BIG-IP 12.1.3.1 Fixes and Known Issues

Supplemental Document : BIG-IP 12.1.3.1 Fixes and Known Issues

Applies To:

Show Versions

BIG-IP AAM

12.1.3

BIG-IP APM

12.1.3

BIG-IP Analytics

12.1.3

BIG-IP Link Controller

12.1.3

BIG-IP LTM

12.1.3

BIG-IP PEM

12.1.3

BIG-IP AFM

12.1.3

BIG-IP DNS

12.1.3

BIG-IP ASM

12.1.3

Original Publication Date: 03/18/2018 Updated Date: 06/22/2020

ID Number	CVE	Solution Article(s)	Description
673595-2	CVE-2017-3167 CVE-2017-3169	K34125394	Apache CVE-2017-3167

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
673129	3-Major		New feature: revoke license

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
682837	1-Blocking		Compression watchdog period too brief.
675921	1-Blocking		Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
696468	2-Critical		Active compression requests can become starved from too many queued requests.
665656-1	2-Critical		BWC with iSession may memory leak
663366-3	2-Critical		SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
621386-1	2-Critical	K91988084	restjavad spawns too many icrd_child instances
679959-1	3-Major		Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
672988-2	3-Major	K03433341	MCP memory leak when performing incremental ConfigSync
669288-3	3-Major	K76152943	Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
668352-2	3-Major		High Speed Logging unbalance in log distribution for multiple pool destination.
668048-1	3-Major	K02551403	TMM memory leak when manually enabling/disabling pool member used as HSL destination
663063-2	3-Major		Disabling pool member used in busy HSL TCP destination can result service disruption.
659057-1	3-Major		BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
658636-2	3-Major	K51355172	When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
652691-1	3-Major		Installation fails if only .iso.384.sig (new format signature file) is present★
652689-2	3-Major	K14243280	Displaying 100G interfaces
642952	3-Major		platform_check doesn't run PCI check on i11800
640636-3	3-Major		F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
638881-1	3-Major		Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
628739-1	3-Major		BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
628735-1	3-Major		Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
604547-1	3-Major		Unix daemon configuration may lost or not be updated upon reboot
674515	4-Minor		New revoke license feature for VE only implemented
663580-1	4-Minor		logrotate does not automatically run when /var/log reaches 90% usage
644723-1	4-Minor		cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
507206-1	4-Minor		Multicast Out stats always zero for management interface.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
681710-4	3-Major		Malformed HTTP/2 requests may cause TMM to crash
463097-3	3-Major		Clock advanced messages with large amount of data maintained in DNS Express zones

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
652796-1	1-Blocking		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
652792-1	2-Critical		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
678976-2	3-Major	K24756214	Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
677058-3	3-Major		Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
679440-2	2-Critical	K14120433	MCPD Cores with SIGABRT
591828-4	3-Major	K52750813	For unmatched connection TCP RST may not be sent for data packet

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
668252-2	2-Critical	K22784428	TMM crash in PEM_DIAMETER component
628311-3	2-Critical	K87863112	Potential TMM crash due to duplicate installed PEM policies by the PCRF
675928-2	3-Major		Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
674686-2	3-Major		Periodic content insertion of new flows fails, if an outstanding flow is a long flow
673683-2	3-Major		Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
673678-2	3-Major		Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
673472-2	3-Major		After classification rule is updated, first periodic Insert content action fails for existing subscriber
639486-4	3-Major		TMM crash due to PEM usage reporting after a CMP state change.
634015-3	3-Major		Potential TMM crash due to a PEM policy content triggered buffer overflow
572568-2	3-Major		Gy CCR-i requests are not being re-sent after initial configured re-transmits

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
672504-1	2-Critical	K52325625	Deleting zones from large databases can take excessive amounts of time.
614788-1	2-Critical		zxfrd crash due to lack of disk space
655233-1	3-Major	K93338593	DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-1	3-Major	K57853542	DNS Express responses missing SOA record in NoData responses if CNAMEs present
645615-2	3-Major	K70543226	zxfrd may fail and restart after multiple failovers between blades in a chassis.
433678-2	3-Major		A monitor removed from GTM link cannot be deleted: 'monitor is in use'
646615-1	4-Minor		Improved default storage size for DNS Express database

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
648786-5	2-Critical		TMM crashes when categorizing long URLs

Cumulative fixes from BIG-IP v12.1.3 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
684879-2	CVE-2017-6164	K02714910	Malformed TLS1.2 records may result in TMM segmentation fault.
662022-5	CVE-2017-6138	K34514540	The URI normalization functionality within the TMM may mishandle some malformed URIs.
653993-3	CVE-2017-6132	K12044607	A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880	CVE-2017-6214	K81211720	Kernel Vulnerability: CVE-2017-6214
652539	CVE-2016-0634 CVE-2016-7543 CVE-2016-9401	K73705133	Multiple Bash Vulnerabilities
652516	CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576	K31603170	Multiple Linux Kernel Vulnerabilities
651221-2	CVE-2017-6133	K25033460	Parsing certain URIs may cause the TMM to produce a core file.
650286-2	CVE-2017-6167	K24465120	REST asynchronous tasks permissions issues
650059-1	CVE-2017-6129	K20087443	TMM may crash when processing VPN traffic
649907-2	CVE-2017-3137	K30164784	BIND vulnerability CVE-2017-3137
649904-2	CVE-2017-3136	K23598445	BIND vulnerability CVE-2017-3136
644904-5	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985 CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486	K55129614	tcpdump 4.9
644693-3	CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241	K15518610	Fix for multiple CVE for openjdk-1.7.0
638556-2	CVE-2016-10045	K73926196	PHP Vulnerability: CVE-2016-10045
634779-1	CVE-2017-6147	K43945001	In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file
625860-2	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on B4450 platform.
624903-6	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
600069-6	CVE-2017-0301	K54358225	Portal Access: Requests handled incorrectly
659791-2	CVE-2017-6136	K81137982	TFO and TLP could produce a core file under specific circumstances
655059-3	CVE-2017-6134	K37404773	TMM Crash
653224-1	CVE-2016-8610 CVE-2017-5335 CVE-2017-5336 CVE-2017-5337	K59836191	Multiple GnuTLS Vulnerabilities
653217-2	CVE-2016-2125 CVE-2016-2126	K03644631	Multiple Samba Vulnerabilities
645480-3	CVE-2017-6139	K45432295	Unexpected APM response
645101-2	CVE-2017-3731, CVE-2017-3732	K44512851	OpenSSL vulnerability CVE-2017-3732
642659-2	CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540	K34527393	Multiple LibTIFF Vulnerabilities
640768	CVE-2016-10088	K05513373	Kernel vulnerability: CVE-2016-10088
639729-2	CVE-2017-0304	K39428424	Request validation failure in AFM UI Policy Editor
637666-2	CVE-2016-10033	K74977440	PHP Vulnerability: CVE-2016-10033
635314-5	CVE-2016-1248	K22183127	vim Vulnerability: CVE-2016-1248
597176-1	CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE	K01837042	Multiple Wireshark (tshark) vulnerabilities
583678-1	CVE-2016-3115	K93532943	SSHD session.c vulnerability CVE-2016-3115
567233-1	CVE-2015-5252, CVE-2015-5296, CVE-2015-5299	K92616530	Multiple samba vulnerabilities
656912-4	CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458	K32262483	Various NTP vulnerabilities
615226-5	CVE-2016-4809, CVE-2016-7166, CVE-2015-8916, CVE-2015-8917, CVE-2015-8919, CVE-2015-8920, CVE-2015-8922, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2016-4300, CVE-2016-4302, CVE-2015-8921, CVE-2015-8923	K13074505	Libarchive vulnerabilities: CVE-2016-8687 and others
590840-2	CVE-2015-8325	K20911042	OpenSSH vulnerability CVE-2015-8325
655021-2	CVE-2017-3138	K23598445	BIND vulnerability CVE-2017-3138
627203-1	CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597	K63427774	Multiple Oracle Java SE vulnerabilities

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
654549-1	2-Critical		PVA support for uncommon protocols DoS vector
653729-2	2-Critical		Support IP Uncommon Protocol
653234	2-Critical		Many objects must be reconfigured before use when loading a UCS from another device.★
652094-2	2-Critical	K49190243	Improve traffic disaggregation for uncommon IP protocols
643210-2	2-Critical	K45444280	Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
643054-2	2-Critical		ARP and NDP packets should be CoS marked by the swtich on ingress
663521-2	3-Major		Intermittent dropping of multicast packets on certain BIG-IP platforms
651772-3	3-Major		IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
643143-2	3-Major		ARP and NDP packets should be QoS/DSCP marked on egress
632875-3	3-Major		Non-Administrator TMSH users no longer allowed to run dig
610710-2	3-Major		Pass IP TOS bits from incoming connection to outgoing connection
584545-2	3-Major		Failure to stabilize internal HiGig link will not trigger failover event
567177-1	4-Minor		Log all attempts of key export in ltm log
650074-1	5-Cosmetic		Changed Format of RAM Cache REST Status output.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
642703-2	1-Blocking		Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★
619097	1-Blocking		iControl REST slow performace on GET request for virtual servers
539093-1	1-Blocking	K26104530	VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
697878	2-Critical		High crypto request completion time under some workload patterns
666790-2	2-Critical		Use HSB HiGig MAC reset to recover both FCS errors and link instability
665354-2	2-Critical		Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
658574-2	2-Critical	K61847644	An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
655357-2	2-Critical	K06245820	Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653376-5	2-Critical		bgpd may crash on receiving a BGP update with >= 32 extended communities
649866-1	2-Critical		fsck should not run during first boot on public clouds
638997-2	2-Critical		Reboot required after disk size modification in a running BIG-IP VE instance.
625456-5	2-Critical		Pending sector utility may write repaired sector incorrectly
624826-2	2-Critical		mgmt bridge takes HWADDR of guest vm's tap interface
613415-2	2-Critical		Memory leak in ospfd when distribute-list is used
609335-1	2-Critical		IPsec tmm devbuf memory leak.
604011-1	2-Critical		Sync fails when iRule or policy is in use★
595783	2-Critical		Changing console baud rate for B2100, B2150 and B2250 blades does not work
593137-1	2-Critical		userDefined property for bot signatures is not shown in REST
579210-3	2-Critical	K11418051	VIPRION B4400N blades might fail to go Active under rare conditions.
471860-10	2-Critical	K16209	Disabling interface keeps DISABLED state even after enabling
412817-3	2-Critical		BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
671920-1	3-Major		Accessing SNMP over IPv6 on non-default route domains
669818-2	3-Major	K64537114	Higher CPU usage for syslog-ng when a syslog server is down
667278-3	3-Major		DSC connections between BIG-IP units may fail to establish
667138-1	3-Major		LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★
664829-1	3-Major		BIG-IP sometimes performs unnecessary reboot on first boot
662331-1	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
661764-2	3-Major	K53762147	It is possible to configure a number of CPUs that exceeds the licensed throughput
660532-2	3-Major	K21050223	Cannot specify the event parameter for redirects on the policy rule screen.
655671-1	3-Major		Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
655649-2	3-Major		BGP last update timer incorrectly resets to 0
654011-2	3-Major	K33210520	Pool member's health monitors set to Member Specific does not display the active monitors
652638-2	3-Major		php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
651155-1	3-Major		HSB continually logs 'loopback ring 0 tx not active'
650349	3-Major	K50168519	Creation or reconfiguration of iApps will fail if logging is configured
650002-1	3-Major		tzdata bug fix and enhancement update
649949-1	3-Major		Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★
647988-3	3-Major	K15331432	HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944-2	3-Major		MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
645179-6	3-Major		Traffic group becomes active on more than one BIG-IP after a long uptime
644404-1	3-Major		Extracting SSD from system leads to Emergency LCD alert★
644184-4	3-Major	K36427438	ZebOS daemons hang while AgentX SNMP daemon is waiting.
643294	3-Major		IGMP and PIM not in self-allow default list when upgrading from 10.2.x★
643121-1	3-Major		Failed installation volumes cannot be deleted in the GUI.
643013	3-Major		DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
642982-3	3-Major	K23241518	tmrouted may continually restart after upgrade, adding or renaming an interface★
642314-2	3-Major	K24276198	CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
638825-2	3-Major		SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
637561-1	3-Major		Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
636744-1	3-Major	K16918340	IKEv1 phase 2 SAs not deleted
631866-2	3-Major		Cannot access LTM policy rules in the web UI when the name contains certain characters
631172-4	3-Major		GUI user logged off when idle for 30 minutes, even when longer timeout is set
624692-3	3-Major		Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
623391-5	3-Major		cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
622619-5	3-Major		BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622133-1	3-Major		VCMP guests may incorrectly obtain incorrect MAC addresses
621259-3	3-Major		Config save takes long time if there is a large number of data groups
619060	3-Major		Reduction in boot time in BIG-IP Virtual Edition platforms
617875-1	3-Major		vCMP guest may fail to start due to not enough hugepages
612752-1	3-Major		UCS load or upgrade may fail under certain conditions.★
610442-2	3-Major	K75051412	vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★
607961-1	3-Major		Secondary blades restart when modifying a virtual server's route domain in a different partition.
605792-1	3-Major		Installing a new version changes the ownership of administrative users' files★
601709-2	3-Major	K02314881	I2C error recovery for BIG-IP 4340N/4300 blades
590938-3	3-Major		The CMI rsync daemon may fail to start
583475-1	3-Major		The BIG-IP may core while recompiling LTM policies
577474-3	3-Major		Users with auditor role are unable to use tmsh list sys crypto cert
569100-1	3-Major		Virtual server using NTLM profile results in benign Tcl error
544906-2	3-Major	K07388310	Issues when using remote authentication when users have different partition access on different devices
507240-4	3-Major	K13811263	ICMP traffic cannot be disaggregated based on IP addresses
480983-4	3-Major		tmrouted daemon may core due to daemon_heartbeat
471029-2	3-Major		If the configuration contains a filename with the $ character, then saving the UCS fails.
656900-1	4-Minor		Blade family migration may fail
655314	4-Minor		When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★
653225-1	4-Minor		coreutils security and bug fix update
645717	4-Minor		UCS load does not set directory owner
644975-4	4-Minor		/var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644799-1	4-Minor	K42882011	TMM may crash when the BIG-IP system processes CGNAT traffic.
642723-3	4-Minor		Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
634371-2	4-Minor		Cisco ethernet NIC driver
530927-8	4-Minor		Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-6	4-Minor		tmsh sys log filter is displays in UTC time
527720-1	4-Minor		Rare 'No LopCmd reply match found' error in getLopReg
448409-1	4-Minor	K15491	'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
626596	5-Cosmetic		Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670011-2	1-Blocking		SSL forward proxy does not create the server certchain when ignoring server certificates
621452-1	1-Blocking	K58146172	Connections can stall with TCP::collect iRule
659899-1	2-Critical	K10589537	Rare, intermittent system instability observed in dynamic load-balancing modes
657713-5	2-Critical	K05052273	Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
655628-1	2-Critical		TCP analytics does not release resources under specific sequence of packets
655211-1	2-Critical	K25384206	bigd crash (SIGSEGV) when running FQDN node monitors
650317-3	2-Critical		The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171-4	2-Critical		tmm core in iRule with unreachable remote address
648037-2	2-Critical		LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-2	2-Critical	K43005132	HA standby virtual server with non-default lasthop settings may crash.
646604-5	2-Critical	K21005334	Client connection may hang when NTLM and OneConnect profiles used together
645663	2-Critical		Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
644112-2	2-Critical	K56150996	Permanent connections may be expired when endpoint becomes unreachable
643631	2-Critical		Serverside connections on virtual servers using VDI may become zombies.
635274-1	2-Critical	K21514205	SSL::sessionid command may return invalid values
634265-2	2-Critical	K34688632	Using route pools whose members aren't directly connected may crash the TMM.
632552-2	2-Critical	K08634156	tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
629178-1	2-Critical	K42206046	Incorrect initial size of connection flow-control window
611704-5	2-Critical		tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605983-1	2-Critical		tmrouted may crash when being restarted in debug mode
604926-3	2-Critical		The TMM may become unresponsive when using SessionDB data larger than ~400K
604223-2	2-Critical		pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
583700-3	2-Critical		tmm core on out of memory
583355-1	2-Critical		The TMM may crash when changing profiles associated with plugins
566071-5	2-Critical		network-HSM may not be operational on secondary slots of a standby chassis.
559030-1	2-Critical	K65244513	TMM may core during ILX RPC activity if a connflow closes before the RPC returns
677119	3-Major		HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
672008-1	3-Major	K22122208	NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
671935-2	3-Major	K64461712	Possible ephemeral port reuse.
669025-1	3-Major	K11425420	Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
668521-2	3-Major		Bigd might stall while waiting for an external monitor process to exit
666032-3	3-Major		Secure renegotiation is set while data is not available.
663326-2	3-Major		Thales HSM: "fipskey.nethsm --export" fails to make stub keys
662881-2	3-Major	K10443875	L7 mirrored packets from standby to active might cause tmm core when it goes active.
662085-1	3-Major		iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
658214-2	3-Major	K20228504	TCP connection fail intermittently for mirrored fastl4 virtual server
655793-1	3-Major	K04178391	SSL persistence parsing issues due to SSL / TCP boundary mismatch
654109-2	3-Major	K01102467	Configuration loading may fail when iRules calling procs in other iRules are deleted
653511-2	3-Major	K45770397	Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
652535-1	3-Major	K54443700	HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652445-2	3-Major	K87541959	SAN with uppercase names result in case-sensitive match or will not match
651651-3	3-Major	K54604320	bigd can crash when a DNS response does not match the expected value
650292-2	3-Major		DNS transparent cache can return non-recursive results for recursive queries
650152-1	3-Major		Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
648954-5	3-Major	K01102467	Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647137	3-Major		bigd/tmm con vCMP guests
646443-1	3-Major		Ephemeral Node may be errantly created in bigd, causing crash
645058-3	3-Major		Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-3	3-Major	K85772089	Removing pool from virtual server does not update its status
644873-2	3-Major	K97237310	ssldump can fail to decrypt captures with certain TCP segmenting
644851-2	3-Major		Websockets closes connection on receiving a close frame from one of the peers
644418-2	3-Major		Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
643777-2	3-Major		LTM policies with more than one IP address in TCP address match may fail
643582-2	3-Major		Config load with large ssl profile configuration may cause tmm restart
641491-2	3-Major	K37551222	TMM core while running iRule LB::status pool poolname member ip port
640376-3	3-Major		STPD leaks memory on 2000/4000/i2000/i4000 series
638715-3	3-Major	K77010072	Multiple Diameter monitors to same server ip/port may race on PID file
632001-1	3-Major		For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
627574-1	3-Major		After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
626434-6	3-Major		tmm may be killed by sod when a hardware accelerator does not work
624805-1	3-Major		ILX node.js process may be restarted if a single operation takes more than 15 seconds
623940-3	3-Major		SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
622178-1	3-Major		Improve flow handling when Autolasthop is disabled
622017-8	3-Major	K54106058	Performance graph data may become permanently lost after corruption.
621736-6	3-Major		statsd does not handle SIGCHLD properly in all cases
620788-1	3-Major	K05232247	FQDN pool created with existing FQDN node has RED status
618161-1	3-Major		SSL handshake fails when clientssl uses softcard-protected key-certs.
618121	3-Major		"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★
607246-10	3-Major		Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
603609-2	3-Major		Policy unable to match initial path segment when request-URI starts with "//"
602040-3	3-Major		Truncated support ID for HTTP protocol security logging profile
600614-5	3-Major		External crypto offload fails when SSL connection is renegotiated
596433-3	3-Major		Virtual with lasthop configured rejects request with no route to client.
596242-1	3-Major		[zxfrd] Improperly configured master name server for one zone makes dns express responds with previoius record
595275-5	3-Major		Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
593390-4	3-Major		Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
589006-5	3-Major	K52594899	SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-5	3-Major		Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
578573-1	3-Major		SSL Forward Proxy Forged Certificate Signature Algorithm
563933-4	3-Major		[DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
536563-7	3-Major		Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
484542-1	3-Major		QinQ tag-mode can be set on unsupported platforms
668802-3	4-Minor	K83392557	GTM link graphs fail to display in the GUI
667318-3	4-Minor		BIG-IP DNS/GTM link graphs fail to display in the GUI.
584210-1	4-Minor		TMM may core when running two simultaneous WebSocket collect commands
578415-2	4-Minor		Support for hardware accelerated bulk crypto SHA256 missing
513288-7	4-Minor		Management traffic from nodes being health monitored might cause health monitors to fail.
462043-2	4-Minor		DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
620903-1	2-Critical		Decreased performance of ICMP attack mitigation.

Global Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
626141-3	3-Major		DNSX Performance Graphs are not displaying Requests/sec"

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
653014-1	2-Critical		Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name
652200-1	2-Critical	K81349220	Failure to update ASM enforcer about account change.
638629-2	2-Critical		Bot can be classified as human
619110-1	2-Critical		Slow to delete URLs, CPU spikes with Automatic Policy Builder
672695-1	3-Major		Internal perl process listening on all interfaces when ASM enabled
665905	3-Major	K83305000	Signature System corruption from specific ASU prevents ASU load after upgrade
664930-2	3-Major		Policy automatic learning mode changes to manual after failover
655617-1	3-Major	K36442669	Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
631444-2	3-Major		Bot Name for ASM Search Engines is case sensitive
606521-1	3-Major		Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade
605616-1	3-Major		Creating 256 Fundamental Security policies will result in an out of memory error
602975-1	3-Major		Unable to update the HTTP URL's "Header-Based Content Profiles" values
596685-1	3-Major	K76841626	Request Log failure on request with XML format violation
595900-4	3-Major	K11833633	Cookie Signature overrides may be ignored after Signature Update
563727-1	3-Major		Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'
534247-1	3-Major		Issue a Body in Get sub violation for GET request with content type header

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
604191-1	2-Critical		AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★
629573-1	3-Major		No drill-down filter for virtual-servers is mentioned on exported reports when using partition
603875-2	3-Major		The statistic ASM memory Utilization - bd swap size: stats are wrong
601536-1	3-Major		Analytics load error stops load of configuration★
639395-2	4-Minor	K91614278	AVR does not display 'Max read latency' units.

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
647108-1	1-Blocking		Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
679235-5	2-Critical		Inspection Host NPAPI Plugin for Safari can not be installed
669341	2-Critical		Category Lookup by Subject.CN will result in a reset
666454-2	2-Critical	K05520115	Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
663506-7	2-Critical	K30533350	apmd crash during ldap cache initialization
652004-2	2-Critical	K45320415	Show /apm access-info all-properties causes memory leaks in tmm
662639-2	3-Major		Policy Sync fails when policy object include FIPS key
659371-2	3-Major		apmd crashes executing iRule policy evaluate
658852-5	3-Major		Empty User-Agent in iSessions requests from APM client on Windows
654513-6	3-Major	K11003951	APM daemon crashes when the LDAP query agent returns empty in its search results.
649929-1	3-Major		saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
648053-1	3-Major		Rewrite plugin may crash on some JavaScript files
646928-1	3-Major		Landing URI incorrect when changing URI
645684-2	3-Major		Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
618957-1	3-Major		Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
601919-2	3-Major		Custom categories and custom url filter assignment must be specific to partition instead of global lookup
583272-2	3-Major		"Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
580567-1	3-Major		LDAP Query agent failed to resolve nested group membership
551795-1	3-Major		Portal Access: corrections to CORS support for XMLHttpRequest
550547-2	3-Major		URL including a "token" query fails results in a connection reset

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
664535-1	2-Critical		Diameter failure: load balancing fails when all pool members use same IP Address
640407-1	2-Critical	K41344483	Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
568545-2	2-Critical	K17124802	iRules commands that refer to a transport-config will fail validation
559953-1	2-Critical		tmm core on long DIAMETER::host value
662364-2	3-Major		MRF DIAMETER: IP ToS not passing through with DIAMETER
644946-2	3-Major	K05053251	Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation
644565-1	3-Major		MRF Message metadata lost when routing message to a connection on a different TMM
634078-2	3-Major		MRF: Routing using a virtual with SNAT set to none may select a source port of zero
624155-2	3-Major		MRF Per-Client mode connections unable to return responses if used by another client connection
620929-4	3-Major		New iRule command, MR::ignore_peer_port
353229-2	3-Major	K54130510	Buffer overflows in DIAMETER
651640-3	4-Minor		queue full dropped messages incorrectly counted as responses

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670400-3	2-Critical		SSH Proxy public key authentication can be circumvented in some cases
655470	2-Critical	K79924625	IP Intelligence logging publisher removal can cause tmm crash
651001-1	2-Critical		massive prints in tmm log: "could not find conf for profile crc"
650081-1	3-Major		FP feature causes the blank page/delay on IE11
648617	3-Major		JavaScript challenge repeating in loop when URL has path parameters
644855-2	3-Major		irules with commands which may suspend processing cannot be used with proactive bot defense
630356-1	3-Major		JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
628351-1	3-Major		Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled
618902-4	3-Major		PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation
618656-2	3-Major		JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters
519612-1	3-Major		JavaScript challenge fails when coming within iframe with different domain than main page

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
658261-2	2-Critical		TMM core after HA during GY reporting
658148-2	2-Critical	K23150504	TMM core after intra-chassis failover for some instances of subscriber creation
657632-4	2-Critical		Rarely if a subscriber delete is performed following HA switchover, tmm may crash
653285-1	2-Critical		PEM rule deletion with HSL reporting may cause tmm coredump
652973-2	2-Critical		Coredump observed at system bootup time when many DHCP packets arrived at BigIP
650422-2	2-Critical		TMM core after a switchover involving GY quota reporting
659567-1	3-Major		iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
652052-3	3-Major		PEM:sessions iRule made the order of parameters strict
635257-2	3-Major	K41151808	Inconsistencies in Gx usage record creation.
623037-2	3-Major		delete of pem session attribute does not work after a update

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
676808-2	2-Critical		FPS: tmm may crash on response with large payload from server
669364-1	2-Critical		TMM core when server responds fast with server responses such as 404.
669359	2-Critical		WebSafe might cause connections to hang
674931	3-Major		FPS modified responses/injections might result in a corrupted response
674909-3	3-Major		Application CSS injection might break when connection is congested
667872-1	3-Major		Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports
658321-2	3-Major		Websafe features might break in IE8
657502-2	3-Major		JS error when leaving page opened for several minutes
644694	3-Major		FPS security update check ends up with an empty page when error occurs.
618185-1	3-Major		Mismatch in URL CRC32 calculation
643602-2	4-Minor		'Select All' checkbox selects items on hidden pages

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
636541-3	1-Blocking		DNS Rapid Response filters large datagrams
667028-1	2-Critical		DNS Express does not run on i11000 platforms with htsplit disabled.
649564-2	2-Critical		Crash related to GTM monitors with long RECV strings
663073-1	3-Major		GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
659912-1	3-Major		GSLB Pool Member Manage page display issues and error message
655807-5	3-Major	K40341291	With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
655445-2	3-Major		Provide the ability to globally specifiy a DSCP value.
654599-1	3-Major	K74132601	The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
648286-2	3-Major		GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
644447-2	3-Major		sync_zones script increasingly consumes memory when there is network connectivity failure
615222-1	3-Major		GTM configuration fails to load when it has gslb pool with members containing more than one ":"★
605260-1	3-Major		[GUI] Changes can not be made to GTM listener in partition with default route domain <> 0
659969-1	4-Minor		tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
644220-3	4-Minor	K37049259	Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
604371-1	4-Minor		Pagination controls missing for GSLB pool members
582773-5	4-Minor		DNS server for child zone can continue to resolve domain names after revoked from parent

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
605123-1	2-Critical		IAppLX objects fail to sync after establishing HA in auto-sync mode★

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
606316-4	1-Blocking		HTTPS request to F5 licensing server fails
665778-1	2-Critical	K34503519	Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
599424-2	2-Critical		iApps LX fails to sync★
632060-1	4-Minor		restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
693211-3	CVE-2017-6168	K21905460	CVE-2017-6168

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
664063-1	2-Critical		Azure displays failure for deployment of BIG-IP from a Resource Manager template

Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
652151-1	CVE-2017-6131	K61757346	Azure VE: Initialization improvement
641256-1	CVE-2016-9257	K43523962	APM access reports display error
623885-4	CVE-2016-9251	K41107914	Internal authentication improvements
621371-2	CVE-2016-9257	K43523962	Output Errors in APM Event Log
648865-2	CVE-2017-6074	K82508682	Linux kernel vulnerability: CVE-2017-6074
643187-2	CVE-2017-3135	K80533167	BIND vulnerability CVE-2017-3135
641445-1	CVE-2017-6145	K22317030	iControl improvements
641360-2	CVE-2017-0303	K30201296	SOCKS proxy protocol error
636702-3	CVE-2016-9444	K40181790	BIND vulnerability CVE-2016-9444
636699-5	CVE-2016-9131	K86272821	BIND vulnerability CVE-2016-9131
631582	CVE-2016-9250	K55792317	Administrative interface enhancement
630475-5	CVE-2017-6162	K13421245	TMM Crash
628836-4	CVE-2016-9245	K22216037	TMM crash during request normalization
626360	CVE-2017-6163	K22541983	TMM may crash when processing HTTP2 traffic
624570-1	CVE-2016-8864	K35322517	BIND vulnerability CVE-2016-8864
624526-3	CVE-2017-6159	K10002335	TMM core in mptcp
624457-5	CVE-2016-5195	K10558632	Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
623093-1	CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320	K38871451	TIFF vulnerability CVE-2015-7554
620400-1	CVE-2017-6141	K21154730	TMM crash during TLS processing
610255-1	CVE-2017-6161	K62279530	CMI improvement
596340-8	CVE-2016-9244	K05121675	F5 TLS vulnerability CVE-2016-9244
580026-5	CVE-2017-6165	K74759095	HSM logging error
648879-2	CVE-2016-6136 CVE-2016-9555	K90803619	Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
641612-2	CVE-2017-0302	K87141725	APM crash
638137	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828	K51201255	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
635412	CVE-2017-6137	K82851041	Invalid mss with fast flow forwarding and software syn cookies
635252-1	CVE-2016-9256	K47284724	CVE-2016-9256
631841-7	CVE-2016-9311	K55405388	NTP vulnerability CVE-2016-9311
631688-7	CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433	K55405388 K87922456 K63326092 K51444934 K80996302	Multiple NTP vulnerabilities
630150-1	CVE-2016-9253	K51351360	Websockets processing error
627916-1	CVE-2017-6144	K81601350	Improve cURL Usage
627747-1	CVE-2017-6142	K20682450	Improve cURL Usage
625372-5	CVE-2016-2179	K23512141	OpenSSL vulnerability CVE-2016-2179
623119	CVE-2016-4470	K55672042	Linux kernel vulnerability CVE-2016-4470
622496	CVE-2016-5829	K28056114	Linux kernel vulnerability CVE-2016-5829
622126-1	CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127	K54308010	PHP vulnerability CVE-2016-7124
621337-6	CVE-2016-7469	K97285349	XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
618261-6	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
615267-2	CVE-2016-2183	K13167034	OpenSSL vulnerability CVE-2016-2183
613225-7	CVE-2016-2180, CVE-2016-6306, CVE-2016-6302	K90492697	OpenSSL vulnerability CVE-2016-6306
606710-10	CVE-2016-2834, CVE-2016-5285, CVE-2016-8635	K15479471	Mozilla NSS vulnerability CVE-2016-2834
600232-9	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
600223-2	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
599858-7	CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240	K68785753	ImageMagick vulnerability CVE-2015-8898
635933-3	CVE-2004-0790	K23440942 K13361021	The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
628832-4	CVE-2016-6161	K71581599	libgd vulnerability CVE-2016-6161
622662-7	CVE-2016-6306	K90492697	OpenSSL vulnerability CVE-2016-6306
609691-1	CVE-2014-4617	K21284031	GnuPG vulnerability CVE-2014-4617
600205-9	CVE-2016-2178	K53084033	OpenSSL Vulnerability: CVE-2016-2178
600198-2	CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216	K53084033	OpenSSL vulnerability CVE-2016-2178
599285-2	CVE-2016-5094 CVE-2016-5095 CVE-2016-5096	K51390683	PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
598002-10	CVE-2016-2178	K53084033	OpenSSL vulnerability CVE-2016-2178
621937-1	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
621935-6	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
606771-2	CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297	K35799130	Multiple PHP vulnerabilities

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
653453	2-Critical		ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
628972-2	2-Critical		BMC version 2.51.7 for iSeries appliances
624831-2	2-Critical		BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
616918-1	2-Critical		BMC version 2.50.3 for iSeries appliances
633723-3	3-Major		New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391-1	3-Major		GUI Error trying to modify IP Data-Group
609614-3	3-Major		Yafuflash 4.25 for iSeries appliances
597797-4	3-Major	K78449695	Allow users to disable enforcement of RFC 7057
581840-5	3-Major	K46576869	Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
564876-2	3-Major		New DB variable log.lsn.comma changes CGNAT logs to CSV format
609084-2	4-Minor	K03808942	Max number of chunks not configurable above 1000 chunks
597270-2	4-Minor		tcpdump support missing for VXLAN-GPE NSH

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
655500	1-Blocking		Rekey SSH sessions after one hour
642058-1	1-Blocking		CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
641390-5	1-Blocking		Backslash removal in LTM monitors after upgrade★
627433-1	1-Blocking		HSB transmitter failure on i2x00 and i4x00 platforms
602830-1	1-Blocking		BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
648056-2	2-Critical	K16503454	bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805	2-Critical		LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address
641248	2-Critical		IPsec-related tmm segfault
641013-5	2-Critical		GRE tunnel traffic pinned to one TMM
638935-3	2-Critical		Monitor with send/receive string containing double-quote may cause upgrade to fail.★
636918-2	2-Critical		Fix for crash when multiple tunnels use the same traffic selector
636290	2-Critical		vCMP support for B4450 blade
627898-2	2-Critical		TMM leaks memory in the ECM subsystem
625824-1	2-Critical		iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
624263-4	2-Critical		iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response
618779-1	2-Critical		Route updates during IPsec tunnel setup can cause tmm to restart
616059-1	2-Critical	K19545861	Modifying license.maxcores Not Allowed Error
614296-1	2-Critical		Dynamic routing process ripd may core
613536-5	2-Critical		tmm core while running the iRule STATS:: command
610295-1	2-Critical		TMM may crash due to internal backplane inconsistency after reprovisioning
583516-2	2-Critical		tmm ASSERT's "valid node" on Active, after timer fire..
567457-2	2-Critical		TMM may crash when changing the IKE peer config.
652484-2	3-Major		tmsh show net f5optics shows information for only 1 chassis slot in a cluster
649617-2	3-Major		qkview improvement for OVSDB management
648544-5	3-Major	K75510491	HSB transmitter failure may occur when global COS queues enabled
646760	3-Major		Common Criteria Mode Disrupts Administrative SSH Access
644490-1	3-Major		Finisar 100G LR4 values need to be revised in f5optics
637559-1	3-Major		Modifying iRule online could cause TMM to be killed by SIGABRT
636535	3-Major	K24844444	HSB lockup in vCMP guest doesn't generate core file
635961-1	3-Major		gzipped and truncated files may be saved in qkview
635129	3-Major		Chassis systems in HA configuration become Active/Active during upgrade★
635116-1	3-Major	K34100550	Memory leak when using replicated remote high-speed logging.
634115-1	3-Major	K10608314	Not all topology records may sync.
633879-1	3-Major	K52833014	Fix IKEv1 md5 phase1 hash algorithm so config takes effect
633512-1	3-Major		HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633413-1	3-Major		IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
631627-4	3-Major		Applying BWC over route domain sometimes results in tmm not becoming ready on system start
630622-1	3-Major		tmm crash possible if high-speed logging pool member is deleted and reused
630610-5	3-Major	K43762031	BFD session interface configuration may not be stored on unit state transition
630546-1	3-Major		Very large core files may cause corrupted qkviews
629499-9	3-Major		tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
629085-1	3-Major	K55278069	Any CSS content truncated at a quoted value leads to a segfault
628202-4	3-Major		Audit-forwarder can take up an excessive amount of memory during a high volume of logging
628164-3	3-Major	K20766432	OSPF with multiple processes may incorrectly redistribute routes
628009-1	3-Major		f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
627961-3	3-Major		nic_failsafe reboot doesn't trigger if HSB fails to disable interface
627914-1	3-Major		Unbundled 40GbE optics reporting as Unsupported Optic
627214-3	3-Major		BGP ECMP recursive default route not redistributed to TMM
626839	3-Major		sys-icheck error for /var/lib/waagent in Azure.
626721-5	3-Major		"reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
625703-2	3-Major		SELinux: snmpd is denied access to tmstat files
625221-5	3-Major		Support for overriding SPDAG address bit selection and L1 buckets on P8
625085	3-Major		lasthop rmmod causes kernel panic
624361-1	3-Major		Responses to some of the challenge JS are not zipped.
623930-3	3-Major		vCMP guests with vlangroups may loop packets internally
623401-1	3-Major		Intermittent OCSP request failures due to non-optimal default TCP profile setting
623336-4	3-Major		After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
623055-1	3-Major		Kernel panic during unic initialization
622183-5	3-Major		The alert daemon should remove old log files but it does not.
621909-4	3-Major	K23562314	Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-1	3-Major		DSR tunnels with transparent monitors may cause TMM crash.
620659-3	3-Major		The BIG-IP system may unecessarily run provisioning on successive reboots
620366-4	3-Major		Alertd can not open UDP socket upon restart
617628-1	3-Major		SNMP reports incorrect value for sysBladeTempTemperature OID
615934-1	3-Major		Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615107-1	3-Major		Cannot SSH from AOM/SCCP to host without password (host-based authentication).
613765-3	3-Major		Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
612809-1	3-Major		Bootup script fails to run on on a vCMP guest due to a missing reference file.
611658-3	3-Major		"less" utility logs an error for remotely authenticated users using the tmsh shell
611512-1	3-Major		AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
611487-3	3-Major		vCMP: VLAN failsafe does not trigger on guest
610417-1	3-Major	K54511423	Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609119-7	3-Major		Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
608320-3	3-Major		iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response
604727-1	3-Major		Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★
604237-3	3-Major		Vlan allowed mismatch found error in VCMP guest
604061-2	3-Major		Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
602376-1	3-Major		qkview excludes files
598498-7	3-Major		Cannot remove Self IP when an unrelated static ARP entry exists.
598134-1	3-Major		Stats query may generate an error when tmm on secondary is down
596067-2	3-Major		GUI on VIPRION hangs on secondary blade reboot
590211-2	3-Major		jitterentropy-rngd quietly fails to start
583754-7	3-Major		When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
575027-1	3-Major		Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
562928-2	3-Major		Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
559080-5	3-Major		High Speed Logging to specific destinations stops from individual TMMs
557471-3	3-Major		LTM Policy statistics showing zeros in GUI
543208-1	3-Major		Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★
534520-1	3-Major		qkview may exclude certain log files from /var/log
424542-5	3-Major		tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
418349-2	3-Major		Update/overwrite of FIPS keys error
643404-2	4-Minor	K30014507	'tmsh system software status' does not display properly in a specific cc-mode situation★
636520-3	4-Minor	K88813435	Detail missing from power supply 'Bad' status log messages
633181-1	4-Minor		A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
632668-5	4-Minor		When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069-3	4-Minor		Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
621957-2	4-Minor		Timezone data on AOM not syncing with host
617901-1	4-Minor		GUI to handle file path manipulation to prevent GUI instability.
609107-1	4-Minor		mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
605420-5	4-Minor		httpd security update - CVE-2016-5387
601268-5	4-Minor		PHP vulnerability CVE-2016-5766
599191-2	4-Minor		One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
589379-2	4-Minor	K20937139	ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
585097-1	4-Minor		Traffic Group score formula does not result in unique values.
541550-3	4-Minor		Defining more than 10 remote-role groups can result in authentication failure
541320-10	4-Minor	K50973424	Sync of tunnels might cause restore of deleted tunnels.
500452-8	4-Minor	K28520025	PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
642015-2	5-Cosmetic		SSD Manufacturer "unavailable"
524277-2	5-Cosmetic		Missing power supplies issue warning message that should be just a notice message.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
651476	2-Critical		bigd may core on non-primary bigd when FQDN in use
648715-2	2-Critical		BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
643396-2	2-Critical	K34553627	Using FLOW_INIT iRule may lead to TMM memory leak or crash
642400-2	2-Critical		Path MTU discovery occasionally fails
640352-2	2-Critical	K01000259	Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639744-1	2-Critical	K84228882	Memory leak in STREAM::expression iRule
637181-4	2-Critical		VIP-on-VIP traffic may stall after routing updates
632685	2-Critical		bigd memory leak for FQDN nodes on non-primary bigd instance
630306-1	2-Critical		TMM crash in DNS processing on UDP virtual server with no available pool members
629145-1	2-Critical		External datagroups with no metadata can crash tmm
628890-1	2-Critical		Memory leak when modifying large datagroups
627403-2	2-Critical		HTTP2 can can crash tmm when stats is updated on aborting of a new connection
626311-2	2-Critical	K75419237	Potential failure of DHCP relay functionality credits to incorrect route lookup.
625198-1	2-Critical		TMM might crash when TCP DSACK is enabled
622856-1	2-Critical		BIG-IP may enter SYN cookie mode later than expected
621870-2	2-Critical		Outage may occur with VIP-VIP configurations
619663-3	2-Critical	K49220140	Terminating of HTTP2 connection may cause a TMM crash
619528-4	2-Critical		TMM may accumulate internal events resulting in TMM restart
619071-3	2-Critical		OneConnect with verified accept issues
614509-1	2-Critical		iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
609027-1	2-Critical		TMM crashes when SSL forward proxy is enabled.
608304-1	2-Critical	K55292305	TMM crash on memory corruption
603667-2	2-Critical		TMM may leak or corrupt memory when configuration changes occur with plugins in use
603082-3	2-Critical		Ephemeral pool members are getting deleted/created over and over again.
602136-5	2-Critical		iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
601828-1	2-Critical		An untrusted certificate can cause TMM to crash.
600982-5	2-Critical		TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
599720-2	2-Critical		TMM may crash in bigtcp due to null pointer dereference
597828-1	2-Critical		SSL forward proxy crashes in some cases
596450-1	2-Critical		TMM may produce a core file after updating SSL session ticket key
594642-3	2-Critical		Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
581746-1	2-Critical	K42175594	MPTCP or SSL traffic handling may cause a BIG-IP outage
557358-5	2-Critical		TMM SIGSEGV and crash when memory allocation fails.
423629-3	2-Critical	K08454006	bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
651106	3-Major		memory leak on non-primary bigd with changing node IPs
649571-1	3-Major		Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990	3-Major		Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
641512-4	3-Major		DNSSEC key generations fail with lots of invalid SSL traffic
632324-2	3-Major		PVA stats does not show correct connection number
629412-3	3-Major		BIG-IP closes a connection when a maximum size window is attempted
627246-1	3-Major	K09336400	TMM memory leak when ASM policy configured on virtual server
626386-1	3-Major	K28505256	SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
626106-3	3-Major		LTM Policy with illegal rule name loses its conditions and actions during upgrade★
625106-2	3-Major		Policy Sync can fail over a lossy network
624616-1	3-Major		Safenet uninstall is unable to remove libgem.so
620625-2	3-Major	K38094257	Changes to the Connection.VlanKeyed DB key may not immediately apply
620079-3	3-Major		Removing route-domain may cause monitors to fail
619849-4	3-Major		In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618430-2	3-Major		iRules LX data not included in qkview
618428	3-Major		iRules LX - Debug mode does not function in dedicated mode
618254-4	3-Major		Non-zero Route domain is not always used in HTTP explicit proxy
617858-2	3-Major		bigd core when using Tcl monitors
616022-2	3-Major	K46530223	The BIG-IP monitor process fails to process timeout conditions
613326-1	3-Major		SASP monitor improvements
612694-5	3-Major		TCP::close with no pool member results in zombie flows
610429-5	3-Major		X509::cert_fields iRule command may memory with subpubkey argument
610302-1	3-Major		Link throughput graphs might be incorrect.
609244-4	3-Major		tmsh show ltm persistence persist-records leaks memory
608551-3	3-Major		Half-closed congested SSL connections with unclean shutdown might stall.
607152-1	3-Major		Large Websocket frames corrupted
604496-4	3-Major		SQL (Oracle) monitor daemon might hang.
603979-4	3-Major		Data transfer from the BIG-IP system self IP might be slow
603723-2	3-Major		TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603550-1	3-Major		Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
600827-8	3-Major		Stuck Nitrox crypto queue can erroneously be reported
600593-1	3-Major		Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
600052-1	3-Major		GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system
599121-2	3-Major	K24036315	Under heavy load, hardware crypto queues may become unavailable.
592871-3	3-Major		Cavium Nitrox PX/III stuck queue diagnostics missing.
591666-3	3-Major		TMM crash in DNS processing on TCP virtual with no available pool members
589400-1	3-Major		With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
586738-4	3-Major		The tmm might crash with a segfault.
584471-1	3-Major		Priority order of clientssl profile selection of virtual server.
584310-1	3-Major		TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-6	3-Major		Fragmented packets may cause tmm to core under heavy load
582769-1	3-Major	K99405272	WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
579926-1	3-Major		HTTP starts dropping traffic for a half-closed connection when in passthrough mode
568543-4	3-Major		Syncookie mode is activated on wildcard virtuals
562267-3	3-Major		FQDN nodes do not support monitor alias destinations.
517756-6	3-Major		Existing connections can choose incorrect route when crossing non-strict route-domains
509858-5	3-Major	K36300805	BIG-IP FastL4 profile vulnerability
419741-3	3-Major		Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
352957-4	3-Major	K03005026	Route lookup after change in route table on established flow ignores pool members
660170-1	4-Minor	K28505910	tmm may crash at ~75% of VLAN failsafe timeout expiration
631862-1	4-Minor	K32107573	Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
618517-1	4-Minor	K61255401	bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
611161-3	4-Minor	K28540353	VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
587966-1	4-Minor	K77283304	LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
583943-1	4-Minor	K27491104	Forward proxy does not work when netHSM is configured on TMM interfaces
574020-5	4-Minor		Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
621115-1	2-Critical		IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Global Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
642330-2	3-Major		GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
629530-2	3-Major	K53675033	Under certain conditions, monitors do not time out.
601180-2	3-Major	K73505027	Link Controller base license does not allow DNS namespace iRule commands.★
567743-2	3-Major		Possible gtmd crash under certain conditions.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
646511-1	2-Critical		BD crashes repeatedly after interrupted roll-forward upgrade★
636397-1	2-Critical		bd cores when persistent storage configuration and under some memory conditions.
634001-2	2-Critical		ASM restarts after deleting a VS that has an ASM security policy assigned to it
627117-1	2-Critical		crash with wrong ceritifcate in WSS
625783-1	2-Critical		Chassis sync fails intermittently due to sync file backlog
618771-1	2-Critical		Some Social Security Numbers are not being masked
601378-2	2-Critical		Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
584082-3	2-Critical		BD daemon crashes unexpectedly
540928-1	2-Critical		Memory leak due to unnecessary logging profile configuration updates.
640824-1	3-Major	K20770267	Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
635754-1	3-Major	K65531575	Wildcard URL pattern match works inncorectly in Traffic Learning
632344-2	3-Major		POP DIRECTIONAL FORMATTING causes false positive
632326-2	3-Major	K52814351	relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
631737-1	3-Major	K61367823	ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
630929-1	3-Major	K69767100	Attack signature exception list upload times-out and fails
627360-1	3-Major		Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
625832-4	3-Major		A false positive modified domain cookie violation
622913-2	3-Major		Audit Log filled with constant change messages
621524-2	3-Major		Processing Timeout When Viewing a Request with 300+ Violations
620635-2	3-Major		Request having upper case JSON login parameter is not detected as a failed login attempt
611151-2	3-Major		An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
608245	3-Major		Reporting missing parameter details when attack signature is matched against parameter value
581406-1	3-Major		SQL Error on Peer Device After Receiving ASM Sync in a Device Group
580168-4	3-Major		Information missing from ASM event logs after a switchboot and switchboot back
576591-6	3-Major		Support for some future credit card number ranges
572885-1	3-Major		Policy automatic learning mode changes to manual after failover
392121-3	3-Major		TMSH Command to retrieve the memory consumption of the bd process
642874-1	4-Minor	K15329152	Ready to be Enforced filter for Policy Signatures returns too many signatures

