produces a core file, causing interruption of pool member monitors.

Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.

Fix:
Fixed case where misidentification may occur, resulting in bigd running without crashing.


645684-1 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application components are loaded into incorrect ApplicationDomain and in some rare cases this may cause errors in application.

Conditions:
This can occur when viewing Flash video while connected to APM.

Impact:
Flash applications might fail to render through Portal Access.

Workaround:
None

Fix:
Flash files accessed through Portal Access are now loading components into correct Application Domain. This improves compatibility with Flash apps.


645615-3 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Solution Article: K70543226

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.


645197-2 : Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change

Component: Local Traffic Manager

Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) accumulate in the monitor history. Upon a monitor status change (such as to 'fail'), this history is sent from 'bigd' to 'mcpd' to indicate the monitor's new status plus historical context. The history may grow too large if no status change is detected for an extended time (days or weeks) while unique status codes are returned from the web server and accumulated. When a status change then occurs (such as from 'success' to 'fail'), the notification from 'bigd' to 'mcpd' fails because the history is too large, and the monitor remains in its previous state ('success'). 'bigd' records the status correctly and continues to monitor, but 'mcpd' is not notified of the change.

This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating 'success'), as 'bigd' elides/merges the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (e.g., by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history continues to grow for that monitor until a status-change is detected.

Conditions:
-- Web server returns unique HTTP/1.1 200 (success) codes, such as an included date/time stamp.
-- Success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from 'success' to 'fail').

Impact:
The monitor remains in the 'success' state, as the status change is lost ('bigd' recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes and again forwards status-change notifications for that monitor to 'mcpd'.

Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes.

(Receiving the same return-code elides/merges content with previously accumulated values in the monitor history.)

Fix:
HTTP/1.1 200 codes with unique values accumulate for limited history, rather than unbounded history, such that monitor status change notifications are always recorded.


645179-3 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.

Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

Fix:
Traffic groups no longer becomes active on more than one BIG-IP system in a device group after a long uptime interval.
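
A check derived from the two intervals this entry quotes, as an added Python example (not F5 code): the ~710-day and ~331-day figures are both consistent with a 32-bit counter that advances ten times per second for each traffic group and wraps at 2^32. That model is an inference from the numbers above, not something the entry states; the functions use it to estimate the wrap interval and a reboot cadence for other traffic-group counts on unfixed versions.

```python
COUNTER_MAX = 2 ** 32      # assumed 32-bit wrap
TICKS_PER_SECOND = 10      # inferred from the entry's two data points, not stated by the page
SECONDS_PER_DAY = 86400


def days_until_wrap(traffic_groups):
    """Uptime in days after which the assumed counter, shared by all traffic groups, wraps."""
    if traffic_groups < 1:
        raise ValueError("at least one traffic group is required")
    ticks_per_day = TICKS_PER_SECOND * traffic_groups * SECONDS_PER_DAY
    return COUNTER_MAX / ticks_per_day


def reboot_interval_days(traffic_groups, margin=0.9):
    """Scheduled reboot cadence (whole days) that stays inside the wrap interval
    with the given safety margin; this is the 'regular interval' the workaround asks for."""
    return int(days_until_wrap(traffic_groups) * margin)


def model_matches_page():
    """Sanity check of the inferred model against the intervals the entry quotes."""
    return round(days_until_wrap(7)) == 710 and round(days_until_wrap(15)) == 331


if __name__ == "__main__":
    print("model reproduces the entry's figures:", model_matches_page())
    for groups in (1, 7, 15, 30):
        print("%2d traffic groups: wrap after ~%d days, reboot every %d days"
              % (groups, round(days_until_wrap(groups)), reboot_interval_days(groups)))
```

Because the interval shrinks linearly with the number of traffic groups, a device group with many traffic groups reaches the condition within a year; confirm against your own uptime (for example, the output of uptime on each unit) rather than relying on the estimate alone.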


645101-4 : OpenSSL vulnerability CVE-2017-3732

Solution Article: K44512851


645058-1 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.

Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.


645036-4 : Removing pool from virtual server does not update its status

Solution Article: K85772089

Component: Local Traffic Manager

Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.

Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.

Impact:
The virtual server will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.

Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.

Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.

Fix:
Removing a pool from a virtual server now correctly resets the virtual server status to unknown.


644970-2 : Editing a virtual server config loses SSL encryption on iSession connections

Component: Wan Optimization Manager

Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.

Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.

Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.

Workaround:
Modify the virtual server's configured server-side iSession profile. For example toggle the iSession profile from A to B and then back to A.

Fix:
Editing a virtual server configuration no longer deletes an iSession dynamically configured default server-ssl profile.


644904-4 : tcpdump 4.9

Solution Article: K55129614


644693-4 : Fix for multiple CVE for openjdk-1.7.0

Solution Article: K15518610


644489-2 : Unencrypted iSession connection established even though data-encrypt configured in profile

Solution Article: K14899014

Component: Wan Optimization Manager

Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.

Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
    1) An error occurs during dynamic server-ssl profile replacement.
    2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.

In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.

Impact:
An unencrypted iSession connection may be established, which is inconsistent with data-encrypt being enabled in the server-side iSession profile.

Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.

Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
    1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
    2) An error occurs during dynamic server-ssl profile replacement.


644220-2 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.

Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.


644184-1 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Solution Article: K36427438

Component: TMOS

Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.

Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.

Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.

Fix:
ZebOS daemons no longer hang while AgentX is waiting.


644112-4 : Permanent connections may be expired when endpoint becomes unreachable

Solution Article: K56150996

Component: Local Traffic Manager

Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.

Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.

Impact:
Tunnel, or other affected connection, will not pass traffic.

Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.

Fix:
Routing updates can no longer lead to expired permanent connections.


643777-3 : LTM policies with more than one IP address in TCP address match may fail

Solution Article: K27629542

Component: Local Traffic Manager

Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.

Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.

Impact:
The action configured with the match may not be taken.

Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.

Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.


643631-1 : Serverside connections on virtual servers using VDI may become zombies.

Solution Article: K70938130

Component: Local Traffic Manager

Symptoms:
Listing connections with "tmsh show sys connection all-properties" (please be cautious executing this command as it could have performance impact) will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.

Conditions:
APM provisioned and VDI (Virtual Desktop Infrastructure) is configured on the affected virtual.

Impact:
Zombie connections consume memory that cannot be reclaimed. Potential out-of-memory condition.

Workaround:
None.

Fix:
Expired serverside connections are properly torn down.


643582-1 : Config load with large ssl profile configuration may cause tmm restart

Component: Local Traffic Manager

Symptoms:
When doing a config load with a large number of SSL profiles, tmm may become busy enough that its TCP connection to mcpd drops, which causes tmm to restart.

Conditions:
Doing a full config load with large number of ssl profiles.

Impact:
Possible tmm restart.

Workaround:
Doing incremental sync of changes can avoid this issue.

Fix:
A full configuration reload with a large number of SSL profiles no longer causes tmm to restart.


643554-11 : OpenSSL vulnerabilities - OpenSSL 1.0.2k library update

Solution Article: K37526132 K44512851 K43570545


643375-2 : TMM may crash when processing compressed data

Solution Article: K10329515


643210-1 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM

Solution Article: K45444280

Component: Local Traffic Manager

Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.

Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.

Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.

Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.

Fix:
The BIG-IP no longer deletes keys from the SafeNet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.


643187-3 : BIND vulnerability CVE-2017-3135

Solution Article: K80533167


643034-3 : Turn off TCP Proxy ICMP forwarding by default

Solution Article: K52510343

Component: Local Traffic Manager

Symptoms:
Forwarding of ICMP PMTU messages through the BIG-IP can negatively impact performance if OneConnect or SNAT functionality is active.

Conditions:
Forwarding of ICMP PMTU messages through the BIG-IP when OneConnect or SNAT are active.

Impact:
Peers use suboptimal Path Maximum Transmission Units (PMTUs).

Workaround:
For TCP and UDP proxies, ensure proxy-mss is disabled in the profile.

OR

Disable MTU caching on pool members.

Fix:
There are legitimate reasons to forward ICMP messages through BIG-IP, so in some cases mitigation must occur at pool members. However, we have introduced more control (tm.tcp.enforcepathmtu) to tune this more precisely.

Behavior Change:
The default behavior on TCP proxies is now to not forward ICMP messages, restoring the default from TMOS 12.0.0 and earlier.

For TCP proxies to forward ICMP PMTU messages now requires BOTH proxy-mss 'enabled' in the TCP profile (which is the default setting) and 'tm.tcp.enforcepathmtu' set to 'enabled' (not the default).


642400-1 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS on the path. Alternatively, disable Path MTU discovery with the tm.pathmtudiscovery database key.

Fix:
Path MTU discovery functions correctly with the TCP profile.


642298-2 : Unable to create a bidirectional custom persistence record in MRF SIP

Component: Service Provider

Symptoms:
Setting a persistence key via iRule sets the persistence entry as uni-directional

Conditions:
MRF SIP is in use and a persistence key is set via an iRule.

Impact:
Custom SIP persistence entries cannot be bidirectional.

Fix:
This change adds a new SIP::persist key to set or reset the persistence entry as bidirectional.


642068-2 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).

Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.


642039-3 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Solution Article: K20140595

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way to use those iRule commands without causing a tmm core.

Fix:
TMM no longer cores when persist is enabled for wideip and those iRule commands are triggered.


641512-3 : DNSSEC key generations fail with lots of invalid SSL traffic

Solution Article: K51064420

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can be configured to roll over periodically. When the BIG-IP system is handling a lot of SSL traffic with invalid certificates, the rollover fails, leaving no keys to sign DNSSEC queries (no RRSIG records).

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys are configured with periodic rollover, and the certificate processing path queues an error (for example, but not limited to, a lot of SSL traffic with invalid certificates).

Impact:
New DNSSEC key generations are not accepted by TMM, so when the prior generation expires there is no valid key to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.

Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.


641482-5 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received

Component: Policy Enforcement Manager

Symptoms:
The BIG-IP subscriber session remains in the delete-pending (stale) state if the acknowledgement received from Gx or Gy for a CCR-T request carries a Result-Code marked as failure.

Conditions:
The stale session occurs during subscriber termination when any CCR-T request for Gx or Gy receives an acknowledgement with a non-SUCCESS value in the Result-Code AVP.

Impact:
The subscriber session in the BIG-IP system stays in the delete-pending (stale) state.

Workaround:
A tmm restart cleans up all the stale sessions.

Fix:
The session is now cleaned up when a CCR-T acknowledgement is received, irrespective of the Result-Code AVP.


641390-4 : Backslash removal in LTM monitors after upgrade

Solution Article: K00216423

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.

Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.

For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor fails to load.

Workaround:
Manually correct the string to be the way it was before the upgrade; the configuration then loads.

Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.


641360-3 : SOCKS proxy protocol error

Solution Article: K30201296


640924-6 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12), the LED icons on the Edge client's main UI buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.

Conditions:
macOS Sierra (10.12.x) and Edge client application.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
None.

Fix:
On macOS Sierra (10.12), the LED icons on the Edge client's main UI buttons (connect, disconnect and auto-connect) are now scaled correctly.


640768-1 : Kernel vulnerability: CVE-2016-10088

Solution Article: K05513373


640565-3 : Incorrect packet size sent to clone pool member

Solution Article: K11564859

Component: Local Traffic Manager

Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.

Conditions:
Clone pool is configured on a virtual server.

Impact:
Clone pool members may get traffic exceeding the link MTU.

Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable


640407-4 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF

Component: Service Provider

Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.

Conditions:
Use of an iRule command that gets or sets state in a MRF protocol filter or MR proxy during CLIENT_CLOSED iRule event may core. This is because CLIENT_CLOSED event is raised after all state has been freed for the current connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule commands that get or set connection state during the CLIENT_CLOSED iRule event.


639619-4 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Component: TMOS

Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
The configuration then fails to load due to a secure attribute decryption failure.

Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Impact:
The configuration fails to load.

Workaround:
Perform the following procedure:

1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info

5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot

Fix:
The system now always reloads the .unitkey from storage when loading other keys, so the UCS loads as expected.


639617 : When AVR collects Page Load Time and/or session data, the Content-Length can be set incorrectly

Component: Application Visibility and Reporting

Symptoms:
When the analytics profile with 'Page Load Time' and 'User Sessions' options is attached to a virtual server, sometimes it can incorrectly modify Content-Length for HTML responses. This might happen due to memory corruption.

Conditions:
AVR collects session and/or 'Page Load Time' statistics.

Impact:
The response 'Content-Length' can be wrong.

Workaround:
Clear the 'Page Load Time' and 'User Sessions' collection options on the analytics profile.

Fix:
Potential memory corruption has been fixed. AVR sets the 'Content-Length' to the right value.


639395-1 : AVR does not display 'Max read latency' units.

Solution Article: K91614278

Component: Application Visibility and Reporting

Symptoms:
AVR does not display units for 'Max Read Latency'.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.

Fix:
Added units (microsecond) to AVR report.


639236-3 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Solution Article: K66947004

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain a Contact header with an expires value set to 0 that is not the last attribute.

Conditions:
The Contact header has an expires value of 0 and it is not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1

Impact:
The REGISTER is rejected with a '400 Bad request' error message.

Workaround:
None.

Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.
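The Contact header handling described above, as an added example that is not part of the original release note and not F5's SIP MRF parser: a small Python parser that accepts expires=0 in any parameter position (and across several Contact entries), with the sample header from the note embedded as constructed input.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the REGISTER Contact header quoted in the release note.
SAMPLE_HEADER = "Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1"


@dataclass
class ContactEntry:
    uri: str
    # Parameter name -> value; a flag parameter without '=' maps to None.
    params: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def expires(self) -> Optional[int]:
        """Contact-level expires, wherever it sits in the parameter list (0 is valid)."""
        raw = self.params.get("expires")
        return int(raw) if raw is not None and raw.isdigit() else None


def _split_outside(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring occurrences inside <...> or "..." (URIs and display names)."""
    parts: List[str] = []
    cur: List[str] = []
    depth, quoted = 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "<":
            depth += 1
        elif not quoted and ch == ">":
            depth -= 1
        if ch == sep and depth == 0 and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_contact(header: str) -> List[ContactEntry]:
    """Parse one Contact header line (full or compact 'm:' form) into its entries."""
    name, sep, value = header.partition(":")
    if not sep or name.strip().lower() not in ("contact", "m"):
        raise ValueError("not a Contact header line")
    entries: List[ContactEntry] = []
    for item in _split_outside(value, ","):
        fields = _split_outside(item, ";")
        addr, param_tokens = fields[0], fields[1:]
        match = re.search(r"<([^>]+)>", addr)
        uri = match.group(1) if match else addr  # bare URI or the '*' wildcard
        params: Dict[str, Optional[str]] = {}
        for tok in param_tokens:
            # Parameter names are case-insensitive; position does not matter.
            key, eq, val = tok.partition("=")
            params[key.strip().lower()] = val.strip() if eq else None
        entries.append(ContactEntry(uri=uri, params=params))
    return entries


def is_deregistration(header: str) -> bool:
    """True when every Contact entry asks for expires=0 (or uses the '*' wildcard)."""
    entries = parse_contact(header)
    return bool(entries) and all(e.uri == "*" or e.expires == 0 for e in entries)


if __name__ == "__main__":
    for entry in parse_contact(SAMPLE_HEADER):
        print(entry.uri, entry.params, "expires ->", entry.expires)
```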


638935-7 : Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: TMOS

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where a monitor string contains \" (backslash double-quote) but does not contain any of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example, a string such as
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, or username fields is now enclosed in quotes. The output of 'list ltm monitor' and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

If you have an escaped quote in your configuration and are moving to a version that depends on this fix, you cannot reload the configuration, or the license (which also reloads the configuration). Doing so causes the config load to fail.
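A model of the save/load round trip behind 641390-4 and 638935-7, added here as an example and not BIG-IP's own bigip.conf serializer (whose exact tokenizer rules are not on this page): the writer's quoting test is weaker than the reader's tokenizer, so a monitor string containing \" but none of the listed special characters is written bare and then fails to load, while the corrected predicate quotes such values and they round-trip unchanged. The quoting rules and sample strings are constructed from the two notes.

```python
from typing import Callable

# Characters that, per the release note, force a monitor string to be written in quotes.
SPECIAL = set("'|{};#\n ")

# Constructed sample values from the two notes: an escaped-quote recv string and a plain one.
RECV_WITH_ESCAPED_QUOTES = r'\"service_status\":\"on\".+\"maintenance\":\"off\"'
RECV_PLAIN = "Test string"


def needs_quotes_buggy(value: str) -> bool:
    """Writer predicate modelling the defect: only the special characters trigger quoting."""
    return any(ch in SPECIAL for ch in value)


def needs_quotes_fixed(value: str) -> bool:
    """Quote whenever the reader could not re-tokenise the bare form (quotes or backslashes)."""
    return needs_quotes_buggy(value) or '"' in value or "\\" in value


def write_value(value: str, needs_quotes: Callable[[str], bool]) -> str:
    """Serialise one scalar value as it would appear in the config file."""
    if not needs_quotes(value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def read_value(token: str) -> str:
    """Tokeniser for one value: quoted tokens are unescaped, bare tokens must be plain."""
    if token.startswith('"'):
        if len(token) < 2 or not token.endswith('"'):
            raise ValueError("unterminated quoted string")
        body, out, i = token[1:-1], [], 0
        while i < len(body):
            if body[i] == "\\" and i + 1 < len(body):
                out.append(body[i + 1])  # backslash escapes the next character
                i += 2
            else:
                out.append(body[i])
                i += 1
        return "".join(out)
    if '"' in token or any(ch in SPECIAL for ch in token):
        raise ValueError(f"cannot load bare token: {token!r}")
    return token


def round_trip(value: str, needs_quotes: Callable[[str], bool], passes: int = 2) -> str:
    """Save and reload `passes` times; a consistent writer/reader pair returns value unchanged."""
    cur = value
    for _ in range(passes):
        cur = read_value(write_value(cur, needs_quotes))
    return cur


def loads_ok(value: str, needs_quotes: Callable[[str], bool]) -> bool:
    """True when the value survives save and reload without a load error or escape drift."""
    try:
        return round_trip(value, needs_quotes) == value
    except ValueError:
        return False


if __name__ == "__main__":
    for label, pred in (("buggy", needs_quotes_buggy), ("fixed", needs_quotes_fixed)):
        print(label, write_value(RECV_WITH_ESCAPED_QUOTES, pred),
              "loads:", loads_ok(RECV_WITH_ESCAPED_QUOTES, pred))
```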


638780-1 : Handle 302 redirects for VMware Horizon View HTML5 client

Component: Access Policy Manager

Symptoms:
Starting from v4.4, the Horizon View HTML5 client uses a new URI for launching remote sessions, and supports a 302 redirect from the old URI for backward compatibility.

Conditions:
APM webtop with a VMware View resource assigned.
The HTML5 client installed on the backend is version 4.4 or later.

Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround:
For versions 11.6.x and 12.x:
===============================

priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

Fix:
302 redirects for the VMware View HTML5 client are now handled properly.


638570-2 : "ACCESS::session remove" hangs in ACCESS_POLICY_COMPLETED

Component: Access Policy Manager

Symptoms:
"ACCESS::session remove" can hang if it is used within the ACCESS_POLICY_COMPLETED event. Other commands within the event may not execute.

Conditions:
when ACCESS_POLICY_COMPLETED {
    ACCESS::session remove
}


This iRule was also observed to hang, with the client not receiving the 401 response:
when ACCESS_POLICY_COMPLETED {
    ACCESS::respond 401 content "Error denied..."
    ACCESS::session remove
}

Impact:
ACCESS::session remove cannot be used in the ACCESS_POLICY_COMPLETED event, which may break some use cases. Some Access Exchange iRules are broken from this.

Fix:
Processing of "ACCESS::session remove" was reverted to an earlier version that does not exhibit this behavior.


638556-3 : PHP Vulnerability: CVE-2016-10045

Solution Article: K73926196


638137-1 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828

Solution Article: K51201255


637666-3 : PHP Vulnerability: CVE-2016-10033

Solution Article: K74977440


637181-3 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.


636853-1 : Under some conditions, a change in the order of GTM topology records does not take effect.

Solution Article: K19401488

Component: Global Traffic Manager (DNS)

Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.

Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.

Impact:
In certain configurations, the topology load balancing decision may not be made correctly.

Workaround:
Reload the GTM configuration or add/delete a topology record.

Fix:
Changes in the order of topology records now take effect immediately.


636702-2 : BIND vulnerability CVE-2016-9444

Solution Article: K40181790


636700-3 : BIND vulnerability CVE-2016-9147

Solution Article: K02138183


636699-4 : BIND vulnerability CVE-2016-9131

Solution Article: K86272821


636669-2 : bd log are full of 'Can't run patterns' messages

Solution Article: K37300224

Component: Application Security Manager

Symptoms:
The bd log is getting filled up with 'Can't run patterns' messages. A core might occur due to the I/O outage. General traffic disturbance/slowness might occur.

Conditions:
Configuration change that relates to attack patterns happens while there is heavy traffic.

Impact:
Potential traffic outage/slowness. 'Can't run patterns' messages filling up the bd log file.

Workaround:
None.

Fix:
Fixed log throttling issue related to attack patterns configuration change.


636149 : Multiple monitor response codes to single monitor probe failure

Component: Local Traffic Manager

Symptoms:
A monitor probe failure to a monitor (such as HTTP) is logged to '/var/log/ltm' when the probed resource is unavailable. In some cases, for a probe resulting in an 'Unable to connect' error, multiple log entries are made, with the last log entry being the error that triggered the log entry. The other monitor entries made during this event are not specifically relevant, as they are 'stale' and due to previous monitor probe behavior that was logged earlier.

This is due to an error where the 'Could not connect' event appends rather than overwrites existing earlier error messages.

Conditions:
A monitor probe to a monitor is attempted (such as over HTTP), resulting in an 'Unable to connect' failure; and where that specific monitor previously reported an error (which is now appended).

Impact:
No system behavior is affected, but multiple log entries are made. The final log entry of the 'Could not connect' or 'Unable to connect' message is relevant, while the possible multiple log entries immediately preceding are 'stale' and not relevant (as they are due to an earlier issue that was previously successfully logged).

Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last line of the '/var/log/ltm' log entry, and ignore possibly-present log entries associated with that specific monitor that might appear immediately above the 'Could not connect' line.

Fix:
The system now handles previous monitor-log errors when reporting a 'Could not connect' error, rather than appending a previous error that might be present.


635933-1 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Solution Article: K23440942


635561-3 : Heavy URLs statistics are not shown after upgrade.

Component: Application Visibility and Reporting

Symptoms:
Heavy URLs statistics are not shown after upgrade.

Conditions:
Upgrading to a newer version.

Impact:
Missing statistics.

Workaround:
No workaround

Fix:
After upgrade, all heavy URLs statistics are now shown.


635412-2 : Invalid mss with fast flow forwarding and software syn cookies

Solution Article: K82851041


635314-4 : vim Vulnerability: CVE-2016-1248

Solution Article: K22183127


635274-3 : SSL::sessionid command may return invalid values

Solution Article: K21514205

Component: Local Traffic Manager

Symptoms:
The SSL::sessionid iRule command might return random, invalid values. This also causes high CPU usage on TMM. This occurs when the SSL ID retrieved from SSL is on the stack and gets overwritten prior to use, resulting in a persist lookup loop which causes the high CPU. The issue is also associated with the SSL::sessionid iRule command because SSL::sessionid and SSL persistence use the same internal mechanism to retrieve the SSL session ID.

Conditions:
This issue occurs when either of the following conditions exists:
-- An iRule exists that queries the SSL::sessionid.
-- An SSL persist profile is configured on the virtual server.

Impact:
The iRule might not work as expected.
High CPU usage.

Workaround:
Do not use the SSL::sessionid iRule command.

Fix:
The SSL::sessionid iRule command returns the session ID as expected.


634371-3 : Cisco ethernet NIC driver

Component: TMOS

Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67.

Conditions:
N/A

Impact:
Cisco recommends using the updated version 2.3.0.12.

Fix:
Cisco VIC Ethernet NIC Driver 2.3.0.12 is now used.


634259 : IP tuple nexthop object can be freed while still referenced by another structure

Solution Article: K50166002

Component: Local Traffic Manager

Symptoms:
IP tuple nexthop object can be freed while still referenced by another structure.

Conditions:
This can happen if LSN is in use and the proxy connection takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.

Workaround:
None.

Fix:
Management of IP tuple nexthop object reference counting is more consistent.


634001-1 : ASM restarts after deleting a VS that has an ASM security policy assigned to it

Component: Application Security Manager

Symptoms:
ASM restarts with the following errors:

'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

Conditions:
ASM is provisioned, and a virtual server that has an ASM security policy assigned to it is deleted.

Impact:
ASM restarts.

Workaround:
None.

Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.


633723-2 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.

Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.

Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Workaround:
None.

Fix:
The system now automatically runs nitrox_diag data collection when request queue stuck errors occur.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.


633512-2 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.

Solution Article: K20160253

Component: TMOS

Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).

Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.

Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.

Workaround:
Do not configure Auto-Failback on VIPRION.

Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.


633465 : Curl cannot be forced to use TLSv1.0 or TLSv1.1

Solution Article: K09748643

Component: TMOS

Symptoms:
Curl fails when connecting to server that does not accept TLSv1.1 or TLSv1.2 handshakes. This occurs even if the "--tlsv1.0" or "--tlsv1.1" options to the curl command are used.

Conditions:
Curl is used to attempt to connect to a server that does not understand TLSv1.1 and/or TLSv1.2 handshakes. This occurs when using software v11.5.4 HF2 through 11.5.6 or v11.6.1 HF1 through 11.6.3.

Impact:
Curl will fail.

Workaround:
Use "curl-apd" rather than "curl". curl-apd does not currently implement TLSv1.1 or TLSv1.2.

Fix:
Curl now honors the tlsv version flag, so the system correctly uses TLSv1.0, TLSv1.1, or TLSv1.2, as specified.


632798-1 : Double-free may occur if Access initialization fails

Solution Article: K30710317

Component: Access Policy Manager

Symptoms:
Double-free may occur if Access initialization fails.

Conditions:
Access initialization failure occurs, possibly due to license issues.

Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.


632658-5 : Enable SIP::persist command to operate during SIP_RESPONSE event

Component: Service Provider

Symptoms:
Without this change, it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Conditions:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Impact:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Workaround:
None.

Fix:
It is possible to change the timeout of a SIP persistence entry during SIP response message processing.


632646-2 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.

Component: Access Policy Manager

Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.

Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.

Impact:
OAM login with an invalid ObSSOCookie results in an error page. The expected behavior is that the user is redirected to the login page if login with the ObSSOCookie fails.

Workaround:
None.

Fix:
The issue is fixed: on authentication with an ObSSOCookie, the getStatus() API call is now used to check the ObSSOCookie status, and the user is redirected to the IdP if the status is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix, a user logging in with a cookie that was deleted manually from the OAM server is redirected to the IdP.


632423-2 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Solution Article: K40256229

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

if { not ([DNS::question type] ends_with "XFR") } {
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}

Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.


631722-2 : Some HTTP statistics not displayed after upgrade

Component: Application Visibility and Reporting

Symptoms:
Some statistics disappear after upgrade due to a bug in the HTTP statistics backup.

Conditions:
Upgrading to a newer version.

Impact:
Not all statistics are shown.

Workaround:
No workaround

Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.


631688-4 : Multiple NTP vulnerabilities

Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302


631627-5 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to a route domain stops VLAN traffic on a vCMP guest. You will experience connection failures when Bandwidth Controller (BWC) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not come up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.

Fix:
With BWC enabled and associated with a route domain, Web Accelerator enabled, and the system rebooted, the system and TMM now come up fully and pass traffic.


631582-4 : Administrative interface enhancement

Solution Article: K55792317


631316-4 : Unable to load config with client-SSL profile error

Solution Article: K62532020

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
 -- The system is loading config.
 -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration can not be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
   
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
 tmsh load sys conf


631204-2 : GeoIP lookups incorrectly parse IP addresses

Solution Article: K23124150


631172-3 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Solution Article: K54071336

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
A user is logged in to the GUI and idle for 20-30 minutes.

Impact:
User is logged out of the GUI.

Workaround:
None.

Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.


630475-4 : TMM Crash

Solution Article: K13421245


630446-2 : Expat vulnerability CVE-2016-0718

Solution Article: K52320548


629663-2 : CGNAT SIP ALG will drop SIP INVITE

Solution Article: K23210890

Component: Service Provider

Symptoms:
SIP INVITE message is dropped.

Conditions:
Subscriber registers and then attempts to call out.

Impact:
Subscriber not able to make calls.

Workaround:
None.

Fix:
The system now uses the expiration value from the SIP message, taken from either the expires parameter or the Expires header, to update the timeout of the registration record.


629530-3 : Under certain conditions, monitors do not time out.

Solution Article: K53675033

Component: Global Traffic Manager (DNS)

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses while either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time and the monitor timeout value is evenly divisible by the monitor's interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.

Fix:
The resource status is now correct under all monitor timeout conditions.


628869-1 : Unconditional logs seen due to the presence of a PEM iRule.

Component: Policy Enforcement Manager

Symptoms:
TMM log files will fill up.

Conditions:
Execution of an iRule with the following iRule command:

PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>.

Impact:
If the condition is encountered repeatedly, the volume of unconditional log entries makes it harder to gather and traverse relevant data in the TMM logs.

Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.

Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.


628202-2 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging

Component: TMOS

Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.

Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".

Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.

Workaround:
Setting the config.auditing value to "enable" or "disable" slows or stops the excessive memory usage.

Fix:
Prevented audit_forwarder from using more memory than it needs.


628180-2 : DNS Express may fail after upgrade

Solution Article: K68781474

Component: Global Traffic Manager (DNS)

Symptoms:
After an upgrade, TMM may not answer queries for DNS Express (DNSX) zones until TMM is restarted or the DNSX zone is refreshed.

Conditions:
Upgrading from previous version.

Impact:
DNS Express may fail to answer queries after an upgrade.

Workaround:
Restart TMM, or force TMM to reload the DNS express database by running "tmsh load ltm dns dns-express-db".

Fix:
TMM now answers DNSX zones without requiring TMM restart / DNSX zone refresh on upgrade.


628164-2 : OSPF with multiple processes may incorrectly redistribute routes

Solution Article: K20766432

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different route types, LSAs may be created in a process for a route of a type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.

OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.


627907-3 : Improve cURL usage

Solution Article: K11464209


627764-3 : Prevent sending a 2nd RST for a TCP connection

Component: Local Traffic Manager

Symptoms:
After a specific sequence of packets that results in a RST being sent, the TCP connection is kept alive and sends another RST when the connection expires.

Conditions:
A specific sequence of packets (a second SYN segment within the TCP window) is received by a TCP connection.

Impact:
Two RST segments are sent to the client instead of one. In addition, the TCP connection is kept alive until the sweeper cleans it up.

Workaround:
There is no workaround at this time.

Fix:
TCP now sends a single RST for this sequence of packets.


627747-3 : Improve cURL Usage

Solution Article: K20682450


627246-2 : TMM memory leak when ASM policy configured on virtual server

Solution Article: K09336400

Component: Local Traffic Manager

Symptoms:
TMM leaks memory in hud_oob when an ASM policy is configured on a virtual server.

Conditions:
-- An ASM policy is configured on a virtual server.
-- URLs are accessed through the virtual server.

Impact:
The system leaks 64 bytes of memory each time the condition occurs. TMM might run out of memory and eventually crash.

Workaround:
None, although removing the ASM policy from the virtual server alleviates the problem.

Fix:
A memory leak in hud_oob when an ASM policy is configured on a virtual server has been fixed.


626360-5 : TMM may crash when processing HTTP2 traffic

Solution Article: K22541983


625892-3 : Nagle Algorithm Not Fully Enforced with TSO

Component: Local Traffic Manager

Symptoms:
Sub-MSS packets are more numerous than Nagle's algorithm would imply.

Conditions:
TCP Segmentation Offload is enabled.

Impact:
Sub-MSS packets increase overhead and client power consumption.

Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable

Fix:
Integer multiples of the MSS are now delivered to the TSO hardware when Nagle's algorithm applies.


625832-2 : A false positive modified domain cookie violation

Component: Application Security Manager

Symptoms:
An unexpected Modified Domain Cookie violation occurs on a system with more than 127 policies configured.

Conditions:
This occurs when more than 127 policies are configured, the Modified Domain Cookie violation is enabled, and there are enforced cookies.

Impact:
A false positive violation.

Workaround:
Remove the modified domain cookie violation from blocking.

Fix:
Fixed a false positive modified domain cookie violation.


625824-3 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap space usage to increase continuously and might lead to exhaustion of swap space.

Conditions:
This occurs with the iControl method bigip.Management.KeyCertificate.certificate_export_to_pem.

Impact:
iControlPortal.cgi memory increases.

Workaround:
Restart httpd to reload the iControl daemon.

Fix:
Fixed a memory leak associated with iControl.


625671-2 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provides incomplete diagnostic output, stopping at the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver allows dnsxdump to work again after the next zone transfer.

Fix:
dnsxdump handles non-standard resource record types.


625542-4 : SIP ALG with Translation fails for REGISTER refresh.

Component: Service Provider

Symptoms:
SIP-MBLB-ALG-Translation mode does not translate a SIP REGISTER refresh message when it arrives on the original flow.

Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.

Impact:
The egressing SIP REGISTER message has no translation applied, that is, the Contact and Via headers are not translated.

Workaround:
None

Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.


625376-1 : In some cases, download of PAC file by edge client may fail

Component: Access Policy Manager

Symptoms:
Edge client may fail to download PAC file and incorrectly apply proxy configuration after VPN connection.

Conditions:
- User machine proxy configuration points to a proxy auto configuration file.
- Network access proxy configuration points to a proxy auto configuration file.
- PAC file URI in either case has uppercase characters.
- PAC file is hosted on a server where resource names are case sensitive.

Impact:
PAC file download will fail and client will use incorrect proxy settings due to unavailability of PAC file.

Workaround:
Use only lowercase characters in PAC file URI.

Fix:
The Edge client can now download PAC files from URIs that contain uppercase as well as lowercase characters.


625372-2 : OpenSSL vulnerability CVE-2016-2179

Solution Article: K23512141


625198-3 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the following are required to see this behavior:
-- DSACK is enabled.
-- MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.
-- cmetrics-cache-timeout is set to zero, congestion control is high-speed, new-reno, reno, or scalable, and Nagle is not set to 'auto'.
-- An iRule exists that changes any of the conditions above other than DSACK.
-- Various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.

Fix:
TCP maintains state appropriately to avoid crash.


625098-1 : SCTP::local_port iRule not supported in MRF events

Component: Service Provider

Symptoms:
SCTP::local_port iRule not supported in MRF events

Conditions:
MRF events, such as MR_INGRESS, MR_EGRESS, and MR_FAILED, are used.

Impact:
SCTP::local_port does not work in MRF events.

Fix:
The SCTP::local_port iRule command is now supported in MRF events.


624903-3 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.

Solution Article: K55102452


624876-3 : Response Policy Zones can trigger even after entry removed from zone

Component: Global Traffic Manager (DNS)

Symptoms:
If an entry (resource record) is removed from a response policy zone it is possible that it may still trigger as a match for RPZ.

Conditions:
-- An RPZ zone contains an entry, for example badzone.example.com.
-- That entry is subsequently removed.

Impact:
The badzone.example.com entries will continue to be blocked by RPZ, even though the item has been removed.

Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin, and then restart the zxfrd daemon using the following command: bigstart restart zxfrd.

This recreates the databases without the remnants of the deleted entries.

Fix:
The deleted entries are now properly handled and no longer trigger incorrect matches.


624826-3 : mgmt bridge takes HWADDR of guest vm's tap interface

Solution Article: K36404710

Component: TMOS