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
634215-1	2-Critical		False detection of attack after restarting dosl7d
573764-1	2-Critical		In some cases, only primary blade retains it's statistics after upgrade on multi bladed system
642221-2	3-Major		Incorrect entity is used when exporting TCP analytics from GUI
641574	3-Major	K06503033	AVR doesn't report on virtual and client IP in DNS statistics
635561-1	3-Major		Heavy URLs statistics are not shown after upgrade.
631722	3-Major		Some HTTP statistics not displayed after upgrade
631131-3	3-Major		Some tmstat-adapters based reports stats are incorrect
605010-1	3-Major		Thrift::TException error
560114-6	3-Major		Monpd is being affected by an I/O issue which makes some of its threads freeze

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
637308-8	2-Critical	K41542530	apmd may crash when HTTP Auth agent is used in an Access Policy
632005-1	2-Critical		BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
622244-2	2-Critical		Edge client can fail to upgrade when always connected is selected
617310-2	2-Critical		Edge client can fail to upgrade when Always Connected is selected★
614322-1	2-Critical	K31063537	TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
608424-2	2-Critical		Dynamic ACL agent error log message contains garbage data
608408-2	2-Critical		TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
593078-1	2-Critical		CATEGORY::filetype command may cause tmm to crash and restart
643547-1	3-Major	K43036745	APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
638799-1	3-Major		Per-request policy branch expression evaluation fails
638780-3	3-Major		Handle 302 redirects for VMware Horizon View HTML5 client
636044-1	3-Major	K68018520	Large number of glob patterns affects custom category lookup performance
634576	3-Major	K48181045	TMM core in per-request policy
634252	3-Major	K99114539	TMM crash with per-request policy in SWG explicit
632504-1	3-Major	K31277424	APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499-1	3-Major	K70551821	APM Policy Sync: Resources under webtop section are not sync'ed automatically
632472-1	3-Major		Frequently logged "Silent flag set - fail" messages
632386-1	3-Major		EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
630571-1	3-Major	K35254214	Edge Client on Mac OSX Sierra stuck in a reconnect loop
629801-2	3-Major		Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.
629698-1	3-Major		Edge client stuck on "Initializing" state
629069-2	3-Major		Portal Access may delete scripts from HTML page in some cases
628687-2	3-Major		Edge Client reconnection issues with captive portal
628685-2	3-Major	K79361498	Edge Client shows several security warnings after roaming to a network with Captive Portal
627972-2	3-Major	K11327511	Unable to save advanced customization when using Exchange iApp
627059-1	3-Major		In some rare cases TMM may crash while handling VMware View client connection
626910-1	3-Major		Policy with assigned SAML Resource is exported with error
625474-1	3-Major		POST request body is not saved in session variable by access when request is sent using edge client
625159-1	3-Major		Policy sync status not shown on standby device in HA case
624966-2	3-Major		Edge client starts new APM session when Captive portal session expire
623562-3	3-Major		Large POSTs rejected after policy already completed
622790-1	3-Major		EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
621976-4	3-Major		OneDrive for Business thick client shows javascript errors when rendering APM logon page
621974-4	3-Major		Skype For Business thick client shows javascript errors when rendering APM logon page
621447-1	3-Major		In some rare cases, VDI may crash
621210-2	3-Major		Policy sync shows as aborted even if it is completed
621126-2	3-Major		Import of config with saml idp connector with reuse causes certificate not found error
620829-2	3-Major		Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
620801-3	3-Major		Access Policy is not able to check device posture for Android 7 devices
620614-4	3-Major		Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-1	3-Major		HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-2	3-Major		Machine Cert OCSP check fails with multiple Issuer CA
619486-3	3-Major		Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-2	3-Major		Browser may hang at APM session logout
618170-3	3-Major		Some URL unwrapping functions can behave bad
617063-1	3-Major		After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
617002-1	3-Major		SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838-3	3-Major		Citrix Remote desktop resource custom parameter name does not accept hyphen character
615970-1	3-Major		SSO logging level may cause failover
615254-2	3-Major		Network Access Launch Application item fails to launch in some cases
612419-1	3-Major		APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
611968-3	3-Major		JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
611669-4	3-Major		Mac Edge Client customization is not applied on macOS 10.12 Sierra
610180-2	3-Major		SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.
597214-5	3-Major		Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
595819-1	3-Major		Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached,
595272-1	3-Major		Edge client may show a windows displaying plain text in some cases
591246-1	3-Major		Unable to launch View HTML5 connections in non-zero route domain virtual servers
584582-1	3-Major		JavaScript: 'baseURI' property may be handled incorrectly
570217-2	3-Major		BIG-IP APM now uses Airwatch v2 API to retreive device posture information
533956-3	3-Major	K30515450	Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
503842-4	3-Major		MS WebService html component doesn't work after rewriting
640521-1	4-Minor		EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636254-2	4-Minor		Cannot reinitiate a sync on a target device when sync is completed
618404-1	4-Minor		Access Profile copying might end up in invalid way if series of names.
606257-3	4-Minor	K56716107	TCP FIN sent with Connection: Keep-Alive header for webtop page resources

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
630661-2	3-Major	K30241432	WAM may leak memory when a WAM policy node has multiple variation header rules

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
644970-1	2-Critical		Editing a virtual server config loses SSL encryption on iSession connections
644489-1	3-Major	K14899014	Unencrypted iSession connection established even though data-encrypt configured in profile

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
639236-1	2-Critical	K66947004	Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
624023-3	2-Critical		TMM cores in iRule when accessing a SIP header that has no value
569316-1	2-Critical		Core occurs on standby in MRF when routing to a route using a transport config
649933-1	3-Major		Fragmented RADIUS messages may be dropped
629663-1	3-Major	K23210890	CGNAT SIP ALG will drop SIP INVITE
625542-1	3-Major		SIP ALG with Translation fails for REGISTER refresh.
625098-3	3-Major		SCTP::local_port iRule not supported in MRF events
601255-4	3-Major		RTSP response to SETUP request has incorrect client_port attribute

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
632731-2	2-Critical		specific external logging configuration can cause TMM service restart
628623-1	2-Critical		tmm core with AFM provisioned
639193-1	3-Major	K03453591	BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.
631025-1	3-Major		500 internal error on inline rule editor for certain firewall policies
627907-1	3-Major		Improve cURL usage
626438-1	3-Major		Frame is not showing in the browser and/ or an error appears
614563-3	3-Major		AVR TPS calculation is inaccurate
610129-3	3-Major	K43320840	Config load failure when cluster management IP is not defined, but instead uses address-list.
592113-5	3-Major		tmm core on the standby unit with dos vectors configured
590805-4	3-Major		Active Rules page displays a different time zone.
583024-1	3-Major		TMM restart rarely during startup
431840-3	3-Major		Cannot add vlans to whitelist if they contain a hyphen

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
627257-2	2-Critical		Potential PEM crash during a Gx operation
626851-2	2-Critical	K37665112	Potential crash in a multi-blade chassis during CMP state changes.
624744-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624733-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624228-1	2-Critical		Memory leak when using insert action in pem rule and flow gets aborted
623922-5	2-Critical	K64388805	TMM failure in PEM while processing Service-Provider Disaggregation
641482-2	3-Major		Subscriber remains in delete pending state until CCR-t ack has success as result code is received
640510-3	3-Major		BWC policy category attachment may fail during a PEM policy update for a subscriber.
640457-2	3-Major		Session Creation failure after HA
635233-3	3-Major		Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
630611-1	3-Major	K84324392	PEM module crash when subscriber not fund
627798-3	3-Major		Buffer length check for quota bucket objects
627279-2	3-Major		Potential crash in a multi-blade chassis during CMP state changes.
623927-2	3-Major	K41337253	Flow entry memory leaked after DHCP DORA process
564281-3	3-Major		TMM (debug) assert seen during Failover with Gy
628869-4	4-Minor		Unconditional logs seen due to the presence of a PEM iRule.

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
609788	2-Critical		PCP may pick an endpoint outside the deterministic mapping
642284	3-Major		Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
629871-2	3-Major		FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
639750-1	2-Critical		username aliases are not supported
636370	3-Major		Application Layer Encryption AJAX support
629627-1	3-Major		FPS Log Publisher is not grouped nor filtered by partition
629127-1	3-Major		Parent profiles cannot be saved using FPS GUI
628348-1	3-Major		Cannot configure any Mobile Security list having 11 records or more via the GUI
628337-1	3-Major		Forcing a single injected tag configuration is restrictive
625275-1	3-Major		Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
624198-1	3-Major		Unable to add multiple User-Defined alerts with the same search category
623518-1	3-Major		Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
594127-2	3-Major		Pages using Angular may hang when Websafe is enabled
635541	4-Minor		"Application CSS Locations" is not inherited if changing parent profile

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
642039-2	2-Critical		TMM core when persist is enabled for wideip with certain iRule commands triggered.
584374-2	2-Critical		iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
640903-1	3-Major		Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
632423-4	3-Major		DNS::query can cause tmm crash if AXFR/IXFR types specified.
628897-1	3-Major		Add Hyperlink to gslb server and vs on the Pool Member List Page
625671-4	3-Major		The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
624876-1	3-Major		Response Policy Zones can trigger even after entry removed from zone
624193-2	3-Major		Topology load balancing not working as expected
623023-1	3-Major		Unable to set DNS Topology Continent to Unknown via GUI
621239-2	3-Major		Certain DNS queries bypass DNS Cache RPZ filter.
620215-5	3-Major		TMM out of memory causes core in DNS cache
619398-7	3-Major		TMM out of memory causes core in DNS cache
612769-1	3-Major	K33842313	Hard to use search capabilities on the Pool Members Manage page.
557434-4	3-Major		After setting a Last Resort Pool on a Wide IP, cannot reset back to None
366695-1	5-Cosmetic		Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
625172-1	2-Critical		tmm crashes when classification is enabled and ftp traffic is flowing trough the box
631472-1	3-Major		Reseting classification signatures to default may result in non-working configuration

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
606518-3	2-Critical		iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.
642983-1	3-Major	K94534313	Update to max message size limit doesn't work sometimes
629845-2	3-Major		Disallowing TLSv1 connections to HTTP causes iControl/REST issues
626542-2	3-Major		Unable to set maxMessageBodySize in iControl REST after upgrade★

Cumulative fixes from BIG-IP v12.1.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
618306-2	CVE-2016-9247	K33500120	TMM vulnerability CVE-2016-9247
616864-1	CVE-2016-2776	K18829561	BIND vulnerability CVE-2016-2776
613282-2	CVE-2016-2086, CVE-2016-2216, CVE-2016-1669	K15311661	NodeJS vulnerability CVE-2016-2086
611469-3	CVE-2016-7467	K95444512	Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-2	CVE-2016-9252	K46535047	Improper handling of IP options
591328-7	CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109	K36488941	OpenSSL vulnerability CVE-2016-2106
591325-8	CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109	K75152412	OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
591042-17	CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109	K23230229	OpenSSL vulnerabilities
560109-7	CVE-2017-6160	K19430431	Client capabilities failure
618549-1	CVE-2016-9249	K71282001	Fast Open can cause TMM crash CVE-2016-9249
618263-1	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
614147-1	CVE-2017-6157	K02692210	SOCKS proxy defect resolution
614097-1	CVE-2017-6157	K02692210	HTTP Explicit proxy defect resolution
607314-1	CVE-2016-3500, CVE-2016-3508	K25075696	Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
605039-3	CVE-2016-2775	K92991044	lwresd and bind vulnerability CVE-2016-2775
601059-6	CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449	K14614344	libxml2 vulnerability CVE-2016-1840
597023-1	CVE-2016-4954	K82644737	NTP vulnerability CVE-2016-4954
595242-1	CVE-2016-3705	K54225343	libxml2 vulnerabilities CVE-2016-3705
595231-1	CVE-2016-3627	K54225343	libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
594496-1	CVE-2016-4539	K35240323	PHP Vulnerability CVE-2016-4539
593447-1	CVE-2016-5024	K92859602	BIG-IP TMM iRules vulnerability CVE-2016-5024
592485	CVE-2015-5157 CVE-2015-8767	K17326	Linux kernel vulnerability CVE-2015-5157
592001-1	CVE-2016-4071 CVE-2016-4073	K64412100	CVE-2016-4073 PHP vulnerabilities
591455-7	CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518	K24613253	NTP vulnerability CVE-2016-2516
591447-1	CVE-2016-4070	K42065024	PHP vulnerability CVE-2016-4070
591358-1	CVE-2016-3425 CVE-2016-0695 CVE-2016-3427	K81223200	Oracle Java SE vulnerability CVE-2016-3425
585424-1	CVE-2016-1979	K20145801	Mozilla NSS vulnerability CVE-2016-1979
580747-1	CVE-2016-0739	K57255643	libssh vulnerability CVE-2016-0739
557190-3	CVE-2017-6166	K65615624	'packet_free: double free!' tmm core
597010-1	CVE-2016-4955	K03331206	NTP vulnerability CVE-2016-4955
596997-1	CVE-2016-4956	K64505405	NTP vulnerability CVE-2016-4956
591767-8	CVE-2016-1547	K11251130	NTP vulnerability CVE-2016-1547
591438-7	CVE-2015-8865	K54924436	PHP vulnerability CVE-2015-8865
575629-3	CVE-2015-8139	K00329831	NTP vulnerability: CVE-2015-8139
573343-1	CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158	K01324833	NTP vulnerability CVE-2015-8158

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
615377-3	3-Major		Unexpected rate limiting of unreachable and ICMP messages for some addresses.
599536-1	3-Major		IPsec peer with wildcard selector brings up wrong phase2 SAs
590122-2	3-Major		Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
581438-2	3-Major		Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
561348-7	3-Major		krb5.conf file is not synchronized between blades and not backed up
541549-2	3-Major		AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-3	3-Major		OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
246726-1	3-Major		System continues to process virtual server traffic after disabling virtual address
599839-3	4-Minor		Add new keyords to SIP::persist command to specify how Persistence table is updated
591733-4	4-Minor	K83175883	Save on Auto-Sync is missing from the configuration utility.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
625784	1-Blocking		TMM crash on BigIP i4x00 and i2x00 with large ASM configuration.
617622	1-Blocking		In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
621422	2-Critical		i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
620056-1	2-Critical		Assert on deletion of paired in-and-out IPsec traffic selectors
617935	2-Critical		IKEv2 VPN tunnels fail to establish
617481-1	2-Critical		TMM can crash when HTML minification is configured
614865-5	2-Critical		Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
610354-1	2-Critical		TMM crash on invalid memory access to loopback interface stats object
605476-3	2-Critical		statsd can core when reading corrupt stats files.
601527-4	2-Critical		mcpd memory leak and core
600894-1	2-Critical		In certain situations, the MCPD process can leak memory
598748	2-Critical		IPsec AES-GCM IVs are now based on a monotonically increasing counter
598697-1	2-Critical		vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★
595712-1	2-Critical		Not able to add remote user locally
591495-2	2-Critical		VCMP guests sflow agent can crash due to duplicate vlan interface indices
591104-1	2-Critical		ospfd cores due to an incorrect debug statement.
588686	2-Critical		High-speed logging to remote logging node stops sending logs after all logging nodes go down
587698-3	2-Critical		bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
585745-2	2-Critical		sod core during upgrade from 10.x to 12.x.
583936-5	2-Critical		Removing ECMP route from BGP does not clear route from NSM
557680-4	2-Critical		Fast successive MTU changes to IPsec tunnel interface crashes TMM
355806-7	2-Critical		Starting mcpd manually at the command line interferes with running mcpd
622877-1	3-Major		i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
622199	3-Major		sys-icheck reports error with /var/lib/waagent
622194	3-Major		sys-icheck reports error with ssh_host_rsa_key
621423	3-Major		sys-icheck reports error with /config/ssh/ssh_host_dsa_key
621242-1	3-Major		Reserve enough space in the image for future upgrades.
621225	3-Major		LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
620782	3-Major		Azure cloud now supports hourly billing
619410-1	3-Major		TMM hardware accelerated compression not registering for all compression levels.
617986-2	3-Major		Memory leak in snmpd
617229-1	3-Major	K54245014	Local policy rule descriptions disappear when policy is re-saved
616242-3	3-Major	K39944245	basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
614530-2	3-Major		Dynamic ECMP routes missing from Linux host
614180-1	3-Major		ASM is not available in LTM policy when ASM is licensed as the main active module
610441-3	3-Major		When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
610352-1	3-Major		sys-icheck reports error with /etc/sysconfig/modules/unic.modules
610350-1	3-Major		sys-icheck reports error with /config/bigpipe/defaults.scf
610273-3	3-Major		Not possible to do targeted failover with HA Group configured
605894-3	3-Major		Remote authentication for BIG-IP users can fail
603149-2	3-Major		Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
602854-8	3-Major		Missing ASM control option from LTM policy rule screen in the Configuration utility
602502-2	3-Major		Unable to view the SSL Cert list from the GUI
601989-3	3-Major	K88516119	Remote LDAP system authenticated username is case sensitive★
601893-2	3-Major		TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.
601502-4	3-Major		Excessive OCSP traffic
600558-5	3-Major		Errors logged after deleting user in GUI
599816-2	3-Major		Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
598443-1	3-Major		Temporary files from TMSH not being cleaned up intermittently.
598039-6	3-Major		MCP memory may leak when performing a wildcard query
597729-5	3-Major		Errors logged after deleting user in GUI
596104-1	3-Major	K84539934	HA trunk unavailable for vCMP guest★
595773-4	3-Major		Cancellation requests for chunked stats queries do not propagate to secondary blades
594426-2	3-Major		Audit forwarding Radius packets may be rejected by Radius server
592870-2	3-Major		Fast successive MTU changes to IPsec tunnel interface crashes TMM
592320-5	3-Major		ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
589083-2	3-Major		TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
586878-4	3-Major		During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
585833-3	3-Major		Qkview will abort if /shared partition has less than 2GB free space
585547-1	3-Major	K58243048	NTP configuration items are no longer collected by qkview★
585485-3	3-Major		inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system
584583-3	3-Major		Timeout error when attempting to retrieve large dataset.
583285-5	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-1	3-Major		BWC policy in device sync groups.
580500-1	3-Major		/etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
578551-5	3-Major		bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot
576305-7	3-Major		Potential MCPd leak in IPSEC SPD stats query code
575649-5	3-Major		MCPd might leak memory in IPFIX destination stats query
575591-6	3-Major		Potential MCPd leak in IKE message stats query code
575589-5	3-Major		Potential MCPd leak in IKE event stats query code
575587-7	3-Major		Potential MCPd leak in BWC policy class stats query code
575176-1	3-Major		Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
575066-1	3-Major		Management DHCP settings do not take effect
570818-4	3-Major		Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
568672-1	3-Major		Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
566507-4	3-Major		Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
553795-7	3-Major		Differing certificate/key after successful config-sync
547479-5	3-Major		Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-1	3-Major		Creating local user for previously remote user results in incomplete user definition.
540872-1	3-Major		Config sync fails after creating a partition.
527206-5	3-Major		Management interface may flap due to LOP sync error
393270-1	3-Major		Configuration utility may become non-responsive or fail to load.
618421	4-Minor		Some mass storage is left un-used
617124	4-Minor		Cannot map hardware type (12) to HardwareType enumeration
581835-1	4-Minor		Command failing: tmsh show ltm virtual vs_name detail.
567546-1	4-Minor		Files with file names larger than 100 characters are omitted from qkview
564771-1	4-Minor		cron sends purge_mysql_logs.pl email error on LTM-only device
564522-2	4-Minor		cron is configured with MAILTO=root but mailhost defaults to 'mail'
559837-4	4-Minor		Misleading error message in catalina.out when listing certificates.
551349-5	4-Minor	K80203854	Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
460833-5	4-Minor		MCPD sync errors and restart after multiple modifications to file object in chassis
572133-5	5-Cosmetic		tmsh save /sys ucs command sends status messages to stderr
442231-4	5-Cosmetic		Pendsect log entries have an unexpected severity

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618905-1	1-Blocking		tmm core while installing Safenet 6.2 client
616215-4	2-Critical		TMM can core when using LB::detach and TCP::notify commands in an iRule
615388-1	2-Critical		L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
612229-1	2-Critical		TMM may crash if LTM a disable policy action for 'LTM Policy' is not last
609628-2	2-Critical		CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
609199-6	2-Critical		Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
608555-1	2-Critical		Configuring asymmetric routing with a VE rate limited license will result in tmm crash
607724-2	2-Critical	K25713491	TMM may crash when in Fallback state.
607524-2	2-Critical		Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
607360-5	2-Critical		Safenet 6.2 library missing after upgrade★
606573-3	2-Critical		FTP traffic does not work through SNAT when configured without Virtual Server★
605865-4	2-Critical		Debug TMM produces core on certain ICMP PMTUD packets
604133-2	2-Critical		Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603032-1	2-Critical		clientssl profiles with sni-default enabled may leak X509 objects
602326-1	2-Critical		Intermittent pkcs11d core when installing Safenet 6.2 software
599135-2	2-Critical		B2250 blades may suffer from high TMM CPU utilisation with tcpdump
588959-2	2-Critical	K34453301	TMM may crash or behave abnormally on a Standby BIG-IP unit
588351-5	2-Critical		IPv6 fragments are dropped when packet filtering is enabled.
586449-1	2-Critical		Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
584213-1	2-Critical		Transparent HTTP profiles cannot have iRules configured
575011-1	2-Critical	K21137299	Memory leak. Nitrox3 Hang Detected.
574880-3	2-Critical		Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
549329-3	2-Critical	K02020031	L7 mirrored ACK from standby to active box can cause tmm core on active
545810-3	2-Critical		ASSERT in CSP in packet_reuse
459671-4	2-Critical		iRules source different procs from different partitions and executes the incorrect proc.
617862-2	3-Major		Fastl4 handshake timeout is absolute instead of relative
617824-3	3-Major		"SSL::disable/enable serverside" + oneconnect reuse is broken
615143-1	3-Major		VDI plugin-initiated connections may select inappropriate SNAT address
613429-2	3-Major		Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613369-4	3-Major		Half-Open TCP Connections Not Discoverable
613079-4	3-Major		Diameter monitor watchdog timeout fires after only 3 seconds
613065-1	3-Major		User can't generate netHSM key with Safenet 6.2 client using GUI
612040-4	3-Major		Statistics added for all crypto queues
611320-3	3-Major		Mirrored connection on Active unit of HA pair may be unexpectedly torndown
610609-3	3-Major		Total connections in bigtop, SNMP are incorrect
608024-3	3-Major		Unnecessary DTLS retransmissions occur during handshake.
607803-3	3-Major	K33954223	DTLS client (serverssl profile) fails to complete resumed handshake.
607304-5	3-Major		TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606940-3	3-Major		Clustered Multiprocessing (CMP) peer connection may not be removed
606575-6	3-Major		Request-oriented OneConnect load balancing ends when the server returns an error status code.
606565-2	3-Major	K52231531	TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
604977-2	3-Major	K08905542	Wrong alert when DTLS cookie size is 32
603236-1	3-Major		1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602385-1	3-Major		Add zLib compression
602366-1	3-Major		Safenet 6.2 HA performance
602358-5	3-Major		BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version
601496-4	3-Major		iRules and OCSP Stapling
601178-6	3-Major		HTTP cookie persistence 'preferred' encryption
598874-2	3-Major		GTM Resolver sends FIN after SYN retransmission timeout
597978-2	3-Major		GARPs may be transmitted by active going offline
597879-1	3-Major		CDG Congestion Control can lead to instability
597532-1	3-Major		iRule: RADIUS avp command returns a signed integer
597089-8	3-Major		Connections are terminated after 5 seconds when using ePVA full acceleration
593530-6	3-Major		In rare cases, connections may fail to expire
592784-2	3-Major		Compression stalls, does not recover, and compression facilities cease.
592497-1	3-Major		Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591659-5	3-Major	K47203554	Server shutdown is propagated to client after X-Cnection: close transformation.
591476-7	3-Major	K53220379	Stuck crypto queue can erroneously be reported
591343-5	3-Major		SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
589223-1	3-Major		TMM crash and core dump when processing SSL protocol alert.
588115-1	3-Major		TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-3	3-Major		SSL resumed connections may fail during mirroring
587016-3	3-Major		SIP monitor in TLS mode marks pool member down after positive response.
585813-3	3-Major		SIP monitor with TLS mode fails to find cert and key files.
585412-4	3-Major		SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
583957-6	3-Major		The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582465-1	3-Major		Cannot generate key after SafeNet HSM is rebooted
580303-5	3-Major		When going from active to offline, tmm might send a GARP for a floating address.
579843-1	3-Major		tmrouted may not re-announce routes after a specific succession of failover states
579371-4	3-Major	K70126130	BIG-IP may generate ARPs after transition to standby
578951-2	3-Major		TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
572281-5	3-Major		Variable value in the nesting script of foreach command get reset when there is parking command in the script
570057-2	3-Major		Can't install more than 16 SafeNet HSMs in its HA group
569288-6	3-Major		Different LACP key may be used in different blades in a chassis system causing trunking failures
565799-4	3-Major		CPU Usage increases when using masquerade addresses
551208-6	3-Major		Nokia alarms are not deleted due to the outdated alert_nokia.conf.
550161-4	3-Major		Networking devices might block a packet that has a TTL value higher than 230.
545796-5	3-Major		[iRule] [Stats] iRule is not generating any stats for executed iRules.
545450-5	3-Major		Log activation/deactivation of TM.TCPMemoryPressure
537553-8	3-Major		tmm might crash after modifying virtual server SSL profiles in SNI configuration
534457-4	3-Major		Dynamically discovered routes might fail to remirror connections.
530266-7	3-Major		Rate limit configured on a node can be exceeded
506543-5	3-Major		Disabled ephemeral pool members continue to receive new connections
483953-1	3-Major		Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
472571-7	3-Major		Memory leak with multiple client SSL profiles.
464801-3	3-Major		Intermittent tmm core
423392-6	3-Major		tcl_platform is no longer in the static:: namespace
371164-1	3-Major		BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs.
225634-1	3-Major		The rate class feature does not honor the Burst Size setting.
598860-4	4-Minor		IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587676-2	4-Minor		SMB monitor fails due to internal configuration issue
560471-1	4-Minor		Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
544033-5	4-Minor	K30404012	ICMP fragmentation request is ignored by BIG-IP
222034-4	4-Minor		HTTP::respond in LB_FAILED with large header/body might result in truncated response

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
510631-1	3-Major		B4450 L4 No ePVA or L7 throughput lower than expected

Global Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
603598-3	2-Critical		big3d memory under extreme load conditions
587656-2	2-Critical		GTM auto discovery problem with EHF for ID574052
587617-1	2-Critical		While adding GTM server, failure to configure new IP on existing server leads to gtmd core
615338-2	3-Major		The value returned by "matchregion" in an iRule is inconsistent in some cases.
613576-1	3-Major		QOS load balancing links display as gray
613045-7	3-Major		Interaction between GTM and 10.x LTM results in some virtual servers marked down
589256-1	3-Major		DNSSEC NSEC3 records with different type bitmap for same name.
588289-1	3-Major		GTM is Re-ordering pools when adding pool including order designation
584623-2	3-Major		Response to -list iRules command gets truncated when dealing with MX type wide IP
574052-4	3-Major		GTM autoconf can cause high CPU usage for gtmd
370131-4	3-Major		Loading UCS with low GTM Autoconf Delay drops pool Members from config

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609499-1	2-Critical		Compiled signature collections use more memory than prior versions
603945-2	2-Critical		BD config update should be considered as config addition in case of update failure
588087-1	2-Critical		Attack prevention isn't escalating under some conditions in session opening mitigation
587629-2	2-Critical		IP exceptions may have issues with route domain
575133-1	2-Critical		asm_config_server_rpc_handler_async.pl SIGSEGV and core
622386-1	3-Major		Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
616169	3-Major		ASM Policy Export returns HTML error file
613396-1	3-Major		Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
611385-1	3-Major		"Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
609496-2	3-Major		Improved diagnostics in BD config update (bd_agent) added
608509-1	3-Major		Policy learning is slow under high load
604923-5	3-Major		REST id for Signatures change after update
604612-1	3-Major	K20323120	Modified ASM cookie violation happens after upgrade to 12.1.x★
602221-2	3-Major		Wrong parsing of redirect Domain
584642-1	3-Major		Apply Policy Failure
584103-2	3-Major		FPS periodic updates (cron) write errors to log
582683-2	3-Major		xpath parser doesn't reset a namespace hash value between each and every scan
582133-1	3-Major		Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
581315-1	3-Major		Selenium detection not blocked
579917-1	3-Major		User-defined signature set cannot be created/updated with Signature Type = "All"
579495-1	3-Major		Error when loading Upgrade UCS★
521204-2	3-Major		Include default values in XML Policy Export

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
602654-2	2-Critical		TMM crash when using AVR lookups
602434-1	2-Critical		Tmm crash with compressed response
601056	2-Critical		TCP-Analytics, error message not using rate-limit mechanism can halt TMM
622735	3-Major		TCP Analytics statistics does not list all virtual servers
618944-1	3-Major		AVR statistic is not save during the upgrade process
601035	3-Major		TCP-Analytics can fail to collect all the activity

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618506	2-Critical		TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
618324-1	2-Critical		Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
592868-3	2-Critical		Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-3	2-Critical		APM ACL construction may cause TMM to core if TMM is out of memory
569563-3	2-Critical		Sockets resource leak after loading complex policy
619250-1	3-Major		Returning to main menu from "RSS Feed" breaks ribbon
617187-1	3-Major		APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
614891-2	3-Major		Routing table doesn't get updated when EDGE client roams among wireless networks
613613-2	3-Major		Incorrect handling of form that contains a tag with id=action
611922-1	3-Major		Policy sync fails with policy that includes custom CA Bundle.
611240-3	3-Major		Import of config with securid might fail
610224-3	3-Major		APM client may fetch expired certificate when a valid and an expired certificate co-exist
608941-1	3-Major		AAA RADIUS system authentication fails on IPv6 network
604767-1	3-Major		Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.
601905-1	3-Major		POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600119-3	3-Major		DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
598981-3	3-Major	K06913155	APM ACL does not get enforced all the time under certain conditions
598211-1	3-Major		Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-2	3-Major		VPN establishment may fail when computer wakes up from sleep
596116-3	3-Major		LDAP Query does not resolve group membership, when required attribute(s) specified
595227-1	3-Major		SWG Custom Category: unable to have a URL in multiple custom categories
594288-1	3-Major		Access profile configured with SWG Transparent results in memory leak.
592414-4	3-Major		IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
591840-1	3-Major		encryption_key in access config is NULL in whitelist
591590-1	3-Major		APM policy sync results are not persisted on target devices
591268-1	3-Major		VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
590820-3	3-Major		Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
588888-3	3-Major	K80124134	Empty URI rewriting is not done as required by browser.
586718-1	3-Major		Session variable substitutions are logged
586006-1	3-Major		Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-3	3-Major		VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
583113-1	3-Major		NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-3	3-Major		Macrocall could be topologically not connected with the rest of policy.★
582526-3	3-Major		Unable to display and edit huge policies (more than 4000 elements)
580893-2	3-Major	K08731969	Support for Single FQDN usage with Citrix Storefront Integration mode
573643-3	3-Major		flash.utils.Proxy functionality is not negotiated
572558-1	3-Major		Internet Explorer: incorrect handling of document.write() to closed document
569309-3	3-Major		Clientside HTML parser does not recognize HTML event attributes without value
562636-2	3-Major	K05489319	Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
525429-11	3-Major		DTLS renegotiation sequence number compatibility
455975-1	3-Major		Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
389484-6	3-Major		OAM reporting Access Server down with JDK version 1.6.0_27 or later
386517-1	3-Major		Multidomain SSO requires a default pool be configured
238444-3	3-Major		An L4 ACL has no effect when a layered virtual server is used.
605627	4-Minor		Selinux denial seen for apmd when it is being shutdown.
584373-2	4-Minor		AD/LDAP resource group mapping table controls are not accessible sometimes
573611-1	4-Minor		Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
557411-1	4-Minor		Full Webtop resources appear overlapping in IE11 compatibility mode

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
619757-1	2-Critical		iSession causes routing entry to be prematurely freed

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
613297-3	2-Critical		Default generic message routing profile settings may core
612135-3	2-Critical		Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
603397-2	2-Critical		tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config
596631-2	2-Critical		SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
609575-5	3-Major		BIG-IP drops ACKs containing no max-forwards header
609328-3	3-Major	K53447441	SIP Parser incorrectly parsers empty header
607713-3	3-Major		SIP Parser fails header with multiple sequential separators inside quoted string.
603019-3	3-Major		Inserted SIP VIA branch parameter not unique between INVITE and ACK
599521-5	3-Major		Persistence entries not added if message is routed via an iRule
598854-3	3-Major		sipdb tool incorrectly displays persistence records without a pool name
598700-6	3-Major		MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-3	3-Major		Branch parameter in inserted VIA header not consistent as per spec
583010-4	3-Major		Sending a SIP invite with 'tel' URI fails with a reset
578564-4	3-Major		ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-4	3-Major		ADAPT recursive loop when handling successive iRule events
566576-6	3-Major		ICAP/OneConnect reuses connection while previous response is in progress
401815-1	3-Major		BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic
585807-2	4-Minor		'ICAP::method <method>' iRule is documented but is read-only
561500-4	4-Minor		ICAP Parsing improvement

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
612874-1	2-Critical		iRule with FLOW_INIT stage execution can cause TMM restart
609095-1	2-Critical		mcpd memory grows when updating firewall rules
622281-1	3-Major		Network DoS logging configuration change can cause TMM crash
621808-1	3-Major		Proactive Bot Defense failing in IE11 with Compatibility View enabled
614284-2	3-Major		Performance fix to not reset a data structure in the packet receive hotpath.
613459-1	3-Major		Non-common browsers blocked by Proactive Bot Defense
610857-1	3-Major		DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
610830-1	3-Major		FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.
608566-1	3-Major		The reference count of NW dos log profile in tmm log is incorrect
606875-1	3-Major		DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
605427-1	3-Major		TMM may crash when adding and removing virtual servers with security log profiles
601924-1	3-Major		Selenium detection by ports scanning doesn't work even if the ports are opened
596502-1	3-Major		Unable to force Bot Defense action to Allow in iRule
594869-4	3-Major		AFM can log DoS attack against the internal mpi interface and not the actual interface
594075-2	3-Major		Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
586070	3-Major		'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
585823-1	3-Major		FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)
501892-1	3-Major		Selenium is not detected by headless mechanism when using client version without server

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609005-2	1-Blocking		Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
611467-3	2-Critical		TMM coredump at dhcpv4_server_set_flow_key().
608009-1	2-Critical		Crash: Tmm crashing when active system connections are deleted from cli
603825-2	2-Critical		Crash when a Gy update message is received by a debug TMM
593070-2	2-Critical		TMM may crash with multiple IP addresses per session
472860-5	2-Critical		RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
623491-2	3-Major		After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
622220-2	3-Major		Disruption during manipulation of PEM data with suspected flow irregularity
618657-4	3-Major		Bogus ICMP unreachable messages in PEM with ipother profile in use
617014-3	3-Major		tmm core using PEM
608742-2	3-Major		DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
608591-1	3-Major		Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
592070-5	3-Major		DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-3	3-Major		PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-5	3-Major		DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
606066-2	2-Critical		LSN_DELETE messages may be lost after HA failover
605525-1	2-Critical		Deterministic NAT combined with NAT64 may cause a TMM core
587106-1	2-Critical		Inbound connections are reset prematurely when zombie timeout is configured.
602171-1	3-Major		TMM may core when remote LSN operations time out

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
617648	2-Critical		Surfing with IE8 sometimes results with script error
603234-3	2-Critical		Performance Improvements
597471	2-Critical		Some Alerts are sent with outdated username value
617688	3-Major		Encryption is not activated unless "real-time encryption" is selected
613671-2	3-Major		Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation
610897-2	3-Major		FPS generated request failure throw "unspecified error" error in old IE.
609098-1	3-Major		Improve details of ajax failure
604885-1	3-Major		Redirect/Route action doesn't work if there is an alert logging iRule
601083-1	3-Major		FPS Globally Forbidden Words lists freeze in IE 11
588058-3	3-Major		False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
609114-1	4-Minor		Add the ability to control dropping of alerts by before-load-function
605125-2	4-Minor		Sometimes, passwords fields are readonly
592274-3	4-Minor		RAT-Detection alerts sent with incorrect duration details

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
607658-1	3-Major		GUI becomes unresponsive when managing GSLB Pool

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588405-1	3-Major		BADOS - BIG-IP Self-protection during (D)DOS attack
608826-1	4-Minor		Greylist (bad actors list) is not cleaned when attack ends

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
624370-1	2-Critical		tmm crash during classification hitless upgrade if virtual server configuration is modified

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
621401	3-Major		When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
615824-1	3-Major		REST API calls to invalid REST endpoint log level change

Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
613127-3	CVE-2016-5696	K46514822	Linux TCP Stack vulnerability CVE-2016-5696

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
612564	1-Blocking		mysql does not start
618382-4	2-Critical		qkview may cause tmm to restart or may take 30 or more minutes to run
614766-1	3-Major		lsusb uses unknown ioctl and spams kernel logs
612952-1	3-Major		PSU FW revision not displayed correctly
611352	3-Major	K68092141	Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
610307	3-Major		Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
609325	3-Major		Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
606807-1	3-Major		i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
604459-1	3-Major		On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
597309-2	3-Major		Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
561444-1	3-Major		LCD might display incorrect output.
521270-1	3-Major		Hypervisor might replace vCMP guest SYN-Cookie secrets
434573-6	3-Major	K25051022	Tmsh 'show sys hardware' displays Platform ID instead of platform name
609677-1	4-Minor		Dossier warning 14
607857-1	4-Minor		Some information displayed in "list net interface" will be stale for interfaces that change bundle state
607200-1	4-Minor		Switch interfaces may seem up after bcm56xxd goes down
602061	4-Minor		i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
601309	4-Minor		Locator LED no longer persists across reboots
592716-1	4-Minor		BMC timezone value was not being synchronized by BIG-IP

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
597708-4	3-Major		Stats are unavailable and VCMP state and status is incorrect

Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
598294-1	CVE-2016-7472	K17119920	BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
601938-2	CVE-2016-7474	K52180214	MCPD stores certain data incorrectly

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
542097-4	2-Critical		Update to RHEL6 kernel
601927-1	4-Minor	K52180214	Security hardening of control plane

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
602653-1	2-Critical		TMM may crash after updating bot-signatures
599769	2-Critical		TMM may crash when managing APM clients.
605682-2	3-Major		With forward proxy enabled, sometimes the client connection will not complete.
599054-2	3-Major		LTM policies may incorrectly use those of another virtual server

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
585120-1	2-Critical		Memory leak in bd under rare scenario

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
596674-2	2-Critical		High memory usage when using CS features with gzip HTML responses.
575170-2	2-Critical		Analytics reports may not identify virtual servers correctly
590074-1	3-Major		Wrong value for TCP connections closed measure

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
603997	2-Critical		Plugin should not inject nonce to CSP header with unsafe-inline
594910-1	3-Major		FPS flags no cookie when length check fails
590608-1	3-Major		Alert is not redirected to alert server when unseal fails
590578-4	3-Major		False positive "URL error" alerts on URLs with GET parameters
593355	4-Minor		FPS may erroneously flag missing cookie
589318-1	4-Minor		Clicking 'Customize All' checkbox does not work.

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
603605-1	2-Critical		Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
608373-2	3-Major		Some iApp LX packages will not be saved during upgrade or UCS save/restore

Cumulative fixes from BIG-IP v12.1.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
596488-1	CVE-2016-5118	K82747025	GraphicsMagick vulnerability CVE-2016-5118.
579955-6	CVE-2016-7475	K01587042	BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
587077-1	CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118	K37603172	Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
579220-1	CVE-2016-1950	K91100352	Mozilla NSS vulnerability CVE-2016-1950
570697-1	CVE-2015-8138	K71245322	NTP vulnerability CVE-2015-8138
580340-1	CVE-2016-2842	K52349521	OpenSSL vulnerability CVE-2016-2842
580313-1	CVE-2016-0799	K22334603	OpenSSL vulnerability CVE-2016-0799
579829-7	CVE-2016-0702	K79215841	OpenSSL vulnerability CVE-2016-0702
579085-6	CVE-2016-0797	K40524634	OpenSSL vulnerability CVE-2016-0797
578570-1	CVE-2016-0705	K93122894	OpenSSL Vulnerability CVE-2016-0705
569355-1	CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494	K50118123	Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
565895-1	CVE-2015-3217	K17235	Multiple PCRE Vulnerabilities
570667-2	CVE-2016-0701 CVE-2015-3197	K64009378	OpenSSL vulnerabilities

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
600811-2	3-Major		CATEGORY::lookup command change in behaviour★

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
606509-4	2-Critical		Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★
595605	2-Critical		Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★
591119	2-Critical		OOM with session messaging may result in TMM crash
601076	3-Major		Fix watchdog event for accelerated compression request overflow
597303	3-Major		"tmsh create net trunk" may fail
595693	3-Major		Incorrect PVA indication on B4450 blade
591261	3-Major		BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
590904-1	3-Major		New HA Pair created using serial cable failover only will remain Active/Active
589661	3-Major		PS2 power supply status incorrect after removal
588327	3-Major		Observe "err bcm56xxd' liked log from /var/log/ltm
587735	3-Major		False alarm on LCD indicating bad fan
587668	3-Major		LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
585332	3-Major		Virtual Edition network settings aren't pinned correctly on startup★
584670	3-Major		Output of tmsh show sys crypto master-key
584661	3-Major		Last good master key
584655	3-Major		platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
583177	3-Major		LCD text truncated by heartbeat icon on VIPRION
581945-2	3-Major		Device-group "datasync-global-dg" becomes out-of-sync every hour
581811	3-Major		The blade alarm LED may not reflect the warning that non F5 optics is used.
579529	3-Major		Stats file descriptors kept open in spawned child processes
578064	3-Major		tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade
578036-1	3-Major		incorrect crontab can cause large number of email alerts
573584	3-Major		CPLD update success logs at the same error level as an update failure
563592	3-Major		Content diagnostics and LCD
559655	3-Major		Post RMA, system does not display correct platform name regardless of license
555039-4	3-Major	K24458124	VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
539360	3-Major		Firmware update that includes might take over 15 minutes. Do not turn off device.
526708	3-Major		system_check shows fan=good on removed PSU of 4000 platform
433357	3-Major		Management NIC speed reported as 'none'
400778	3-Major		Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
400550	3-Major		LCD listener error during shutdown
587780	4-Minor		warning: HSBe2 XLMAC initial recovery failed after 11 retries.
478986	4-Minor		Powered down DC PSU is treated as not-present
418009	5-Cosmetic		Hardware data display inaccuracies

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
603700	2-Critical		tmm core on multiple SSL::disable calls
598052-1	2-Critical		SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
591139	2-Critical		TMM QAT segfault after zlib/QAT compression conflation.
585654	2-Critical		Enhanced implementation of AES in Common Criteria mode
579953	2-Critical		Updated the list of Common Criteria ciphersuites
584926-1	3-Major		Accelerated compression segfault when devices are all in error state.
566342	3-Major		Cannot set 10T-FD or 10T-HD on management port

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
599803	1-Blocking		TMM accelerated compression incorrectly destroying in-flight contexts.
588879-2	2-Critical		apmd crash under rare conditions with LDAP in BIGIP 12.0 and beyond

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
588049-1	2-Critical		Improve detection of browser capabilities
585352-2	2-Critical		bruteForce record selfLink gets corrupted by change to brute force settings in GUI
585054-1	2-Critical		BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
583686-2	3-Major		High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
581991-1	3-Major		Logging filter for remote loggers doesn't work correctly with more than one logging profile
521370-1	3-Major		Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-4	3-Major		ASM policy creation fails with after upgrading

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
587419-1	3-Major		TMM may restart when SAML SLO is performed after APM session is closed
585442-2	3-Major		Provisioning APM to "none" creates a core file

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
596809-1	3-Major		It is possible to create ssh rules with blank space for auth-info
593925-1	3-Major		ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
593696-1	3-Major		Sync fails when deleting an ssh profile

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
584921-1	2-Critical		Inbound connections fail to keep port block alive

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
581824-2	3-Major		"Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
600662-9	CVE-2016-5745	K64743453	NAT64 vulnerability CVE-2016-5745
599168-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-1	CVE-2013-0169 CVE-2016-6907	K14190 K39508724	TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
604211-1	2-Critical	K72931250	License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★
600859-2	2-Critical		Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★
599033-5	2-Critical		Traffic directed to incorrect instance after network partition is resolved
595394-3	2-Critical		Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★
606110-2	3-Major		BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-4	3-Major		HA Failover fails in certain valid AWS configurations
596603-2	3-Major		AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
600357-2	3-Major		bd crash when asm policy is removed from virtual during specific configuration change

Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
569467-5	CVE-2016-2084	K11772107	BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
591806-8	CVE-2016-3714	K03151140	ImageMagick vulnerability CVE-2016-3714
591918-2	CVE-2016-3718	K61974123	ImageMagick vulnerability CVE-2016-3718
591908-2	CVE-2016-3717	K29154575	ImageMagick vulnerability CVE-2016-3717
591894-2	CVE-2016-3715	K10550253	ImageMagick vulnerability CVE-2016-3715
591881-1	CVE-2016-3716	K25102203	ImageMagick vulnerability CVE-2016-3716

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
583631-2	1-Blocking		ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
590993	3-Major		Unable to load configs from /usr/libexec/aws/.
576478	3-Major		Enable support for the Purpose-Built DDoS Hybrid Defender Platform
544477	3-Major		New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
591039	2-Critical		DHCP lease is saved on the Custom AMI used for auto-scaling VE
590779	2-Critical		Rest API - log profile in json return does not include the partition but needs to
588140	2-Critical		Pool licensing fails in some KVM/OpenStack environments
587791-1	2-Critical		Set execute permission on /var/lib/waagent
565137	2-Critical	K12372003	Pool licensing fails in some KVM/OpenStack environments.
554713-2	2-Critical		Deployment failed: Failed submitting iControl REST transaction
592363	3-Major		Remove debug output during first boot of VE
592354	3-Major		Raw sockets are not enabled on Cloud platforms

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
592699-3	2-Critical		IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
594302-1	3-Major		Connection hangs when processing large compressed responses from server
592854-1	3-Major		Protocol version set incorrectly on serverssl renegotiation
592682-1	3-Major		TCP: connections may stall or be dropped
531979-6	3-Major		SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
582629-1	2-Critical		User Sessions lookups are not cleared, session stats show marked as invalid

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
590601-2	3-Major		BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
590428-1	3-Major		The "ACCESS::session create" iRule command does not work
590345-1	3-Major		ACCESS policy running iRule event agent intermittently hangs
585905-1	3-Major		Citrix Storefront integration mode with pass-through authentication fails
581834-5	3-Major		Firefox signed plugin for VPN, Endpoint Check, etc

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588399-1	3-Major		BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
582374-1	3-Major		Multiple 'Loading state for virtual server' messages in admd.log
569121-1	3-Major		Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
547053-1	4-Minor		Bad actor quarantining

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
590795-1	2-Critical		tmm crash when loading default signatures or updating classification signature★

Cumulative fix details for BIG-IP v12.1.3.1 that are included in this release

697878 : High crypto request completion time under some workload patterns

Component: TMOS

Symptoms:
The tmctl tmm/crypto table shows heavily loaded bulk crypto queues backed up into associated waiting queue. The crypto requests continue to complete, but are significantly delayed.

Conditions:
High crypto usage often in conjunction with high compression usage.

Impact:
Crypto requests can be delayed as long as 1.5 seconds.

Workaround:
Disable hardware crypto by setting the "crypto.hwacceleration" DB key to "disable":
tmsh modify sys db crypto.hwacceleration value disable

Fix:
Improve accelerated crypto poll-timing calculation.

696468 : Active compression requests can become starved from too many queued requests.

Component: TMOS

Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal or higher than 512, and the cur_active remains at zero.

CPU utilization per tmm in this condition may be quite high.

Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.

Impact:
Compression on a per-tmm basis can stop servicing new requests.

Workaround:
Switch to software compression.

Fix:
Soften the restriction so that accumulated contexts with no traffic cannot not prevent busy contexts from getting compression time.

693211-3 : CVE-2017-6168

Solution Article: K21905460

684879-2 : Malformed TLS1.2 records may result in TMM segmentation fault.

Solution Article: K02714910

682837 : Compression watchdog period too brief.

Component: TMOS

Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.

Conditions:
Very high sustained system-wide compression request traffic.

Impact:
Accelerated compression throughput can drop significantly; some flows dropped.

Workaround:
Switch to software compression.

Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.

681710-4 : Malformed HTTP/2 requests may cause TMM to crash

Component: Local Traffic Manager

Symptoms:
Malformed HTTP/2 requests can cause TMM to crash

Conditions:
Specially crafted request is sent through an HTTP/2 configured virtual server.

Impact:
TMM crash leading to a failover event

Workaround:
N/A

Fix:
HTTP/2 configured virtual server properly handles requests

679959-1 : Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000

Component: TMOS

Symptoms:
Unable to the ping self IP of VCMP guests configured on i5000, i7000, or i10000.

Conditions:
Running TMOS v12.1.3 and VCMP guests configured on i5000, i7000 or i10000.

Impact:
Unable to process client traffic.

Workaround:
No workaround at this time.

Fix:
This issue is fixed.

679440-2 : MCPD Cores with SIGABRT

Solution Article: K14120433

Component: Advanced Firewall Manager

Symptoms:
MCPD cores with SIGABRT.

Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.

Impact:
MCPD core.

Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable

Fix:
MCPD no longer cores with SIGABRT if the auto-blacklisting feature is enabled.

679235-5 : Inspection Host NPAPI Plugin for Safari can not be installed

Component: Access Policy Manager

Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.

Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.

Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.

Workaround:
There is no workaround at this time.

Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.

678976-2 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.

Solution Article: K24756214

Component: Access Policy Manager

Symptoms:
VDI debug logs print user credentials to /var/log/apm.

Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.

Impact:
User credentials are written to /var/log/apm.

Workaround:
Set VDI debug level to Notice.

Fix:
The system no longer prints user credentials to VDI debug logs.

677119 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE

Component: Local Traffic Manager

Symptoms:
When HTTP2 connection's parameters are negotiated, either side may report about its limits in SETTINGS type frame where one of the parameters SETTINGS_MAX_HEADER_LIST_SIZE determines a maximum size of headers list it is willing to accept. BIG-IP incorrectly interchanged this parameter with another one called SETTINGS_HEADER_TABLE_SIZE, limiting value of the former one to 32,768.

Conditions:
HTTP2 is configured and an opposite endpoint (user agent using HTTP2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.

Impact:
BIG-IP doesn't accept the value and terminates the connection using GOAWAY frame with PROTOCOL_ERROR as a reason.

Fix:
BIG-IP no longer generates an error due to this issue and allows value for SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.

677058-3 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Component: Access Policy Manager

Symptoms:
Logon page agent with more than one password variable or Citrix logon prompt will log plain text password when debug logging is turned on for access policy.

Conditions:
This occurs when following conditions are met:

- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.

Impact:
APM logs plain text password when debug logging is turned on for access policy.

Workaround:
None.

Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.

676808-2 : FPS: tmm may crash on response with large payload from server

Component: Fraud Protection Services

Symptoms:
A request to a unprotected FPS URL may cause tmm crash if response payload is large and the URL was configured via live update.

Conditions:
1. Page is not protected.
2. Large response payload (e.g.,50 KB).
3. FPS registered for response event (this will happen if a global URL (configured via live update) was matched).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
FPS will check for fast response situation and will act accordingly.

675928-2 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding

Component: Policy Enforcement Manager

Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently, if the requests from those flows are outstanding

Conditions:
If the http request from the subscriber is outstanding when the new flow is triggered

Impact:
PEM insert content pem_acton will be enabled on multiple flows till the first response is received

Fix:
Throttle insert content action on new flows only to periodic interval if the transaction is outstanding.

675921 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running

Component: TMOS

Symptoms:
Creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond get an error, however they do become deployed with Status or 'running'.

Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.

Impact:
5th guest and beyond result in an error.

Workaround:
None.

Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.

674931 : FPS modified responses/injections might result in a corrupted response

Component: Fraud Protection Services

Symptoms:
in case a connection was congested and FPS tries to send additional egress (modifying the response, e.g. injections) the order of the response sending might break if this send is successful (i.e congestion just ended). instead of sending the buffered data first (response part that was buffered due to congestion), FPS tries to send the new data first and only than will send the buffered data.

Conditions:
- congested connection
- FPS sends modified response (e.g. injections)
- sending egress succeeded (congestion ended)

Impact:
response is corrupted - order of data has erroneously changed

Workaround:
N/A

Fix:
FPS will handle this case correctly, first sending buffered data then sending the new egress.

674909-3 : Application CSS injection might break when connection is congested

Component: Fraud Protection Services

Symptoms:
Large CSS files configured for phishing protection injection in FPS (not fictive websafe CSS files) may be truncated upon response to client.

Conditions:
Inject into Application CSS enabled in Anti-Fraud Profile » Advanced » Phishing Detection

Large CSS file such as bootstrap files configured for Application CSS Locations.

Network congestion engaging TMM flow control.

Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. May break application functionality.

Workaround:
1) Remove affected large files from Application CSS Locations.

or

2) Disable Inject into Application CSS entirely.

Fix:
FPS now handles the case where injecting to application css was interrupted by congestion.

674686-2 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow

Component: Policy Enforcement Manager

Symptoms:
If an outstanding flow with periodic insertion pem_action is very long, it prevents new flow matching the same rule from adding inert content pem_action even for a new periodic interval

Conditions:
If the outstanding flow with insert content pem_action spans multiple periodic interval.

Impact:
No content insertion during the time the long flow is outstanding for new flows matching the same rule as the long flow.

Workaround:
Long flows and short flows need to have separate rule configured

Fix:
New flows will add content insertion, if the new flow request falls in the new periodic interval.

674515 : New revoke license feature for VE only implemented

Component: TMOS

Symptoms:
Prior to this version, the license revoke feature was not implemented/available.

Conditions:
With out revoke implemented, the feature is simply not available.

Impact:
Licenses cannot be revoked and hence re-used.

Fix:
With this feature implemented, VE licenses can be revoked and then re-used on different VE.

673683-2 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if pem and classification profiles are detached and re-attached to the Listener, periodic insertion may fail to insert the content. This happens when more than one subscriber is using the same policy rule and the listener.

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the right session id storage associated with the subscriber

673678-2 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if the request/response for that http transaction get interleaved by another subscriber request. This happens when more than one subscriber is using the same policy rule

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the correct session id storage associated with the subscriber.

673595-2 : Apache CVE-2017-3167

Solution Article: K34125394

673472-2 : After classification rule is updated, first periodic Insert content action fails for existing subscriber

Component: Policy Enforcement Manager

Symptoms:
Immediately after the classification rule associated with a static subscriber is updated and if the action list has Insert content, the first periodic insert content action fails for the subscribers. Subsequent Insert content action will proceed as expected

Conditions:
Update of the classification rule associated with the subscribers.

Impact:
First periodic Insert content action, immediately succeeding after the update of the classification rule will fail.

Workaround:
bigstart restart tmm, after updating the classification rule with insert content action will fix the issue

Fix:
Update the record count associated with the subscriber during eval.

673129 : New feature: revoke license

Component: TMOS

Symptoms:
A different license is required for each Virtual Edition (VE) instance.

Conditions:
Creating new instances of VE.

Impact:
Cannot reuse an existing VE license.

Workaround:
None.

Fix:
For Virtual Edition (VE) BIG-IP systems, licenses can now reused by other VE instances by revoking an active license on one and installing it on another.

Behavior Change:
Revoke license is a new feature so that licenses can be reused for other virtual edition configurations.

To revoke a license using tmsh, run the following command:
tmsh revoke sys license registration-key <reg-key-number>

The system responds with the following confirmation prompt:
Revoking the license will return this BIG-IP to an unlicensed state. It will stop processing traffic. Are you sure? Y/N:

When you type y, the system revokes the license and returns a response similar to the following:
License successfully revoked
[root@bigip11:LICENSE INOPERATIVE:Standalone] config # Jul 17 12:04:28 bigip11 emerg mcpd[5144]: 01070608:0: License is not operational (expired or digital signature does not match contents).

672988-2 : MCP memory leak when performing incremental ConfigSync

Solution Article: K03433341

Component: TMOS

Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen tmctl utility to watch the umem_alloc_80 cache over time.

This leak occurs on the device that is sending the configuration.

Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.

Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.

Workaround:
None.

Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.

672695-1 : Internal perl process listening on all interfaces when ASM enabled

Component: Application Security Manager

Symptoms:
ASM configuration processes are available on unprotected network interfaces.

Conditions:
ASM provisioned

Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance

Workaround:
None

Fix:
ASM-config Event Dispatcher now listens only on protected interfaces

672504-1 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests

Workaround:
None.

Fix:
Dramatically improved algorithm, to remove significant delay in deletions.

672008-1 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds

Solution Article: K22122208

Component: Local Traffic Manager

Symptoms:
Remote syslog logging destinations configured for RFC5424 format might receive malformed timestamp values if the log message is sent when clock rolls over to 1,000,000 microseconds exactly. The resulting log message will have a NUL character appended to the microseconds value in the log's timestamp field.

Example:
Correct timestamp: 2003-08-24T05:14:15.000000-07:00
Malformed timestamp: 2003-08-24T05:14:14.100000\00-07:00

Conditions:
-- syslog destination configured for RFC5424 format.
-- Sending log message when clock rolls over to 1,000,000 microseconds.

Impact:
Some syslog collectors may fail to parse the message, resulting in incorrect log entry or warning.

Workaround:
Change syslog destination format to use RFC3164, which does not include microsecond resolution in timestamp fields.

Fix:
The timestamp field is now formatted correctly for microseconds and seconds values. Seconds now correctly increment when microseconds equal 1,000,000.

671935-2 : Possible ephemeral port reuse.

Solution Article: K64461712

Component: Local Traffic Manager

Symptoms:
When selecting server-side source ports, the BIG-IP system favors ephemeral ports in the upper range.

Conditions:
Source ports, different from the client side, may be reselected. This is always the case when the virtual server's 'source-port change' option is enabled.

Impact:
If server connections are in the TIME_WAIT state and connection recycling is not configured, the server might reset the connection, reusing ports.

Workaround:
Disable the virtual server's 'source-port change' option to use the same source port as the connecting client.

Fix:
Now, even when the virtual server's 'source-port change' option is enabled, the system uses the same source port as the connecting client.

671920-1 : Accessing SNMP over IPv6 on non-default route domains

Component: TMOS

Symptoms:
The SNMP daemon cannot send traps to a non-default route domain destination. However, it can respond to SNMP requests over from a client that is accessed through a non-default route domain path for IPv4. For IPv6 this does not work.

Conditions:
SNMP access over IPv6 on a client accessed through a non-default route domain does not work.

Impact:
Access to SNMP must be through default route domain for IPv6.

Fix:
With this bug fix you can access SNMP from an IPv6 client on a non-default route domain. There is no plan to allow traps to be delivered to destinations on a non-default route domain.

670400-3 : SSH Proxy public key authentication can be circumvented in some cases

Component: Advanced Firewall Manager

Symptoms:
SSH Proxy public key authentication might be circumvented in some cases, allowing a user without the appropriate private key in to the back-end end SSH server.

Conditions:
Public key authentication is being used to authenticate users.

Note: This issue affects only public key authentication, so if additional forms of authentication are being used, the additional security that they provide will not be impacted.

Impact:
Unauthorized access.

Workaround:
A suggested workaround is to configure the back-end SSH server to require 2-factor authentication, or 3-factor authentication. This can be done by adding both publickey+password and publickey+keyboard-interactive as Required Authentications in the configuration file for the back-end SSH server.

See the list below of supported client method orders. Also, keep in mind that the back-end server must support all 3 authentication methods (public-key, password, and keyboard-interactive), as an existing constraint of the current SSH proxy functionality.

One cosmetic item to note is that, when multi-factor authentication is used, regardless of the result of the validity check of the public-key, the SSH proxy will report a 'failed' authentication to the client. However, the returned 'failed' code is merely cosmetic: the actual result of the validity check is what is used to determine whether or not the authentication succeeded.

-------
Supported client method orders:

publickey,keyboard-interactive
publickey,password
publickey,keyboard-interactive,password
publickey,password,keyboard-interactive

Any other combination of authentication methods will fail.

Fix:
Implemented stricter error handling in authentication checking.

670011-2 : SSL forward proxy does not create the server certchain when ignoring server certificates

Component: Local Traffic Manager

Symptoms:
Forward proxy not working correctly when the server certificates are ignored. SSL forward proxy does not create the server certchain when ignoring server certificates, this prevents the client side from trusting the server cert and the SSL handshake hangs and fails after timeout.

Conditions:
-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.

Impact:
Client cannot establish SSL connection with server due to SSL handshake always timing out.

Workaround:
None.

Fix:
The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.

669818-2 : Higher CPU usage for syslog-ng when a syslog server is down

Solution Article: K64537114

Component: TMOS

Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.

Conditions:
A remote log server is added but it is not available.

Impact:
Potentially higher than expected CPU usage.

Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.

669364-1 : TMM core when server responds fast with server responses such as 404.

Component: Fraud Protection Services

Symptoms:
TMM core when server responds fast with server responses such as 404.

Conditions:
-- FPS gets a request with a WebSafe URL (usually global URL - declared by signatures update).
-- Server response is fast (based on URL/headers).
-- FPS need to take some action on response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles these conditions without a tmm crash.

669359 : WebSafe might cause connections to hang

Component: Fraud Protection Services

Symptoms:
In a loaded environment, FPS might free a connection context without cleaning up the state.

Conditions:
This occurs in a loaded environment (xoff events present).

Impact:
A connection might stall until abandoned by client.

Workaround:
None.

Fix:
when freeing a connection context, FPS will clear internal egress state.

669341 : Category Lookup by Subject.CN will result in a reset

Component: Access Policy Manager

Symptoms:
Category Lookup Agent is unable to find the Subject.CN, so it initiates an SSL Handshake failure.

==> /var/log/apm <==
crit tmm[11181]: 01790602:2: [C] 10.20.100.1:11980 -> 10.11.10.101:443: (ERR_NOT_FOUND) Error processing URL Classification query from CatEngine

Conditions:
Category Lookup agent configured to use Subject.CN. May also apply if a Category Lookup agent is configured to use SNI, but the client does not send an SNI, resulting in the agent trying to use the Subject.CN.

Impact:
Cannot use Subject.CN as a data source for category lookup agent.

Workaround:
None.

Fix:
The category lookup agent is now able to find the Subject.CN.

669288-3 : Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.

Solution Article: K76152943

Component: TMOS

Symptoms:
From tmsh, running util unix-ls /var/log fails with the following error:

exception: (Failed to canonicalize "/shared/f5optics/images") (util/RealpathHelper.cpp, line 49), continuing...
Data Input Error: /var/log is not an accessible directory for the current mode.

Conditions:
-- A BIG-IP system configured for Appliance mode.
-- Upgrading from a pre-v12.x to v12.x or later.
-- Using a platform that does not have a /shared/f5optics/images directory.

These include the following BIG-IP blades and appliances:
B4400, i4x00, i10x00, i2x00, i7x00, i5x00

Impact:
There is no shell access to the file system when the BIG-IP system is in Appliance mode. This is the intended purpose of Appliance mode. Therefore, unix-* commands are the only way to list directories, and perform other operations specific to the operating system.

Workaround:
To work around this issue, create the /shared/f5optics/images directory. To do so, do the following:

1. Boot the BIG-IP system into single-user mode.

2. Create the directory /shared/f5optics/images with the following command:
mkdir -m 777 -p /shared/f5optics/images.

3. Reboot the BIG-IP system, and allow it to start up normally.

Fix:
The reported exception does not occur, and unix-* commands commands issued in Appliance mode run as expected.

669025-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Solution Article: K11425420

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs usually is are the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
None.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.

668802-3 : GTM link graphs fail to display in the GUI

Solution Article: K83392557

Component: Local Traffic Manager

Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.

statsd reports an error in /var/log/ltm

err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
-- Trying to view the GTM link graphs in the GUI.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
The GTM graphs are available as expected.

668521-2 : Bigd might stall while waiting for an external monitor process to exit

Component: Local Traffic Manager

Symptoms:
The bigd process restarts due to a hearbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.)

High system load makes this more likely to occur.

Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.

Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.

Fix:
bigd no longer stalls while waiting for an external monitor process to exit.

668352-2 : High Speed Logging unbalance in log distribution for multiple pool destination.

Component: TMOS

Symptoms:
Remote High Speed Logging may send logs in an imbalance when configured to use multiple logging pools.
The imbalance may occur if the logging destination remained idle for a while (no logs sent) after initial configuration.

Conditions:
-- Remote High Speed Logging destination configured with multiple pools.
-- The logging destination idle after initial configuration for more than 5 seconds.

Impact:
-- Log distribution imbalance.

Workaround:
There is no workaround at this time.

Fix:
Logs distributed equally on destination pools.

668252-2 : TMM crash in PEM_DIAMETER component

Solution Article: K22784428

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when the route to PCRF is lost.

Conditions:
-- PEM establishes connection with the diameter endpoint (Gx / Gy).
-- The route to the diameter endpoint is lost (interface down / route deleted).

Impact:
TMM diameter module tries to communicate, does not handle the error, and crashes. Module reboot. Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Ensure that the network interface configuration routing diameter packet is not manually brought down.

No workaround for externally triggered failures.

Fix:
The system now handles connections established with the diameter endpoint when the route to PCRF is lost.

668048-1 : TMM memory leak when manually enabling/disabling pool member used as HSL destination

Solution Article: K02551403

Component: TMOS

Symptoms:
High Speed Logging fails to free an allocated cache memory resulting in memory leak. A small linear increase in mds_btree_nodes memory utilization may occur.

Conditions:
- Remote High Speed Logging configured.
- Server-side connections dropped or closed. OR
- High Speed Logging pool members removed.

Impact:
Increase in mds_btree_nodes memory utilization.

Workaround:
There is no workaround at this time.

Fix:
High Speed Logging frees allocated memory correctly.

667872-1 : Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports

Component: Fraud Protection Services

Symptoms:
'Apply cookies to base domain' feature doesn't work for non standard ports.

Conditions:
'Apply cookies to base domain' is enabled and
connection is over non-standard ports (not 80, 443, etc.).

Impact:
Cookies won't be applied to base domain, thus WebSafe functionality will be broken and missing cookie alerts will be sent.

Workaround:
Use only standard ports.

Fix:
FPS now correctly parses base-domain, including port (if exists).

667318-3 : BIG-IP DNS/GTM link graphs fail to display in the GUI.

Component: Local Traffic Manager

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
BIG-IP DNS/GTM link graphs are now available in the GUI.

667278-3 : DSC connections between BIG-IP units may fail to establish

Component: TMOS

Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:

-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).

While the unit at the other end of the connection will log messages similar to the following example:

-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed

Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).

Impact:
Config-Sync and device discovery operations will fail between affected units.

Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).

Fix:
Config-Sync and device discovery operations no longer fail.

667138-1 : LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★

Component: TMOS

Symptoms:
After upgrade from 10.2.4 to 12.1.2, full config load fails.

Conditions:
The pre-upgrade version must be 10.2.4 and the pre-upgrade config must have user-defined partitions.

Impact:
After upgrade, if changes are made to the running config (in memory; not on disk), then the config files on disk from upgrade cannot be restored.

Workaround:
10.2.4 config on upgrade is stored at /config/bigpipe/. So, a workaround is to load defaults, then merge the original config using bigpipe.

/usr/libexec/bigpipe merge /config/bigpipe/*.conf

Fix:
Full load after upgrade from 10.2.4 now succeeds.

667028-1 : DNS Express does not run on i11000 platforms with htsplit disabled.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm processes enter a restart loop when trying to run DNS Express (DNSX) on i11000 platforms with htsplit disabled.

Conditions:
-- i11000 platform.
-- htsplit disabled (sys db scheduler.splitplanes.ltm set to false).
-- Trying to run DNSX.

Impact:
tmm processes enter a restart loop. In this condition, DNSX does not run, though other DNS functions are unaffected.

Workaround:
Enable htsplit using the following command:

modify sys db scheduler.splitplanes.ltm value true

Fix:
tmm no longer cores under these conditions. However, you cannot use DNSX with htsplit disabled; htsplit must be enabled.

Note: DNSX works as expected with htsplit enabled, both before and after the fix.

666790-2 : Use HSB HiGig MAC reset to recover both FCS errors and link instability

Component: TMOS

Symptoms:
In addition to HiGig Link instability, FCS errors can be seen on internal switch and HSB Higig link. This is likely some PHY-related issues and can cause instability in communication links.

One symptom associated with this might be that a blade cannot become active and join the cluster.

Conditions:
FCS errors reported in tmm/hsbe2_internal_lbb_hgm. Traffic failure observed on some VIPs or self IPs.

Impact:
Link unstable, frame loss.
TMOS MPI and CDP packet loss and internal blade communication issues.

HSB lockup and accumulated FCS errors observed from stats and log.

Workaround:
A switch port reset might be used to recover this failure. Note, however: that procedure might cause potential HSB lockups.

Fix:
FCS errors and link instability no longer occur.

666454-2 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update

Solution Article: K05520115

Component: Access Policy Manager

Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.

Edge client's svpn.log shows an error entry similar to
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.

Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in full tunneling configuration
3) Mac OS X version is v10.12.5.

Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.

Impact:
VPN connection will fail.

Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.

666032-3 : Secure renegotiation is set while data is not available.

Component: Local Traffic Manager

Symptoms:
Secure renegotiation is set while data is not available, which causes a crash in certain connections.

Conditions:
This occurs when handling SSL secure renegotiation in certain connections.

Impact:
Crashes happen to certain SSL connections.

Workaround:
None.

Fix:
Secure renegotiation is set while data is not available no longer causes a crash in certain connections.

665905 : Signature System corruption from specific ASU prevents ASU load after upgrade

Solution Article: K83305000

Component: Application Security Manager

Symptoms:
After loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im" on 11.5.4 HF2 (or later) and upgrading to certain software versions, attempts to perform Signature Update fail.

Conditions:
-- Loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im".
-- Using v11.5.4 HF2 (or later).
-- Upgrading the device to 11.6.1, 12.1.0, 12.1.1, or 12.1.2.

Impact:
Attempts to perform Signature Update fail.

Workaround:
The mistaken Signature System can be deleted using the following SQL:

----------------------------------------------------------------------
UPDATE PLC.NEGSIG_SIGNATURE_SYSTEMS set system_id = 14 where system_id = (select system_id FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache');
DELETE FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache';
----------------------------------------------------------------------

Fix:
Database corruption introduced by loading Attack Signature Update 'ASM-SignatureFile_20170403_145743.im' is now corrected upon upgrade.

665778-1 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

Solution Article: K34503519

Component: iApp Technology

Symptoms:
Non-admin BIG-IP users cannot view deployed iApps, so they cannot redeploy the iApp. The system presents an error and does not allow access to the component view or the reconfiguration view. The error shown is 'An error has occurred while trying to process your request.'

Conditions:
-- Login to the BIG-IP system as a non-admin.
-- Try to view components or reconfigure iApps.

Impact:
Cannot view/re-deploy iApps.

Workaround:
Use TMSH to view/re-deploy iApps.

There are two TMUI workarounds to view/re-deploy iApps. Once you employ one of the workarounds, a Manager user can reconfigure the iApp successfully.

Note: After successful submission, the system posts the error described, and the Manager still cannot access the Component list or iApps editing screens.

-- Click on 'app_name' link anywhere in the system where iApp-related objects are listed. For example, if the iApp created a virtual server, click the Application column link on the 'Local Traffic :: Virtual Servers : Virtual Server List' page.

-- Have an Admin user provide the direct link to app. To do so, perform the following procedure:
1. Login as Admin to the BIG-IP system.
2. Navigate to iApps :: Application Services : Applications :: <app_name>.
3. Get the direct link to the app reconfigure page by hovering over the Settings icon and then clicking 'Direct link to this page'. Note: This link will work as long as 'app_name' and template name have not been modified. The URL appears similar to the following:
https://10.10.10.10/tmui/Control/jspmap/tmui/application/reenter.jsp?mode=app&name=/ptn1/abcd.app/abcd&template_name=/Common/f5.microsoft_exchange_2010_2013_cas.v1.6.1
4. Logout as Admin and login as Manager.
5. Paste the app direct link in the browser's address bar and press Enter.

Fix:
Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

665656-1 : BWC with iSession may memory leak

Component: TMOS

Symptoms:
A memory leak may occur when BWC is configured with iSession.

Conditions:
-- BWC is configured with iSession.
-- The BWC policy is removed or reset.

Impact:
A memory leak.

Workaround:
None.

Fix:
The memory leak is prevented when BWC and iSession are configured together and a BWC policy is removed or reset.

665354-2 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.

If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.

Important: A device Return Materials Authorization (RMA) will not prevent this issue.

Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.

664930-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

664829-1 : BIG-IP sometimes performs unnecessary reboot on first boot

Component: TMOS

Symptoms:
Some versions of the BIG-IP Virtual Edition (VE) software incorrectly determine that the size of its disk has changed, and re-sizes the partition table and causes a reboot to occur. This is likely to occur only on VE guests.

Conditions:
-- First boot of VE.
-- Software version that exhibits this issue.

Note: A specific software version for a specific cloud environment either always exhibit this, or never does.

Impact:
Additional, unnecessary minor filesystem size adjustment and additional time for a reboot to occur.

Workaround:
None.

Fix:
An additional, unnecessary reboot of a BIG-IP Virtual Edition during its first boot-up should no longer occur.

664535-1 : Diameter failure: load balancing fails when all pool members use same IP Address

Component: Service Provider

Symptoms:
Case1: Run 2 Servers with same IP but different ports. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server. Same result when use-local-connection is disabled.

Case2: Run 2 Servers with same IP but different ports but this time use MR::message route iRule command to route messages between hosts. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server.

Conditions:
Load balancing scenario with single client and two pool members. The servers use same IP, different ports.

Impact:
All the requests from the same client are delivered to 1 server only.

Workaround:
Use different IP address in the pool member. Or use different IP address as the client request.

Fix:
Load balancing scenario with single client and two pool members now completes successfully even when all pool members use same IP Address.

664063-1 : Azure displays failure for deployment of BIG-IP from a Resource Manager template

Component: TMOS

Symptoms:
When deploying BIG-IP images through Azure Resource Manager or Marketplace Solution templates, the Azure portal will never display success. A timeout will eventually occur and the deployment will appear to have failed.

Conditions:
Deployment from an Azure Resource Manager or Solution template, including the BIG-IP WAF Solution from the Azure Security Center.

Impact:
A successful deployment will appear to have failed when monitoring the status in the Azure portal.

Workaround:
None.

Fix:
Deployments of BIG-IP from Azure Resource Manager or Marketplace Solution templates, or the BIG-IP WAF Solution from the Azure Security Center, now show the correct deployment status.

663580-1 : logrotate does not automatically run when /var/log reaches 90% usage

Component: TMOS

Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.

Conditions:
/var/log has less than 10% free space.

Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.

Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a desription for expected behavior.

Fix:
The alertd daemon now correctly recognizes the log message from diskmonitor to initiate logrotate.

663521-2 : Intermittent dropping of multicast packets on certain BIG-IP platforms

Component: TMOS

Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.

Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.

Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.

Impact:
Dropped multicast packets, possibly impacting multicast protocols.

Workaround:
None.

Behavior Change:
Under certain high traffic conditions, multicast and broadcast packets will no longer be dropped.

663506-7 : apmd crash during ldap cache initialization

Solution Article: K30533350

Component: Access Policy Manager

Symptoms:
apmd crashes.

Conditions:
- LDAP module is in use in an access policy,
- APM end-users are logging in, while administrator modifies AAA LDAP Server or LDAP Agent,
- Cache update takes a while (too many groups in domain and/or slow network).

Impact:
BIG-IP cannot process user logon request, until apmd is restarted and LDAP cache is updated

Workaround:
The best practice is to update policy/AAA LDAP Server when BIG-IP is not under load. Then make one logon manually. apmd updates caches on first APM end-user's logon. Once caches update, all the further logons should happen much faster and should not cause any problems

Fix:
APMD now handles the generation of LDAP Query / AD Query nested group cache correctly during high authentication load.

663366-3 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.

Component: TMOS

Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.

Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.

Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the driver shutdown code to prevent SEGV during TMM panic.

663326-2 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys

Component: Local Traffic Manager

Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.

Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.

Impact:
Even the key has been stored in HSM, the BIG-IP is still unable to use it because of its lacking stub key to be configured on the BIG-IP system.

Workaround:
This can be worked around by directly using the Thales command, for example:

[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha1] >

Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.

663073-1 : GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Component: Global Traffic Manager (DNS)

Symptoms:
GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Conditions:
When adding a pool member via the combo box, if you click the arrow to expand the dropdown list and select a member by clicking on it, that member name is added to the text box.

If you then mouse over other members in the dropdown list, and then click the Add button, the system adds the selected member to the list, but also removes the wrong member from the combo box: more specifically, it removes the member that was last highlighted by the mouse over.

Impact:
Available pool members might be potentially lost from the combo box until a page reload.

Note: The pool members are not gone from the system; they are still present, just not displayed.

Workaround:
Either use TMSH or place the mouse cursor away from the combo box, and use the text box to narrow down the content in the dropdown list. Then use the arrow keys and the Enter key to select the desired pool member.

Fix:
Changed the behavior of the combo box when a member is selected by clicking on it in the dropdown list. Adding a selected pool member as described above will cause the combo box to correctly remove that pool member from the combo box.

663063-2 : Disabling pool member used in busy HSL TCP destination can result service disruption.

Component: TMOS

Symptoms:
Manually disabling an otherwise available pool member from a pool used as HSL TCP destination can result in tmm crash and service disruption.

This is more likely to occur when HSL destination is using 'balanced' distribution.

Conditions:
-- Busy HSL destination configured with TCP protocol, balanced distribution, and using pool.
-- Manually disabling a pool member.

Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.

Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.

Fix:
TMM crash no longer occurs when HSL TCP pool member with pending connection is manually disabled.

662881-2 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Solution Article: K10443875

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.

662639-2 : Policy Sync fails when policy object include FIPS key

Component: Access Policy Manager

Symptoms:
Policy sync failed with a vague error:

err mcpd[5597]: 01071600:3: APM PSync: Atom attribute (fips_exported_key) data type (blob) in class (certificate_key_file_object) object name (/Common/fips1.key) blob value is not empty - no handler for blob Object dump: **certificate_key_file_object:/Common/fips1.key ...

Conditions:
-- Sync-only device group configuration.
-- FIPS cards in use.
-- On one device:
   + Create FIPS key and certificate:
     1. Go to System::Certificate Management::Traffic Certificate Management::SSL Certificate List::Create.
     2. For 'Security Type' field of 'Key Properties' section, select 'FIPS'.
   + Create a rewrite profile:
     1. Go to Access Policy :: Portal Access :: Rewrite :: Create New Profile.
     2. Under 'JavaPatcher Settings' select 'Signer' and 'Signer Key' to the one created above (e.g., 'fips1.crt' and 'fips1.key', respectively).
   + Create an access profile.
   + Create a virtual server and attach the access profile and rewrite profile to it.
     (Note: You must also include other dependent settings, such as a connectivity profile.)
3. Start a policy sync from the device.

Impact:
Feature failure for specific configurations.

Workaround:
None.

Fix:
Now APM policy sync succeeds even when policy includes FIPS key.

662364-2 : MRF DIAMETER: IP ToS not passing through with DIAMETER

Component: Service Provider

Symptoms:
IP layer's ToS is not passing through MRF Diameter.

Conditions:
-- The IP ToS bit is received in the clientside connection.
-- ip-tos-to-client is set as pass-through.

Impact:
The ToS from the client does not reach the server.

Workaround:
Use an iRule to preserve the ToS from the client and set it to serverside's connection.

Fix:
The ToS bit that arrives from the clientside connection is able to pass-through with Diameter MRF.

662331-1 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Solution Article: K24331010

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.

Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.

Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.

662085-1 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages

Component: Local Traffic Manager

Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.

Conditions:
Installing large Node.js packages using the TMUI.

Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.

Workaround:
None.

Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.

Fix:
All contents from the workspace filesystem are now shown and are editable from the TMUI.

662022-5 : The URI normalization functionality within the TMM may mishandle some malformed URIs.

Solution Article: K34514540

661764-2 : It is possible to configure a number of CPUs that exceeds the licensed throughput

Solution Article: K53762147

Component: TMOS

Symptoms:
The system does not prevent you from selecting a number of CPUs that exceeds the license's throughput limit.

Conditions:
Configure a number of CPUs that exceeds the licensed throughput, for example, configuring 4 CPUs on a 2Mbps license on a VE system.

Impact:
Depending on the operations performed, it is possible for tmm to core.

Workaround:
None, other than configuring only the available number of CPUs.

Fix:
The system now detects when a configuration invalid for the license is in use and fails gracefully, presenting an error message explaining the failure.

660532-2 : Cannot specify the event parameter for redirects on the policy rule screen.

Solution Article: K21050223

Component: TMOS

Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.

System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.

Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.

Impact:
Cannot specify the event parameter.

Workaround:
None.

Fix:
This release has an option for choosing event for redirect action.

660170-1 : tmm may crash at ~75% of VLAN failsafe timeout expiration

Solution Article: K28505910

Component: Local Traffic Manager

Symptoms:
When VLAN failsafe is configured, and the VLAN failsafe timeout is 3/4 expired, tmm wants to generate ICMP traffic to evoke a network response. When this occurs, the system might experience a crash.

Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/ndp traffic for 3/4 of the timeout, 67.5 seconds.
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.

Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).

Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)

Workaround:
1. To allow for VLAN failsafe to be updated for any frame, run the following command with VLAN failsafe enabled, run the following command:
tmsh modify failover.vlanfailsafe.resettimeronanyframe enable

This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.

2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.

Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.

Fix:
Generating ICMP traffic from TMM is no longer exposed to a potential crash in an invalid configuration or a completely quiet network, when generating ICMP traffic to provoke a network response on an expiring timer of VLAN failsafe, assuming the following configuration:

- VLAN failsafe is configured.
- VLAN failsafe expired 3/4 of the configured timeout (e.g., 67.5 seconds of 90 seconds ).

659969-1 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.

659912-1 : GSLB Pool Member Manage page display issues and error message

Component: Global Traffic Manager (DNS)

Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.

Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.

Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.

Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.

Impact:
Degraded usability.

Workaround:
Use TMSH to add a static-target and to edit pool members.

Fix:
Fixed issue with the edit button and issue that prevented adding as a static-target a GSLB pool member that was not part of the GTM config. Now, if static target is enabled, you can type the name of the target without the target being configured on the system.

659899-1 : Rare, intermittent system instability observed in dynamic load-balancing modes

Solution Article: K10589537

Component: Local Traffic Manager

Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.

Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.

Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.

659791-2 : TFO and TLP could produce a core file under specific circumstances

Solution Article: K81137982

659567-1 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions

Component: Policy Enforcement Manager

Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.

Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.

Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.

Workaround:
None.

Fix:
iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions. The commands now consider route domains.

659371-2 : apmd crashes executing iRule policy evaluate

Component: Access Policy Manager

Symptoms:
Following a restart, if apmd executes an iRule policy evaluate before its reinitialization is complete, apmd can crash.

Conditions:
If apmd restarts due to a crash or explicit restart command but tmm remains active, then iRule policy evaluate commands can reach apmd before it completes initialization and it will crash.

Impact:
apmd crashes and restarts, preventing end users from logging in.

Workaround:
NOne.

Fix:
Now APMD has a more robust initialization process to ensure that it does not execute access policies from iRule commands before it is ready.

659057-1 : BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD

Component: TMOS

Symptoms:
The LCD on BIG-IP iSeries appliances must detect whether the system is in IPv4 or IPv6 context before retrieving the gateway from the Host via REST. If two gateways are configured (IPv4 and IPv6) only whichever is first in the list is returned via REST and will be set on the Host.

Conditions:
If two gateways are configured (IPv4 and IPv6).

Impact:
Incorrect gateway retrieval can create bad configs which would impact traffic resulting in failed ping attempts, destination unreachable errors, request timeouts, etc.

Workaround:
No workaround at this time.

Fix:
LCD code now retrieves the correct gateway when switching between IPV4 and IPV6 context.

658852-5 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from APM client on Microsoft Windows. Having empty User-Agent headers is not in RFC compliance and forces some firewall to block the connection. This might result in failure to establish a VPN tunnel.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.

Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.

658636-2 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.

Solution Article: K51355172

Component: TMOS

Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct,

Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:

create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon

The system creates the following monitor:

gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"

Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.

Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.

658574-2 : An accelerated flow transmits packets to a stale (incorrect) destination MAC address.

Solution Article: K61847644

Component: TMOS

Symptoms:
An accelerated flow can send to a stale destination MAC address after the ARP packet with the updated MAC address is received.

Warning: disabling auto-lasthop is not enough when they want BIG-IP to use updated destination MAC address.

Conditions:
A flow is accelerated with a destination MAC address that changes while the flow is accelerated.

Impact:
The BIG-IP system sends packets to a stale (incorrect) destination MAC address. In this case, the new MAC address is not updated for the accelerated flow and the flow will continue to send traffic using the original MAC address.

Workaround:
Disable HW acceleration. Prevent the downstream destination MAC address from changing. For example, if the downstream unit is a BIG-IP active/standby configuration, then use MAC masquerading to prevent the MAC address from changing.

658321-2 : Websafe features might break in IE8

Component: Fraud Protection Services

Symptoms:
IE8 transform all custom HTTP headers names to lowercase
in case header name configured with upper-case characters, WebSafe feature might break.

Conditions:
custom HTTP header configured with upper case characters
client is IE8.

Impact:
FPS plugin will not find the header, as it received lower-case but configured with upper-case characters
as a result, WebSafe functionality is broken (functionality which involve the custom HTTP header, e.g. ajax username header)

Workaround:
Set custom HTTP header name to lower case only.

Fix:
FPS now performs case-insensitive matches for custom HTTP headers.

658261-2 : TMM core after HA during GY reporting

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of GY reporting

Conditions:
-- Failover is triggered,
-- The daglib hash redistributes the subscriber DATA to different slots.
-- Existing flows continue on the slots that were allocated using the old hash of daglib.

Note: This is a rarely encountered issue that occurred in a setup with 8 slots and 750 thousand subscribers.

Impact:
Slot reboots. May trigger more hash rearrangement. Traffic disrupted while tmm restarts.

Workaround:
None.

658214-2 : TCP connection fail intermittently for mirrored fastl4 virtual server

Solution Article: K20228504

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror dv variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.

Fix:
In this release, mirrored FastL4 virtual server now forward the SYN on the server-side after receiving the context-ack from the peer as expected.

658148-2 : TMM core after intra-chassis failover for some instances of subscriber creation

Solution Article: K23150504

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The HA configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If intra-chassis failover is triggered in a loaded chassis, the tmm no longer crashes in some cases of subscriber creation.

657713-5 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.

Solution Article: K05052273

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:

notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- The gateway pool is configured with Action On Service Down = Reject.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- A connection is rejected by the gateway pool.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
Set service-down-action to none or reselect.

Fix:
Gateway pool action no longer triggers TMM to produce a core file and restart.

657632-4 : Rarely if a subscriber delete is performed following HA switchover, tmm may crash

Component: Policy Enforcement Manager

Symptoms:
If a subscriber delete is performed following a HA switchover, tmm may coredump. The probability of this scenario is rare, where a subscriber may have been freed during switchover and a subsequent forced delete command quickly follows.

Conditions:
-- A subscriber delete command followed by a HA switchover.
-- During the switchover, the subscriber was freed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now removes the subscriber index from the table if present in these cases.

657502-2 : JS error when leaving page opened for several minutes

Component: Fraud Protection Services

Symptoms:
Google Chrome delays JS execution when the tab is not active.
Therefore anti-debug module acts as if someone is trying to debug JS code.

Conditions:
-- JS runs in hidden tab in Google Chrome.
-- Anti-debug functionality is active.
-- Page is left open for several minutes.

Impact:
Errors in console and JS logic is incorrectly executed.

Workaround:
Identify hidden tab and pause anti-debug functionality.

Fix:
The system now correctly handles JS code running in a hidden tab and pauses anti-debug check.

656912-4 : Various NTP vulnerabilities

Solution Article: K32262483

656900-1 : Blade family migration may fail

Component: TMOS

Symptoms:
Migrating the configuration from a B2100 blade to a newer variant, as documented in the "Migrating the Configuration on B2000 Series Blades" page in the "VIPRION Systems: Blade Migration" manual, may show output indicating a failure.

Conditions:
All such blade upgrades.

Impact:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

Workaround:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

655807-5 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Solution Article: K40341291

Component: Global Traffic Manager (DNS)

Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.

Fix:
Corrected a calculation error for QoS score involving packet rate.

655793-1 : SSL persistence parsing issues due to SSL / TCP boundary mismatch

Solution Article: K04178391

Component: Local Traffic Manager

Symptoms:
When the SSL client or server system is set up to send SSL messages whose boundaries do not align with underlying TCP boundaries, the parser fails when SSL persistence is enabled.

So, any SSL record spanning over multiple TCP segments (in this case it's ServerHello, Certificate, and ServerHelloDone) triggers the issue with the SSID error RST cause.

This can also result from a message size exceeding the maximum configured size (default is 32K).

Conditions:
[1] SSL persistence is enabled.
[2a] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32k).

Impact:
When the parsing fails, the SSL client or server hangs and times out. In other words, SSL traffic is affected.

The SSL parsing should succeed regardless of a match or mismatch between SSL message boundary and TCP segment boundary.

Workaround:
Disable SSL persistence.

Fix:
The system now switches the state of the SSL persistence to pass through all remaining messages, since no further parsing is needed.

655671-1 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced

Component: TMOS

Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.

Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.

Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.

Workaround:
None. Typically, the issue resolves itself.

Fix:
The number of times the bcm56xxd process polls for an I2C bus transaction to complete is reduced to prevent bcm56xxd core files.

655649-2 : BGP last update timer incorrectly resets to 0

Component: TMOS

Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.

Output from 'sh ip route':

4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
               [20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
               [20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
               [20/0] via 10.10.1.6, eno33554952, 00:00:00

Conditions:
Once ZebOS has learned a route from a BGP peer the route will show up under 'sh ip route' and the BGP last update timer will incorrectly reset.

Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.

Workaround:
None.

Fix:
BIG-IP no longer resets the last update time of learned routes via BGP and BGP routes redistributed into other protocols no longer flap.

655628-1 : TCP analytics does not release resources under specific sequence of packets

Component: Local Traffic Manager

Symptoms:
TCP analytics does not release memory when a specific sequence of packets is observed, and memory usage increases as more such flows occur.

Conditions:
-- A TCP analytics profile is configured to collect clientside/serverside analytics data.
-- AVR is provisioned.
-- FastL4 and HTTP profiles are configured.
-- A specific sequence of packets (on the serverside) occurs.

Impact:
Main memory occupied by TCP analytics is not released which might lead to memory exhaustion on the BIG-IP system.

Workaround:
Turn off collecting TCP analytics data for the virtual server.

Fix:
TCP analytics now releases resources properly.

655617-1 : Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge

Solution Article: K36442669

Component: Application Security Manager

Symptoms:
When running Safari or Firefox in incognito mode on iOS devices, browser gets TCP RST and will not be able to pass client-side challenge. The system posts the following error in tmm log: failed parsing header 3.

Conditions:
1. Web scraping is configured.
2. Persistent client identification is enabled.
3. Using Safari or Firefox on iOS devices.

Impact:
Browser cannot access the site.

Workaround:
Turn off persistent client identification.

Fix:
Safari, Firefox in incognito mode on iOS device can now pass persistent client identification challenge.

655500 : Rekey SSH sessions after one hour

Component: TMOS

Symptoms:
Common Criteria requires that SSH session be rekeyed at least every hour

Conditions:
SSH connections to or from the BIG-IP system.

Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time

Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.

Fix:
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.

655470 : IP Intelligence logging publisher removal can cause tmm crash

Solution Article: K79924625

Component: Advanced Firewall Manager

Symptoms:
TMM restart immediately after removing global ip-intelligence logging publisher.

Conditions:
1) Global IP Intelligence logging enabled.
2) While new incoming connections are handled by the system, delete the global logging publisher using the following command:
modify security log profile global-network ip-intelligence { log-publisher none }

Impact:
Traffic disrupted while tmm restarts. This is an intermittent, timing-related issue.

Note: Because deleting the global ip-intelligence logging configuration publisher is uncommon, and might occur once, at setup, this issue is unlikely to manifest.

Workaround:
There is no workaround, other than to not delete the ip-intelligence global logging publisher when heavy traffic is being handled.

Fix:
Error handling now checks for NULL publisher and prevents the TMM restart.

655445-2 : Provide the ability to globally specifiy a DSCP value.

Component: Global Traffic Manager (DNS)

Symptoms:
The DSCP value is not configurable for some types of traffic, which can lead to dropped traffic during adverse network conditions.

Conditions:
Under adverse network conditions, monitor traffic can be dropped by the network.

Impact:
BIG-IP DNS incorrectly reports resources as unavailable because monitor traffic is dropped by the network due to congestion with unrelated traffic.

Workaround:
None.

Fix:
Setting the new db variable tm.egressdscp to a value other than the default value of 0, results in the system setting the DSCP value for outgoing traffic to the configured value.

655357-2 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic

Solution Article: K06245820

Component: TMOS

Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.

This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.

Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.

To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
A db variable switchboard.l2.mitigation was introduced to configure this feature.

-- A value of "enable" allows packets to be forwarded in the case of corrupted L2 FDB entries. Packets will be hashed on source and destination addresses. Enabling forwarding this way is only a temporary measure.

-- A value of "monitor" does not forward packets but will count packets which were affected by corrupted L2 FDB entries. The stat table switch/l2_mitgation, updated every 11 seconds, reports packet counts. Differences in packet counts are logged to /var/log/ltm.

-- A value of "disable" disables both forwarding and packet counting. Packet counts are reset.

655314 : When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★

Component: TMOS

Symptoms:
The platform-migrate option to the UCS load command is supposed to reject UCS archives generated on BIG-IP software v10.x. It does this; however, the hostname of the BIG-IP system changes to the one in the UCS.

Conditions:
You are trying to do a platform-migrate load to 12.1.2 or 13.0.0 of a UCS originating on a system running v10.x.

Impact:
The hostname is changed, but no other configuration is modified.

Workaround:
Set the hostname back to its old value.

Fix:
The hostname is now left unmodified.

655233-1 : DNS Express using wrong TTL for SOA RRSIG record in NoData response

Solution Article: K93338593

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.

Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.

Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.

Workaround:
There is no workaround.

Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.

655211-1 : bigd crash (SIGSEGV) when running FQDN node monitors

Solution Article: K25384206

Component: Local Traffic Manager

Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.

Conditions:
bigd is configured for FQDN node monitors.

Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.

Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.

Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.

655059-3 : TMM Crash

Solution Article: K37404773

655021-2 : BIND vulnerability CVE-2017-3138

Solution Article: K23598445

654599-1 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Solution Article: K74132601

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The config contains a large amount (in the thousands) of GSLB virtual servers or wide IP's, resulting in the action not being completed.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.

Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.

654549-1 : PVA support for uncommon protocols DoS vector

Component: TMOS

Symptoms:
A new HSB bitstream for VIPRION B4450 blades is needed to support IP uncommon protocols for DoS Vector.

Conditions:
Using the B4450 blade.

Impact:
No support for IP uncommon protocols for DoS Vector.

Workaround:
None.

Fix:
HSB v3.2.13.0 bitsteam for VIPRION B4450 blades now provides support for IP uncommon protocols for DoS Vector.

Behavior Change:
This bitstream now supports IP uncommon protocols for DoS Vector. Any number of protocols with values between 0-255 can be simultaneously enabled.

654513-6 : APM daemon crashes when the LDAP query agent returns empty in its search results.

Solution Article: K11003951

Component: Access Policy Manager

Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.

Conditions:
APM provisioned with AD authentication setup.

Impact:
APM daemon crashes, need to restart RBA and WebSSO. This is a very rarely encountered issue.

Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.

Note: Adding the extra agent, LDAP Auth agent, in the policy will preserve the functionality and features, enabling the policy to fail in LDAP Auth agent, instead of crash in LDAP Query agent.

Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.

654109-2 : Configuration loading may fail when iRules calling procs in other iRules are deleted

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Loading of the configuration fail with a message indicating a previously deleted iRule cannot be found:

01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Conditions:
- iRule A is calling another iRule B using proc calls
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).

Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.

654011-2 : Pool member's health monitors set to Member Specific does not display the active monitors

Solution Article: K33210520

Component: TMOS

Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.

Conditions:
Have a pool member with Health Monitors set to Member Specific.

Impact:
The specified active monitors will be saved but won't be displayed as active.

Workaround:
Use tmsh to view a pool member's active monitors.

Fix:
Pool member's Health Monitors set to Member Specific now display active monitors.

653993-3 : A specific sequence of packets to the HA listener may cause tmm to produce a core file

Solution Article: K12044607

653880 : Kernel Vulnerability: CVE-2017-6214

Solution Article: K81211720

653729-2 : Support IP Uncommon Protocol

Component: Advanced Firewall Manager

Symptoms:
A BIG-IP system can have CPU usage be non-uniformly distributed across the datapath (tmm) threads, such that the overall CPU usage is low, but individual datapath threads may show high usage of a subset of the CPUs on the system. This can be observed by viewing the per-CPU usage, and can manifest as spuriously dropped packets/flows.

Conditions:
A BIG-IP system receives packets that have uncommon IP protocols – those not parsed by the BIG-IP system.

Impact:
The packets are eventually dropped but may drive a subset of the CPUs in the system to very high usage. As CPU increases, potentially reaching 100%, then the BIG-IP system will start dropping packets and the system might eventually fail.

Workaround:
None.

Fix:
The system now supports packets that have uncommon IP protocols.

Behavior Change:
This change adds the capability of specifying various IP protocols as 'uncommon' protocols. Using this list of uncommon protocols can have the system mitigate an attack from uncommon protocols.

To do so, perform the following procedure:
1. Set the sys db tunable dos.uncommon.replace.illegal to true (it is false by default).
2. Set the 8 sys db tunables dos.uncommon.protocols[0-7] to specify which protocols should be considered uncommon (by default all protocols except TCP/UDP/ICMPv4/ICMPv6/SCTP - bits 1/6/17/58/132 are uncommon).
- dos.uncommon.protocols0 represents bits 31:0 of a 256-bit vector
- dos.uncommon.protocols1 represents bits 63:32 of a 256-bit vector
- dos.uncommon.protocols2 represents bits 95:64 of a 256-bit vector
- dos.uncommon.protocols3 represents bits 127:96 of a 256-bit vector
- dos.uncommon.protocols4 represents bits 159:128 of a 256-bit vector
- dos.uncommon.protocols5 represents bits 191:160 of a 256-bit vector
- dos.uncommon.protocols6 represents bits 223:192 of a 256-bit vector
- dos.uncommon.protocols7 represents bits 255:224 of a 256-bit vector

Setting the specific bit to '1' means that the specified protocol is considered 'uncommon', and setting the specific bit to '0' means that the specified protocol is not considered 'uncommon'.

Then the DoS vector IP Unknown Protocol can be used to mitigate an attack from the above-specified 'Uncommon Protocols'.

653511-2 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve

Solution Article: K45770397

Component: Local Traffic Manager

Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.

Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".

Impact:
Service interruption due to intermittent connection failures.

Workaround:
None.

Fix:
Connections no longer fail intermittently with SNAT/automap, SP-DAG and virtual server source-port=preserve.

653453 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.

Component: TMOS

Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by a L2 defect in the Broadcom Trident2+ switch B4450 blade uses.

Conditions:
The switch learned a corrupted L2 FDB entry on internal HiGig trunk.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
Resolved an issue on Broadcom Trident2+ switch B4450 blades use in which ARP replies reached the front panel port, but failed to reach TMMs.

Behavior Change:
A new BigDB variable is added to control in which mode the l2xmsg module in Broadcom SDK should run.

bcm56xxd.l2xmsg.mode: poll/fifo (default)

The BIG-IP system used to always run l2xmsg module in poll mode. Now, the BIG-IP system will run l2xmsg mode in fifo by default.

653376-5 : bgpd may crash on receiving a BGP update with >= 32 extended communities

Component: TMOS

Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities

Conditions:
A configured BGP peer sends a route update including and attribute containing 32 or more extended communities.

Impact:
bgpd may crash causing the BGP peering to reset

Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.

Fix:
bgpd no longer crashes on receiving a BGP update with >= 32 extended communities

653285-1 : PEM rule deletion with HSL reporting may cause tmm coredump

Component: Policy Enforcement Manager

Symptoms:
tmm coredump caused by deletion of a PEM policy rule with HSL reporting configured and passing active traffic. tmm crash.

Conditions:
PEM policy rule with HSL reporting is deleted while passing subscriber traffic.

Impact:
tmm coredump causes traffic disruption and restart of tmm.

Workaround:
None.

Fix:
PEM rule deletion with HSL reporting no longer causes tmm coredump.

653234 : Many objects must be reconfigured before use when loading a UCS from another device.★

Component: TMOS

Symptoms:
Many objects are ignored by the platform-migrate option, and must be reconfigured before use when loading a UCS from another device.

Conditions:
UCS is being loaded from another device, using the platform-migrate option.

Impact:
Risk of configuration load failures.

Workaround:
None, other than reconfiguring for the destination device.

Fix:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.

Behavior Change:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.

653225-1 : coreutils security and bug fix update

Component: TMOS

Symptoms:
A race condition was found in the way su handled the management of child processes.

Impact:
A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Workaround:
install latest hotfix

Fix:
fixed in coreutils-8.4-46.el6

653224-1 : Multiple GnuTLS Vulnerabilities

Solution Article: K59836191

653217-2 : Multiple Samba Vulnerabilities

Solution Article: K03644631

653014-1 : Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name

Component: Application Security Manager

Symptoms:
An issue was introduced when dealing with custom Blocking pages containing an HTTP Header that has an underscore in the name.

Conditions:
A custom Blocking page is defined containing an HTTP Header that has an underscore in the name.

Impact:
Set Active fails

Workaround:
Use hyphens instead of underscores in the header name.

Fix:
Underscores in HTTP Headers in Blocking Response pages are handled correctly.

652973-2 : Coredump observed at system bootup time when many DHCP packets arrived at BigIP

Component: Policy Enforcement Manager

Symptoms:
During system bootup, system coredump is observed when many DHCP packets arrive before system is fully ready and many flow entry creation failures are observed

Conditions:
1)BIG-IP DHCP proxy is in forwarding mode
2)DHCP relay agent in front of BIG-IP modifies giaddr field of DHCP packets to its own IP address
3)DHCP packets arrive during system bootup and before system is fully ready(some vlans, interfaces and routes are not fully up)

Impact:
System crash and coredump

Workaround:
Make sure system has come up completely before sending DHCP packets to the box

652796-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
ECA may be constantly restarting on BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
ECA NTLM functionality will not be accessible to the users.

Workaround:
If ECA functionality is not required - disable process by running 'bigstart stop eca'.

If ECA functionality is needed:

1. Stop eca by running "bigstart stop eca'.

2. Modify file '/etc/bigstart/scripts/eca' as follows:

a) Replace line:
cpu_count=$(get_number_cpu)

with line:
tmm_count=$(get_tmm_count)

b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}

with line:
exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start eca'.

Fix:
ECA no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.

652792-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
urldb may be constantly restarting on a BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
URLDB functionality will not be accessible to the users.

Workaround:
If URLDB functionality is not required - disable process by running 'bigstart stop urldb'.

If urldb functionality is needed:

1. Stop urldb by running "bigstart stop urldb'.

2. Modify file '/etc/bigstart/scripts/urldb' as follows:

a) Replace line:
cpu_count=$(get_number_cpu)

with line:
tmm_count=$(get_tmm_count)

b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}

with line:
exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start urldb'.

Fix:
urldb no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.

652691-1 : Installation fails if only .iso.384.sig (new format signature file) is present★

Component: TMOS

Symptoms:
Tab completion only will complete the names of ISO images that have an old style signature format ("BIG-IP-version-build.iso.sig"), not the new style ("BIG-IP-version-build.iso.384.sig"). Then, installation will fail even if you type out the full name.

Conditions:
This only happens when signature checking is enabled for ISO images. You can determine this by looking at the value of the DB variable "liveinstall.checksig".

Impact:
Tab completion will not show the ISO image, and even if you type out the full name, the installation will fail. An error message will appear in "show sys software status" and /var/log/liveinstall.log .

Workaround:
Put both types of signature file (.iso.sig and .iso.384.sig) on the device.

Fix:
Tab completion and installation will now work if the old signature file format (.iso.sig) is missing, and only the new signature format (.iso.384.sig) is present.

652689-2 : Displaying 100G interfaces

Solution Article: K14243280

Component: TMOS

Symptoms:
Interfaces' Active Media Type and Media Speed rows display none.

Conditions:
Having a server with 100G interfaces.

Impact:
Cannot use GUI to determine interfaces' Active Media Type and Media Speed.

Workaround:
Use tmsh to see the affected interface.

Fix:
100G interfaces now display correctly.

652638-2 : php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()

Component: TMOS

Symptoms:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.

Impact:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.

Fix:
install latest hotfix/image

652539 : Multiple Bash Vulnerabilities

Solution Article: K73705133

652535-1 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.

Solution Article: K54443700

Component: Local Traffic Manager

Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.

Conditions:
HTTP/2 profile is enabled on the virtual. The frame header gets fragmented because of TCP segmentation.

Impact:
HTTP/2 stream is reset.

Workaround:
None.

Fix:
HTTP/2 parser changed to handle header splitting across multiple buffers.

652516 : Multiple Linux Kernel Vulnerabilities

Solution Article: K31603170

652484-2 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster

Component: TMOS

Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.

Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.

Impact:
The f5optics version is not displayed for all of the blades.

Fix:
f5optics version information for all blades within a chsasis is displayed when the user issues tmsh show net f5optics from the primary blade.

652445-2 : SAN with uppercase names result in case-sensitive match or will not match

Solution Article: K87541959

Component: Local Traffic Manager

Symptoms:
SSL certificates with SAN domain names with uppercase characters will fail to match SNI requests for that domain name.

Conditions:
Multiple client-ssl profiles configured with SNI associated with a single virtual where the SAN (Subject Alternative Name) contains DNS names with uppercase characters.

Impact:
SNI does not match, resulting in the wrong certificate being returned to the client, which potentially results in a security warning in the client application due to a non-matching domain.

Workaround:
Use lowercase characters for SAN domain names in SSL certificates.

Fix:
SNI match is now case-insensitive.

652200-1 : Failure to update ASM enforcer about account change.

Solution Article: K81349220

Component: Application Security Manager

Symptoms:
There is an error updating BD with the following information:
Errors:
------------
  bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled

  ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
  ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------

Conditions:
In a high availability environment (with manual failover and ASM) with a UCS load that contains policies with the same names.

Impact:
Traffic is blocked due to Unknown HTTP selector

Workaround:
Use one of the following Workaround:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.

Fix:
The system now correctly handles a UCS containing policies with the same names in a high availability environment (with manual failover and ASM).

652151-1 : Azure VE: Initialization improvement

Solution Article: K61757346

652094-2 : Improve traffic disaggregation for uncommon IP protocols

Solution Article: K49190243

Component: TMOS

Symptoms:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default.

Conditions:
Traffic of uncommon IP protocols on VLAN configured with default DAG.

Impact:
Traffic for uncommon IP protocols not distributed evenly among available processing units.

Workaround:
None.

Fix:
The system now correctly distributes traffic for uncommon IP protocols based on src IP and dest IP.

The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

Behavior Change:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

652052-3 : PEM:sessions iRule made the order of parameters strict

Component: Policy Enforcement Manager

Symptoms:
In the versions before 12.0, the order of parameters for "PEM::SESSIONS" rule was flexible. It was made strict because of the new validation infrastructure in 12.0. This breaks some existing iRules.

The system will report a validation error such as:

01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]

Conditions:
Some parameters, for example, subscriber-id come before the parameter user-name.

Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.

Workaround:
Change the order of the parameters.

652004-2 : Show /apm access-info all-properties causes memory leaks in tmm

Solution Article: K45320415

Component: Access Policy Manager

Symptoms:
When tmsh is used to view session information, memory will leak on each request to pull the session information from tmm. This is a small leak but can be significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.

Conditions:
when using show /apm access-info all-properties

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
The only workaround is not to use the mcp interface by tmm daemon, or to restart the tmms periodically after using the interface multiple times.

Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.

651772-3 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, may use an MAC and IPv6 source address from a different VLAN.

Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that will cause the traffic to the destination to shift from one vlan and gateway to another. This can be typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.

Fix:
IPv6 host traffic no longer use incorrect IPv6 and MAC address after route updates.

Behavior Change:
Introduction of sys db ipv6.host.router_probe_interval, to control sysctl net.ipv6.conf.default.router_probe_interval value. This value is default to 5s.

651651-3 : bigd can crash when a DNS response does not match the expected value

Solution Article: K54604320

Component: Local Traffic Manager

Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.

Conditions:
Monitoring DNS server(s), or using FQDN.

Impact:
Potential bigd core and restart; may cause endless restart loop as long as DNS monitor instance is configured.

Workaround:
No workaround at this time.

Fix:
Prevented bigd from crashing when a response returned from a DNS request does not match the expected value.

651640-3 : queue full dropped messages incorrectly counted as responses

Component: Service Provider

Symptoms:
negative number of active response messages reported on sipsession profile stats

Conditions:
If a request message is dropped because the sip filter's ingress message queue is full, the wrong stats is incremented

Impact:
Counting the dropped request messages as response messages causes the calculation of the accepted response messages to be incorrectly calculated, thus producing a negative value.

Fix:
correct stats fields are incremented

651476 : bigd may core on non-primary bigd when FQDN in use

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.

Conditions:
FQDN is in use.

Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.

Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.

Fix:
Known causes of the bug have been fixed.

651221-2 : Parsing certain URIs may cause the TMM to produce a core file.

Solution Article: K25033460

651155-1 : HSB continually logs 'loopback ring 0 tx not active'

Component: TMOS

Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.

Conditions:
Unknown.

Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.

Workaround:
None.

651106 : memory leak on non-primary bigd with changing node IPs

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with the multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes will consume an unusually high amount of memory, and bigd cores may exist when the FQDN node IP addresses change frequently.

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes causing IP addresses to change, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.

651001-1 : massive prints in tmm log: "could not find conf for profile crc"

Component: Advanced Firewall Manager

Symptoms:
Massive messages in tmm log:
"could not find conf for profile crc"

messages are shown while traffic is passing.

Conditions:
1. Have dos profile attached to vs. dos profile does not have dos application enabled.
2. Have ASM policy attached to VS with Web Scraping on/session hijacking/session awarness with DID collection/brute force with DID collection.

Impact:
Massive prints in tmm log that can cause tmm to abort. Traffic disrupted while tmm restarts.

Workaround:
Have DOS application enabled (even if doing nothing).

Fix:
disable prints.

650422-2 : TMM core after a switchover involving GY quota reporting

Component: Policy Enforcement Manager

Symptoms:
Core dump in the code path for async subscriber lookup causes core-dump.

Conditions:
This core happens in an intra-chassis HA configuration, if GY is configured & HA switchover is forced.

Impact:
An initial coredump (or HA switchover) forces multiple core dumps. Traffic disrupted while tmm restarts.

650349 : Creation or reconfiguration of iApps will fail if logging is configured

Solution Article: K50168519

Component: TMOS

Symptoms:
If logging destination of any type is configured (ArcSight, IPFIX, remote high speed logging, etc.), creation or reconfiguration of iApps will fail. The following error will be reported in /var/log/webui.log and displayed in the GUI: The connection to mcpd has been lost, try again.

Conditions:
Logging is configured: filter, destination, and publisher.

Impact:
Cannot create new iApps or reconfigure existing ones.

Workaround:
Remove logging configuration.

Fix:
Can now create or reconfigure iApps if logging is configured.

650317-3 : The TMM on the next-active panics with message: "Missing oneconnect HA context"

Component: Local Traffic Manager

Symptoms:
The next-active TMM panics with message: "Missing oneconnect HA context" on a virtual which doesn't have one-connect on the active.

Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.

Impact:
Connections on the active are not mirrored while the next-active restarts.

Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.

Fix:
Mirrored connections which fail to find an HA context on the next-active are not established on the next-active.

650292-2 : DNS transparent cache can return non-recursive results for recursive queries

Component: Local Traffic Manager

Symptoms:
If a non recursive query is cached by the DNS transparent cache, subsequent recursive queries provide the non-recursive answer.

Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.

Impact:
Non recursive responses for recursive requests.

Workaround:
An iRule can be attached to the listener to disable the cache if the "rd bit" is not set in the DNS request.

Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.

650286-2 : REST asynchronous tasks permissions issues

Solution Article: K24465120

650152-1 : Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms

Component: Local Traffic Manager

Symptoms:
In Nitrox PX platforms, vCMP guests can't accelerate AES-GCM traffic, which might cause high CPU usage.

Conditions:
For those vCMP guests deployed on Nitrox PX-based platforms, and SSL cipher is configured to use AES-GCM.

The following blades support the Nitrox PX and vCMP combination: VIPRION B4200, B4300, B2100, and B2150 blades.

Impact:
High CPU usage.

Workaround:
No workaround.

Fix:
Added AES-GCM hardware acceleration support for Nitrox PX-based vCMP.

650081-1 : FP feature causes the blank page/delay on IE11

Component: Advanced Firewall Manager

Symptoms:
When PBD and FP are both enabled, there is a very high client-side latency, especially on Microsoft Internet Explorer (IE).
On IE, sometimes the challenge remains on a blank page, never moving on to the site from the back-end server.

Conditions:
If you use ASM dos with fingerprint, but it causes the delay/blank page on browser Microsoft Internet Explorer v11 (IE11).

Impact:
Delay or blank page when clients access the page using IE11.

Workaround:
None

Fix:
Improved the client-side run-time of the JavaScript challenge and prevented it from getting stuck on Internet Explorer.

650074-1 : Changed Format of RAM Cache REST Status output.

Component: Local Traffic Manager

Symptoms:
The REST API returned cache contents in displayable form, not tagged field form.

Conditions:
Using REST API.

Impact:
Text must be parsed as if the caller plans to post-process it.

Workaround:
To present the data in some other format, the text can be displayed as is, but must be parsed as if the caller plans to post-process it.

Fix:
Now RAM Cache REST Status output is returned in field format, and must be parsed by a JSON parser and formatted for display. If you were using the previous format, you must now parse the JSON and re-format the data for display.

Behavior Change:
REST API calls for ramcache stats now returns data as formatted JSON.

650059-1 : TMM may crash when processing VPN traffic

Solution Article: K20087443

650002-1 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.

Fix:
To accommodate for Mongolia no longer observing DST, the new America/Punta_Arenas zone was created. Changes were also made to support other timezone changes.

* The zone1970.tab file has been added to the list of files to be installed with the tzdata packages installation.

Note: Users of tzdata are advised to upgrade tzdata to zdata-2017b-1.el6

649949-1 : Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★

Component: TMOS

Symptoms:
Following the instructions at https://support.f5.com/csp/article/K13117 will occasionally fail on iSeries platforms, with the system being unable to find the installation media.

If this happens, running the following command will fail.

image2disk --instslot=HD1.1 --setdefault --nosaveconfig

Conditions:
This can occur on iSeries platforms while performing a clean installation.

Impact:
The /dev/cdrom softlink points to the virtual CD-ROM drive in iSeries platforms instead of the physical USB DVD-ROM drive. This prevents image2disk from automatically finding the installation media.

Workaround:
After the failure, while in MOS, determine USB CDROM device name, mount it, and tell image2disk specifically where it is:

bash (try 'info') / > dmesg | grep "sr0\|sr1"
sr0: scsi3-mmc drive: 62x/62x writer dvd-ram cd/rw xa/form2 cdda tray <-- cdrom name
sr 6:0:0:0: Attached scsi CD-ROM sr0
sr1: scsi-1 drive
sr 7:0:0:0: Attached scsi CD-ROM sr1

bash (try 'info') / > mount -r -t iso9660 /dev/srX /cdserver
bash (try 'info') / > image2disk --instslot=HD1.1 --nosaveconfig /cdserver

In the mount command, replace "/dev/srX" with whichever device is the physical drive.

649933-1 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.

649929-1 : saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it

Component: Access Policy Manager

Symptoms:
Cannot delete saml_sp_connector from a transaction even when all related objects are specified.

Conditions:
When deleting saml_sp_connector from a transaction along their associated objects.

Impact:
Cannot delete saml_sp_connector and associated objects.

Workaround:
Delete objects in the following order:
SSOResource
SSOSAMLConfig
SPConnector

Fix:
The apm sso saml_sp_connector object can now be deleted from a transaction involving all the related objects regardless of the order in which the objects are specified.

649907-2 : BIND vulnerability CVE-2017-3137

Solution Article: K30164784

649904-2 : BIND vulnerability CVE-2017-3136

Solution Article: K23598445

649866-1 : fsck should not run during first boot on public clouds

Component: TMOS

Symptoms:
Although it is not needed, filesystem check runs during the first boot. This increases the boot time, especially for images that were created more than 180 days before the first boot, because twice year, booting up runs a more comprehensive fsck operation.

Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).

Impact:
Potentially unacceptable long boot times.

Workaround:
None.

Fix:
fsck does not run during first boot on public cloud configurations of VE. Running fsck is postponed until the second boot. If the more comprehensive fsck operation is required, it runs during the second boot as well.

649617-2 : qkview improvement for OVSDB management

Component: TMOS

Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.

If the user wants the BIG-IP system to connect to an OVSDB-capable controller via a SSL connection, the user needs to configure a certificate and a certificate key in the TMSH command "sys management-ovsdb". Later on, if the user invokes qkview to collect system information, the configured certificate key can be collected in qkview.

Conditions:
The following conditions need to be met:

- BIG-IP has the SDN services license.

- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.

- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.

Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.

Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.

In general, if OVSDB management has ever been set to "enabled", the user with the bash shell access can check if the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.

Fix:
The certificate key configured in the "sys management-ovsdb" will not be collected when invoking qkview.

649571-1 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not act on the absence of renegotiation.

Conditions:
A BIG-IP system acts as TLS client, a TLS server ignores renegotiation request. Finite TLS session data or time limits are configured in Server SSL Profile on the BIG-IP system.

An example of such a TLS server is Apache/2.4.10 on Fedora Linux.

Impact:
Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".

Workaround:
None.

Fix:
BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.

649564-2 : Crash related to GTM monitors with long RECV strings

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.

Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.

Impact:
Core dump. Traffic might be disrupted while gtmd restarts.

Workaround:
None.

Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.

649171-4 : tmm core in iRule with unreachable remote address

Component: Local Traffic Manager

Symptoms:
TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with a non reachable remote_addr, tmm cores

Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable

Impact:
Traffic disrupted while tmm restarts.

Workaround:
create faux route for the destination address

648990 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded

Component: Local Traffic Manager

Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:

info tmm[17859]: 01260034:6: Block cipher data limit exceeded.

Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.

Impact:
Serverssl renegotiation does not occur, log message is displayed.

648954-5 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:

01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Referencing an iRule that previously existed, but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

648879-2 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555

Solution Article: K90803619

648865-2 : Linux kernel vulnerability: CVE-2017-6074

Solution Article: K82508682

648786-5 : TMM crashes when categorizing long URLs

Component: Traffic Classification Engine

Symptoms:
TMM crashes when categorizing long URLs.

Conditions:
URL categorization with long URLs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM now can handle really long URLs for URL categorization.

648766-1 : DNS Express responses missing SOA record in NoData responses if CNAMEs present

Solution Article: K57853542

Component: Global Traffic Manager (DNS)

Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.

Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.

Impact:
A valid DNS response with a a partial chase but missing the SOA record may not be considered authoritative due to the missing record.

Workaround:
None.

Fix:
The SOA record is now included as appropriate.

648715-2 : BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0

Component: Local Traffic Manager

Symptoms:
LACP, STP, and LLDP PDUs sent from either of the i2x00 or i4x00 platforms have a VLAN tag added to the PDU when they shouldn't.

Conditions:
Provision any of the three protocols: LLDP, STP, or LACP and the PDU sent by the BIG-IP will incorrectly have a VLAN tag with a tag-id of 0 added to the PDU.

Impact:
Some 3rd party devices may reject the packet. This will adversely affect operation of the affected protocol.

Workaround:
None.

Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.

648617 : JavaScript challenge repeating in loop when URL has path parameters

Component: Advanced Firewall Manager

Symptoms:
The JavaScript challenge is repeating in a loop on URLs which have path parameters (when the URL contains the ';' character). The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.

Conditions:
URLs contain the ';' character, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.

Impact:
Requests with ';' character will be blocked and the browser will repeat the challenge in a loop.

Workaround:
None

Fix:
The JavaScript challenge no longer gets stuck in a loop on URLs which have path parameters.

648544-5 : HSB transmitter failure may occur when global COS queues enabled

Solution Article: K75510491

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs then the BIG-IP is rebooted.

Workaround:
Do not use global COS queues.

Fix:
Loopback packet priority is now set during runtime to guarantee transmit on mgmt ring 0.

648286-2 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.

Component: Global Traffic Manager (DNS)

Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.

Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.

Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). Must manually select each entry to add to the member list.

Loss of functionality from earlier releases.

Workaround:
Manually select each entry to add to the member list.

Fix:
Restored behavior that selects the next available entry in list after pressing the Add button on GSLB Pool's Member manage page.

648056-2 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.

Solution Article: K16503454

Component: TMOS

Symptoms:
bcm56xxd constantly crashes, device goes off-line.

Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.

Impact:
Device goes off-line.

Workaround:
None.

Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.

648053-1 : Rewrite plugin may crash on some JavaScript files

Component: Access Policy Manager

Symptoms:
Rewrite plugin may crash parsing JavaScript files in US ASCII encoding.

Conditions:
JavaScript file in US ASCII encoding (not in UTF-8).

Impact:
Rewrite plugin may crash parsing this file. No response is sent to client.

Workaround:
It is possible to change/add 'charset' parameter in response header 'Content-type' to 'UTF-8' by iRule.

Fix:
Now Portal Access rewrite correctly handles JavaScript data if the web page uses US ASCII encoding.

648037-2 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.

Fix:
Fixed a tmm crash related to LB::reselect

647988-3 : HSL Balanced distribution to Two-member pool may not be balanced correctly.

Solution Article: K15331432

Component: TMOS

Symptoms:
When configuring a two-member pool as HSL destination and using "balanced" distribution, logs from iRule HSL::send may end up balanced to a single pool member.

Conditions:
- Two-member pool configured as remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced"
- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
Log message may not be distributed correctly resulting in more load on a single pool member.

Workaround:
None.

Fix:
Logs are distributed more equally on pool members in "balanced" distribution HSL.

647944-2 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server

Component: TMOS

Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.

Conditions:
A FIX profile is be in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:

- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.

Impact:
Traffic disrupted while mcpd restarts.

Fix:
Prevented MCP from crashing when the FIX profile is edited.

647137 : bigd/tmm con vCMP guests

Component: Local Traffic Manager

Symptoms:
bigd/tmm con vCMP guests.

Conditions:
Set up vCMP guest on VIPRION B2100, B4200, or B4300 blades.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
This release corrects this issue so the crash no longer occurs.

647108-1 : Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction

Component: Access Policy Manager

Symptoms:
The system posts messages similar to the following even when the server associated to the connector is also being deleted in the same transaction:
01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/saml_connector because it is being used by aaa-saml-server (/Common/saml_server_test1

Conditions:
When deleting saml-idp-connector first then the associated saml server.

Impact:
Cannot delete saml-idp-connector and associated server in that specific order.

Workaround:
Delete saml server first and then delete the saml connector.

Fix:
Now saml-idp-connector can be deleted with associated objects in any order from a transaction.

646928-1 : Landing URI incorrect when changing URI

Component: Access Policy Manager

Symptoms:
User accesses resource1, and an access policy starts. Before the policy completes, the user changes to resource2. There is a warning page that the session already exists, and the user clicks to create a new session. After the policy completes, the user is directed to the landing URI of the resource1.

Conditions:
Attempting to change landing URI in the middle of an access policy

Impact:
End-user is inconveniently directed to the first resource instead of the second.

Fix:
Now the "To open a new session, please click here." link on the APM logout page reflects the last used landing URI rather than the first used landing URI.

646760 : Common Criteria Mode Disrupts Administrative SSH Access

Component: TMOS

Symptoms:
If Common Criteria mode is enabled the administrative SSH interface on BIG-IP may become unavailable.

Conditions:
CC-mode enabled.

Impact:
SSH interface not available, sshd may fail to start.

Workaround:
There is no workaround at this time.

Fix:
Correct SSH configuration when in CC mode

646643-2 : HA standby virtual server with non-default lasthop settings may crash.

Solution Article: K43005132

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.

Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).

-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).

Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.

646615-1 : Improved default storage size for DNS Express database

Component: Global Traffic Manager (DNS)

Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.

Conditions:
DNS Express with configured zones.

Impact:
Possibly reduced database size.

Workaround:
N/A as this is an improvement.

Fix:
A tweak has been made to the DNS Express database to improve the initial database size.

646604-5 : Client connection may hang when NTLM and OneConnect profiles used together

Solution Article: K21005334

Component: Local Traffic Manager

Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC); if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.

646511-1 : BD crashes repeatedly after interrupted roll-forward upgrade★

Component: Application Security Manager

Symptoms:
After roll-forward upgrade of version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.

Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.

Impact:
BD crashes repeatedly on subsequent attempts to start ASM.

Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:

tmsh modify sys db ucs.asm.traffic_data.save value disable

Fix:
ASM completes roll-forward upgrade with traffic data correctly, even after upgrade process is interrupted.

646443-1 : Ephemeral Node may be errantly created in bigd, causing crash

Component: Local Traffic Manager

Symptoms:
When FQDN Ephemeral Nodes are being used at the same time as static Node objects, and there is change in those objects, either via DNS resolver changes or manual changes to static nodes, there exists a chance where one may be misidentified as the other during an update, causing a crash in bigd.

Conditions:
FQDN Nodes and Static Nodes being used. Change in node settings or creation/deletion of nodes.

Impact:
Bigd crashes, causing interruption in monitoring.

Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.

Fix:
Fixed case where misidentification may occur, resulting in bigd running without crashing.

645805 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address

Component: TMOS

Symptoms:
LACP PDUs generated by the 'lacpd' on the i4x00 & i2x00 platforms contain the wrong Ethernet source MAC address.

Conditions:
LACP configured on an trunk interface on i4x00 or i2x00 platforms.

Impact:
Some Cisco and Juniper switches discard these PDUs. They send PDUs as if the BIG-IP is not transmitting with a all-zeros 'Partner' section System ID. This renders LACP inoperable, and simply does nothing if the far end is configured for 'Passive'.

Fix:
Insure correct Source MAC address is inserted into the PDU.

645717 : UCS load does not set directory owner

Component: TMOS

Symptoms:
When loading a UCS file the directory /etc/ssh will become owned by the first user in the UCS with an .authorized_keys file.

Conditions:
UCS loaded that contains users with .authorized_key files

Impact:
Ownership of /etc/ssh is set to a non-root user after UCS load. This does not interfere with normal system operation or SSH authentication but does not follow secure coding practices

Workaround:
Ownership of on /etc/ssh can be restored with the command: chown root /etc/ssh

Fix:
UCS load now explicitly sets ownership of the /etc/ssh directory to root.

645684-2 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application components are loaded into incorrect ApplicationDomain and in some rare cases this may cause errors in application.

Conditions:
This can occur when viewing Flash video while connected to APM.

Impact:
Flash applications might fail to render through Portal Access.

Workaround:
None

Fix:
Flash files accessed through Portal Access are now loading components into correct Application Domain. This improves compatibility with Flash apps.

645663 : Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.

Component: Local Traffic Manager

Symptoms:
Accelerated crypto and compression traffic may fail; stuck queue reports appear in logs.

Conditions:
Guests provisioned with more than 12 vcpus, and crypto or compression traffic passed through hardware acceleration.

Impact:
Can cause the hardware accelerator to fail and require host reboot.

Workaround:
Limit guest provisioning to 12 vcpus.

Fix:
Allow guests provisioned with more than 12 vcpus to operate without stalling hardware accelerators.

645615-2 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Solution Article: K70543226

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.

645480-3 : Unexpected APM response

Solution Article: K45432295

645179-6 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.

Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

Fix:
Traffic groups no longer becomes active on more than one BIG-IP system in a device group after a long uptime interval.

645101-2 : OpenSSL vulnerability CVE-2017-3732

Solution Article: K44512851

645058-3 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.

Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

645036-3 : Removing pool from virtual server does not update its status

Solution Article: K85772089

Component: Local Traffic Manager

Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.

Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.

Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.

Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.

Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.

Fix:
Associating a pool with the virtual server now correctly updates the virtual server status.

644975-4 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost

Component: TMOS

Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.

Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.

Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.

Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.

2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.

3) Save the file and exit the text editor to install the root user's new crontab configuration.

4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.

5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.

6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.

7) If the previous command shows MAILTO=root still appears in some files, also modify those file so that MAILTO=root becomes MAILTO="".

Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.

644970-1 : Editing a virtual server config loses SSL encryption on iSession connections

Component: Wan Optimization Manager

Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.

Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.

Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.

Workaround:
Modify the virtual server's configured server-side iSession profile. For example toggle the iSession profile from A to B and then back to A.

Fix:
Editing a virtual server configuration no longer deletes
an iSession dynamically configured default server-ssl profile.

644946-2 : Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation

Solution Article: K05053251

Component: Service Provider

Symptoms:
When the mirror flag is enabled in the siprouter and diameterrouter profiles, outgoing per-client create connection will be usable by any client connection from the same IP address.

Conditions:
This occurs when the mirror flag is enabled in the siprouter and diameterrouter profiles.

Impact:
In the siprouter and diameterrouter profiles, enabling mirroring incorrectly enables the internal ignore_peer_port flag, which causes the router to not consider the remote port of the client side connection when determining which of an outgoing per-client connection can be used for forwarding messages.

Workaround:
None.

Fix:
The ignore_peer_port flag is no longer affected by the setting of the mirror flag, which is correct functionality.

644904-5 : tcpdump 4.9

Solution Article: K55129614

644873-2 : ssldump can fail to decrypt captures with certain TCP segmenting

Solution Article: K97237310

Component: Local Traffic Manager

Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.

The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data

Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.

Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.

Workaround:
None.

Fix:
ssldump now successfully decrypt a capture, so ssldump no longer crashes.

644855-2 : irules with commands which may suspend processing cannot be used with proactive bot defense

Component: Advanced Firewall Manager

Symptoms:
A request is dropped.

Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule which suspends processing is assigned to the virtual. (includes a command like the "after" commands")

For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962

Impact:
All requests which issue the proactive bot defense and the iRule will get dropped.

Workaround:
N/A

Fix:
irules which suspends the execution won't cause a request drop when the proactive bot defense is assigned.

644851-2 : Websockets closes connection on receiving a close frame from one of the peers

Component: Local Traffic Manager

Symptoms:
Websocket connection should be closed once an endpoint has both sent and received a Close control frame. BIG-IP closes connection on receiving a close frame from peer and does not wait for close frame from other endpoint. This results in data sent in the other direction to be dropped.

Conditions:
Websocket and HTTP profile are attached to the virtual.

Impact:
One endpoint sends a Websocket Close control frame. Other endpoint continues sending data which is dropped by BIG-IP.

Fix:
Half-close of connection will be triggered instead of closing the connection entirely.

644799-1 : TMM may crash when the BIG-IP system processes CGNAT traffic.

Solution Article: K42882011

Component: TMOS

Symptoms:
TMM may crash when the BIG-IP system processes CGNAT traffic.

Conditions:
A TMM connflow related to CGNAT traffic is expired.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when the BIG-IP system processes CGNAT traffic.

644723-1 : cm56xxd logs link 'DOWN' message when an interface is admin DISABLED

Component: TMOS

Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:

Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN

Conditions:
This is logged when disabling an interface.

Impact:
Log message says the interface is DOWN, it should say DISABLED.

644694 : FPS security update check ends up with an empty page when error occurs.

Component: Fraud Protection Services

Symptoms:
While checking for security updates in FPS, GUI may display an empty page caused by internal errors, such as network errors or temporary downtime.

Conditions:
-- Provision and license FPS.
-- Check for security updates.

Impact:
Empty page is presented, with no indication of what error occurred.

Workaround:
Use TMSH or REST API to perform an update check.

Fix:
Now, when an error occurs, the error will be displayed.

644693-3 : Fix for multiple CVE for openjdk-1.7.0

Solution Article: K15518610

644565-1 : MRF Message metadata lost when routing message to a connection on a different TMM

Component: Service Provider

Symptoms:
The system might choose to create a new outgoing connection when there is an available exiting connection that can be used.

Conditions:
When a message is forwarded to another TMM for delivery, an internal state might be lost.

Impact:
Messages should be delivered correctly as the metadata is lost after routing. There might be an impact if routing is retried and the ignore-peer-port setting is lost. This might cause a new connection to be created when an available existing connection exists.

Workaround:
None.

Fix:
The system now ensures that the ignore-peer-port flag is preserved when forwarding a message to a connection on another TMM.

644490-1 : Finisar 100G LR4 values need to be revised in f5optics

Component: TMOS

Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.

Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.

Impact:
Occasional packet loss at the 100G physical layer.

Workaround:
Use 100G SR4 optics modules on the link if possible.

Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.

For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).

644489-1 : Unencrypted iSession connection established even though data-encrypt configured in profile

Solution Article: K14899014

Component: Wan Optimization Manager

Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.

Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
1) An error occurs during dynamic server-ssl profile replacement.
2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.

In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.

Impact:
An unencrypted iSession connection may be established which is inconsistent with configuring data-encrypt as enabled in the sever-side iSession profile.

Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.

Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
2) An error occurs during dynamic server-ssl profile replacement.

644447-2 : sync_zones script increasingly consumes memory when there is network connectivity failure

Component: Global Traffic Manager (DNS)

Symptoms:
sync_zones memory usage exponentially increases during network disruption

Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.

Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.

Workaround:
None.

Fix:
sync_zones script now exits successfully at network failure.

644418-2 : Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain including the self-signed certificate.
Many of the self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.

Conditions:
This may occur when SSL Forward Proxy is in use.

Impact:
Forged certificate with SHA1 hash algorithm may be rejected during SSL handshake and the SSL handshake will then fail.

Workaround:
None.

Fix:
In this release, the system excludes self-signed certificates in hash algorithm selection (which is correct behavior). This may prevent forged certificate from using SHA1 hash algorithm

644404-1 : Extracting SSD from system leads to Emergency LCD alert★

Component: TMOS

Symptoms:
When an SSD in a dual-SSD system configuration is extracted, an emergency alert may be issued on the LCD. This does not match the actual severity (Warning) as reported in the LTM log.

Conditions:
Dual SSDs in any BIG-IP system where one has been selected for removal.

Impact:
LCD reports an Emergency-level alert, which does not match the actual Warning severity reported in the LTM log.

Workaround:
Clear the Emergency alert from the LCD.

Fix:
The classification for SSD removal has been changed to 'Warning' to match the LTM log level.

644220-3 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Solution Article: K37049259

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.

Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.

644184-4 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Solution Article: K36427438

Component: TMOS

Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.

Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.

Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.

Fix:
ZebOS daemons no longer hangs while AgentX is waiting.

644112-2 : Permanent connections may be expired when endpoint becomes unreachable

Solution Article: K56150996

Component: Local Traffic Manager

Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.

Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.

Impact:
Tunnel, or other affected connection, will not pass traffic.

Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.

Fix:
Routing updates can no longer lead to expired permanent connections.

643777-2 : LTM policies with more than one IP address in TCP address match may fail

Component: Local Traffic Manager

Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.

Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.

Impact:
The action configured with the match may not be taken.

Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.

Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.

643631 : Serverside connections on virtual servers using VDI may become zombies.

Component: Local Traffic Manager

Symptoms:
Listing connections with "tmsh show sys connection all-properties" (please be cautious executing this command as it could have performance impact) will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.

Conditions:
APM provisioned and VDI (Virtual Desktop Infrastructure) is configured on the affected virtual.

Impact:
Zombie connections consume memory that cannot be reclaimed. Potential out-of-memory condition.

Workaround:
None.

Fix:
Expired serverside connections are properly torn down.

643602-2 : 'Select All' checkbox selects items on hidden pages

Component: Fraud Protection Services

Symptoms:
In FPS GUI, clicking 'Select All' when the list contains more than 10 items, selects all items and not just the items on the current page, as expected.

Conditions:
-- FPS provisioned and licensed.
-- Check 'Select All' and click Delete on a list page containing enough items to span more than one page, for example:

On the Security :: Fraud Protection Service :: Anti-Fraud Profile :: Mobile Security :: Man in the Middle Detection page, add 20 domains. This creates two pages of domains on the list page. When you then check 'Select all' and click Delete, all 20 domains are deleted instead of the expected 10 visible on the page.

Impact:
Unexpected behavior: items are deleted from pages that are not visible.

Workaround:
Check one or more items individually for deletion.

Fix:
Clicking the 'Select All' checkbox now selects all items on the currently visible page.

643582-2 : Config load with large ssl profile configuration may cause tmm restart

Component: Local Traffic Manager

Symptoms:
When doing a config load with a large number of ssl profiles tmm may become busy enough to cause mcp tcp connection to go down and cause tmm restart.

Conditions:
Doing a full config load with large number of ssl profiles.

Impact:
Possible tmm restart.

Workaround:
Doing incremental sync of changes can avoid this issue.

Fix:
A full configuration reload with large number of ssl profiles may cause tmm restart.

643547-1 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP

Solution Article: K43036745

Component: Access Policy Manager

Symptoms:
Requests to /my.policy are not getting HTTP responses.

Log file '/var/log/apm' contains large number of error messages about failed XML data creation:

err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.

Conditions:
The BIG-IP system is used with APM provisioned, and there are a large number of access policy agents configured across all access policies.

The issue occurs only at APMD startup time, e.g., when the BIG-IP system is reloaded, a new image is installed, or the apmd service is manually restarted.

When issue happens /var/log/apm will contain a large number of similar error messages :

err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL

Impact:
APMD will not able to process any requests.

Workaround:
For some configurations and platforms, you can use the following steps to recover:

- Remove all unused access policies (if applicable).
- Restart apmd.

Fix:
Now APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.

643404-2 : 'tmsh system software status' does not display properly in a specific cc-mode situation★

Solution Article: K30014507

Component: TMOS

Symptoms:
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.

Conditions:
Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true:
-- The system is in Common Criteria mode (db var Security.CommonCriteria).
-- The system is in FIPS compliance mode (db var security.fips140.compliance).
-- Signature checking is manually enabled (db var LiveInstall.CheckSig).

Impact:
It is difficult to ascertain why the software change cannot be made.

Workaround:
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.

To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix:
The 'tmsh show system software status' now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso).

Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.

643396-2 : Using FLOW_INIT iRule may lead to TMM memory leak or crash

Solution Article: K34553627

Component: Local Traffic Manager

Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.

Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.

Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a memory leak in the FLOW_INIT iRule event.

643294 : IGMP and PIM not in self-allow default list when upgrading from 10.2.x★

Component: TMOS

Symptoms:
IGMP or PIM not in self-allow by default after upgrade.

Conditions:
Upgrade from 10.2.x.

Impact:
Advance routing with multicast or PIM does not work, when configured after upgrade with default self-allow.

Workaround:
Manually add PIM or IGMP to self-allow default.

643210-2 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM

Solution Article: K45444280

Component: Local Traffic Manager

Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.

Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.

Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.

Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.

Fix:
The BIG-IP no longer deletes keys from the Safenet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

643187-2 : BIND vulnerability CVE-2017-3135

Solution Article: K80533167

643143-2 : ARP and NDP packets should be QoS/DSCP marked on egress

Component: Local Traffic Manager

Symptoms:
There is currently no way to prioritize ARP/NDP traffic on BIG-IP or configure QoS on TMM-originated ARP/NDP packets.

Conditions:
ARP and/or NDP is in use.

Impact:
When the BIG-IP system's CPU is saturated, there is a possibility that ARP and NDP packets might be dropped.

Workaround:
N/A

Fix:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

Behavior Change:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

643121-1 : Failed installation volumes cannot be deleted in the GUI.

Component: TMOS

Symptoms:
Failed installation volumes aren't displayed under Disk Management and, therefore, cannot be deleted.

Conditions:
Have a failed installation volume.

Impact:
Cannot use the GUI to delete

Workaround:
Use tmsh to delete failed installation volumes using a command similar to the following:
tmsh delete /sys software volume <HDx.y>.

For example, to delete software volume HD1.0, use the following command:
tmsh delete /sys software volume HD1.0.

Fix:
Failed installation volumes can now be deleted in the GUI.

643054-2 : ARP and NDP packets should be CoS marked by the swtich on ingress

Component: Local Traffic Manager

Symptoms:
When ARP and NDP requests are dropped, ARP caches can time out, and peer nodes may fail to resolve the BIG-IP system's self-IP addresses or virtual servers.

Conditions:
TMM0 is saturated and dropping packets.

Impact:
ARP requests can be dropped, and peer devices, such as routers and monitored devices, can fail to resolve the BIG-IP system's address.

Workaround:
None.

Behavior Change:
Two DB variables are added to raise the internal traffic priority for ingress ARP/NDP packets in switch.

arp.priority : high/normal(default)
ipv6.nbr.priority : high/normal(default)

Setting arp.priority to high raises ARP packet priority.
Setting ipv6.nbr.priority to high raises NDP packet priority.

643013 : DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3

Component: TMOS

Symptoms:
DAGv2 is a new DAG type and is designed to run on new platforms, including i5600, i5800, i7600, i7800, i10600, i10800 platforms. DAGv2 was not ready when these platforms were first released. DAGv2 is enabled on these platforms in v12.1.3.

Conditions:
i5600, i5800, i7600, i7800, i10600, i10800 platforms.

Impact:
No functional impact. This is simply an announcement of a change in the DAG version.

Workaround:
None.

Fix:
DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3.

642983-1 : Update to max message size limit doesn't work sometimes

Solution Article: K94534313

Component: Device Management

Symptoms:
There is a cap on all REST request/response message size. By default it is set to 32 MB, and you can modify it to higher limit using /mgmt/shared/server/messaging/settings/8100 REST endpoint. But the REST framework may not apply this change.

When this occurs, you will see 501 Bad Gateway error from Apache and error message link "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in restjavad log (/var/log/restjavad.0.log).

Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.

Impact:
REST framework applies message body limit only on incoming request and response. If incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.

Workaround:
None.

Fix:
Messaging settings are applied on requests/responses, rather than on RestServer as forwarded outgoing requests/responses will not have server instance attached to request.

642982-3 : tmrouted may continually restart after upgrade, adding or renaming an interface★

Solution Article: K23241518

Component: TMOS

Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.

Conditions:
-- Dynamic routing configured.
-- Non-default partition name or VLAN names greater than 15 characters.

Impact:
Dynamic routing does not function. This may include monitors not functioning properly and marking pool members down incorrectly.

Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.

Fix:
tmrouted no longer restarts when using long VLAN, VLAN group, or tunnel names in a non-default partition.

642952 : platform_check doesn't run PCI check on i11800

Component: TMOS

Symptoms:
When "platform_check misc" is run, it will return

Miscellaneous Tests
PCI: NOT RUN
Test not available on this platform

Conditions:
This always happens.

Impact:
No platform check for PCI is executed.

Workaround:
There is no workaround.

Fix:
It is fixed, platform check for PCI is executed.

642874-1 : Ready to be Enforced filter for Policy Signatures returns too many signatures

Solution Article: K15329152

Component: Application Security Manager

Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.

Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.

Impact:
Incorrect results are shown as a result of the filter.

Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.

Fix:
The "Ready to be Enforced" filter works correctly.

642723-3 : Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect

Component: TMOS

Symptoms:
In version 11.4.0, when pendsect was introduced, the Western Digital WD1600YS-01SHB1 hard drive was not supported. This drive was used in very early shipments of the 1600/3600 products.

If you are running 11.4.0 and have a WD1600YS-01SHB1, you might see the following errors in /var/log/ltm:

-- notice pendsect[1662]: skipping drive -- Model: WDC WD1600YS-01SHB1
-- notice pendsect[1662]: No known drives detected for pending sector check. Exiting

Conditions:
-- Running 11.4.0.
-- Using WD1600YS-01SHB1 hard drives.

Impact:
The only impact is a pendsect notice in /var/log/ltm. The hard drive operates as expected.

Workaround:
There is no mitigation or workaround for this issue.

Fix:
The WD1600YS-01SHB1 hard drive was added to the supported list of hard drives in versions 11.5.x, 11.6.x, and 12.1.3.

642703-2 : Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★

Component: TMOS

Symptoms:
Installation from external media (PXE or USB) fails with error:

error: status 768 returned by command: /sbin/lvcreate -L -4719088K -n dat.share vg-db-cpmirror
info: >++++ result:
info: Negative size is invalid
info: Run `lvcreate --help' for more information.
info: >----
error: MultiVolume_add cpmirror.dat.share failed.

Conditions:
-- i5000, i7000, i10000, i11000, and i12000 platforms.
-- Installation from external media (PXE or USB).
-- Running software v12.1.2 or v13.0.0.

Impact:
System is non-functional. It will not work at all, until an 'installation from external media' is performed. There is no software on the system because the operation failed during the early stages of a formatting installation.

Workaround:
Use an earlier version for the formatting installation, such as 12.1.1, and then upgrade to the target version.

Fix:
The error no longer occurs; the formatting installation succeeds.

642659-2 : Multiple LibTIFF Vulnerabilities

Solution Article: K34527393

642400-2 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS. Use or disable Path MTU discovery with the tm.pathmtudiscovery database key.

Fix:
Path MTU discovery functions correctly with the TCP profile.

642330-2 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Component: Global Traffic Manager

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

642314-2 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★

Solution Article: K24276198

Component: TMOS

Symptoms:
gtm config load failure after upgrade from v11.x to v12.x or v13.x.

Conditions:
Create GTM pool with canonical-name ending with dot - for example "cname-with-dot.com." in v11.x and then upgrade to v12.x or v13.x.

Impact:
gtm config load failure after upgrade.

Workaround:
Remove trailing dots or set "Domain Validation" to "none".

Fix:
Upgrading from 11.x to 12.x or 13.x with GTM Pool with canonical-name removes trailing FQDN dot.

642284 : Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.

Component: Carrier-Grade NAT

Symptoms:
Memory corruption caused by closing a PCP connection while requests are being processed.

Conditions:
This can occur when a PCP client sends multiple requests and closes before receiving the replies. When the client OS receives a reply it will send an ICMP destination unreachable message which causes the BIG-IP to close the PCP connection. If the PCP connection is closed while a request is being processed, memory corruption may occur when the request completes.

Impact:
When memory corruption occurs, TMM may crash or assert. Traffic disrupted while tmm restarts.

Fix:
Closing the PCP connection will not cause memory corruption.

642221-2 : Incorrect entity is used when exporting TCP analytics from GUI

Component: Application Visibility and Reporting

Symptoms:
When exporting statistics from the TCP Analytics page, the resulted data is for the default "view by" entity rather than the one that's actually selected

Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.

Impact:
Incorrect data is being exported.

Workaround:
Use tmsh.

Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.

642058-1 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances

Component: TMOS

Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.

The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic

The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic

The interface will report in tmsh as down:
tmsh show net interface 5.0

--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
In Out In Out
--------------------------------------------------------
5.0 down 0 0 0 0 0 0 none

Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.

Impact:
The CBL-0138-01 will not work.

Workaround:
None.

Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.

642039-2 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way that to use those iRule commands without causing a tmm core.

Fix:
TMM no longer coreswhen persist is enabled for wideip with certain iRule commands triggered.

642015-2 : SSD Manufacturer "unavailable"

Component: TMOS

Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable"..

Conditions:
BIG-IP system with SSD installed.

Impact:
No functional impact, cosmetic only.

Workaround:
No workaround but the issue is only cosmetic and does not indicate an issue with the system.

Fix:
SSD Manufacturer now displays "Samsung" as expected.

641612-2 : APM crash

Solution Article: K87141725

641574 : AVR doesn't report on virtual and client IP in DNS statistics

Solution Article: K06503033

Component: Application Visibility and Reporting

Symptoms:
On the analytics DNS page, the virtual and client IP stats will be shown as "Aggregated".

Conditions:
This can be seen in DNS analytics, when view-by virtual or client-ip is selected.

Impact:
DNS statistics show incomplete results.

Workaround:
None.

Fix:
AVR now provides the complete report results on virtual and client IP in DNS statistics.

641512-4 : DNSSEC key generations fail with lots of invalid SSL traffic

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can rollover periodically. This will fail, leading to no keys to sign DNSSEC queries (no RRSIG records) when the BIG-IP is handling a lot of SSL traffic with invalid certificates.

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include but not limited to lots of SSL traffic with invalid certificates).

Impact:
DNSSEC key generations fail to be accepted by the TMM so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.

Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.

641491-2 : TMM core while running iRule LB::status pool poolname member ip port

Solution Article: K37551222

Component: Local Traffic Manager

Symptoms:
An iRule response to a DNS request may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system may temporarily fail to process traffic as it recovers from the TMM restart, and devices configured as an HA pair may fail over.
-- The BIG-IP system generates a TMM core file to the /shared/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP DNS system is configured with a wide IP that utilizes an iRule.
-- The iRule uses the DNS_REQUEST event command LB::status to check a pool member status.
-- The iRule pool address and port are separated by white space.

Example iRule syntax:

gtm rule pool_member_selection {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.0.0.10 80
    }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use format 'ip:port' or vsname instead of 'ip port. Following are two examples:
1.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}

2.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}

Fix:
An iRule response to a DNS request no longer triggers TMM to produce a core file and restart.

641482-2 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received

Component: Policy Enforcement Manager

Symptoms:
BIG-IP subscriber session will remain in delete pending (stale) state if the Result-code received Acknowledgement from Gx or Gy and is marked as Failure for CCR-T request.

Conditions:
The stale session happens, during subscriber termination and if any CCR-T request for Gx or Gy receives an acknowledgement with non-SUCCESS in Result-code AVP

Impact:
The subscriber session in BIG-IP will stay in delete pending state (stale)

Workaround:
A tmm restart will cleanup all the stale sessions

Fix:
Fix will cleanup the session if a CCR-T acknowledgement is received irrespective of the Result-code AVP

641445-1 : iControl improvements

Solution Article: K22317030

641390-5 : Backslash removal in LTM monitors after upgrade★

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.

Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.

For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor fails to load.

Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.

Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.

641360-2 : SOCKS proxy protocol error

Solution Article: K30201296

641256-1 : APM access reports display error

Solution Article: K43523962

641248 : IPsec-related tmm segfault

Component: TMOS

Symptoms:
The tmm cores and all connections are reset.

Conditions:
Race condition during IPsec tunnel tear down.

Impact:
The tmm restarts and all connections reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The IPsec-related tmm segfault has been corrected.

641013-5 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
GRE tunnel traffic can be sent to one TMM if BIG-IP doesn't proxy the GRE tunnel and uses forwarding virtual to handle GRE tunnel traffic.

Conditions:
Use forwarding virtual to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.

Workaround:
None.

Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.

640903-1 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen

Component: Global Traffic Manager (DNS)

Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.

Conditions:
The preference settings "Records per screen" must be a high value. 50 or more will start causing the page to load very slowly.

Impact:
Extremely long page load time.

Workaround:
Prior to the fix, the workaround is to set the preference settings "Records per screen" to a low value. The default value of 10 is fine.

Fix:
The page can now load hundreds of records on a single screen under 3 seconds.

640824-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★

Solution Article: K20770267

Component: Application Security Manager

Symptoms:
Upon first start after upgrade, the following error messages appear in asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.

Impact:
Upgrade fails.

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never

2) Do not save a Request Log, when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

Fix:
Roll-forward upgrade including traffic data now works correctly.

640768 : Kernel vulnerability: CVE-2016-10088

Solution Article: K05513373

640636-3 : F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade

Component: TMOS

Symptoms:
Inserting a 40G optic into a 100G port, or inserting a 100G optic into a 40G shows the optic as "Unsuported Optic". That is not correct, it may be a supported optic, just inserted in the wrong port.

Conditions:
B4450 Blades with 100G or 40G optics inserted in a port that does not support that speed optic.

Impact:
The user may be confused on why the optic is not working, the error message is misleading when the optic is inserted in the wrong port.

Workaround:
If the optic shows up in "tmsh list net interface" as "Unsuported Optic" remove the optic and verify that the optic speed matches the port.

Fix:
The "tmsh list net interface" will now show:

module-description "F5 Qualified Optic in invalid port"

And the LCD warning message will show:
Optic OPT-XXXX not valid in Interface <InterfaceNumber>.

640521-1 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices

Component: Access Policy Manager

Symptoms:
Connect to a public network which has Captive Portal and the Captive Portal uses jQuery library for mobile devices. EdgeClient does not render login page for such Captive Portal.

Conditions:
Use public network with Captive Portal that uses jQuery library for mobile devices.

Impact:
EdgeClient can not establish VPN connection.

Workaround:
Use a browser to authenticate to Captive Portal. For locked client, there is no suitable workaround.

Fix:
Now Edge Client can successfully interact with a greater number of wifi captive portals.

640510-3 : BWC policy category attachment may fail during a PEM policy update for a subscriber.

Component: Policy Enforcement Manager

Symptoms:
The correct BWC category is not applied resulting in incorrect BWC handling of subscriber traffic.

Conditions:
PEM policies against a subscriber should be modified such that the BWC policy stays the same while the BWC category changes.

Impact:
Use cases dependent on BWC can be impacted.

Fix:
Code changes were added such that BWC policy and category changes through PEM are handled correctly.

640457-2 : Session Creation failure after HA

Component: Policy Enforcement Manager

Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.

Conditions:
Intra-chassis HA is configured. One of the blades goes down & comes back up very rapidly & some subscriber sessions are lost.
An attempt to add the lost subscriber again fails.

Impact:
A set of subscribers lost during HA will never be added back.

Workaround:
No workaround.

640407-1 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF

Solution Article: K41344483

Component: Service Provider

Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.

Conditions:
Use of an iRule command that gets or sets state in a MRF protocol filter or MR proxy during CLIENT_CLOSED iRule event may core. This is because CLIENT_CLOSED event is raised after all state has been freed for the current connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule command to get or set state during CLIENT_CLOSED iRule event.

640376-3 : STPD leaks memory on 2000/4000/i2000/i4000 series

Component: Local Traffic Manager

Symptoms:
STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs will grow in physical memory usage indefinitely so long as its role in the tree results in sending BPDU packets. The memory usage will be faster for each interface that is sending BPDUs.

Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform and the device has a role in the tree that results in sending BPDUs on one or more interfaces. Memory can be seen to increase when tracking with Linux top commands.

ex. top -b -n 1 | grep stpd

The 5th and 6th columns 'VIRT' and 'RES' slowly increase over time, indicating the memory leak.

Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.

Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured in such a way that the defect affected platforms don't generate BPDUs. This can be done by choosing a root such that the defect affected platforms will have its interfaces to be in blocking mode, or if possible, to be in passthrough mode.

Fix:
BPDU process source code fixed to release memory allocated for each BPDU packet created and sent.

640352-2 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet

Solution Article: K01000259

Component: Local Traffic Manager

Symptoms:
Connflow entry memory are leaked when BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between
the DHCP client and the BIG-IP system sets giaddr field to itself after connflows created are aged out in a particular order.

Conditions:
1) BIG-IP DHCP proxy is configured in forwarding mode.
2) DHCP relay agent sits between the DHCP client and the BIG-IP system sets giaddr field in DHCP renewal packet to itself (this has been observed in Cisco devices), so that DHCP renewal packet will be sent to a relay agent by DHCP servers.
3) Connflow created to giaddr(relay agent) ages out before
connflows created to DHCP clients.

Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.

Workaround:
None.

Fix:
Ref count handing for giaddr connflows are now decremented when the client side connflow is removed, preventing the memory leak.

639750-1 : username aliases are not supported

Component: Fraud Protection Services

Symptoms:
in is a common practice to use aliases for username. for example, an app might allow users to login with either their ID, cell number, or nickname.
WebSafe doesn't support username aliases.

Conditions:
This is encountered when your application uses username aliases.

Impact:
You are unable to use username aliases in your applications.

Workaround:
None.

Fix:
providing new ANTIFRAUD irule command for setting username (replace username alias with the "real" username)

639744-1 : Memory leak in STREAM::expression iRule

Solution Article: K84228882

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.

Fix:
This release fixes a memory leak in STREAM::expression iRule.

639729-2 : Request validation failure in AFM UI Policy Editor

Solution Article: K39428424

639486-4 : TMM crash due to PEM usage reporting after a CMP state change.

Component: Policy Enforcement Manager

Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.

Conditions:
A CMP state change due to a card reboot, disable, enable, insert or remove should have occurred while or right before a PEM usage reporting action.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Instead of asserting, handled the error condition gracefully.

639395-2 : AVR does not display 'Max read latency' units.

Solution Article: K91614278

Component: Application Visibility and Reporting

Symptoms:
AVR does not display units for 'Max Read Latency'.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.

Fix:
Added units (microsecond) to AVR report.

639236-1 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Solution Article: K66947004

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain Contact header expires value set to 0 that is not the last attribute

Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.

Impact:
REGISTER is rejected with a '400 Bad request' error message

Workaround:
None.

Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.

639193-1 : BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.

Solution Article: K03453591

Component: Advanced Firewall Manager

Symptoms:
In high availability (HA) environment where BIG-IP devices are configured for Manual Sync, deleting parent policy causes sync to fail.

Conditions:
This occurs when you delete the parent of a policy that was used as the parent of another policy. For example:
1. Clone Policy A and create Policy B.
2. Clone Policy B and create Policy C.
3. Delete Policy B.

Impact:
Manual sync operation fails.

Workaround:
Use one of the following Workarounds:
A. Enable automatic sync for HA configurations.
B. Run the following commands:
   tmsh save sys config partitions all
   tmsh load sys config partitions all
   Sync

Fix:
In HA environments containing BIG-IP devices configured for Manual Sync, deleting parent policy no longer causes sync to fail.

638997-2 : Reboot required after disk size modification in a running BIG-IP VE instance.

Component: TMOS

Symptoms:
- BIG-IP VE supports disk size modification during the lifetime of a running instance to expand or reduce the disk size that was allocated at the time of deployment.

- A reboot is required after any such modification in the disk size for the changes to take effect. In previous versions, the reboot happened automatically but an affected BIG-IP VE will not have the reboot happening automatically.

- Due to the lack of reboot, changes in disk size do not take effect on the BIG-IP system.

Conditions:
Modifying disk size in a running BIG-IP VE instance.

Impact:
Changes in the disk size do not take effect till BIG-IP system is rebooted.

Workaround:
Manually reboot the running BIG-IP VE instance after making changes in disk size.

Fix:
Reboot required after disk size modification in a BIG-IP VE instance.

638935-3 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Component: TMOS

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

If you have an escaped quote in your configuration, and are moving to a configuration with this the dependency of this fix, you cannot reload the configuration or the license which also reloads the configuration. Doing so, will cause the config load to fail.

638881-1 : Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances

Component: TMOS

Symptoms:
When the fan tray is removed, the fan status in tmctl tables and 'tmsh show sys hardware' are not updated correctly to reflect the current status of the fan tray i.e. not-present.

Conditions:
When the fan tray is physically removed.

Impact:
It is important to be aware of the fan status since malfunctioning of the fan tray can result in thermal shutdown when temperature thresholds are reached. Having incorrect/incomplete status would result in delayed corrective actions if a problem should arise.

Workaround:
No workaround at this time.

638825-2 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD

Component: TMOS

Symptoms:
Value returned for sysInterfaceMediaActiveSpeed OID has value of 80 for interface with type 100000SR4-FD instead of value of 100000.

Conditions:
This always occurs for this type of interface.

Impact:
User sees wrong value for this interface in SNMP get. Value is correct in tmsh 'show net interface'.

Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.

638799-1 : Per-request policy branch expression evaluation fails

Component: Access Policy Manager

Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:

info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)

Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.

The evaluation does not trigger for some requests when, in the same connection, the virtual server gets a request for an internal Access whitelisted URL, and then request for backend resource URIs.

Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for whitelisted URL, the system disables all iRule events except the following:

   #define ACCESS_ALLOWED_IRULE_EVENTS ( \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))

Workaround:
None.

Fix:
Per-request policy branch expression evaluation now complete successfully for non-Access (non-APM) iRule events that are attached to the virtual server.

638780-3 : Handle 302 redirects for VMware Horizon View HTML5 client

Component: Access Policy Manager

Symptoms:
Starting from v4.4, Horizon View HTML5 client is using new URI for launching remote sessions, and supports 302 redirect from old URI for backward compatibility.

Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.

Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround:
For versions 11.6.x and 12.x:
===============================

priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

Fix:
Handle 302 redirects for VMware View HTML5 client are now handled properly.

638715-3 : Multiple Diameter monitors to same server ip/port may race on PID file

Solution Article: K77010072

Component: Local Traffic Manager

Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.

Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.

Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.

Workaround:
A possible work-around is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so a simultaneous probe-collision will fail one monitor once, which upon retry will succeed (as three monitor failures are required for a virtual server to be marked down).

Fix:
The fix includes the monitor-template name in the generation of the PID file, which ensures multiple Diameter monitor instances probing the same server (IP/port) do not interfere with each other.

638629-2 : Bot can be classified as human

Component: Application Security Manager

Symptoms:
A bot is classified as human in a rare case.

Conditions:
Web scraping is turned on. The CSHUI is tried on the user.

Impact:
Bot traffic gets classified as human by ASM.

Workaround:
N/a

Fix:
Fixed the CSHUI algorithm to have better bot detection.

638556-2 : PHP Vulnerability: CVE-2016-10045

Solution Article: K73926196

638137 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828

Solution Article: K51201255

637666-2 : PHP Vulnerability: CVE-2016-10033

Solution Article: K74977440

637561-1 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice

Component: TMOS

Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.

Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only.

Impact:
Wildcard wideips are not returning wildcard requests correctly.

Workaround:
reload mcpdb using commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd

Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.

637559-1 : Modifying iRule online could cause TMM to be killed by SIGABRT

Component: TMOS

Symptoms:
If iRule is used by several virtual servers, and you edit the iRule online, it could cause TMM to be eventually killed by SOD (watchdog).

Conditions:
This can occur under the following conditions:
1. The iRule is used by large number of virtual servers.
2. You edit the iRule and save changes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If iRule is used by several virtual servers, and you edit the iRule online, it no longer causes TMM to be eventually killed by SOD (watchdog).

637308-8 : apmd may crash when HTTP Auth agent is used in an Access Policy

Solution Article: K41542530

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.

Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.

637181-4 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.

636918-2 : Fix for crash when multiple tunnels use the same traffic selector

Component: TMOS

Symptoms:
Given multiple tunnels with the same traffic selector, a crash could sometimes occur.

Conditions:
Same traffic selector used with more than one tunnel.

Impact:
Possible tmm restart if problem happens. Traffic disrupted while tmm restarts.

Workaround:
Use different traffic selectors for different tunnels.

Fix:
Fixed a tmm crash related to traffic selectors used with more than one tunnel.

636744-1 : IKEv1 phase 2 SAs not deleted

Solution Article: K16918340

Component: TMOS

Symptoms:
The BIG-IP system will not start phase 1 or phase 2 ISAKMP negotiation after an Active -> Standby -> Active failover within a short period of time.

Conditions:
The HA Active BIG-IP system goes Standby and then becomes Active again within the phase 2 lifetime.

Impact:
IPsec tunnel(s) is/are not initiated by the BIG-IP system. Network connectivity is broken between the private networks.

Workaround:
Option 1: Switch to IKEv2 and 12.x, which skips the problem altogether. This combination will mirror the SAs and so deleting existing SAs upon failover is not required.

Option 2: Edit /config/failover/active and add the following two lines at the end:

logger -p local0.notice "Employ ID636744 workaround. Purge IPsec phase2 SAs."
tmsh delete net ipsec ipsec-sa

636702-3 : BIND vulnerability CVE-2016-9444

Solution Article: K40181790

636699-5 : BIND vulnerability CVE-2016-9131

Solution Article: K86272821

636541-3 : DNS Rapid Response filters large datagrams

Component: Global Traffic Manager (DNS)

Symptoms:
Assigning a profile with DNS rapid response enabled to a virtual server on a P8 chassis might result in problems with blades and the cluster.

Depending on the timing of operations (config is loaded and tmm restarts), blades might never join the cluster properly and you will see errors similar to the following looping in /var/log/tmm:
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445394
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445416

Conditions:
-- Assigning a profile with DNS rapid response enabled to a virtual server.
-- P8 chassis.
-- Large datagrams being passed.

Impact:
DNS Rapid Response filters large datagrams. Blades might never join the cluster.

Workaround:
There is no workaround at this time.

Fix:
The system now passes through any datagrams too big for DNS rapid response.

636535 : HSB lockup in vCMP guest doesn't generate core file

Solution Article: K24844444

Component: TMOS

Symptoms:
If an HSB lockup occurs in a vCMP guest, the system does not generate a core file.

Conditions:
HSB lockup, which occur rarely.

Impact:
Limited ability to diagnose failures due to HSB lockups.

Workaround:
None.

Fix:
Whenever an HSB lockup occurs in a vCMP guest, the system generates a core file.

636520-3 : Detail missing from power supply 'Bad' status log messages

Solution Article: K88813435

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
This occurs when the system posts an internal hardware sensor alert.

Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.

Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.

636397-1 : bd cores when persistent storage configuration and under some memory conditions.

Component: Application Security Manager

Symptoms:
bd cores. Log signature in /var/log/bd looks similar to the following:

BD_MISC|ERR |Jan 02 14:24:06.422|27867|io_manager_init.c:0395|internal_keep_alive: BD shrinking...,going down - BD will be right back.
ptr BD_MISC|CRIT |Jan 02 14:24:06.422|27867|signals.c:0073|Received SIGSEGV - Core Dumping.

Conditions:
There is persistent storage configuration. There is high memory usage.

Impact:
bd crash. Traffic resets and/or failover

Workaround:
None.

Fix:
This release fixes a bd crash due to specific memory conditions and persistent storage.

636370 : Application Layer Encryption AJAX support

Component: Fraud Protection Services

Symptoms:
WebSafe doesn't support parameters encryption in Single Page Applications (using AJAX)

Conditions:
Application uses AJAX for sending parameters to web server

Impact:
Encryption won't work for Single Page Applications

Workaround:
N/A

Fix:
Adding AJAX encryption support (full payload encryption)

for 12.1.2-hf, enabling this feature requires:

tmsh modify sys db antifraud.internalconfig.string1 value <AJAX-HEADER-NAME>

AJAX-HEADER-NAME existence will enable AJAX support for current request and its value may contain the username used in current request (if configured and exists)

Note that activating AJAX support in releases > 12.1.2-hf is done differently (configured in profile, not in db)

636290 : vCMP support for B4450 blade

Component: TMOS

Symptoms:
vCMP is not supported in the B4450 blade

Conditions:
This occurs on the B4450 blade on specific BIG-IP software versions, for more information on supported vCMP versions see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Impact:
You are unable to configure vCMP on the B4450 blade.

Fix:
vCMP is supported on the B4450 blade in this version.

636254-2 : Cannot reinitiate a sync on a target device when sync is completed

Component: Access Policy Manager

Symptoms:
After a policy sync is successful, re-initating a sync fails with the following error:
"PolicySyncMgr: Sync already in progress for policy xxx"

Conditions:
This occurs rarely when performing a sync after a successful sync.

Impact:
You cannot re-sync a policy. This is a rare occurrence, and after waiting a small amount of time sync should start working again.

Fix:
Now APM Policy Sync no longer hangs in rare cases with the message: "PolicySyncMgr: Sync already in progress for policy xxx"

636044-1 : Large number of glob patterns affects custom category lookup performance

Solution Article: K68018520

Component: Access Policy Manager

Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.

Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.

Impact:
Slow response times to HTTP requests.

Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.

Fix:
Glob pattern matching has been extended to be context sensitive. If the pattern includes the marker "://", a glob immediately before it is restricted to the scheme, and a glob immediately after it is restricted to the hostname. If the match can be satisfied with prefix matching, the pattern will be processed with a prefix comparison rather than as a glob. Also, multiple glob patterns are combined together to create a more optimal match pattern. If custom categories patterns use the context sensitive feature, custom category lookup will be optimized.

635961-1 : gzipped and truncated files may be saved in qkview

Component: TMOS

Symptoms:
When looking at the files in the qkview, some files might be both gzipped and truncated, when only one or the other is expected.

Conditions:
This occurs for certain files that are large enough to require truncation and gzipping.

Impact:
Minimal impact, as the extra file can be ignored. This is primarily an issue of wasting image space.

Workaround:
Ignore the extra copy of the file.

Fix:
Files are no longer both gzipped and truncated.

635933-3 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Solution Article: K23440942 K13361021

635754-1 : Wildcard URL pattern match works inncorectly in Traffic Learning

Solution Article: K65531575

Component: Application Security Manager

Symptoms:
In the policy with URL learning mode set to ALWAYS, wildcard URL matching for *.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" will prevent you from adding other wildcard destinations using policy builder.

Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard urls "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard url "/polo/images/*", the pattern match will be incorrect and you will not be able to accept the learning suggestion.

Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.

Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).

Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.

"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using "Up" button".

Fix:
Wildcard URL pattern match now works as expected in Traffic Learning

635561-1 : Heavy URLs statistics are not shown after upgrade.

Component: Application Visibility and Reporting

Symptoms:
Heavy URLs statistics are not shown after upgrade.

Conditions:
Upgrading to newer version

Impact:
Missing statistics.

Workaround:
No workaround

Fix:
Upgrade and verify all heavy URLs statistics are shown.

635541 : "Application CSS Locations" is not inherited if changing parent profile

Component: Fraud Protection Services

Symptoms:
"Application CSS Locations" is not inherited if changing parent profile, which can cause to the following error while saving: Application CSS Locations cannot be empty.

Conditions:
This occurs in the GUI when FPS provisioned when the system is configured with phishing detection license.

Impact:
Cannot use FPS GUI to configure Application CSS Locations.

Workaround:
Use tmsh or the REST API to configure Application CSS Locations.

Fix:
"Application CSS Locations" is inherited if parent profile is changed. No errors are shown while saving.

635412 : Invalid mss with fast flow forwarding and software syn cookies

Solution Article: K82851041

635314-5 : vim Vulnerability: CVE-2016-1248

Solution Article: K22183127

635274-1 : SSL::sessionid command may return invalid values

Solution Article: K21514205

Component: Local Traffic Manager

Symptoms:
The SSL::sessionid iRule command might return random, invalid values. This also causes high CPU usage on TMM. This occurs when the SSL ID retrieved from SSL is on the stack and gets overwritten prior to use, resulting in a persist lookup loop which causes the high CPU. The issue is also associated with the SSL::sessionid iRule command because SSL::sessionid and SSL persistence use the same internal mechanism to retrieve the SSL session ID.

Conditions:
This issue occurs when either of the following conditions exists:
-- An iRule exists that queries the SSL::sessionid.
-- An SSL persist profile is configured on the virtual server.

Impact:
The iRule might not work as expected.
High CPU usage.

Workaround:
Do not use the SSL:sessionid iRule.

Fix:
The SSL::sessionid iRule returns the session ID as expected.

635257-2 : Inconsistencies in Gx usage record creation.

Solution Article: K41151808

Component: Policy Enforcement Manager

Symptoms:
Duplicate usage records may be created or expected usage records may be missing.

Conditions:
A subscriber session is associated with the following policies:

1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.

2. At least 2 PEM policies containing one or more rules with the same MK across policies will result in failure to create expected usage records.

Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.

Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.

To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.

Fix:
Checks to create usage records are now done using the same keys that are used to create them, so there are no duplicate usage records created or expected usage records missing.

635252-1 : CVE-2016-9256

Solution Article: K47284724

635233-3 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages

Component: Policy Enforcement Manager

Symptoms:
CCR-u send in response to a non-existent policy may be missing some of the custom AVPs such as IMSI, E164 etc even if the AVPs are marked mandatory. The same will be true in the case of CCR-t.

Conditions:
This situation happens in the case when BIG-IP send a CCR-u when the policy name received from PCRF is non-existent in bigip. Also in the case of CCR-t

Impact:
CCR-u and CCR-t may miss some of the subscriber attributes such as IMSI, E164

Workaround:
No Workaround

Fix:
Add the custom AVPs in the case of CCR-u as well CCR-t, if those attributes are enabled for reporting in the protocol profile

635129 : Chassis systems in HA configuration become Active/Active during upgrade★

Component: TMOS

Symptoms:
When devices in a Device Service Cluster are upgraded, multiple devices will become Active simultaneously.

The affected versions erroneously clear their management-ip during reboot and synchronize this to other members of the Device Service Cluster. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the Device Service Cluster members lose contact with each other, and all become Active.

Conditions:
This problem occurs on VIPRION chassis systems, either running natively, or as a VCMP guest, when upgrading from the affected versions (12.1.0, 12.1.1, 12.1.2), to any other version. The problem occurs on any upgrade, whether on the list of affected versions, or a later version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until all Chassis are finished upgrade. See https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.

635116-1 : Memory leak when using replicated remote high-speed logging.

Solution Article: K34100550

Component: TMOS

Symptoms:
As a result of a known issue when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool TMM may leak memory.

Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one poolmember, and one of them becomes unavailable.

Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.

Workaround:
Do not use replication in the HSL destination configuration.

Fix:
TMM no longer leaks memory when using a replicated HSL setup.

634779-1 : In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file

Solution Article: K43945001

634576 : TMM core in per-request policy

Solution Article: K48181045

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

634371-2 : Cisco ethernet NIC driver

Component: TMOS

Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67

Conditions:
N/A

Impact:
Cisco recommends using the updated version 2.3.0.12

Fix:
Cisco VIC Ethernet NIC Driver 2.3.0.12 is now used.

634265-2 : Using route pools whose members aren't directly connected may crash the TMM.

Solution Article: K34688632

Component: Local Traffic Manager

Symptoms:
The TMM crashes when trying to resolve routes using route pools whose members are not directly connected.

Conditions:
A configuration has route pools whose members aren't directly connected. Additionally, this is an issue only in configurations where the TMM doesn't proxy traffic but sources traffic. An example is an sFLOW configuration.

Impact:
Traffic disrupted while tmm restarts. The TMM crashes whenever a connection tries to resolve such a route.

Workaround:
Create route pools with directly connected members.

Fix:
Using route pools whose members aren't directly connected no longer crashes the TMM.

634252 : TMM crash with per-request policy in SWG explicit

Solution Article: K99114539

Component: Access Policy Manager

Symptoms:
TMM crash is seen intermittently when evaluating per-request access policies for SWG-explicit use cases.

Conditions:
Although the exact conditions required for this issue are unknown, evaluating per-request access policies for SWG-explicit use cases might be related.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM crash is no longer seen when evaluating per-request access policies for SWG-explicit use cases.

634215-1 : False detection of attack after restarting dosl7d

Component: Application Visibility and Reporting

Symptoms:
False detection of an attack.

Conditions:
Restarting dosl7d during traffic.

Impact:
False attack is reported.

Workaround:
No workaround

Fix:
Restart dosl7d during moderate traffic and verify no false attack is reported.

634115-1 : Not all topology records may sync.

Solution Article: K10608314

Component: TMOS

Symptoms:
Some GTM topology records may silently not be synchronized to other devices in the sync group.

Conditions:
One known case occurs when topology records have overlapping subnet specifiers (such as 1.0.0.0/8 and 1.0.0.0/9). It is possible that there are other conditions that might cause this issue.

Impact:
Other devices in the GTM sync group will have an incomplete set of topology records, so the returned DNS answers may differ from the expected values.

Workaround:
After updating topology records, run the following command to force a push of all GTM objects: run cm config-sync force-full-load-push to-group gtm.

Fix:
Some GTM topology records may have silently not been synchronized to other devices in the sync group. This is now resolved; all topology objects will be synchronized to all expected devices.

634078-2 : MRF: Routing using a virtual with SNAT set to none may select a source port of zero

Component: Service Provider

Symptoms:
If a virtual server has a SNAT setting of none and the 'source-port' attribute set to 'preserve' or 'preserve-strict', the outgoing connection will be created with a source port of zero (0) instead of the remote port of the originating connection.

Conditions:
This occurs when a message routing SIP profile is in use.

Impact:
Source port is set to 0.

Workaround:
None.

Fix:
Source port is now set to the source port of the client when SNAT is set to none. This is correct behavior.

634015-3 : Potential TMM crash due to a PEM policy content triggered buffer overflow

Component: Policy Enforcement Manager

Symptoms:
Failure to add a PEM policy to a subscriber session in addition to a TMM crash.

Conditions:
PEM configured with a large number of policy rules that goes beyond the maximum supported PEM resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Buffer allocation checks have been added in that result in an error log along in case of a buffer overflow.

634001-2 : ASM restarts after deleting a VS that has an ASM security policy assigned to it

Component: Application Security Manager

Symptoms:
ASM restarts with the following errors:

'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.

Impact:
ASM restart

Workaround:
None.

Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.

633879-1 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect

Solution Article: K52833014

Component: TMOS

Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.

Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.

Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.

Workaround:
You may be able to select md5, then save and then restart, this would set up the daemon from a config file instead of via incremental config parsing. So while it would not work right after being changed in the UI, the md5 option may work after a restart.

Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.

633723-3 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.

Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.

Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Workaround:
None.

Fix:
The system now automatically gathers nitrox data collection when request queue stuck errors occur.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.

633512-1 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.

Component: TMOS

Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).

Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.

Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.

Workaround:
Do not configure Auto-Failback on VIPRION.

Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.

633413-1 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI

Component: TMOS

Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.

Impact:
Get error with unrelated IPv4 address.

Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.

Fix:
You can now add/remove/edit IPv6 and IPv4 within an existing iRules data group.

633391-1 : GUI Error trying to modify IP Data-Group

Component: TMOS

Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.

Conditions:
Try to modify the value field under Address Records Row whether string/int, and click Update

Impact:
There is an "Error parsing IP address" messave at the top of the page. You cannot modify internal data groups using GUI. You can delete and re-create the entry, but cannot modify it.

Workaround:
Use tmsh to modify the record field of the data groups.

Fix:
You can now modify the IPv6&IPv4 value within an existing data group.

Behavior Change:
users would be able to modify and update data groups

633181-1 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Component: TMOS

Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.

Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR

Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CA's.

Workaround:
Use openssl from the bash command line to generate CSR's.
Solution article K14534 contains the appropriate procedure.

632875-3 : Non-Administrator TMSH users no longer allowed to run dig

Component: Global Traffic Manager

Symptoms:
TMSH users without the Administrator role are allowed to run dig, which may allow access to files in the local filesystem.

Conditions:
Execute dig via TMSH

Impact:
File access restrictions for TMSH users without the Administrator role are not properly enforced when executing the dig command.

Fix:
TMSH users who are do not have Administrator roles can no longer run the dig utility through TMSH.

Behavior Change:
dig command is no longer allowed to be run through TMSH by non-admin users.

632731-2 : specific external logging configuration can cause TMM service restart

Component: Advanced Firewall Manager

Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.

Conditions:
The problem is seen when all the following conditions match:

1. External Logging server configured for ACL rule match.

2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).

3. The forwarded logging destination connection causes a crash in TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use one of the following workarounds:
--Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the forwarding Virtual.

Fix:
Connections originated from the BIG-IP to the remote logging server are not subjected to ACL checks, which prevents generation of logs for log server connection, which prevents the error conditions.

632685 : bigd memory leak for FQDN nodes on non-primary bigd instance

Component: Local Traffic Manager

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
None.

632668-5 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.

Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.

632552-2 : tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event

Solution Article: K08634156

Component: Local Traffic Manager

Symptoms:
tmm crashes.

Conditions:
When CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event which is fired before either event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the script in _CLOSED events to another events.

Fix:
tmm no longer crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event.

632504-1 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list

Solution Article: K31277424

Component: Access Policy Manager

Symptoms:
Non-LSO resources such as webtop, even they are assigned via a normal resource assign agent, are listed under dynamic resource as opposed to static one.

Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".

Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.

Workaround:
If it is a static resource, do not select it as dynamic resource.

Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.

632499-1 : APM Policy Sync: Resources under webtop section are not sync'ed automatically

Solution Article: K70551821

Component: Access Policy Manager

Symptoms:
Resources put under webtop section such as webtop link, portal access requires to be included as dynamic resource or else sync will fail.

Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-create portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.

Impact:
Sync will fail and some configured resources will not be available on the other devices.

Workaround:
Includes those resources as dynamic resources in Policy Sync advanced settings.

Fix:
Now administrators can sync access profiles with resources under webtop sections without including them manually as dynamic resources.

632472-1 : Frequently logged "Silent flag set - fail" messages

Component: Access Policy Manager

Symptoms:
APM logs excessive messages similar to the following:

2016-12-07,21:46:10:864, 1740,884,APPCTRL, 2, \UBindSecurityMgr.h, 119, UBindSecurityMgrImpl::GetWindow, Silent flag set - fail

Conditions:
This can occur when connecting to APM via the Edge Client.

Impact:
Excessive messages are logged. These messages can be ignored.

632423-4 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

if { not [DNS::question type] ends_with "XFR" } {
set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}

Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.

632386-1 : EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists

Component: Access Policy Manager

Symptoms:
When a iClient control connection, between Edge Client and BIG-IP, exists for a given session id, a new iClient control connection for the same session id cannot be established until the existing connection is torn down. When the client interface is down or the client changes networks, it takes time for the BIG-IP to detect that the existing control connection is down. During this time, if the client attempts to establish a new control connection (interface up or different network), BIG-IP rejects the new connection request.

Conditions:
EdgeClient attempts to open a new iClient control connection with the same session id as that of an existing control connection and without explicitly closing the current connection. This could happen when the client interface is down or clients changes the network it is on.

Impact:
Edge Client cannot establish a iClient control connection and hence a tunnel to the BIG-IP.

Fix:
When BIG-IP sees a new iClient control connection request for a session id for which another iClient control connection exists, the existing connection is closed and the new connection request is attempted to be accepted.

632344-2 : POP DIRECTIONAL FORMATTING causes false positive

Component: Application Security Manager

Symptoms:
ASM reports false positive violation for the XML request.

Conditions:
This occurs when using "%E2%80%AC" POP DIRECTIONAL FORMATTING as a input in the XML request.

Impact:
When one of the following 3 byte chars arrives to the XML parser, the payload considered as malformed XML:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

Workaround:
None.

Fix:
This release now supports the following 3 byte chars within the XML parser:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

632326-2 : relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation

Solution Article: K52814351

Component: Application Security Manager

Symptoms:
You observe Malformed XML violations on valid XML, even with the relax_unicode_in_xml flag set. The same can apply to JSON with the relax_unicode_in_json flag.

Conditions:
Valid XML containing unicode characters is passed through ASM, and the relax_unicode_in_xml flag is enabled.

Impact:
False positive Malformed XML violations may still be reported.

Workaround:
N/A

Fix:
XML and JSON unicode now operates as expected when using the relax_unicode_in_xml or relax_unicode_in_json internal parameter.
To set these parameters, run the following commands:
/usr/share/ts/bin/add_del_internal add relax_unicode_in_xml 1.
/usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1.
bigstart restart asm.

632324-2 : PVA stats does not show correct connection number

Component: Local Traffic Manager

Symptoms:
do command tmsh show sys pva-traffic global

The current connection number showed up may not be correct

Conditions:
This occurs when there is PVA Traffic

Impact:
Wrong stats number for current PVA connections

Fix:
Fixed incorrect statistics for PVA Traffic

632069-3 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076

Component: TMOS

Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.

Conditions:
VE platform
Authenticated user with advanced shell access

Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.

Fix:
Update sudo package to improve security

632060-1 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Component: iApp Technology

Symptoms:
when upgrading to 12.1.1, 12.1.2 or 13.0 releases, executing a command similar to

curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks causes the following error:

"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",

Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0

Impact:
if your device has an iApps LX application, then that application sill not synchronize to the standby device. So if a failover occurs, then the iApps LX application will seem to disappear, and traffic will not pass through the application.

Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.

Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. You only need to use this procedure if you absolutely need to run an iAppLX.

1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s)
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage

Fix:
Upgrade to 13.1 or 13.0.x hot fix

632005-1 : BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML Service provider (SP), IdP connector creation can be automated using list of URIs containing IdP metadata.

Symptom for this issue:
When remotely published metadata changes - BIG-IP will not be able to modify previously created idp-connector object(s) to reflect the changes.

When issue happens, the error similar to following is logged in /var/log/saml_automation.log :

"apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."

Conditions:
BIG-IP is used as SP. IdP connector creation is automated. Metadata published on automation URIs changes.

Impact:
BIG-IP configuration will not contain the latest changes reflected in published IdP metadata.

This may have different impact based on how metadata is changed.
Impact can be from none to user authentication failure (e.g. when IdP signing certificate is changed).

Workaround:
When error is encountered:
- Manually remove affected idp-connector configuration object
- Restart samlidpd service : "bigstart restart samlidpd"

As a result, SAML connector automation will re-create new idp-connector objects will current up-to-date metadata files.

Fix:
BIG-IP is able to modify previously created idp-connector object(s) to reflect the changes when connector automation is deployed.

632001-1 : For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys

Component: Local Traffic Manager

Symptoms:
fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected.

This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.

Conditions:
Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/localfolder.

Impact:
Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.

Workaround:
Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.

Fix:
fipskey.nethsm will now default to making a module-protected key regardless of the presence of OCS or softcard files in .../kmdata/local.

Scripts that export or generate token or softcard protected keys will now need to explicitly set the protection type via the -c or the --protect option in all situations.

631866-2 : Cannot access LTM policy rules in the web UI when the name contains certain characters

Component: TMOS

Symptoms:
Access LTM policy rules in the web UI when the name contains percent (%) or slash (/) displays an empty page.

Conditions:
The LTM policy rule name being accessed contains the characters percent (%) or slash (/).

Impact:
The policy rule properties page displays an empty page.

Workaround:
Update the LTM policy rule using tmsh.

Fix:
LTM policy rules can be accessed as expected in the web UI regardless of their names.

631862-1 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk

Solution Article: K32107573

Component: Local Traffic Manager

Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, HTTP2 profile receives neither the response's body nor indication that the response has zero size.

Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).

Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.

Workaround:
Use following iRule for broken URLs:

when HTTP_RESPONSE {
  if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
    HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
  }
}

A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.

Fix:
When OWS serves Transfer-Encoding chunked with zero size chuck, BIG-IP properly handles the response and sends END_STREAM flag finalizing the response.

631841-7 : NTP vulnerability CVE-2016-9311

Solution Article: K55405388

631737-1 : ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations

Solution Article: K61367823

Component: Application Security Manager

Symptoms:
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.

Conditions:
This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.

Impact:
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. The system reports the ArcSight remote logger message as attack_type="N/A". (If no other violation was found.)

Workaround:
None.

Fix:
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.

631722 : Some HTTP statistics not displayed after upgrade

Component: Application Visibility and Reporting

Symptoms:
Some statistics will disappear after upgrade due to bug in HTTP statistics backup.

Conditions:
Upgrading to newer version

Impact:
Not all statistics are shown.

Workaround:
No workaround

Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.

631688-7 : Multiple NTP vulnerabilities

Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302

631627-4 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to route domain stops vlan traffic on VCMP guest. You will experience connection failures when bandwidth Controller (bwc) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not comes up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.

Fix:
BWC enabled and associated with a route domain, Web Accelerator enabled, and the system is rebooted, now results in the system and TMM coming up fully and passing traffic.

631582 : Administrative interface enhancement

Solution Article: K55792317

631472-1 : Reseting classification signatures to default may result in non-working configuration

Component: Traffic Classification Engine

Symptoms:
Configuration will not load when running "tmsh load ltm classification signature default" or clicking Reset to Defaults button on Traffic Intelligence :: Applications : Signature Update page.

Conditions:
1. You upgrade classification signatures to an IM package, and reference one of the newly added applications / categories in your configuration (e.g., PEM classification filter).
2. You reset classification signatures back to default by running "tmsh load ltm classification signature default" or selecting "Reset To Defaults" on the Traffic Intelligence :: Applications : Signature Update page.

Impact:
Configuration will not load.

Workaround:
Remove application that came with the new IM from the configuration.

Fix:
The release solves the problem of potentially non-working configurations after classification signatures were reset to default.

631444-2 : Bot Name for ASM Search Engines is case sensitive

Component: Application Security Manager

Symptoms:
CS challenge is returned for request with known search engine which is sent with different case than configured.

Conditions:
ASM profile is configured on the VS; DoS profile is not configured on the VS.

Impact:
Known search engines will get CS challenge.

Workaround:
Have DoS profile on the VS, in which the only feature turned on is Bot Signature, in report only, where only search engine category is turned on.

Fix:
making the ASM Search Engines case insensitive

631172-4 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
User logged in to gui and idle for 20-30 minutes

Impact:
User is logged out of the GUI.

Workaround:
None.

Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.

631131-3 : Some tmstat-adapters based reports stats are incorrect

Component: Application Visibility and Reporting

Symptoms:
Stats are being collected in a wrong way for tmstat tables that are using partial-key. This leads to wrong values on reports.

Conditions:
Using partial key from tmstat-table on tmstat-adapter

Impact:
Wrong stats values for some reports.

Fix:
Tmstat-Adapters is now using the correct API from tmstat-framework which simulate a 'group-by' function on the query, and thus provide the correct result-set.

631025-1 : 500 internal error on inline rule editor for certain firewall policies

Component: Advanced Firewall Manager

Symptoms:
While attempting to use the inline rule editor on a firewall policy, the system returns a 500 internal error. Viewing and editing the same policy in tmsh works as expected.

Conditions:
-- This occurs when editing certain firewall policies in the GUI.
-- The issue is specific to policies with rules that meet the following criteria:

a) At least two addresses with the same first three octets.
b) Addresses should have non-default partition.

141.146.155.40%1 { }
141.146.155.41%1 { }

Impact:
Unable to view or edit the policy, page returns an error

Workaround:
You can view these rules in the GUI by disabling the inline rule editor.

Fix:
Fixed an issue with certain AFM rules generating a 500 internal error in the GUI.

630929-1 : Attack signature exception list upload times-out and fails

Solution Article: K69767100

Component: Application Security Manager

Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------

Conditions:
ASM provisioned.
Attack signature exception list uploaded.

Impact:
Attack signature exception list upload times-out and fails.

Workaround:
N/A

Fix:
Improved the Attack signature exception list upload process to take much less time.

630661-2 : WAM may leak memory when a WAM policy node has multiple variation header rules

Solution Article: K30241432

Component: WebAccelerator

Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.

Conditions:
WAM policy with node utilizing multiple variation header rules.

Impact:
Potential per-request memory leakage driven by client traffic.

Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.

Fix:
WAM no longer leaks memory when evaluation policy nodes which utilize two or more header variation rules.

630622-1 : tmm crash possible if high-speed logging pool member is deleted and reused

Component: TMOS

Symptoms:
When deleting and then re-using a high-speed logging pool member that is in use, a rare tmm crash may occur.

Conditions:
High-speed logging profile configured, high-speed logging pool configured, and a pool member is removed and re-added while the pool is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Rare tmm crash no longer occurs if high-speed logging pool member is deleted and reused.

630611-1 : PEM module crash when subscriber not fund

Solution Article: K84324392

Component: Policy Enforcement Manager

Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.

Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.

Impact:
PEM/TMM SIGSEV.

Workaround:
None.

Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.

630610-5 : BFD session interface configuration may not be stored on unit state transition

Solution Article: K43762031

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
BFD configuration will become missing in ZebOS running config and no BFD sessions will be established.

Workaround:
Re-add statements manually.

Fix:
BFD session interface configuration is now stored on unit state transition.

630571-1 : Edge Client on Mac OSX Sierra stuck in a reconnect loop

Solution Article: K35254214

Component: Access Policy Manager

Symptoms:
Upon waking laptop Edge Client stuck in a reconnect loop.

Conditions:
Full-Tunnel, no Local LAN Access profile; when opening the device lid, which attempts to reconnect to the VPN service. This occurs only with MAC OS X 10.12.1.

Impact:
Cannot connect to VPN, and the Edge Client gets stuck in a reconnect loop.

Workaround:
Allow local subnet access set to enabled.

Fix:
In this release, using MAC OS X 10.12.1 now resumes a connection to VPN using the Edge Client.

630546-1 : Very large core files may cause corrupted qkviews

Component: TMOS

Symptoms:
If a core file is found on a slave blade in a chassis, that is too large for qkview to include, this can cause the qkview file for the blade to be corrupted.

Conditions:
qkview is run when core files greater than 2.4 GB exist in /var/core.

Impact:
iHealth will not parse the qkview.

Workaround:
Copy the core files on the slave blade from /etc/core to a back up location and delete the original files before creating the qkview.

Fix:
qkview files run when core files greater than 2.4 GB exist in /var/core now complete as expected.

630475-5 : TMM Crash

Solution Article: K13421245

630356-1 : JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge

Component: Advanced Firewall Manager

Symptoms:
The JavaScript challenge that is sent to a POST request within an iframe will have a follow-up request of GET when coming from Microsoft Internet Explorer or Edge browser. The request reconstruction is incorrect, and the back-end server does not receive the request payload.
This is relevant to all types JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Conditions:
JavaScript challenge is used in a POST request, when one of the following features in enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Impact:
POST requests will be sent as GET and the request payload will not reach the back-end server.

Workaround:
None.

Fix:
JavaScript challenges to POST requests are sent correctly to the back-end server when coming from iframe in Microsoft Internet Explorer/Edge browsers.

630306-1 : TMM crash in DNS processing on UDP virtual server with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a UDP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
This release prevents a crash in DNS processing on UDP virtual server with no available pool members.

630150-1 : Websockets processing error

Solution Article: K51351360

629871-2 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Component: Carrier-Grade NAT

Symptoms:
Deploying NAT64 part of a 464 XLAT solution may overwrite PASV response 464 XLAT cases.

Conditions:
FTP ALG deployment.

Impact:
PASV response 464 XLAT cases overwritten.

Workaround:
None.

Fix:
Deploying NAT64 part of a 464 XLAT solution no longer overwrites PASV response 464 XLAT cases.

629845-2 : Disallowing TLSv1 connections to HTTP causes iControl/REST issues

Component: Device Management

Symptoms:
When HTTP disallows TLSv1 connections, UCS via iControl/REST fails with the following in the logs:

[SEVERE][86][08 Nov 2016 16:47:20 UTC][com.f5.rest.icontrol.IControlRunnable] (iControl execution) AxisFault[; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]:
[WARNING][87][08 Nov 2016 16:47:20 UTC][8100/tm/shared/sys/backup/52d67805-3aab-4260-8770-a690154c698e/worker UcsBackupTaskWorker] Failed to restore from backup: backup_test.ucs

Conditions:
This occurs when TLSv1 is explicitly disallowed in the HTTP profile.

Impact:
iControl REST clients are unable to connect.

Workaround:
None.

Fix:
Explicitly disallowing TLSv1 in the HTTP profile no longer causes iControl/REST issues.

629801-2 : Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.

Component: Access Policy Manager

Symptoms:
After syncing an access policy, the access policy change on the other device should be prompting you to apply the policy, but instead it applies the policy automatically.

Conditions:
Two or more devices configured in a trust group, one device group is a failover device group, and one device group is a sync-only device group with automatic sync enabled.

A key component that triggers this symptom is that the failover device group is listed first in the configuration. When this occurs, the policy will be applied automatically, which shouldn't occur.

Impact:
Policy changes are automatically applied, when they should only be synced with a prompt to apply after the sync.

Workaround:
None.

Fix:
After syncing an access policy, the access policy change on the other device in the trust group now prompts you to apply the policy, which is correct behavior.

629698-1 : Edge client stuck on "Initializing" state

Component: Access Policy Manager

Symptoms:
It takes a lot of time to reestablish the VPN connection when the Edge Client switches to network with Captive Portal authentication. Edge client freezes on "Initializing" state for around 1 minute.

Conditions:
This can occur on the Edge Client with Captive Portal configured.

Impact:
Edge client is stuck on "Initializing" for an excessive amount of time.

629663-1 : CGNAT SIP ALG will drop SIP INVITE

Solution Article: K23210890

Component: Service Provider

Symptoms:
SIP INVITE message is dropped.

Conditions:
Subscriber registers and then attempts to call out.

Impact:
Subscriber not able to make calls.

Workaround:
None.

Fix:
The system now uses the expiration value from the SIP message i.e. either from expires parameter or the Expire header to update the timeout of the registration record.

629627-1 : FPS Log Publisher is not grouped nor filtered by partition

Component: Fraud Protection Services

Symptoms:
If there are several log publishers assigned to different partitions, it is not clear which log publisher is assigned to which partition.

All log publishers are displayed regardless of the partition selected.

Conditions:
Provision FPS.
Two or more partitions
Two or more log publishers assigned to different partitions

Impact:
All log publishers are displayed regardless of partition.

Workaround:
None.

Fix:
Log publishers are now grouped in GUI and filtered by the currently selected partition.

629573-1 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition

Component: Application Visibility and Reporting

Symptoms:
The selected filters will not appear in exported reports for virtual servers created under non 'Common' partitions.

Conditions:
When using virtual-servers and ASM policies under a non 'Common' partition, exported reports will not display the the selected drill-down filters.

Impact:
Exported reports will be displayed without the filters.

Workaround:
None.

Fix:
Exported reports will take into consideration partitions which will make the drill-down filters appear as expected.

629530-2 : Under certain conditions, monitors do not time out.

Solution Article: K53675033

Component: Global Traffic Manager

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.

Fix:
The resource status is now correct under all monitor timeout conditions.

629499-9 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"

Component: TMOS

Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found

This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.

Conditions:
It is not known what exactly triggers this, it is caused by a timing issue that occurs during system initialization of multi-blade chassis.

Impact:
Certain tmsh sys perf commands fail to work and give an error.

Workaround:
Restart statsd on all blades once the chassis is up.

e.g.

"bigstart restart statsd" on each blade.

Fix:
statsd has been updated to reparse the statsd config file before rebuild it's config so that it doesn't lose the unsupported tables in it's list.

629412-3 : BIG-IP closes a connection when a maximum size window is attempted

Component: Local Traffic Manager

Symptoms:
HTTP2 provides flow control options which allow you to limit the amount of data on flight. A client can send an increment for a window size to an initial value set by standard to 65,535 bytes. BIG-IP used 64K value inherited from SPDY, causing overflow when the client tried to increment the value to its maximum.

Conditions:
HTTP2 profile is configured on a virtual, and client sends a WINDOW_UPDATE frame to increment the value to its maximum.

Impact:
BIG-IP considers the window size overflow as a protocol violation thus it shuts the connection down not serving any request.

Workaround:
None.

Fix:
With a correct value for initial window size (for both a connection and a stream) BIG-IP correctly processes an increment request of the window size to its maximum.

629178-1 : Incorrect initial size of connection flow-control window

Solution Article: K42206046

Component: Local Traffic Manager

Symptoms:
When a client establishes an HTTP2 connection, both endpoints can update their flow-control windows for the connection but their initial sizes of connection flow-control windows must be 65,535. BIG-IP erroneously sets it immediately to a configured value instead. Discrepancy in the window size calculation can result in cancelling of the client's requests.

Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).

Impact:
BIG-IP updates another endpoint with a WINDOW_UPDATE frame for the connection once it reaches a certain threshold. It doesn't happen when receive-window is set above 79 (Kilobytes). If a client has a large request (e.g., POST with a large amount of data), it resets the stream with HTTP2 RST_STREAM frame, canceling the request.

Workaround:
Configure receive-window attribute in HTTP2 profile to a value below 80 (Kilobytes).

Fix:
The fix in this release allows BIG-IP to behave according to RFC and send WINDOW_UPDATE frames, preventing the connection flow-control window from exhaustion on a remote endpoint.

629145-1 : External datagroups with no metadata can crash tmm

Component: Local Traffic Manager

Symptoms:
If a large data group exists or the db variable tmm.classallocatemetadata is set to disabled, tmm may crash if the class match iRule matches 9 or more items in the datagroup.

Conditions:
External datagroups in use, a class match iRule will produce at least 9 matches, and the datagroup is extremely large or the db variable tmm.classallocatemetadata is set to disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to large datagroups.

629127-1 : Parent profiles cannot be saved using FPS GUI

Component: Fraud Protection Services

Symptoms:
Any parent profile (profile that has bee inherited) cannot be saved in FPS GUI.

Conditions:
Provision FPS
License FPS.
1 or more child profiles.

Impact:
User configurations may not be saved.

Workaround:
Can use TMSH or REST.

629085-1 : Any CSS content truncated at a quoted value leads to a segfault

Solution Article: K55278069

Component: TMOS

Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.

Example:
...
.c1 {background-image: url('some

Conditions:
CSS ends without closing quote in value.

Example:
...
.c1 {background-image: url('some

Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.

Workaround:
Use a particular iRule.

Fix:
CSS content truncated at a quoted value no longer leads to a segfault.

629069-2 : Portal Access may delete scripts from HTML page in some cases

Component: Access Policy Manager

Symptoms:
If JavaScript uses Range.createContextualFragment() call to insert new scripts into HTML document, in some cases Portal Access may delete one of the scripts in the page.

Conditions:
JavaScript with Range.createContextualFragment() call which is used to add new scripts by subsequent insertBefore()/insertAfter() calls.

Impact:
Web application may not work correctly.

Workaround:
None.

Fix:
Now web apps delivered via APM Portal Access can use Range.createContextualFragment(), insertBefore(), and insertAfter() javascript properly.

628972-2 : BMC version 2.51.7 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.51.7.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Upgrading firmware.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

628897-1 : Add Hyperlink to gslb server and vs on the Pool Member List Page

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to the GSLB Server and Virtual-server are missing from the GSLB Pool Member list page.

Conditions:
This can be seen in the DNS :: GSLB : Pools : Pick a pool : Members tab

Impact:
You are unable to to quickly get to the server and virtual server from this page.

Workaround:
Manually navigate to associated server and Virtual Server.

Fix:
Hyperlinks for associated server and VS are not showing on the Pool Member list page.

628890-1 : Memory leak when modifying large datagroups

Component: Local Traffic Manager

Symptoms:
When modifying large external datagroups, a significant memory leak may occur.

Conditions:
This can occur when a large datagroup is in use and is modified.

Impact:
Memory is leaked, and the amount of memory leaked can be significant.

Workaround:
None.

Fix:
Fixed a memory leak related to modifying large datagroups.

628869-4 : Unconditional logs seen due to the presence of a PEM iRule.

Component: Policy Enforcement Manager

Symptoms:
TMM log files will fill up.

Impact:
Limits the gathering and traversal of relevant data from the TMM logs if the condition is encountered several times.

Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.

Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.

628836-4 : TMM crash during request normalization

Solution Article: K22216037

628832-4 : libgd vulnerability CVE-2016-6161

Solution Article: K71581599

628739-1 : BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD

Component: TMOS

Symptoms:
Configuring the management IP outside the management subnet succeeds without error.

Conditions:
On the LCD, navigate to the 'Setup' tab, and select 'Management'.
1. Set the default Gateway for the network.
2. Now set an IP address outside the Gateway subnet.
3. Notice no errors and commit is successful.

Impact:
Admin IP and Gateway for management route (/Common/default) not in a connected network.

Workaround:
Do not configure the IP and Gateway outside the management route.

Fix:
LCD no longer allows invalid configuration of mgmt IP (with gateway IP outside mgmt subnet).

628735-1 : Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles

Component: TMOS

Symptoms:
The Hardware SYN Cookie Protection field is not displayed in the GUI configuration screen for TCP/FastL4/FastHTTP profiles, despite hardware support for the feature existing on the
platform.

Conditions:
Configuring TCP/FastL4/FastHTTP profiles in the BIG-IP GUI.

This occurs on vCMP guests, on the 10350N, i5600, i5800, i7600, i7800, i10600, i10800 platforms, and on VIPRION systems using the B4450 or B4450N blades.

Impact:
The Hardware SYN Cookie Protection field is not displayed.

Workaround:
Use tmsh to set the Hardware SYN Cookie Protection field.

Fix:
The system no longer uses a static list of platforms that have an HSB as a basis for displaying the Hardware SYN Cookie Protection option in the GUI, so the field is shown as expected.

628687-2 : Edge Client reconnection issues with captive portal

Component: Access Policy Manager

Symptoms:
Edge Client stuck at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

Conditions:
Connect to APM through a captive portal.

Impact:
EdgeClient stuck at "Reconnecting".

Workaround:
None.

Fix:
Edge Client no longer hangs at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

628685-2 : Edge Client shows several security warnings after roaming to a network with Captive Portal

Solution Article: K79361498

Component: Access Policy Manager

Symptoms:
Network is blocked by a captive portal. Captive portal uses HTTPS. Periodic-session-check reports SSL certificate is not trusted because access to APM is redirected (to captive portal).

Conditions:
Create a VPN tunnel over WiFi.
Place the computer in sleep/hibernate.
Move to a new network with Captive Portal with SSL and resume from sleep/hibernate.

Impact:
Numerous security warnings.

Workaround:
None.

Fix:
Edge Client no longer shows several security warnings after roaming to a network with Captive Portal.

628623-1 : tmm core with AFM provisioned

Component: Advanced Firewall Manager

Symptoms:
tmm cores on the secondary blade while passing traffic.

Conditions:
This can occur intermittently with AFM provisioned while passing traffic, even if AFM is not in use.

Impact:
Traffic disrupted while tmm restarts.

628351-1 : Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled

Component: Advanced Firewall Manager

Symptoms:
When Proactive Bot Defense is enabled, requests to URLs with Path Parameters (URLs containing a semicolon ;) may get stuck on a redirect loop. This typically applies to URLs which do not respond with HTML content or to URLs with low traffic.

Conditions:
-- Proactive Bot Defense is enabled.
-- URLs use Path Parameters (containing the semicolon ; character).

Impact:
Clients cannot access the web server, getting caught in an infinite redirect loop.

Workaround:
None.

Fix:
Requests to URLs with ";" no longer get stuck in a redirect loop when Proactive Bot Defense is enabled.

628348-1 : Cannot configure any Mobile Security list having 11 records or more via the GUI

Component: Fraud Protection Services

Symptoms:
Any item added to a list with more than 10 records in Mobile Security section is ignored.

Conditions:
Provision FPS
License mobilesafe
add 11 records to a list

Impact:
User configuration may not be saved.

Workaround:
Use TMSH or Rest.

Fix:
GUI allows adding items to lists with more than 10 records.

628337-1 : Forcing a single injected tag configuration is restrictive

Component: Fraud Protection Services

Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.

Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.

Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.

Workaround:
Configure injected tags in a way which can applied to all URLs protected in a profile. If it is not possible due to some URL HTML structure, HTML must be modified.

Fix:
Injected tags configuration has been moved to the URL level.

628311-3 : Potential TMM crash due to duplicate installed PEM policies by the PCRF

Solution Article: K87863112

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash due to duplicate installed PEM policies by the PCRF.

Conditions:
- PEM enabled with Gx and Gy.
- PEM policies configured with Gy quota management.
- PCRF installs an already-installed policy against a subscriber.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Configure the PCRF to not install an already-installed policy against a subscriber.

Fix:
PEM now prevents PCRF from installing an already-installed policy against a subscriber.

628202-4 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging

Component: TMOS

Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.

Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".

Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.

Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.

Fix:
Prevented audit_forwarder from using more memory than it needs.

628164-3 : OSPF with multiple processes may incorrectly redistribute routes

Solution Article: K20766432

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.

OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.

628009-1 : f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800

Component: TMOS

Symptoms:
The f5optics functionality is not initialized on Herculon iSeries variants.

Conditions:
This occurs on the following Herculon iSeries platforms: HRC-i2800, HRC-i5800, HRC-i10800.

Impact:
None. No f5optics optics module database is presently provided for Herculon platforms. Herculon uses no optics modules that require tuning (e.g., 100G).

Workaround:
None.

Fix:
With the fix, if an optics module data base is provided via an f5optics install, f5optics will become operational on Herculon. An f5optics database will be provided if optics modules requiring tuning are ever used with Herculon.

627972-2 : Unable to save advanced customization when using Exchange iApp

Solution Article: K11327511

Component: Access Policy Manager

Symptoms:
When Policy created using Microsoft Exchange iApp script, Advanced Customization (usually of logon page) might fail with error similar to the following: 01020066:3: The requested Customization Template File (/Common/Exchange.app/exch_custom_logon_ag logon.inc) already exists in partition Common.

Conditions:
Usually: HA Pair, iApp exchange created profile, in general any advanced customization where name not equals customization_group_name:filename is affected.

Impact:
Unable to edit advanced customization, functionality is unaffected.

Workaround:
edit bigip.conf
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
    templates {
        logon.inc {
            name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
        }
    }
}
change
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
to customizaton_group_name:filename i.e.

name /Common/Exchange_2010.app/exch_custom_logon_ag:logon.inc

Fix:
Can now save advanced customization when using Microsoft Exchange iApp.

627961-3 : nic_failsafe reboot doesn't trigger if HSB fails to disable interface

Component: TMOS

Symptoms:
The HSB driver attempts a nic_failsafe in the case of failing to disable the interface.

Conditions:
The driver disables nic_failsafe prior to triggering the nic_failsafe. This is in hsb_ifdown_go_dead.

Impact:
TMM may restart continuously resulting in interfaces bouncing constantly.

Workaround:
Reboot the device.

Fix:
This release fixes issues where nic_failsafe reboot did not happen on HSB failures.

627916-1 : Improve cURL Usage

Solution Article: K81601350

627914-1 : Unbundled 40GbE optics reporting as Unsupported Optic

Component: TMOS

Symptoms:
When a 40G interface is configured "bundle disabled" the optic module in use on the interface will be declared as an "Unsupported optic" module even though the optic module is F5 branded.

Conditions:
Using unbundled 40GbE optics.

Impact:
This is a cosmetic problem. The interface is able to function as intended.

Workaround:
No workaround, problem is cosmetic.

Fix:
The fix for the defect results in no longer declaring an otherwise supported optics module as unsupported when bundling is configured disabled on the interface.

627907-1 : Improve cURL usage

Component: Advanced Firewall Manager

Symptoms:
In some cases, cURL usage within AFM does not comply with standards.

Conditions:
AFM active and configured to use external credentials

Impact:
Non-compliant cURL usage

Fix:
Improve cURL usage

627898-2 : TMM leaks memory in the ECM subsystem

Component: TMOS

Symptoms:
TMM leaks memory in the ECM subsystem.

Conditions:
This issue occurs when the user has imported one or more SSL certificates onto the system and named them in such a way that the "ca-bundle.crt" string appears in their names. For example, "my-ca-bundle.crt". With this configuration in place, TMM leaks memory each time the configuration is modified.

Impact:
TMM will run out of free memory. This will initially impact traffic and could eventually lead to TMM crashing. Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue by renaming your SSL certificates so that their names don't contain the "ca-bundle.crt" string.

Fix:
TMM no longer leaks memory in the ECM subsystem.

627798-3 : Buffer length check for quota bucket objects

Component: Policy Enforcement Manager

Symptoms:
For quota bucket (Rating Groups) object, BIG-IP allocates a large buffer locally, and doesn't expect it to be over-run as the objects are expected to be smaller

Conditions:
Any quota bucket objects which are being inserted in PEM database

Impact:
For quota bucket objects which are in PEM database, the buffer is usually large enough, so there should not be any impact. But if the quota bucket ever gets larger, then potential corruption of the quota bucket information could occur. This could trigger a tmm core. Traffic disrupted while tmm restarts.

Workaround:
quota bucket with fewer rules

627747-1 : Improve cURL Usage

Solution Article: K20682450

627574-1 : After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.

Component: Local Traffic Manager

Symptoms:
If a BIG-IP system has Local Traffic Policies defined in a non-Common partition, and the system is upgraded to version 12.1.0, 12.1.1, or 12.1.2, attempting to create a new draft of the policy by selecting "Create Draft" will fail and give an error message similar to:

err mcpd[8140]: 01070734:3: Configuration error: Can't associate policy rule (/Partition1/Drafts/policy_name policy_name_policy_rule) folder does not exist

Conditions:
A system is upgraded to version v12.1.x with Local Traffic Policies in a non-default partition.

Impact:
You cannot modify existing Local Traffic Policies.

Workaround:
Manually create a 'Drafts' folder in the appropriate partition, e.g.:

tmsh create sys folder /Partition1/Drafts

Alternately, create a new (different) policy in the specified partition, and then delete it. Doing this has a side-effect of creating the Drafts folder.

627433-1 : HSB transmitter failure on i2x00 and i4x00 platforms

Component: TMOS

Symptoms:
On the BIG-IP i2x00 and i4x00 platforms, tmm enters an infinite 'restart' loop after a 'bigstart restart' or 'bigstart restart tmm' command if traffic is actively flowing through the TMM. This is the result of an HSB transmitter failure.

Conditions:
Traffic actively flowing through the tmm and you issue 'bigstart restart' or 'bigstart restart tmm'.

Another instance occurs when syncing the datasync-global-dg device-group for an HA configuration on iSeries platforms.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure all traffic is stopped before issuing the 'bigstart restart' or 'bigstart restart tmm' commands.

Set HSB::failures_before_reset in /config/tmm_init.tcl to a high value, such as 1000 (default is 50) may resolve the issue, depending on the conditions this issue occurred.

Fix:
TMM restart loop no longer occurs following 'bigstart restart' on i2x00 and i4x00 platforms.

627403-2 : HTTP2 can can crash tmm when stats is updated on aborting of a new connection

Component: Local Traffic Manager

Symptoms:
HTTP2 allocates a block of memory for collecting stats on a connection. If the connection is aborted for any reason, tmm may try to update stats prior the memory is allocated.

Conditions:
HTTP2 profile is configured and assigned to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
A fix stops HTTP2 from accessing stats prior memory is allocated preventing TMM crash for this reason.

627360-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★

Component: Application Security Manager

Symptoms:
These errors come up in asm log, upon first start after upgrade:
-------------------------
2016-11-02T08:33:09-06:00 localhost notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
Nov 2 08:35:34 c5af5ltm1b info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
Nov 2 08:36:03 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script launched
Nov 2 08:36:17 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script finished
Nov 2 08:36:23 c5af5ltm1b info asm_start[19802]: ASM config loaded

Nov 2 08:37:40 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

Nov 2 08:38:33 c5af5ltm1b info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
ASM provisioned
Local request logging enabled
Upgrade of a maintenance release, HF or EHF

Impact:
Upgrade fails

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) do not load a Request Log, when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never

2) do not save a Request Log, when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

627279-2 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
tmm on a blade may crash during a CMP and PEM change.

Conditions:
Multi-blade chassis undergoing a CMP state change. Additionally requires PEM policy changes resulting in usage record updates.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an HA pair and have the active chassis fail over during a CMP state change. Allow for the new stand by chassis to complete its CMP state change activity.

Fix:
Handle sessionDB failures gracefully.

627257-2 : Potential PEM crash during a Gx operation

Component: Policy Enforcement Manager

Symptoms:
Tmm may core during a Gx operation

Conditions:
Requires a PEM virtual with Gx, Sd or Gy enabled. This occurs when tmm starts.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Perform proper validation checks as part of API processing.

627246-1 : TMM memory leak when ASM policy configured on virtual server

Solution Article: K09336400

Component: Local Traffic Manager

Symptoms:
TMM memory leak in hud_oob when ASM policy configured on virtual server.

Conditions:
-- ASM policy is configured on a virtual server.
-- URL access via the virtual server.

Impact:
System leaks 64 bytes of memory. TMM might run out of memory and eventually crash.

Workaround:
None. But disabling ASM policy configuration on the virtual server can alleviate the problem.

Fix:
A memory leak in hud_oob when ASM policy configured on virtual server has been fixed.

627214-3 : BGP ECMP recursive default route not redistributed to TMM

Component: TMOS

Symptoms:
ECMP recursive routes are not properly redistributed to TMM, resulting in an incorrect routing table.

Conditions:
Dynamic routing configured with multiple equal cost paths reachable through a recursive nexthop.

Impact:
Packets are not routed to all ECMP nexthops.

Workaround:
None.

Fix:
ECMP routes with a recursive nexthop are now used correctly by TMM.

627203-1 : Multiple Oracle Java SE vulnerabilities

Solution Article: K63427774

627117-1 : crash with wrong ceritifcate in WSS

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
Web services security is turned on.
a bad / wrong / missing certificate is attached.

Impact:
Traffic drop until the BD is back (or failover).

Workaround:
The workaround would be to fix the attached certificate.

Fix:
Fix an issue with wrong certificates.

627059-1 : In some rare cases TMM may crash while handling VMware View client connection

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
VMware View client uses PCoIP to connect to backend via APM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed rare TMM crash during handling of VMware View client PCoIP connection

626910-1 : Policy with assigned SAML Resource is exported with error

Component: Access Policy Manager

Symptoms:
If Access Profile's Access Policy has saml resource assigned export is failing with error.

Conditions:
1. Access profile/access policy
2. Saml resource is assigned

Impact:
Unable to Export Policy

Fix:
Work order is restored

626851-2 : Potential crash in a multi-blade chassis during CMP state changes.

Solution Article: K37665112

Component: Policy Enforcement Manager

Symptoms:
CMP state change can result in a blade crash.

Conditions:
CMP state change with a PEM profile enabled on a virtual. The former can be triggered using a TMM restart/unrelated crash, blade insertion or blade administrative state change.

Impact:
Blade crash resulting in potential loss of service.

Workaround:
Deploy PEM in an HA-pair with a chassis fail over configured to occur if at most one blade on the active chassis fails.

Fix:
The system now gracefully handles sessionDB errors due to a CMP state change.

626839 : sys-icheck error for /var/lib/waagent in Azure.

Component: TMOS

Symptoms:
On a BIG-IP deployed in Azure cloud, sys-icheck reports readlink error for /var/lib/waagent directory as following:

ERROR: ....L.... /var/lib/waagent

Conditions:
BIG-IP deployed in Azure cloud.

Impact:
sys-icheck reports "rpm --verify" errors for /var/lib/waagent. This doesn't have any functional impact on the product but looks like factory RPM settings were modified externally and incorrectly.

Workaround:
No workaround exists for this issue.

Fix:
sys-icheck error for /var/lib/waagent in Azure.

626721-5 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart

Component: TMOS

Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain errors messages similar to:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342

Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.

Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).

Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.

Fix:
Prevented the command "tmsh reset-stats auth login-failure <username>" from restarting mcpd instances on secondary blades when <username> is an unknown user. The bad command is intercepted at the primary blade and is dealt with there.

626596 : Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.

Component: TMOS

Symptoms:
Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections' instead of 'Assisted Connections'.

Conditions:
-- Running vCMP.
-- System provides hardware acceleration.
-- Statistics :: Analytics :: Hardware Acceleration menu.

Impact:
Spelling of 'Assited' instead of the expected 'Assisted'.

Workaround:
N/A

Fix:
Changed spelling of 'Assited' to 'Assisted'.

626542-2 : Unable to set maxMessageBodySize in iControl REST after upgrade★

Component: Device Management

Symptoms:
After upgrading and attempting to set maxMessageBodySize via iControl REST, you get an error indicating the command is not implemented:

{"code":400,"message":"onPut Not implemented","originalRequestBody":"{\"maxMessageBodySize\": \"111111111\"}","referer":"127.0.0.1","restOperationId":216941,"kind":":resterrorresponse"}

Conditions:
This occurs when upgrading from v11.6.1 to v12.1.0, v12.1.1,or v12.1.2, and applying the UCS from the 11.6.1 release. The error is generated because new defaults were added but they are not set on UCS restore.

Impact:
Command fails, unable to set maxMessageBodySize.

Workaround:
If you encounter this after an upgrade and UCS restore, you can run the following commands from the BIG-IP command line:

1. curl -X DELETE http://localhost:8100/shared/storage?key=shared/server/messaging/settings/8100.
2. bigstart restart restjavad.

Fix:
You can now set maxMessageBodySize via iControl REST after upgrading.

626438-1 : Frame is not showing in the browser and/ or an error appears

Component: Advanced Firewall Manager

Symptoms:
frame going blank when ASM policy enabled. this will trigger the following JS error in clients console:
Uncaught TypeError: Cannot read property '3' of undefined

Conditions:
Asm policy enabled. Device id is enabled theough one of the supporting features

Impact:
Site not operating correctly.

Workaround:
N/a

Fix:
Fixed device id javascript issue that prevented a frame from being displayed .

626434-6 : tmm may be killed by sod when a hardware accelerator does not work

Component: Local Traffic Manager

Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod), when the Cavium hardware accelerator does not come back after the reset from the driver.

Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Power cycling the system might correct the error.

Fix:
The system now prints out an error message in the log file, improving the way tmm handles the failure.

626386-1 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled

Solution Article: K28505256

Component: Local Traffic Manager

Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service, and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment - part of the CertificateVerify message - as a new record, incorrectly calculates its length and ends up waiting endlessly for more bytes to receive the record.

Conditions:
When SSL persistence is enabled and a large-sized client
certificate is sent by the SSL client to the BIG-IP device.

Impact:
Client connection hangs during the handshake. No impact to any other module.

Workaround:
Disable SSL persistence.

Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.

626360 : TMM may crash when processing HTTP2 traffic

Solution Article: K22541983

626311-2 : Potential failure of DHCP relay functionality credits to incorrect route lookup.

Solution Article: K75419237

Component: Local Traffic Manager

Symptoms:
DHCP requests from client to server may not make it through.

Conditions:
-- BIG-IP system configured as a DHCP relay.
-- Input variable (flow_key) incorrectly initialized.

Impact:
Clients might not get an IP address from the DHCP server.

Workaround:
None.

Fix:
Input variable (flow_key) is initialized properly to prevent a potential route-lookup failure.

626141-3 : DNSX Performance Graphs are not displaying Requests/sec"

Component: Global Traffic Manager

Symptoms:
The DNSX Performance graphs have a X and Y axis of Requests/second but the data actually shows total requests.

Conditions:
Always.

Impact:
The data displayed in the graph is not correct.

626106-3 : LTM Policy with illegal rule name loses its conditions and actions during upgrade★

Component: Local Traffic Manager

Symptoms:
BIG-IP version 12.0.0 introduced more strict checking on the characters allowed in policy and rule names, and it also introduced an auto-migration feature to convert any disallowed characters to an underscore (_). Allowed characters in policy and rule names are:
A-Z a-z 0-9 . / : % -
Spaces are allowed between these characters.

When there is a pre-v12.0 Policy that contains an illegal character, the rule has each illegal character converted to a legal one. But conditions and actions, which are joined to the rule by name were not similarly adjusted. After migration, LTM Policy rule does not have any conditions or actions referring to its new name.

Conditions:
- Pre-v12.0 BIG-IP
- Policy and/or rule names contain illegal characters like: * < > ( ) [ ]
- Upgrade to v12.0 or later

Impact:
Policy rule name is changed, illegal characters converted to benign underscore (_). The upgraded configuration will load successfully, but the Rule's associated conditions and actions are not changed, and still point to the policy by its former name, effectively becoming orphaned. Inspecting rule using UI or tmsh shows conditions and actions missing.

Workaround:
The bigip.conf file can be manually edited to fix illegal characters and configuration reloaded.

625860-2 : Improved handling of crypto hardware decrypt failures on B4450 platform.

Solution Article: K55102452

625832-4 : A false positive modified domain cookie violation

Component: Application Security Manager

Symptoms:
An unexpected modified domain cookie violation on system that has more than 127 policies configured.

Conditions:
This occurs when more than 127 policies are configured. The violation modified domain cookie is turned on and there are enforced cookies.

Impact:
A false positive violation.

Workaround:
Remove the modified domain cookie violation from blocking.

Fix:
Fixed a false positive modified domain cookie violation.

625824-1 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, that causes swap space to increase continuously and might lead to exhaustion of swap space

Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem

Impact:
iControlPortal.cgi memory increases

Workaround:
Restart httpd to reload the iControl daemon.

Fix:
Fixed a memory leak associated with iControl

625784 : TMM crash on BigIP i4x00 and i2x00 with large ASM configuration.

Component: TMOS

Symptoms:
With large ASM configurations (50 virtual servers, 50 ASM policies), TMM will continuously crash on boot-up or restart.

Conditions:
Large ASM configurations (50 virtual servers, 50 ASM policies).

Impact:
TMM continuously crashes and restarts, system is unusable.

Workaround:
None

Fix:
None

625783-1 : Chassis sync fails intermittently due to sync file backlog

Component: Application Security Manager

Symptoms:
Chassis sync may fail intermittently if policies are changed and applied in a short interval.

Conditions:
Policies are changed and applied in a short interval on a chassis platform.

Impact:
Disk partition /var may fill up and synchronized changes may not appear on secondary blades.

Fix:
ASM configuration sync on chassis platform now works more reliably.

625703-2 : SELinux: snmpd is denied access to tmstat files

Component: TMOS

Symptoms:
When a custom SNMP MIB is created by using Tcl scripts or other methods, the snmpwalk will fail to access the created MIB data.

Conditions:
Custom created MIBs.

Impact:
Access to that MIB is denied.

Workaround:
None.

Fix:
When a custom SNMP MIB is created by using a Tcl scripts or other methods, the snmpwalk no longer fails to access the created MIB data.

625671-4 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provide incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver, will allow dnsxdump to work again after the next zone transfer.

Fix:
dnsxdump handles non-standard resource record types.

625542-1 : SIP ALG with Translation fails for REGISTER refresh.

Component: Service Provider

Symptoms:
SIP-MBLB-ALG-Translation mode doesn't translate SIP REGISTER refresh message when arriving on the original flow.

Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.

Impact:
SIP Register message egressed will not have translation applied i.e. the CONTACT and VIA header will not be translated.

Workaround:
None

Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.

625474-1 : POST request body is not saved in session variable by access when request is sent using edge client

Component: Access Policy Manager

Symptoms:
POST body sent by Edge Client is not saved in the session db session variable by access hudfilter.

Conditions:
- Configure BIG-IP as SAML Service Provider. To simplify reproduction change Access Policy execution timeout to few seconds.
- Use Edge Client to connect to BIG-IP.
- Saml Agent will redirect user for authentication to IdP
- Wait for few seconds for access policy to time out on BIG-IP.
- Enter credentials/complete authentication on IdP
- User will be redirected back to BIG-IP as SP. At this moment APM will create a new session, and will evaluate access policy again.

Impact:
SAML Agent will now fail with the following error:
SAML Agent: <AgentNameHere> cannot find assertion information in SAML request

Workaround:
Removing the ‘Origin’ header from the request with iRule does fix the issue, and the POST body becomes available to access hudfilter.

Fix:
Check for receipt of HUDEVT_REQUEST_DONE before falling through from EV_ACCESS_TCL_COMPLETION to EV_ACCESS_REQUEST_DONE in client wait for request body to ensure proper storage of POST request body in sessiondb.

625456-5 : Pending sector utility may write repaired sector incorrectly

Component: TMOS

Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.

When a pending sector is repaired, a message similar to the following is logged to :
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)

For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements

Conditions:
This may occur on BIG-IP appliances or VIPRION blades which contain hard disks which use 4096-byte physical sectors.

Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades

Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.

The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:

# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device

# smartctl -i /dev/sda | grep "Sector Size"

Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical

Not Affected:
Sector Size: 512 bytes logical/physical

Impact:
Potential corruption of unknown files on BIG-IP volumes.

625372-5 : OpenSSL vulnerability CVE-2016-2179

Solution Article: K23512141

625275-1 : Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI

Component: Fraud Protection Services

Symptoms:
When trying to add URL parameters containing square brackets "[]" in FPS GUI >> URL the parameters name become "0". If trying to modify, the parameters are not saved.

Conditions:
Provision FPS
Create URL

Impact:
FPS GUI

Workaround:
via tmsh, an example:

tmsh modify security anti-fraud profile criteria urls modify { /xml.php { parameters add { "mouse\[2]" } } }

Fix:
It is now possible to add parameters containing square brackets in FPS GUI.

625221-5 : Support for overriding SPDAG address bit selection and L1 buckets on P8

Component: TMOS

Symptoms:
Traffic is highly imbalanced among TMMs in the chassis when using SPDAG (cmp-hash src-ip/dst-ip).

Conditions:
When using SPDAG (cmp-hash src-ip/dst-ip), the P8 DAG uses a subset of the bits of IPv4/IPv6 addresses. Traffic may not have enough entropy in the selected bits to be able to distribute evenly among the TMMs in the chassis.

Impact:
With traffic being imbalanced, a small group of TMMs in the entire chassis may be overloaded. The high load may cause a failover. The new active peer will be hit with the same traffic imbalance.

Workaround:
If the environment can control the allocation of remote IP addresses, allocate IP addresses with more entropy in the bottom 16 bits.

Fix:
The DB variable "dag.config" may be used to override the P8 DAG's address bit selection. The DB variable modifies low-level internals of the P8 DAG which are not published. This interface shouldn't be used generally by customers. The intention is that PD can craft a suitable config from sample traffic. Finding a good config is not straight forward.

625198-1 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the below are required to see this behavior:

DSACK is enabled

MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.

cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.

an iRule exists that changes any of the conditions above besides DSACK.

various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.

Fix:
TCP maintains state appropriately to avoid crash.

625172-1 : tmm crashes when classification is enabled and ftp traffic is flowing trough the box

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification profile attached to the virtual server
2. ftp traffic flows through the system
3. complex configuration with iRules and multiple modules enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
remove classification profile from the virtual server

Fix:
Incorrect memory management in one of classification matching mechanisms led to a crash.

625159-1 : Policy sync status not shown on standby device in HA case

Component: Access Policy Manager

Symptoms:
After policy sync, policy sync statuses are not shown in admin GUI on standby device in a failover device group.

Conditions:
- Create a failover device group whose members are in a bigger sync-only device group for policy.
- Initiate a policy sync from an active device
- Check policy sync stats on standby device

Impact:
It does not affect sync functionality and user still can see the sync status on an active device.

Workaround:
Check sync status on an active device in the group.

Fix:
User will be able to see the sync statuses on a standby device, including itself as well as the list of devices in the whole sync-only group where sync is performed.

625106-2 : Policy Sync can fail over a lossy network

Component: Local Traffic Manager

Symptoms:
Policy Sync fails.

Conditions:
BIG-IPs are connected over a lossy link.

Impact:
HA redundancy fails.

Workaround:
tmsh modify sys db TM.TCPProgressive.AutoBufferTuning value disabled

Fix:
Change configuration as described.

625098-3 : SCTP::local_port iRule not supported in MRF events

Component: Service Provider

Symptoms:
SCTP::local_port iRule not supported in MRF events

Conditions:
If MRF events are used, such as MR_INGRESS, MR_EGRESS and MR_FAILED events are used.

Impact:
SCTP::local_port won't work under MR events.

Fix:
After the fix, SCTP::local_port iRule will be supported in MRF events.

625085 : lasthop rmmod causes kernel panic

Component: TMOS

Symptoms:
If someone attempts to unload the lasthop kernel module, it will cause a kernel panic.

Conditions:
Attempting to unload the lasthop kernel module.

Impact:
The system reboots.

Workaround:
Avoid running the following command:

# rmmod lasthop

Fix:
The lasthop kernel module should never be unloaded. The system now prevents the lasthop kernel module from being unloaded, so no kernel panic occurs.

624966-2 : Edge client starts new APM session when Captive portal session expire

Component: Access Policy Manager

Symptoms:
When a Captive portal session expires during Network Access,
Edge-Client shows the Captive portal Authentication page. If the user doesn't authenticate for some amount of time (30-60sec) the Edge Client tries to disconnect the current session. When the user successfully authenticates, Edge Client starts new APM session instead of waiting until the user authenticates on Captive page.

Conditions:
This can occur when Captive portal is configured and the session expires.

Impact:
The Edge Client starts a new session when it should re-use the existing session.

624903-6 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.

Solution Article: K55102452

624876-1 : Response Policy Zones can trigger even after entry removed from zone

Component: Global Traffic Manager (DNS)

Symptoms:
If an entry (resource record) is removed from a response policy zone it is possible that it may still trigger as a match for RPZ.

Conditions:
-- An RPZ zone contains an entry, for example badzone.example.com.
-- That entry is subsequently removed.

Impact:
The badzone.example.com entries will continue to be blocked by RPZ, even though the item has been removed.

Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin and restart the system using the following command: bigstart restart zxfrd.

This recreates the databases without the remnants of the deleted entries.

Fix:
The deleted entries are now properly handled and no longer trigger incorrect matches.

624831-2 : BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps

Component: TMOS

Symptoms:
tmm crashes while using Bandwidth Control (BWC) dynamic policies.

Conditions:
max-user-rate is set at 2gbps or higher.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Use a maximum of 1gbps for dynamic BWC policy max-user-rate.

Fix:
tmm crashes while using Bandwidth Control (BWC) dynamic policies with max-user-rate set at 2gbps or higher.

Behavior Change:
no

624826-2 : mgmt bridge takes HWADDR of guest vm's tap interface

Component: TMOS

Symptoms:
MGMT interface becomes unreachable and stops responding to traffic. Whenever guest is in provisioned state MAC address assigned to mgmt is correct (taken from base MAC). Whenever guest is in deployed state MAC address on host mgmt interface changes and is exactly the same as mgmt_vm_tap MAC.

Conditions:
The platform shipped with a "low" F5 base_mac

A Linux bridge by default takes as its mac the lowest mac of its constituent interfaces. This did not cause a problem before because F5 Networks systems' baseMacs have historically been "low", e.g., with legacy_baseMacs in {00:01:D7, 00:0A:49, 00:23:E9}.

When a guest tap interface is added to the mgmt bridge, the bridge takes its Linux default action, which is to take as its mac the lowest mac address of its constituent interfaces. With the comparison min(eth0's mac, guestTap's mac) returning guestTap's mac, the mgmt bridge incorrectly assumes a guestTapIntfc mac.

Impact:
Connectivity to the vCMP host platform is lost when the guest is deployed.

Workaround:
Use ifconfig to ensure that the mac address of the mgmt bridge never changes from eth0. For example, the following command sets as the mac of this bridge, the value passed in Mac.

ifconfig <bridgeName= mgmt> hw ether <Mac of Eth0>

Note: This assumes that eth0 will always be contained in the mgmt bridge.

Fix:
The system now uses ifconfig to assign the mac of interface eth0 to bridge mgmt.

624805-1 : ILX node.js process may be restarted if a single operation takes more than 15 seconds

Component: Local Traffic Manager

Symptoms:
There is an ILX node.js process restart that occurs, conditional on the code and operations of the node.js process. The restart occurs when one specific operation (code path in your node.js app) takes longer than 15 seconds to complete.

Conditions:
-- Running ILX with a node.js RPC or streaming setup.
-- A single operation takes more than 15 seconds.

Impact:
Connflow is dropped, traffic processing for the flows handled by that process stops until it restarts fully.

Workaround:
To work around this issue, you can time yourself in your node.js app, to either make sure operations complete within the timeframe, or determine where operations exceed the 15 second limit and rework the code so that operations complete within 15 seconds.

Fix:
There is no longer a time restriction on a single operation.

624744-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added prior to calling a callback for asynchronous handling.

624733-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added to facilitate a graceful failure during asynchronous handling.

624692-3 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying

Component: TMOS

Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.

Conditions:
Certificate with multi-byte encoded strings.

Impact:
Unable to view certificate list page or view certificate information via iControl/REST.

624616-1 : Safenet uninstall is unable to remove libgem.so

Component: Local Traffic Manager

Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:

rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.

Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.

Impact:
Uninstall is unable to complete.

Workaround:
None.

Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.

624570-1 : BIND vulnerability CVE-2016-8864

Solution Article: K35322517

624526-3 : TMM core in mptcp

Solution Article: K10002335

624457-5 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Solution Article: K10558632

624370-1 : tmm crash during classification hitless upgrade if virtual server configuration is modified

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification hitless upgrade is triggered
2. pending (not saved) changes on any of the virtual servers

Impact:
Traffic disrupted while tmm restarts.

Fix:
Change of virtual server configuration triggers new library to be loaded during upgrade which wasn't expected by hitless upgrade mechanism and led to tmm crash. This is fixed in versions starting with 12.1.2.

624361-1 : Responses to some of the challenge JS are not zipped.

Component: TMOS

Symptoms:
Performance is affected on the JS challenge.

Conditions:
The following is turned on in the application dos configuration :
CS challenge, or PBD challenge when Suspicious browsers are disabled or the Device-ID challenge.

Impact:
1. These responses consume more CPU and more Bandwidth than needed.
2. Client-side latency is degraded.
3. More disk space is utilized than needed

Workaround:
None.

Fix:
Some of the JS challenge have better performance now.

624263-4 : iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.

624228-1 : Memory leak when using insert action in pem rule and flow gets aborted

Component: Policy Enforcement Manager

Symptoms:
Memory keeps increasing in PEM after several hours of live service.

Conditions:
Insert action in pem rule and response spawning multiple segments. Connection gets aborted midway.

Impact:
Connections can get reset once memory usage increases beyond threshold

Fix:
free xfrags when aborting flows

624198-1 : Unable to add multiple User-Defined alerts with the same search category

Component: Fraud Protection Services

Symptoms:
Adding 2 or more User-Defined alerts causes to DB exception error.

Conditions:
Provision FPS
Malware Detection license

Add multiple User-Defined alerts with the same "Search In" category.

Impact:
Can impact detection of certain malware.

Workaround:
Adding single record each time.
Use TMSH or Rest.

Fix:
GUI allows adding multiple User-Defined alerts of the same search category.

624193-2 : Topology load balancing not working as expected

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.

Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.

Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.

Workaround:
Topology records and pools can be configured to avoid the conditions which cause the condition.

Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.

624155-2 : MRF Per-Client mode connections unable to return responses if used by another client connection

Component: Service Provider

Symptoms:
When an outgoing connection is created in per-client mode, that connection is exclusively for use by the client whose message was routed to the destination. All messages (response or requests) received by the server are automatically forwarded to the client. The messages received from the server are forwarded to the original connection from the client (even if it has been closed).

Conditions:
The connection from the client closes and the client connects again.

Impact:
Messages from the new client connection will be routed using the previously created outgoing connection. But messages received from the server will be forwarded to the original connection from the client which is closed. These message will fail to be delivered.

Workaround:
None.

Fix:
When message arrive from a new client connection, the outgoing connection will be to forward messages received from the server to the new connection.

624023-3 : TMM cores in iRule when accessing a SIP header that has no value

Component: Service Provider

Symptoms:
When used an iRule to access a SIP header attribute with no value, TMM cores.

Conditions:
Use iRule to access the value of SIP message header attribute with no value.
Eg:
"Supported: " IEOL
"Session-Expires:" IEOL

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.

Fix:
Fix includes adjusting the buffer offset properly to handle the empty header attributes while parsing the SIP message.

623940-3 : SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello

Component: Local Traffic Manager

Symptoms:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

The ltm error log message looks like:
*****************************************************
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260026:4: No shared ciphers between SSL peers 10.1.6.50.36563:10.1.6.15.443.
*****************************************************

Conditions:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

Impact:
SSL Handshake fails.

623930-3 : vCMP guests with vlangroups may loop packets internally

Component: TMOS

Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.

Conditions:
vCMP guest, vlangroups.

Impact:
High CPU utilization and potentially undelivered packets.

Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.

Fix:
Packets are no longer looped between vlangroup children on vCMP guests.

623927-2 : Flow entry memory leaked after DHCP DORA process

Solution Article: K41337253

Component: Policy Enforcement Manager

Symptoms:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is not freed.

Conditions:
Run the DHCP DORA process through BIG-IP (in relay mode or forwarding mode, and wait for client connection flow entry ages out.

Impact:
The system leaks flow entry memory. Over a long period of time, system memory will eventually run out.

Workaround:
None.

Fix:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is now freed, so no memory leak occurs.

623922-5 : TMM failure in PEM while processing Service-Provider Disaggregation

Solution Article: K64388805

Component: Policy Enforcement Manager

Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.

Conditions:
System crashes when traffic flows and rules get executed on the flow.

Impact:
System crashes.

Workaround:
Set Service-Provider Disaggregation to sp as suggested by documentation.

Fix:
There is no longer a TMM failure in PEM while processing Service-Provider Disaggregation.

623885-4 : Internal authentication improvements

Solution Article: K41107914

623562-3 : Large POSTs rejected after policy already completed

Component: Access Policy Manager

Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64k. Client will see a reset, and these error messages will appear on the BIG-IP:

/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big

/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960

Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.

Impact:
Clients are unable to send POST bodies to '/' that are larger than 64kb, even though the policy has already been evaluated to allow.

Workaround:
Move the resource from '/' to another URL.

Fix:
The logic of '/' in this area was changed to be consistent with other URLs.

623518-1 : Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition

Component: Fraud Protection Services

Symptoms:
If a profile is assigned to a user-defined partition, it is not possible to add users to User Enforcement list.

Also, if a user-defined partition is selected, the GUI will not display a message if a there are available signatures/engine updates.

Conditions:
Provision and license FPS.
Create user-defined partition.

Impact:
You are unable to manage the profile in the user-defined partition.

Workaround:
Use tmsh to add users.

Fix:
Users can be added to User Enforcement list and a message will be displayed if a new update is available.

623491-2 : After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.

Component: Policy Enforcement Manager

Symptoms:
The BWC action against a rule is lost and the traffic flow is capped at the maximum bandwidth configured in the BWC policy.

Conditions:
A flow should be associated with a PEM rule that has atleast a BWC action along with a Gx reporting action.

Impact:
The traffic flow is not capped by the correct BWC action, instead it is capped by the maximum configured bandwidth in the BWC policy.

Fix:
The BWC policy is restored correctly after a policy update.

623401-1 : Intermittent OCSP request failures due to non-optimal default TCP profile setting

Component: TMOS

Symptoms:
The connection between BIG-IP and OCSP responder is not reliable since it uses the default internal TCP configuration which doesn't fit the usage well.

Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.

Impact:
The BIG-IP as a SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added in the Server Hello message in the TLS handshakes to the SSL client.

Workaround:
The fix proposed an optimal TCP configuration used by the connection between BIG-IP and OCSP responder which makes the connection reliable now. Therefore the virtual server can now always correctly staple the certificate status in the Server Hello message to the SSL client.

623391-5 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★

Component: TMOS

Symptoms:
cpcfg fails with errors similar to:

Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Use cpcfg for a UCS that is larger than free space on root filesystem of target volume set.

Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size

Workaround:
Run the below to fix /etc/mtab on target (HD1.3 is used in this example; substitute the correct target volume) before cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3

Fix:
cpcfg could incorrectly calculate the amount of free space required, refusing to do the copy unless the / filesystem on the target volume had sufficient space to do the copy (not taking into account /config, /usr, /var, and other filesystems). This has been resolved and this free space calculation is done correctly.

623336-4 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★

Component: TMOS

Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.

Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)

Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions.

This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

Fix:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.

623119 : Linux kernel vulnerability CVE-2016-4470

Solution Article: K55672042

623093-1 : TIFF vulnerability CVE-2015-7554

Solution Article: K38871451

623055-1 : Kernel panic during unic initialization

Component: TMOS

Symptoms:
During system initialization, the kernel panics during unic initialization.

Conditions:
This can occur on BIG-IP Virtual Edition if an error (on memory allocation, io etc.) occurs during unic initialization.

Impact:
The kernel panics, system will not boot.

Fix:
Initialize resources to fail gracefully on error.

623037-2 : delete of pem session attribute does not work after a update

Component: Policy Enforcement Manager

Symptoms:
it will not be possible to delete the session attribute through rules.

Conditions:
rules with session attribute update & delete

Impact:
unable to delete session attribute

623023-1 : Unable to set DNS Topology Continent to Unknown via GUI

Component: Global Traffic Manager (DNS)

Symptoms:
No option in dropdown menu to select Unknown Continent when configuring DNS Topology Record via GUI. Existing Topology Records will be displayed as "Continent is", instead of "Continent is Unknown".

Conditions:
Attempting to configure a DNS Topology Record via the GUI.

Impact:
Unable to set the Continent field to 'Unknown' via GUI.

Workaround:
Set the continent via tmsh using the command `create gtm topology ldns: continent -- server: continent --`

Fix:
The dropdown menu now has an option to select an "Unknown" Continent.

622913-2 : Audit Log filled with constant change messages

Component: Application Security Manager

Symptoms:
Frequent changes by Policy Builder fill the audit log too quickly and can affect viewing the Security Logs:

Error 502 Bad Gateway when clicking "Application Security" logs

Conditions:
Frequent Policy Builder changes occur and no ASM device group is configured.

Impact:
Disk space usage and errors viewing the Application Security logs

Workaround:
Workarounds:
1) Turn off "Recommend Sync when Policy is not applied". (Security ›› Options : Application Security : Preferences)

2) Enable ASM sync on a device group.

Fix:
Updates to the audit log are throttled at max 1/minute.

622877-1 : i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away

Component: TMOS

Symptoms:
Messages like the following in /var/log/ltm:

Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface: 6.0 transmit power too low alarm. Transmit power:0.0515 mWatts
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 transmit power too low alarm cleared
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 receive power too low alarm cleared
'

Conditions:
i2000 or i4000 series appliances with DDM enabled and a reboot or restart of the pfmand daemon

Impact:
No functional impact, these are not valid DDM alarms or warnings.

Workaround:
Ignore DDM errors that clear right away after powerup or pfmand restart.

Fix:
During DDM initialization clear any alarms or warnings cached in the hardware registers.

622856-1 : BIG-IP may enter SYN cookie mode later than expected

Component: Local Traffic Manager

Symptoms:
BIG-IP entry to SYN cookie mode may not occur even though traffic pattern would dictate that it should.

Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.

Impact:
BIG-IP does not enter SYN cookie mode at the expected time.

Workaround:
Disable verified accept on all VIP TCP profiles.

Fix:
BIG-IP correctly enters SYN cookie mode when traffic pattern
dictates that it should.

622790-1 : EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP

Component: Access Policy Manager

Symptoms:
Edge Client takes a lot of time to disconnect when machine is moved to network with no connectivity to BIG-IP

Conditions:
* VPN is established
* Machine is moved to different network (with no BIG-IP) connectivity
* EdgeClient stays in "Disconnecting..." state for few minutes

Impact:
User have to wait until Disconnect procedure is complete

Fix:
Now Edge Client uses 5000msec timeout in order to complete logout HTTP request. This is enough in normal conditions

622735 : TCP Analytics statistics does not list all virtual servers

Component: Application Visibility and Reporting

Symptoms:
In "Statistics :: Analytics : TCP", displaying the stats by virtual server will only allow the option of "Aggregated".

Conditions:
This occurs on virtual servers with the TCP Analytics profile attached.

Impact:
GUI does not list all virtual servers that have the TCP Analytics profile attached.

Fix:
Fixed an issue with displaying TCP Analytics statistics for virtual servers.

622662-7 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697

622619-5 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD

Component: TMOS

Symptoms:
MCPd cpu utilization is high and renders it unresponsive.

Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.

Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.

Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.

622496 : Linux kernel vulnerability CVE-2016-5829

Solution Article: K28056114

622386-1 : Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled

Component: Application Security Manager

Symptoms:
Internet Explorer browsers will get into an endless loop of requests, never reaching the back-end server, when accessing a Virtual Server which is enabled with both the Web Scraping feature, and the Proactive Bot Defense, if the mode of Proactive Bot Defense is set to During Attacks.

Conditions:
1. ASM Security Policy is attached to the Virtual Server, and has Web Scraping's Bot Detection set to Alarm & Block.
2. Within Web Scraping, both Fingerprint and Persistent Client Identification are disabled.
3. DoS profile is attached to the Virtual Server, and has Proactive Bot Defense set to During Attacks.
4. Users are using the Internet Explorer browser.

Impact:
Internet Explorer browser users are getting blocked from accessing the back-end server.

Workaround:
Two options for workaround:
1. Set Proactive Bot Defense to Always instead of During Attacks.
2. Enable either Fingerprint or Persistent Client Identification in the Web Scraping configuration.

Fix:
Internet Explorer users are no longer blocked when accessing a Virtual Server which has both Web Scraping enabled, and Proactive Bot Defense set to During Attacks.

622281-1 : Network DoS logging configuration change can cause TMM crash

Component: Advanced Firewall Manager

Symptoms:
Whenever a DoS Network logging profile is assigned or removed from a Virtual Server, it could cause random TMM crash.

Conditions:
The problem happens only with runtime config change.

Any logging profile config settings which was configured already and which gets loaded on TMM startup does not have this problem. Since this problem is a one time event on config change, TMM restart will pickup the config change and will work without any problem after the one time crash and TMM restart.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Invalid memory reference after free resulted in crash, which is fixed.

622244-2 : Edge client can fail to upgrade when always connected is selected

Component: Access Policy Manager

Symptoms:
Attempt to upgrade an Edge client may fail if the Always Connected mode is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client

Impact:
Upgrade will fail

Workaround:
Disable the Always Connected mode

Fix:
Upgrade functions as intended regardless of connection mode

622220-2 : Disruption during manipulation of PEM data with suspected flow irregularity

Component: Policy Enforcement Manager

Symptoms:
tmm crashes.

Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to manipulating Policy Enforcement Manager data.

622199 : sys-icheck reports error with /var/lib/waagent

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /var/lib/waagent.

On BIG-IP version 12.0.0:
ERROR: ....L.... /var/lib/waagent
L - readLink(2) path mismatch

On BIG-IP version 12.1.0 and 12.1.1:
ERROR: .M....... /var/lib/waagent

M - Mode differs (includes permissions and file type)

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with waagent that was causing sys-icheck to fail.

622194 : sys-icheck reports error with ssh_host_rsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub

ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud when running the sys-icheck utility.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with ssh_host_rsa_key and ssh_host_rsa_key.pub that was causing sys-icheck to generate an error.

622183-5 : The alert daemon should remove old log files but it does not.

Component: TMOS

Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.

Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.

Impact:
The log filesystem may become completely full, and new log messages cannot be saved.

Fix:
The alert daemon will now remove old log files as intended.

622178-1 : Improve flow handling when Autolasthop is disabled

Component: Local Traffic Manager

Symptoms:
Modifications made to improve flow handling in configurations which disabled Autolasthop.

Conditions:
Autolasthop disabled.

Impact:
Modifications made to improve flow handling in configurations which disabled Autolasthop.

622133-1 : VCMP guests may incorrectly obtain incorrect MAC addresses

Component: TMOS

Symptoms:
vCMP guests may be re-configured to use MAC addresses based off an all zero MAC address (00:00:00:00:00:00).

The 'tmsh show net vlan' command will show the vlan interfaces having mostly 0's in the MAC address:

-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag

-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag

Conditions:
For this to manifest the vCMP host vcmpd process will have to have had a prior crash or be killed.
In this scenario vcmpd on restart uses a default zero-base MAC address for the guests.
The guests will not use the new zero-based MAC until services are restarted on the guest, on which the new MAC address will take effect.

Impact:
This can cause network issues and conflicts if occurring on multiple guests in the same VLAN as the same MAC addresses will be used.

Workaround:
Restart the guest from the hypervisor.

Fix:
vCMP no longer uses zero-based MACs on vcmpd crash/kill.

622126-1 : PHP vulnerability CVE-2016-7124

Solution Article: K54308010

622017-8 : Performance graph data may become permanently lost after corruption.

Solution Article: K54106058

Component: Local Traffic Manager

Symptoms:
During an upgrade, system reboot or restart of the statsd daemon, if a performance graph /var/rrd/*.info file is corrupt, the system is expected to backup the performance data before replacing it and starting with new empty graph data. It is then possible to manually recover the previous performance data.

However, if the /shared/rrd.backup directory already exists, the system restarts the performance graph with new data without backing up the previous data.

Conditions:
During startup of the statsd daemon (such as after an upgrade or reboot), the issue occurs if the following two conditions are present:
* The /var/rrd/<filename>.info files are corrupt (CRC value does not match contents).
* The /shared/rrd.backup directory exists.

Impact:
The previous performance graph data is not displayed, and is no longer available for manual recovery.

Workaround:
Old performance graph data can be extracted from the var/rrd directory of a QKView taken prior to the beginning of the problem.

Fix:
Corrupt performance graph RRD data is now backed up to the /shared/rrd.backup directory during startup even if the directory already exists.

621976-4 : OneDrive for Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
OneDrive for Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working OneDrive for Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.

621974-4 : Skype For Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
Skype For Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working Skype For Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.

621957-2 : Timezone data on AOM not syncing with host

Component: TMOS

Symptoms:
Updating the timezone on the host does not sync to the AOM, because certain tzdata files are placed in the wrong directories.

Conditions:
A system using tzdata version v2016i-1 may encounter this problem. If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

then the system has this problem.

Impact:
Time on the AOM is incorrect.

Workaround:
If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

move them to:

/usr/share/zoneinfo/F5zone.tab
/usr/share/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/F5zone.tab

Fix:
Timezone data on AOM now syncs correctly with host again

621937-1 : OpenSSL vulnerability CVE-2016-6304

Solution Article: K54211024

621935-6 : OpenSSL vulnerability CVE-2016-6304

Solution Article: K54211024

621909-4 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members

Solution Article: K23562314

Component: TMOS

Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.

Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.

Impact:
Uneven traffic distribution.

Workaround:
None.

Fix:
This release fixes uneven egress trunk distribution on the BIG-IP 5000 or 10000 platforms when there is an odd number of ports.

621870-2 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.

Conditions:
VIP-VIP configuration

Impact:
System outage

Workaround:
None.

621808-1 : Proactive Bot Defense failing in IE11 with Compatibility View enabled

Component: Advanced Firewall Manager

Symptoms:
Internet Explorer 11 browsers which have "Compatibility View" enabled (under Compatibility View Settings IE menu), will fail the JavaScript challenge, when Proactive Bot Defense is enabled and the "Block requests from suspicious browsers" checkbox is checked.

The challenged request will be blocked using a TCP_RST flag, and the browser will show "This page can’t be displayed" is seen in the browser.

Conditions:
1. DoS profile that is attached to the Virtual Server has Proactive Bot Defense is enabled and "Block requests from suspicious browsers" checkbox is checked.
2. Internet Explorer 11 browsers in which the site's domain is inserted to the "Compatibility View Settings" in the browser's menu.

Impact:
Legitimate browsers get blocked when accessing the site.

Workaround:
None

Fix:
Internet Explorer 11 browsers with "Compatibility View" enabled on the site no longer get blocked when Proactive Bot Defense is enabled on the DoS profile.

621736-6 : statsd does not handle SIGCHLD properly in all cases

Component: Local Traffic Manager

Symptoms:
- Performance graphs are not updating or are not existant.
- proc_pid_stat shows statsd time not increasing
- Top also shows that statsd is not taking any processor time.

Infact statsd is stuck on a wait in a signal handler.

Conditions:
If statsd receives a SIGCHLD signal it will get stuck and not process anything.

The following can trigger the issue:

rm -rf /shared/rrd.backup
- sed -i "s/^#CRC.*$/#CRC $RANDOM/" /var/rrd/throughput.info
- kill -HUP $(pgrep -f /usr/bin/statsd)

Impact:
No performance graphs are collected / generated

Workaround:
Restart statsd:
- bigstart restart statsd

621524-2 : Processing Timeout When Viewing a Request with 300+ Violations

Component: Application Security Manager

Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.

Conditions:
Attempting to view a request that triggered hundreds or thousands of violations

Impact:
A timeout is encountered.

Workaround:
increase the "max_execution_time" timeout in /usr/loca/lib/php.ini from 30 to 240 seconds.

Fix:
Processing high violation requests is now more efficient.

621452-1 : Connections can stall with TCP::collect iRule

Solution Article: K58146172

Component: Local Traffic Manager

Symptoms:
Connection does not complete.

Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.

The Initial Sequence number in the SYN, plus the length of the data in the first packet, plus 1, is greater than-or equal to 2^31.

Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.

Impact:
Connection fails.

Workaround:
There is no workaround at this time.

Fix:
The system no properly sets state variables associated with TCP::collect.

621447-1 : In some rare cases, VDI may crash

Component: Access Policy Manager

Symptoms:
VDI process crashes and connections to VDI resources are aborted.

Conditions:
VDI receives unexpected session variable result which is meant for some other VDI thread.

Impact:
Existing VDI connections are aborted and the user needs to login again.

Fix:
VDI should gracefully handle the error condition and should not crash

621423 : sys-icheck reports error with /config/ssh/ssh_host_dsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_dsa_key and other files:

ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: missing /config/ssh/ssh_host_key
ERROR: missing /config/ssh/ssh_host_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/ssh/ that was causing sys-icheck to report errors.

621422 : i2000 and i4000 series appliances do not warn when an incorrect optic is in a port

Component: TMOS

Symptoms:
A 1G optic is inserted in a port that only supports 10G optics, or a 10G optic is inserted in a port that only supports 1G optics.

The invalid optic may show a link light, and no warning appears on the LCD.

Conditions:
i2000 or i4000 platforms ports do not auto-negotiate between 1G and 10G optics. Ports are assigned to one or the other speed.

Impact:
User may not understand why optic is not working correctly

Workaround:
Move the optic to the correct port.

621401 : When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

Component: Device Management

Symptoms:
When BIG-IQ is monitoring more than 1 BIG-IP in a HA clustser, AVR reporting on the BIG-IQ may fail if one of the BIG-IPs is under heavy load.

Conditions:
BIG-IQ monitoring BIG-IPs in a HA cluster
BIG-IPs running AFM and/or ASM
BIG-IQ used to monitor AFM and/or ASM reporting.
At least one of the BIG-IPs is under significant load so as to cause delays in responding to BIG-IQ requests.

Impact:
AVR reporting will stop functioning.

Workaround:
bigstart restart restjavad

621386-1 : restjavad spawns too many icrd_child instances

Solution Article: K91988084

Component: TMOS

Symptoms:
icrd_child process keeps crashing and can lead to an out-of-memory condition.

Conditions:
This occurs due to a race condition while restarting the icrd daemon.

Impact:
icrd might crash.

Workaround:
None.

Fix:
Fixed race condition that caused the system to run out of memory by spawning too many icrd_child processes.

621371-2 : Output Errors in APM Event Log

Solution Article: K43523962

621337-6 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469

Solution Article: K97285349

621273-1 : DSR tunnels with transparent monitors may cause TMM crash.

Component: TMOS

Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.

Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM does not crash.

621259-3 : Config save takes long time if there is a large number of data groups

Component: TMOS

Symptoms:
Config save takes a long time to complete

Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration

Impact:
When take longer than 90 seconds soap iControl will time out.
This make it impossible to manage via EM

621242-1 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
Increased the reserved free space in VM image from 15% to 30% to accommodate upgrades to future versions. Each next version tends to be bigger and require more disk space to install. The increased reserved space will allow upgrading to at least next 2 versions.

Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A

Fix:
Increased the reserved free space on VE images.

621239-2 : Certain DNS queries bypass DNS Cache RPZ filter.

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.

Conditions:
A DNS Cache configured with RPZ.

Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.

Fix:
The DO-bit is now ignored with respect to RPZ filtering.

621225 : LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"

Component: TMOS

Symptoms:
When BIG-IP is initially booted or re-started, there are certain conditions under which the LTM log may report the following message for front panel interfaces, "PCI Device not found for Interface <X.0>", where X can be in the range of 1-6. These messages are misleading because the front panel interfaces do not have any PCI devices associated with them and should not have been flagged as errors.

Conditions:
i2600/i2800 products intermittently produce these messages upon power-up or BIG-IP re-start.

Impact:
They are false alarms in the log. The associated interfaces do not have said PCI devices.

Fix:
Removed the possibility of getting false alarm messages in the LTM log for front panel interfaces 1.0-6.0 that claim, "PCI Device not found for Interface X.0".

621210-2 : Policy sync shows as aborted even if it is completed

Component: Access Policy Manager

Symptoms:
After syncing a policy in a sync-only device group, the policy appears to be synced to the target successfully, however, the remote HA pair devices show status as canceled/aborted.

Conditions:
It is not known exactly what triggers this condition. It was observed in a 4-device trust group consisting of 2 sync/failover groups and a single sync-only device group for all 4 devices. After the sync the status reported as cancelled/aborted.

Impact:
Sync status is displayed incorrectly, even after the sync was successful.

Workaround:
None.

Fix:
Policy sync now shows as completed when it is completed.

621126-2 : Import of config with saml idp connector with reuse causes certificate not found error

Component: Access Policy Manager

Symptoms:
Export and then Import with reuse of config that has SAML Idp Connector as part of configuration would fail with Object not found or Certificate not found error:

Import Error: 01070734:3: Configuration error: /Common/my_cert.crt certificate not found.

Conditions:
Exporting and then importing with "Reuse existing objects" checked. Normal import is ok.

Impact:
Importing fails.

Workaround:
On From box:Disconnect Idp configuration, export config.
On To box:Recereate Idp configuration, import, reconnect it.

Fix:
Importing with reuse is fixed.

621115-1 : IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Component: Performance

Symptoms:
Traffic to and from the Linux host has TTL set to 255 or hop limit set to 64. This may impact any protocols that scrutinize the TTL such as IGMP or BGP.

Conditions:
IP/IPv6 TTL/hoplimit for host traffic.

Impact:
IGMP packets will not be passed from TMM to the Linux host and remote routers may reject IGMP packets from the BIG-IP.

BGP neighbors may reject packets from the BIG-IP.

Workaround:
Adjust TTL verification restrictions on peer devices.

Fix:
The IP/IPv6 TTL/hoplimit of host traffic is no longer modified when it traverses TMM.

620929-4 : New iRule command, MR::ignore_peer_port

Component: Service Provider

Symptoms:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port. Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Conditions:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port.

Impact:
Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Workaround:
Without this change, a new connection would need to be created to the client.

Fix:
New iRule command allow script author to identify the current connection as equivalent to other connections of the IP and route domain ID matches.

620903-1 : Decreased performance of ICMP attack mitigation.

Component: Performance

Symptoms:
Decreased performance of ICMP attack mitigation.

Conditions:
A Big-Ip is under attack, for example a ICMP flood attack.

Impact:
Decreased performance of ICMP attack mitigation.

Workaround:
NA

Fix:
Increased performance of ICMP attack mitigation.

620829-2 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
None.

Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.

620801-3 : Access Policy is not able to check device posture for Android 7 devices

Component: Access Policy Manager

Symptoms:
APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve device MAC address and hence APM is not able to check for device compliance against configured Endpoint Management System (EMS) using the Managed Endpoint Status Policy Item.

If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.

Conditions:
- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status
- User accesses APM from an Android 7 device using F5 Edge Client app.

Impact:
Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.

Workaround:
This workaround only applies to IBM Maas360:

Add Variable Assign agent just before Managed Endpoint Status agent with the following variables:

session.client.platform_tmp = expr {[mcget session.client.platform]}
session.client.platform = expr {"iOS"}
session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}

And add Variable Assign agent after Managed Endpoint Status agent to reset session.client.platform to its original state:
session.client.platform = expr {[mcget session.client.platform_tmp]}

Fix:
Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.

620788-1 : FQDN pool created with existing FQDN node has RED status

Solution Article: K05232247

Component: Local Traffic Manager

Symptoms:
After creating an FQDN pool using an existing FQDN node, the pool has RED status.

Conditions:
-- Existing FQDN node.
-- Pool created with an existing FQDN node as a member.

Impact:
Traffic will not pass in this pool.

Workaround:
As a workaround, follow these steps:
1. Delete the existing FQDN node.
2. Create a new one.
3. Create a pool that includes the new FQDN node.

Fix:
When creating an FQDN pool with an existing FQDN node, the pool status now reflects the actual monitor status.

620782 : Azure cloud now supports hourly billing

Component: TMOS

Symptoms:
Prior to 12.1.2 hourly billing was not supported in Azure cloud.

Conditions:
Any version prior to 12.1.2 in Azure Cloud

Impact:
Hourly billing not possible

Fix:
With 12.1.2 hourly billing is now supported in Azure.

620659-3 : The BIG-IP system may unecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
info mprov:4614:: \'\'provision.initialized\' indicates force TMOS only provisioning - forcing.\'

During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
info mprov:4609:: \'Existence of file \'/mprov_firstboot\' indicates force TMOS only provisioning - forcing.\'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.

620635-2 : Request having upper case JSON login parameter is not detected as a failed login attempt

Component: Application Security Manager

Symptoms:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ JSON login parameter with an upper-case character

Impact:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Workaround:
N/A

Fix:
We've made sure that JSON login parameter are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.

620625-2 : Changes to the Connection.VlanKeyed DB key may not immediately apply

Solution Article: K38094257

Component: Local Traffic Manager

Symptoms:
Changes to the Connection.VlanKeyed DB key may not immediately apply to all TMMs

Conditions:
The Connection.VlanKeyed DB key is changed

Impact:
Asymmetrically routed connections may fail with Connection.VlanKeyed disabled

Workaround:
Restarting TMM will resolve the issue, though this will interrupt traffic so should be performed during a maintenance window. To do so, run one of the following tmsh commands:

-- on an appliance (BIG-IP platform): bigstart restart tmm
-- on a clustered system (a VIPRION or VIPRION-based vCMP guest): clsh bigstart restart tmm

Fix:
Asymmetrically routed connections no longer fail with Connection.VlanKeyed disabled.

620614-4 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account

Component: Access Policy Manager

Symptoms:
iOS Citrix receiver fails to add new store account and touching on the Save option after providing the credentials displays "Loading" and comes back to previous save option.

/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.

The above error, otherwise, below error which deletes the session id abruptly.

Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).

Conditions:
APM is configured with Citrix replacement mode. Provide wrong passcode values for RSA SecurId auth for continuously three times which trigger the next token input for the fourth time entering the right passcode. APM rotate session is enabled.

Impact:
iOS Citrix receiver could not add the account after providing wrong token values for two factor auth

Workaround:
Kill the iOS Citrix receiver application and click on the receiver again to add the account.

Fix:
Use the right session id for decrypting the password.

620400-1 : TMM crash during TLS processing

Solution Article: K21154730

620366-4 : Alertd can not open UDP socket upon restart

Component: TMOS

Symptoms:
alertd fails to restart due to the following error:
Sep 29 18:29:44 B2200-R76-S19 err alertd[16882]: 01100009:3: Couldn't open file UDP listener

Conditions:
alertd has spawned a long-running process (e.g. ntpd) which does not close inherited file descriptors.

Impact:
alertd fails to restart

Fix:
Mark alertd file descriptors for automatic closure in child processes.

620215-5 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.

620079-3 : Removing route-domain may cause monitors to fail

Component: Local Traffic Manager

Symptoms:
Removing route-domain may cause icmp and gateway-icmp monitors in unrelated route-domains to fail.

Conditions:
Route-domain is removed and icmp/gateway-icmp monitor is used.

Impact:
Monitor marking node down resulting in partial service outrage.

Workaround:
Restart bigd (bigstart restart bigd).

620056-1 : Assert on deletion of paired in-and-out IPsec traffic selectors

Component: TMOS

Symptoms:
When two traffic-selectors, one in and one out, mirror each other by reversing source and destination addresses, then deleting one can miss-fire an assert, restarting tmm.

Conditions:
Defining two clearly related traffic selectors, one for in and one for out, can confuse a later check of their names.

Impact:
When a traffic selector is deleted, from such a pair, an assert can fail that restarts tmm processes. Traffic disrupted while tmm restarts.

Workaround:
Using one traffic selector with direction=both would avoid the problem, before this change appears in a release.

Fix:
The confusion of over names for such paired traffic selectors is now fixed, so the assert cannot occur. Such traffic selectors -- just like each other execpt for reversed source and destination -- will work correctly for IKEv1 configs. For IKEv2 it is still best to use single TS insances with direction=both.

619879-1 : HTTP iRule commands could lead to WEBSSO plugin being invoked

Component: Access Policy Manager

Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 BIG-IP3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor

With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 BIG-IP3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))

Conditions:
HTTP::disable followed by HTTP::enable.

when CLIENT_ACCEPTED {
    HTTP::disable
    // do some other stuff
    HTTP::enable
}

Impact:
client receives a HTTP 503 reset

Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.

Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.

619849-4 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGABRT (killed by sod)

Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profiles, that must be handling traffic.

This issue occurs extremely rarely.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
disable verify accept.

Fix:
the loop is fixed.

619811-2 : Machine Cert OCSP check fails with multiple Issuer CA

Component: Access Policy Manager

Symptoms:
If there are multiple CAs in the CA bundle and issuing CA is not first in it, the OCSP responder returns "unauthorized" response.

Conditions:
This can only happen when issuing CA is not first in the CA file.

Impact:
OSCP check in machine cert will fail and user won't be able to follow successful branch in Access Policy. This might result in Authentication failure even though the machine cert is valid.

Workaround:
Use iRule Event and variable Assign agent in between Machine Cert and OCSP Auth agent.

Follow these steps:

iRule:

1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"

Variable Assign:

3) Read this issuer cert from the session db and assign it back to the same session variable:

session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }

Fix:
Issuer cert is now looked up and set properly from the CA bundle. So there is no longer any failure response from OCSP responder.

619757-1 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.

Fix:
iSession no longer causes routing entries to be prematurely freed.

619663-3 : Terminating of HTTP2 connection may cause a TMM crash

Solution Article: K49220140

Component: Local Traffic Manager

Symptoms:
TMM crashes when an HTTP2 connection is being terminating on client and server sides concurrently.

Conditions:
-- HTTP2 profile is configured and assigned to a virtual server.
-- A client SSL profile is also used on the same virtual server.
-- Client interrupting a connection and server terminating a connection at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A fix stops HTTP2 from further processing when a connection is terminating preventing TMM crash for this reason.

619528-4 : TMM may accumulate internal events resulting in TMM restart

Component: Local Traffic Manager

Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.

Conditions:
HTTP virtual with long-lived connections.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.

Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.

619486-3 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self

Component: Access Policy Manager

Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access could fail if application modifies window.self builtin object. As a result, the application will stop working and optionally log an undefined variable/reference exception into Developer Tools console.

To verify that window.self is modified, run 'window.self == window' command in Developer Tools console of the page with error and check if it returns 'false'.

Conditions:
This can occur if a web application has javascript that modifies the value of window.self.

Impact:
Affected web-applications will not work when accessed through Portal Access.

Workaround:
None

Fix:
Scripts on pages accessed through Portal Access are no longer failing when web application code modifies window.self.

619473-2 : Browser may hang at APM session logout

Component: Access Policy Manager

Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.

Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.

Impact:
Logout from APM session may take a long time (several minutes). In some cases, it may be necessary to restart browser.

Fix:
Now browser does not hangs at logout from APM session with RDP client and/or VMvare View client.

619410-1 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip/zlib compression levels other than level 1 were bypassing the hardware accelerator and being serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
Compression requests for DEFLATE/gzip/zlib levels other than level 1.

Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.

Fix:
Hardware accelerator correctly registers for all DEFLATE/gzip/zlib compression levels, not just level 1.

619398-7 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.

619250-1 : Returning to main menu from "RSS Feed" breaks ribbon

Component: Access Policy Manager

Symptoms:
When you go to "RSS Feed" configuration page for Document, Picture Library, List etc. and go back to SharePoint Dashboard using link at the top pointing to "RSS FEED for ..." and then click any option on the ribbon, you got "500 Internal Server Error" and ribbon stops working. When you use built-in browser button "go back" instead, everything works Ok.

Conditions:
"500 Internal Server Error" occurred. Ribbon stop working.

Impact:
Ribbon stop working.

Workaround:
Use built-in browser "go back" button instead.

Fix:
Returning to main menu from "RSS FEED for ...", ribbon continue to work. No more "500 Internal Server Error".

619110-1 : Slow to delete URLs, CPU spikes with Automatic Policy Builder

Component: Application Security Manager

Symptoms:
Deleting a URL causes an incorrect event to be generated and logged for every other URL in the Policy.

When a policy has many URLs configured, deleting a URL takes a long time and consumes heavy CPU time.

Conditions:
Many URLs are configured in the Policy.
This can be due to Policy Builder being set to "Always" learn new HTTP URLs.
If Policy Builder is also configured to collapse common URLs to wildcards, then it deletes the collapsed urls and these calls can be resource intensive.

Impact:
1) GUI is slow to delete URLs
2) Misleading (incorrect) logs are present in the audit log for each other URL in the system after a URL delete.
3) CPU can spike to 100%

Workaround:
A) Change "Learn New HTTP URLs" mode to "Selective" from "Always"
B) Disable collapse URLS.

Fix:
URL delete no longer incorrectly generates an event for every other URL in the system.

619097 : iControl REST slow performace on GET request for virtual servers

Component: TMOS

Symptoms:
Performing a GET request on a BIG-IP with a large number of virtual servers may result in slow performance and timeout errors.

Conditions:
When a significant number of virtual servers reference persistence profiles.

Impact:
Unable to perform large GET query on virtual servers.

Workaround:
None.

Fix:
Improved iControl REST performance for Performing a GET request on a BIG-IP with a large number persistence profiles on virtual servers.

619071-3 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disabled verified accept when used with OneConnect on a VIP.

Fix:
Verified accept, OneConnect and hardware syncookies work
correctly together.

619060 : Reduction in boot time in BIG-IP Virtual Edition platforms

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) version has experienced increased boot time.

Conditions:
The increased boot time occurs each time a VE is booted.

Impact:
Long boot time, longer than previous releases.

Workaround:
None.

Fix:
Reduction in boot time in BIG-IP Virtual Edition platforms.

618957-1 : Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates

Component: Access Policy Manager

Symptoms:
BIG-IP supports import of external SAML SP metadata to create SP-Connector objects. When such metadata file contains two certificates (one with 'signing' and one with 'encryption use) then BIG-IP will import certificate that is positioned 'second' in metadata twice.

Conditions:
Imported metadata contains two certificates with different use types: 'signing' and 'encryption'

Impact:
There is no impact if in metadata signing and encryption certificates are the same. If certificates are different - SAML SSO may not function properly due to incorrect certificate imported in configuration.

Workaround:
Import certificates manually, and assign them to created from metadata SAML SP connector

Fix:
Issue is now fixed: both certificates are imported correctly.

618944-1 : AVR statistic is not save during the upgrade process

Component: Application Visibility and Reporting

Symptoms:
All AVR statistics will be lost after upgrade from 12.1.0 or 12.1.1.

Conditions:
AVR statistic was collected on 12.1.0 or 12.1.1.
The BIG-IP was upgraded.

Impact:
Old AVR statistics will be lost

Workaround:
1. before upgrade edit the following file:
./usr/libdata/configsync/avr_save_pre
2. change the following line " [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "

with " [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "

Fix:
AVR upgrade script fixed

618905-1 : tmm core while installing Safenet 6.2 client

Component: Local Traffic Manager

Symptoms:
tmm core while installing Safenet 6.2 client.

Conditions:
Safenet 6.2 client installation

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm core related to Safenet 6.2 client installation.

618902-4 : PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation

Component: Advanced Firewall Manager

Symptoms:
Each time the Packet Classification Compiler Daemon (PCCD) process recompiles rules due to configuration changes, it loses approximately 20 bytes or more (depends on the rule complexity) due to small memory leak.

Conditions:
This occurs when making changes to the firewall configuration when AFM is configured.

Impact:
This can potentially lead to an out-of-memory situation if the system runs for a long time without reboot and PCCD continuously recompiles due to frequent configuration changes.

Workaround:
None.

Fix:
The PCCD memory leak was identified and fixed.

618779-1 : Route updates during IPsec tunnel setup can cause tmm to restart

Component: TMOS

Symptoms:
During the setup of IPsec tunnel flows, tmm depends on a valid route being available towards a remote peer to correctly create the IPsec inbound tunnel flows. The absence of the route at this stage, causes tmm to crash and restart. This is more likely to happen if the route towards the endpoint is dynamic.

Conditions:
IPsec tunnels are being set up with a given remote peer and the route towards that peer is not reliably present (as is in the case of dynamic route updates)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that there is always a valid route towards each of the remote peers.

Fix:
The tmm process no longer restarts if there is no valid route towards the remote peer during IPsec tunnel setup.

618771-1 : Some Social Security Numbers are not being masked

Component: Application Security Manager

Symptoms:
ASM does not block or mask some SSN numbers.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains social security numbers with specific ranges.

Impact:
The traffic passes neither masked nor blocked to the end client.

Workaround:
None.

Fix:
The system now correctly masks and/or blocks all relevant social security numbers.

618657-4 : Bogus ICMP unreachable messages in PEM with ipother profile in use

Component: Policy Enforcement Manager

Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.

Conditions:
A VS with ipother profile configured together with the PEM profile. In the field defect the additional piece needed was the missing classification, but this is due to code ordering, so in non-fixed versions this can also happen with the classification profile present.

Impact:
Unnecessary ICMP traffic

Fix:
Fixed an issue related to unnecessary ICMP traffic in the PEM filter.

618656-2 : JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters

Component: Advanced Firewall Manager

Symptoms:
The JavaScript challenge is repeating in a loop on Firefox on URLs which are longer than 1033 characters. The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.

Conditions:
URLs are longer than 1033 characters, AND:
Users are using the Firefox browser, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.

Impact:
Requests to URLs longer than 1033 will be blocked on Firefox, and the browser will repeat the challenge in a loop.

Workaround:
None

Fix:
The JavaScript challenge no longer gets stuck in a loop on Firefox, on URLs which are longer than 1033 characters.

618549-1 : Fast Open can cause TMM crash CVE-2016-9249

Solution Article: K71282001

618517-1 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring

Solution Article: K61255401

Component: Local Traffic Manager

Symptoms:
- In v11.6.1, bigd reports pool members were marked down that are not actually down, and logs messages similar to the following in the ltm log file:

warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.

- Because of changes in the v12.1.x software, although the problem is still present, it has negligible impact.

Conditions:
-- Monitoring is in use.
-- bigd debug logging is enabled.
-- The bigd debug log file (/var/log/bigdlog) is full.

Impact:
- On v11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.

- In v12.1.x, some of the underlying logging code changed, and there is no real impact.

Workaround:
Prevent the log file from getting full. To do so, rotate the log file using the following command:
logrotate -f bigdlog

Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.

618506 : TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Component: Access Policy Manager

Symptoms:
TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Conditions:
APM is provisioned and access profile is attached to the virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Correctly handle session DB data in APM to prevent memory segmentation fault.

618430-2 : iRules LX data not included in qkview

Component: Local Traffic Manager

Symptoms:
Qkview does not contain any of the iRuleLX information.

Conditions:
N/A

Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.

Fix:
The following ILX information was added to the qkview:

TMSH commands:
  list ilx workspace all-properties
  list ilx plugin all-properties
  list ilx global-settings (13.0.0+)
  list ltm profile ilx all-properties (13.0.0+)
  show ilx plugin all
  show ltm profile ilx all (13.0.0+)

The files in the following folders:
  /var/ilx - master copies of workspaces
  /var/sdm - running files of the plugins
  /var/log/ilx - ILX specific logs

618428 : iRules LX - Debug mode does not function in dedicated mode

Component: Local Traffic Manager

Symptoms:
In case if the debug option is enabled in the dedicated mode, sometimes some of the nodejs process can be allocated a "in-use" port, which prevents it from starting successfully.
By design every process is guaranteed a debug port in the configured range as long as there are enough ports available in the system. In-use ports are skipped, so consecutive port allocation is not guaranteed.

Conditions:
some of the ports in the range are busy.

Impact:
Some of the nodejs processes fail to start which prevents normal iRuleLX operation.

Workaround:
Consult with netstat output and set the debug-port-range-low to a higher value (eg. 10000+) to minimise the change of a port conflict.

618421 : Some mass storage is left un-used

Component: TMOS

Symptoms:
It is intended that all mass storage capacity be available for use by application data, site-local configuration, or sofwtare. In some conditions, about 10% of the mass storage capacity is not made available for application data.

Conditions:
This occurs on the BIG-IP i-Series platforms.

Impact:
Applications that use a lot of storage may not function optimally.

Fix:
The storage is optimally reallocated.

618404-1 : Access Profile copying might end up in invalid way if series of names.

Component: Access Policy Manager

Symptoms:
After copying an access policy, you receive an error when trying to open the copy: "Unable to load accessPolicy '/Common/my_policy_access_1_1' from source."

Conditions:
When items with names ending with _#_#_1 and _#_#_2, _# reduction is working.

Impact:
Unable to copy policy properly.

Workaround:
Export policy, import with reuse.

Fix:
Copying is fixed for this conditions.

618382-4 : qkview may cause tmm to restart or may take 30 or more minutes to run

Component: TMOS

Symptoms:
When taking a qkview on a heavily loaded BIG-IP device (with lots of connections) running 12.1.0 or 12.1.1, the qkview utility may take a very long time to complete (30+ minutes) or cause tmm to restart. This is due to a new qkview command that was added to gather a list of recent connections with the tmsh show sys connection command, which has a significant performance impact when run while the BIG-IP is heavily loaded.

Conditions:
This can occur on the following versions:

- 12.1.0 including 12.1.0 HF1 and 12.1.0 HF2
- 12.1.1 including 12.1.1 HF1

This can occur when the BIG-IP is heavily loaded and while running the qkview command.

Impact:
Qkview command can take an exceedingly long time to run (30+ minutes).
Traffic disrupted while tmm restarts.

Workaround:
Do not run the qkview command if the device is heavily loaded.

Fix:
Removed offending "show sys connection" command from qkview utility.

618324-1 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
When upgrading from OPSWAT SDK V3 to V4, opening Access Policy in VPE if one of the opswat checker (e.g. Anti-Virus checker) contains an Undefined (i.e. previously defined but out of support) ID it will display as "Any." The correct display should be "Unsupported" or "Invalid" product.

Conditions:
Wrongful information displayed.

Impact:
Wrongful information displayed.

Workaround:
N/A

Fix:
Correct (*** Invalid ***) information displayed.

618306-2 : TMM vulnerability CVE-2016-9247

Solution Article: K33500120

618263-1 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005

618261-6 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005

618254-4 : Non-zero Route domain is not always used in HTTP explicit proxy

Component: Local Traffic Manager

Symptoms:
You may experience connectivity failure in certain situations where a sideband communications are required as part of the transaction.

Conditions:
BIG-IP has http-explicit configuration, where a sideband connection is required, say in the case of getting an OCSP response or a DNS resolver response when those services are associated with a different route domain.

Impact:
End-to-end connectivity failure.

Workaround:
Change configuration so that all services required are on the default route domain, 0.

618185-1 : Mismatch in URL CRC32 calculation

Component: Fraud Protection Services

Symptoms:
In some cases URL CRC32 calculated by JS does not match referrer CRC32 calculated by Plugin.

Conditions:
Each one of next conditions cause this problem:
1. CRC32 calculated for URL with path parameters while strip_path_parameters BigDB variable value is 'true'.
2. CRC32 calculated for URL with a fragment (hashmark '#') in query string.

Impact:
A component validation alert is triggered as a result of mismatch between URL CRC32 calculated by JS and referrer CRC32 calculated by Plugin.

Workaround:
No workaround.

Fix:
strip_path_parameters BigDB variable value is passed to JS and JS URL normalization before CRC32 calculation is now similar to the one Plugin does.

618170-3 : Some URL unwrapping functions can behave bad

Component: Access Policy Manager

Symptoms:
Some URL unwrapping functions can behave incorrectly with different web application malfunctions as a result.

Conditions:
JavaScript with "location.pathname" like fields at the right side of an expression.

Impact:
Different web application malfunctions. One example is SharePoint 2010 using IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.

Fix:
Fixed.

618161-1 : SSL handshake fails when clientssl uses softcard-protected key-certs.

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when clientssl uses softcard-protected key-certs.

Conditions:
Softcard-protection is enabled and token protection is disabled.

Impact:
SSL handshake fails

Workaround:
None known.

Fix:
SSL handshake no longer fails when clientssl uses softcard-protected key-certs.

618121 : "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★

Component: Local Traffic Manager

Symptoms:
"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x

Conditions:
When the RTSP_RESPONSE event and "persist add" iRule are used and upgrade to v12.x.x.

Impact:
"persist add" iRule validation failed. The iRule will not be loaded.

Workaround:
possible workaround is to bypass validation

when RULE_INIT {
  set static::persist_cmd { persist add uie $SessionID $static::persist_timeout }
}

when RTSP_RESPONSE {
   set SessionID [RTSP::header value "Session"]
  if { $SessionID != "" }{
    #persist add uie $SessionID $static::persist_timeout
    eval $static::persist_cmd
  }
}

617986-2 : Memory leak in snmpd

Component: TMOS

Symptoms:
Memory usage in snmpd is increases until the OOM process kills snmpd.

Conditions:
BIG-IP configured with virtual servers that have the same destination IP address

Impact:
snmp disrupted while snmp restarts.

Workaround:
No workaround

Fix:
Fixed memory leaks.

617935 : IKEv2 VPN tunnels fail to establish

Component: TMOS

Symptoms:
IKEv2 VPN tunnels fail to establish.

Conditions:
This occurs with IKEv2 on a specific 12.1.2 HF1 engineering hotfix.

Impact:
IPsec IKEv2 VPN tunnels fail to establish.

Workaround:
Use IPsec IKEv1.

Fix:
IKEv2 VPN tunnels now establish as expected.

617901-1 : GUI to handle file path manipulation to prevent GUI instability.

Component: TMOS

Symptoms:
Request file path may be incorrectly processed

Conditions:
Authenticated administrative user makes a GUI request

Impact:
The GUI becomes unstable because it cannot process the request.

Fix:
Redirect the user to a No Access page.

617875-1 : vCMP guest may fail to start due to not enough hugepages

Component: TMOS

Symptoms:
In rare cases, when there are many vCMP guests, the last one may fail to start because the system has apparently leaked a few 2M hugepages. The shortfall so far has been very small, 5 - 20 hugepages missing, but occasionally this is enough that the last guest can not start.

Conditions:
It is not yet known what triggers this.

Impact:
vCMP guest fails to start.

Workaround:
Once in this state, only restarting the host system seems to clear the condition. Restarting the VCMP guests does not appear to help.

Fix:
Addressed by changes to the pagemap code.

617862-2 : Fastl4 handshake timeout is absolute instead of relative

Component: Local Traffic Manager

Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.

Conditions:
A TCP connection in three-way handshake.

Impact:
Connections are expired prematurely if they are still in three-way handshake.

Workaround:
Disable handshake timeout.

Impact of workaround: Your TCP handshake will not prematurely timeout and connections remains open until the Idle Timeout expires.

Fix:
The handshake timeout now expires based on idleness of the connection, taking into consideration of any SYN retransmissions, etc., that might occur.

617858-2 : bigd core when using Tcl monitors

Component: Local Traffic Manager

Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.

Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).

Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.

Workaround:
None.

Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.

617824-3 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. apply the iRule and oneConnect Profile to the VS.

Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.

Workaround:
You can work around the problem by disabling oneConnect.

617688 : Encryption is not activated unless "real-time encryption" is selected

Component: Fraud Protection Services

Symptoms:
Encryption is not activated as expected

Conditions:
Encryption enabled
Real-time encryption disabled

Impact:
Encryption error alert received in alert server

Workaround:
Enable "real-time encryption"

Fix:
Encryption on submit is now supported better.

617648 : Surfing with IE8 sometimes results with script error

Component: Fraud Protection Services

Symptoms:
Slow devices running Internet Explorer 8 can suffer performance issues on websafe protected sites.

Conditions:
Slow device running Internet Explorer 8.
Large number of configured or updated malware signatures.

Impact:
Clientside slowness.
In extreme cases, a popup asking the user whether to stop the script.

Workaround:
Reduce the number of malware signatures

Fix:
Compressed signatures

617628-1 : SNMP reports incorrect value for sysBladeTempTemperature OID

Component: TMOS

Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.

# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245

# tmsh show sys hardware

Sys::Hardware
Blade Temperature Status
Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...

The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.

Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.

Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.

config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
  1 1 0 19 49 Blade air outlet temperature 1
  1 2 0 14 41 Blade air inlet temperature 1
  1 3 0 21 57 Blade air outlet temperature 2
  1 4 0 16 41 Blade air inlet temperature 2
  1 5 0 25 60 Mezzanine air outlet temperatur
  1 6 0 27 72 Mezzanine HSB temperature 1
  1 7 0 17 63 Blade PECI-Bridge local tempera
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
  1 9 0 25 68 Mezzanine BCM56846 proximity te
  1 10 0 22 69 Mezzanine BCM5718 proximity tem
  1 11 0 19 57 Mezzanine Nitrox3 proximity tem
  1 12 0 16 46 Mezzanine SHT21 Temperature

617622 : In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure

Component: TMOS

Symptoms:
In TMSH, when trying to save the AAM configuration, TMSH removes value from matching rule. It corrupts bigip.conf and causes system loading configuration failure, with the following error in /var/log/ltm:

01070734:3: Configuration error: Policy "/Common/Drafts/<policy>", node "test_node", matching rule "path:Path": Must have a value.
Unexpected Error: Validating configuration process failed.

Conditions:
-- Use TM Shell to load configuration.
-- AAM configuration is loaded on BIG-IP and it is saved

Impact:
TMSH fails to load system configuration file.

Before the configuration save the policy would look like this:
matching {
  path {
    values {
      / { }
    }
  }
}

After the save it is converted to
matching {
  path { }
}

Workaround:
None.

Fix:
TMSH now saves AAM configuration without removing values from matching rules. Saving/loading system configuration succeeds.

617481-1 : TMM can crash when HTML minification is configured

Component: TMOS

Symptoms:
When AAM is provisioned and is used to cache dynamic pages, it can be configured to use HTML Minification to improve performance and optimize memory utilization. In some cases, HTML may incorrectly process the HTML code and cause TMM to crash.

Conditions:
1) AAM has to be provisioned and
2) AAM policy has to be configured and
3) has HTML minification enabled and
4) be applied to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disabling minification prevent TMM from crashing for this reason.

617310-2 : Edge client can fail to upgrade when Always Connected is selected★

Component: Access Policy Manager

Symptoms:
Attempt to upgrade from an Edge client version to a current version fails when Always Connected is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client.

Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.

Workaround:
Turn off Always Connected before upgrading.

Fix:
Edge client now succeeds during upgrade when Always Connected is selected.

617229-1 : Local policy rule descriptions disappear when policy is re-saved

Solution Article: K54245014

Component: TMOS

Symptoms:
Local policy rule descriptions disappear when policy is re-saved.

Conditions:
A rule with description exists, and the policy it's under is saved.

Impact:
An existing rule description disappears when the policy it's under is saved.

Workaround:
Use TMSH to modify the policy's properties.

Fix:
Local policy rule descriptions now remain visible when policy is re-saved.

617187-1 : APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
If APM server uses untrusted SSL certificate/or it is accessed using IP address CustomDilaer, access is refused and there is no prompt to confirm the security warning.

Conditions:
APM has invalid certificate
User uses CustomDialer to access VPN

Impact:
VPN connection can't be established

Workaround:
Use valid SSL certificate on APM or add particular invalid certificate to trusted store on Windows

Fix:
Now CustomDialer warns user about invalid certificate and allows to proceed with invalid certificate.

617124 : Cannot map hardware type (12) to HardwareType enumeration

Component: TMOS

Symptoms:
iControl-SOAP throws an error whenever a method call to SystemInfo::get_hardware_information() is made.

Conditions:
This is reproducible in under all conditions.

Impact:
iControl-SOAP crashes when this call is made.

Workaround:
Don't call this SystemInfo::get_hardware_information().

Fix:
Call this method no longer leads to a crash.

617063-1 : After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel

Component: Access Policy Manager

Symptoms:
After VPN tunnel is established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel.

Conditions:
VPN tunnel is established. Place the computer in hibernation. Resume from hibernation and connect to a new network where a Captive Portal is present, e.g. Starbucks.

Impact:
EdgeClient may show an error page for captive portal or stay in Reconnecting state for extended period. Disconnect button may not be responsive.

Fix:
If captive portal is detected during reconnect, close VPN resources before showing captive portal authentication page.

617014-3 : tmm core using PEM

Component: Policy Enforcement Manager

Symptoms:
tmm core when using PEM with cloning monitored traffic

Conditions:
Using PEM with iRules and cloning traffic

Impact:
Traffic disrupted while tmm restarts.

Fix:
The problem with PEM and cloning traffic via iRule has been corrected.

617002-1 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Component: Access Policy Manager

Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.

Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.

Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.

Fix:
Correctly handle the response analytics for these URLs and dont send resets to client.

616918-1 : BMC version 2.50.3 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.50.3.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- PXE boot.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

616864-1 : BIND vulnerability CVE-2016-2776

Solution Article: K18829561

616838-3 : Citrix Remote desktop resource custom parameter name does not accept hyphen character

Component: Access Policy Manager

Symptoms:
While adding the custom parameter in Citrix Resource would give parser error as following,

01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"

Conditions:
Having Citrix resource with custom parameter name with hyphen character

Impact:
Custom parameter can not be used with hyphen character

Workaround:
None

Fix:
Accept custom parameter name with hyphen character

616242-3 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank★

Solution Article: K39944245

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.

Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.

616215-4 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.

Fix:
TMM no longer cores in this instance.

616169 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.

Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.

616059-1 : Modifying license.maxcores Not Allowed Error

Solution Article: K19545861

Component: TMOS

Symptoms:
Your sync-failover device group status says 'Sync Failed' and reports the following error in Device Management :: Overview: Sync error on <device name>: Load failed from /Common/BIG-IP1 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

Conditions:
-- Non-homogeneous Virtual Edition (VE) configured with different licenses in a device group, or with hardware-based BIG-IP systems.
-- License variable perf_VE_cores is different among licenses.

Impact:
The device group fails to sync.

Workaround:
If you are using VEs in a device group, ensure that their licenses are the same.

Fix:
The license variable perf_VE_cores no longer syncs, so there is no error message.

616022-2 : The BIG-IP monitor process fails to process timeout conditions

Solution Article: K46530223

Component: Local Traffic Manager

Symptoms:
Pool members that are down are not marked down by the monitor. The BIG-IP system continues to attempt to monitor the object.

Conditions:
It is not known exactly what triggers this condition. It was encountered on an HTTPS monitor.

Impact:
Incorrect monitor state. Pool members may not be marked down even though the target pool-member is down.

Workaround:
No known workaround.

Fix:
The monitor process no longer inadvertently skips processing monitor timeouts and correctly marks monitored objects down.

615970-1 : SSO logging level may cause failover

Component: Access Policy Manager

Symptoms:
SSO logging level may cause failover.

Conditions:
SSO logging level set to "Debug".

Impact:
TMM may crash. Core file may be generated.

Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".

Fix:
The SSO logging level of "Debug" no longer causes failover.

615934-1 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.

615824-1 : REST API calls to invalid REST endpoint log level change

Component: iApp Technology

Symptoms:
In Big-IP 12.x versions before 12.1.2 invalid requests to a REST endpoint were being recorded in the FINE level logs, making it difficult to audit when an invalid request to a REST endpoint was coming in. In version 12.1.2, the log level was changed to INFO so that these messages are more easily consumed by users attempting to audit the log.

Conditions:
Any request made to an invalid REST endpoint will trigger a log message at the FINE level indicating that a request came in to an invalid REST endpoint.

Impact:
Auditing the REST Framework logs is more difficult, requiring you to look at messages logged at the FINE level.

Workaround:
Users can increase the log level of the REST Framework to FINE by making the following change to the file '/etc/restjavad.log.conf':

Before:
.level=FINE
After:
.level=INFO

Fix:
This message is included in the INFO log level on BIG-IP v12.1.2.

615388-1 : L7 policies using normalized HTTP URI or Referrer operands may corrupt memory

Component: Local Traffic Manager

Symptoms:
TMM may restart when using a L7 policy that contains the 'normalized' keyword for HTTP URI or Referrer operands.

Conditions:
Normalized HTTP URI or Referrer operands used in L7 policies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No workaround short of removing use of normalization for HTTP URI and Referrer instances in L7 policies.

Fix:
Use of URI or Referrer normalization in L7 policies no longer results in memory corruption.

615377-3 : Unexpected rate limiting of unreachable and ICMP messages for some addresses.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might fail to send RSTs, ICMP unreachable, or ICMP echo responses for some addresses.

/var/log/ltm might contain messages similar to the following:
-- Limiting icmp unreach response from 251 to 250 packets/sec.
-- Limiting icmp ping response from 251 to 250 packets/sec.
-- Limiting closed port RST response from 251 to 250 packets/sec.

Conditions:
Certain traffic patterns to addresses in two or more different traffic-groups.

Impact:
Certain response messages from addresses in one or more traffic-groups (but not all) might be rate limited by the BIG-IP system even though the level of traffic has not exceeded the tm.maxrejectrate setting.

Workaround:
None known.

Fix:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.

Behavior Change:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.

615338-2 : The value returned by "matchregion" in an iRule is inconsistent in some cases.

Component: Global Traffic Manager

Symptoms:
The value returned by "matchregion" in an iRule is inconsistent when the GTM global setting, "cache-ldns-servers", is set to "yes" and the region contains a region, continent, country, state, or ISP.

Conditions:
The GTM global setting, "cache-ldns-servers" must be set to "yes" and the region must contain a region, continent, country, state, or ISP.

Impact:
The value returned by "matchregion" in an iRule is inconsistent and may lead to inconsistent behavior in the iRule.

Workaround:
Set the GTM global setting, "cache-ldns-servers" to "no".

Fix:
"Matchregion" returns the correct value under all conditions.

615267-2 : OpenSSL vulnerability CVE-2016-2183

Solution Article: K13167034

615254-2 : Network Access Launch Application item fails to launch in some cases

Component: Access Policy Manager

Symptoms:
If access policy has multiple network resources with application launch configured, applications will launch only from first network resource.

Conditions:
Multiple Network access resources are configured with application launch.

Impact:
Applications will launch only from first network resource. Applications will not launch for other network resources

Workaround:
Launch applications manually after VPN is established.

Fix:
Applications from all network resources are now detected and launched correctly.

615226-5 : Libarchive vulnerabilities: CVE-2016-8687 and others

Solution Article: K13074505

615222-1 : GTM configuration fails to load when it has gslb pool with members containing more than one ":"★

Component: Global Traffic Manager (DNS)

Symptoms:
GTM Virtual Servers or GTM Servers containing a colon ":" in their name would throw errors when attempting to use them as a GTM Pool Member through TMSH. If created through TMUI, and a configuration was saved and loaded, the same error would be thrown.

Example error:
01070226:3: Pool Member 20002 references a nonexistent Virtual Server.

Conditions:
1. Create virtual server of format <IP>:<PORT>.
2. Attempt to add this virtual server as a GTM Pool Member

Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.

Workaround:
None.

Fix:
Fixed issue related to parsing of GTM Pool member names that prevents the use of GTM virtual servers or GTM servers with a colon ":" in the name from being used as a GTM pool member.

615143-1 : VDI plugin-initiated connections may select inappropriate SNAT address

Component: Local Traffic Manager

Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.

Conditions:
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.

Impact:
Return traffic from destination may not be able to return to the BIG-IP, thus breaking the VDI functionality.

Workaround:
No workaround short of removing the additional virtual server matching the VDI traffic.

Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtual servers before reaching the external network.

615107-1 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).

Component: TMOS

Symptoms:
Issuing commands from the AOM/SCCP menu to the host do not function, or password is required when SSH from AOM/SCCP to the host.

Conditions:
Presence of /etc/ssh directory on host.

Impact:
AOM/SCCP unable to connect to host without password.

Workaround:
None.

Fix:
Can now SSH from AOM/SCCP to host without password (host-based authentication).

614891-2 : Routing table doesn't get updated when EDGE client roams among wireless networks

Component: Access Policy Manager

Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.

Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.

Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.

614865-5 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.

Fix:
Overwrite flag in iControl functions key/certificate_import_from_pem_v2() functions are now processed correctly and no longer produce errors.

614788-1 : zxfrd crash due to lack of disk space

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible that the zone transfer daemon (zxfrd) can crash if the /var disk partition fills up and zxfrd needs to increase the size of its database.

Conditions:
DNS Express configured
Full /var partition
Changes to the zone database require more space to be allocated for zxfrd.

Impact:
zxfrd may crash and restart. This process may repeat depending on the need for space on restart.

Workaround:
Free up space in the /var partition.

Fix:
zxfrd now correctly handles the out of space condition.

614766-1 : lsusb uses unknown ioctl and spams kernel logs

Component: TMOS

Symptoms:
RHEL6 version of lsusb and associated libusb1 libraries
are using an ioctl that isn't properly supported by the kernel in the 32-bit syscall path.

Conditions:
RHEL6 version of lsusb and associated libusb1 libraries.

Impact:
Spamming of kernel logs.

Workaround:
None.

Fix:
kernel.el6.5: fix missing ia32 compat mapping for USBDEVFS_GET_CAPABILITIES.

614563-3 : AVR TPS calculation is inaccurate

Component: Advanced Firewall Manager

Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.

Conditions:
DoS profile attached to the virtual server.

Impact:
Attack can wrongly be detected.

Workaround:
None.

Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.

614530-2 : Dynamic ECMP routes missing from Linux host

Component: TMOS

Symptoms:
When an ECMP route is learned via dynamic routing, it is not added to the Linux host and local processes may not be able to reach the destination prefix. Load balanced traffic is not affected.

Conditions:
Dynamic routing in use, ECMP configured, ECMP route received from neighbors.

Impact:
Monitors may fail, other host-originated traffic may be sent out the wrong interface or nowhere at all.

Workaround:
Disable ECMP in ZebOS by setting "maximum-paths 1" in imish.

Fix:
ECMP routes are correctly added to the Linux host.

614509-1 : iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart

Component: Local Traffic Manager

Symptoms:
When the 'all' keyword is used with 'class match' on large external datagroups, the results will be incorrect and may result in TMM restarting.

Conditions:
iRule utilizing 'all' keyword with 'class match' on large external datagroups. A more unusual case is external datagroups with the tmm.classallocatemetadata bigdb entry set to the non-default 'disable' value.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No reasonable workaround short of not using 'all' keyword with 'class match' in iRules.

Fix:
'all' keyword with 'class match' now returns the correct results and TMM does not restart.

614322-1 : TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway

Solution Article: K31063537

Component: Access Policy Manager

Symptoms:
TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway.

Conditions:
RDP client uses RDG-RPC protocol to connect via APM's RD Gateway implementation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed TMM crash, which occurred during RDG-RPC protocol handling.

614296-1 : Dynamic routing process ripd may core

Component: TMOS

Symptoms:
As a result of a known issue the dynamic routing protocol daemon ripd, used for the RIP protocol may produce a core file when configuring it to use a interface configured with multiple self IP addresses on different subnets on the same VLAN.

Conditions:
- Use the RIP dynamic routing on an affected version.
- Have multiple self IP addresses belonging to different subnets on the same VLAN
- Add one of the subnets with the network command within the "router RIP" stanza.

Impact:
ripd will core and the configuration will not be allowed.

Workaround:
Configure one subnet/self IP address per VLAN.

Fix:
ripd no longer cores when configured with multiple subnets on the same VLAN.

614284-2 : Performance fix to not reset a data structure in the packet receive hotpath.

Component: Advanced Firewall Manager

Symptoms:
No symptoms. This is a performance fix.

Conditions:
This will happen always in the packet receive hotpath.

Impact:
No impact. Without this fix BIG-IP could have 0.5% (hard to measure) performance impact.

Workaround:
No workaround.

Fix:
Made an optimization to the packet receive hotpath.

614180-1 : ASM is not available in LTM policy when ASM is licensed as the main active module

Component: TMOS

Symptoms:
ASM is not available in LTM policy rule creation when ASM is licensed as the main active module

Conditions:
ASM is licensed as the main active module

Impact:
ASM is not available in LTM policy rule creation

Workaround:
Use a license that has ASM as a sub-module. For example, LTM with Best Bundle.

Fix:
Fixed license data parsing so that the main module is also included in the license map used to determine whether a module is licensed or not.

614147-1 : SOCKS proxy defect resolution

Solution Article: K02692210

614097-1 : HTTP Explicit proxy defect resolution

Solution Article: K02692210

613765-3 : Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Component: TMOS

Symptoms:
Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Conditions:
When a virtual server with a destination address of 0.0.0.0:0 is in the list, sorting the list is slow because of extra name resolution performed.

Impact:
Degraded user experience waiting for the extra logic and misleading error in logs.

Workaround:
None.

Fix:
Creating 0.0.0.0:0 Virtual Server in TMUI no longer results in slow-loading virtual server page and name resolution errors.

613671-2 : Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation

Component: Fraud Protection Services

Symptoms:
Wrong handling of nonexistent parameter configured with Encryption and Obfuscation

Conditions:
nonexistent parameter configured with Encryption and Obfuscation

Impact:
Error in console

Fix:
Ignore nonsexist parameter

613613-2 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The impact of this issue is that the web application can not work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.

613576-1 : QOS load balancing links display as gray

Component: Global Traffic Manager

Symptoms:
All links in all data centers appear gray. After this patch all link appear to be green and the functional of load balancing to the first available link in each pool is restored.

Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all ilnks from configuration or install this hotfix.

613536-5 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED

613459-1 : Non-common browsers blocked by Proactive Bot Defense

Component: Advanced Firewall Manager

Symptoms:
Some non-common browsers may get blocked by the Proactive Bot Defense feature. This has been seen in rare cases, and causes these browsers to remain in a white page while the request is not being sent to the back-end server.

Conditions:
Proactive Bot Defense enable on the DoS profile.

Impact:
In rare cases, some non-common browsers may get blocked.

Workaround:
None

Fix:
Non-common browsers no longer get blocked when Proactive Bot Defense is enabled.

613429-2 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.

Component: Local Traffic Manager

Symptoms:
Assigning a wide IP with wildcard characters in the name to a DHS distributed application may not work properly when done via tmsh, and such configurations created via the GUI will result in configuration files that fail to load.

Conditions:
A wide IP with a wildcard character in its name.

Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.

Workaround:
None.

Fix:
Fixed issue preventing wide IPs to be assigned to BIG-IP DNS distributed apps if those wide IPs have a wildcard character in their name.

613415-2 : Memory leak in ospfd when distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to a the daemon being terminated via the oom-killer.

Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.

Fix:
ospfd no longer leaks memory when a distribute-list is configured.

613396-1 : Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs

Component: Application Security Manager

Symptoms:
Exported Policy in XML format cannot be imported.

Conditions:
Metacharacter overrides are defined on a Websocket URL in the policy.

Impact:
Exported XML policies cannot be imported back into the system without manual manipulation

Workaround:
If such a policy has already been exported only manual manipulation would allow it to be imported again.

Fix:
Policy export now correctly creates valid XML Policies for configurations with metachar overrides configured on Websocket URLs.

613369-4 : Half-Open TCP Connections Not Discoverable

Component: Local Traffic Manager

Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.

Conditions:
A TCP connection in half-open state.

Impact:
Half-open TCP connections are not discoverable

Fix:
Properly acknowledge half-open TCP connections.

613326-1 : SASP monitor improvements

Component: Local Traffic Manager

Symptoms:
A SASP monitor created in versions earlier than 13.0.0 might exhibit problems in certain situations, such as:
-- Attempting to connect multiple times with GWM pairs.
-- Dropping and reconnecting frequently with GWM pairs.
-- Problematic behavior with mixed Push/Pull workgroups on the same GWM.
-- Overly-chatty use of the SASP protocol when establishing/reestablishing connections.
-- Marking pool members down during GWM switch-over.
.-- Inability to handle many hundreds of workgroups/workloads

Conditions:
Using versions of the SASP monitor created in versions earlier than 13.0.0.

Impact:
Might cause flapping pool members or unstable pools.

Workaround:
None.

Fix:
A significantly improved SASP monitor has been developed in version 13.0.0. It properly handles the SASP protocol, GWM pairs, and connection semantics. In addition, it has the ability to briefly delay node down on GWM switchover, resulting in no interrupted traffic in most cases, and has vastly improved scalability.

When run in push mode (now the default), it is more efficient with the SASP protocol, only asking for changes from GWM, and pinging GWM infrequently if no traffic has been received.

The improved monitor uses Pool name rather than Monitor name as the Workload name. This allows a single Monitor definition to be shared among many Pools, where previously a single unique Monitor was required for each SASP Pool.

613297-3 : Default generic message routing profile settings may core

Component: Service Provider

Symptoms:
If a virtual is created using the default generic message profile, the first packet received will produce an infinite number of messages and overflow the internal buffers.

Conditions:
The default generic message profile has the internal parser enabled but a zero byte message separator pattern. This causes the parser when receiving traffic to create an infinite number of empty packets and overflow the system.

Impact:
The infinite number of message will cause an internal panic producing a core. Traffic disrupted while tmm restarts.

Workaround:
Each usage of generic message should either provide a separator pattern or disable the internal parser.

Fix:
In this release, the system automatically disables the internal parser if no separator is provided, so if a virtual is created using the default generic message profile, the first packet received no longer produces an infinite number of messages and overflows the internal buffers.

613282-2 : NodeJS vulnerability CVE-2016-2086

Solution Article: K15311661

613225-7 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697

613127-3 : Linux TCP Stack vulnerability CVE-2016-5696

Solution Article: K46514822

613079-4 : Diameter monitor watchdog timeout fires after only 3 seconds

Component: Local Traffic Manager

Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.

Conditions:
A Diameter monitor must be configured.

Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.

Workaround:
None.

Fix:
Removed the 3-second Diameter monitor watchdog timeout so that interval and timeout can be used like other external monitors.

613065-1 : User can't generate netHSM key with Safenet 6.2 client using GUI

Component: Local Traffic Manager

Symptoms:
With Safenet6.2, creating key using GUI may hang and timeout. The GUI eventually quits with error message.

Conditions:
Installing Safenet6.2 client and attempting to create netHSM key from the GUI

Impact:
netHSM key creation fails, GUI hang.

Workaround:
You can use the corresponding tmsh command to create key.

Fix:
NetHSM key waiting time has been increased and you can now create a netHSM key using GUI.

613045-7 : Interaction between GTM and 10.x LTM results in some virtual servers marked down

Component: Global Traffic Manager

Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.

Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.

Impact:
On the GTM side, that LTM virtual server will never get marked up.

Workaround:
None.

Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.

612952-1 : PSU FW revision not displayed correctly

Component: TMOS

Symptoms:
When EUD displays the PSU FW revison it is truncated from 16 bytes to 14 bytes.

Conditions:
This occurs when using a Murata REV02 M1845 PSU with AOM FW less than 2.7.14

Impact:
Incomplete PSU FW rev.

Workaround:
Infer the last 2 characters of the PSU FW rev from the 14 that are displayed and the HW revision of the PSU.

612874-1 : iRule with FLOW_INIT stage execution can cause TMM restart

Component: Advanced Firewall Manager

Symptoms:
If you have an iRule that has FLOW_INIT stage execution, it is likely to result in random TMM crashes.

Conditions:
iRule that has FLOW_INIT stage action in it.

The FLOW_INIT stage iRule could be executed either because it was attached to a Virtual Server or configured on an AFM ACL Rule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule with FLOW_INIT action. Other stage iRules does not cause this problem.

Fix:
Memory allocation and release during iRule FLOW_INIT execution was not handled right in a specific scenario, which was corrected.

612809-1 : Bootup script fails to run on on a vCMP guest due to a missing reference file.

Component: TMOS

Symptoms:
Script /etc/sysconfig/sysinit/10virtual-platform.sysinit fails to run. sod log spamming.

Conditions:
Startup in a vCMP guest.

Impact:
vCMP guests shows dbg_echo related errors in /var/log/boot.log.

Workaround:
Disable sys db variable "failover.usetty01" and restart sod.

If unable to restart sod at the moment, apply a filter with no publisher matching message-id 012a0003:
    sys log-config filter no-serial-failover-logs {
        message-id 012a0003
    }

Fix:
This release adds a separate sysinit file for vCMP instead of using sysinit-virtual-platform.

612769-1 : Hard to use search capabilities on the Pool Members Manage page.

Solution Article: K33842313

Component: Global Traffic Manager (DNS)

Symptoms:
With hundreds of potential pool members the GUI does not make it easy to search for them. The search list only supports searches that match the beginning of the pool member's name.

Conditions:
This difficulty exists when there are more than a few potential pool members.

Impact:
Frustrating BIG-IP system administrator experience.

Workaround:
A workaround is to perform the needed virtual server/member addition to the pool via TMOS/CLI using a command similar to the following:

$ tmsh modify gtm pool <record> <pool> members add { <member> }.

Tip: You can take advantage of auto-completing the member's name by pressing the <tab> key, which saves typing the entire name.

Fix:
The system now provides better search capabilities on the Pool Members Manage page.

612752-1 : UCS load or upgrade may fail under certain conditions.★

Component: TMOS

Symptoms:
UCS load fails, with the following error message: loaddb[20786]: 01080023:3: Error return while getting reply from mcpd: 0x10718e6, 010718e6:3: The requested primary admin user (user1) must exist in local user database.

Conditions:
Root login is disabled and the primary administrative user is set to anything other than 'admin', the default.

Impact:
UCS load or upgrade will fail.

Workaround:
Before upgrading or generating the UCS, re-enable the root account by setting DB variable systemauth.disablerootlogin to 'false'.

Unset the custom primary administrative user by setting DB variable systemauth.primaryadminuser to 'admin'.

These settings may be safely reinstated after the upgrade is complete.

612694-5 : TCP::close with no pool member results in zombie flows

Component: Local Traffic Manager

Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.

Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).

Impact:
Connection does not tear itself down.

Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.

Fix:
The system now properly handles TCP teardown when TCP::close has already torn down the rest of the stack.

612564 : mysql does not start

Component: TMOS

Symptoms:
ASM storage initialization does not happen.

Conditions:
BIG-IP iSeries platforms; this occurs after new software install.

Impact:
Application is non-functional.

Workaround:
remove the sentinel file ;
/appdata/mprov/local/HD1.4/mysqldb/.moved.to.asmdbvol.
and reboot.

612419-1 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.

Fix:
Fixed a memory leak related to network access.

612229-1 : TMM may crash if LTM a disable policy action for 'LTM Policy' is not last

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing an LTM policy.

Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- Policy action of disable - LTMN Policy is not the last one in the list of actions.

Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.

Workaround:
Ensure any LTM policy disable action is the last in the list of actions.

Fix:
TMM no longer crashes if LTM a disable policy action for 'LTM Policy' is not last in the list of actions in the rule.

612135-3 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic

Component: Service Provider

Symptoms:
Configuring a virtual server with generic message profile without message routing profile will core when a packet is received by the virtual.

Conditions:
Configuring a virtual server with generic message profile without message routing profile.

Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.

Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.

Fix:
Validation has been improved to fail unless both a generic message profile and a message routing profile are used.

612040-4 : Statistics added for all crypto queues

Component: Local Traffic Manager

Symptoms:
Requests for crypto operations that have been issued but not yet actively queued in the crypto hardware will not show up in the "tmm/crypto" statistics table.

Conditions:
Crypto requests issued but not actively queued in the crypto hardware.

Impact:
Crypto requests do not show up in the "tmm/crypto" statistics table.

Fix:
New rows have been added to the "tmm/crypto" statistics table that will count requests that have been issued but not actively queued to the crypto hardware.

611968-3 : JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow

Component: Access Policy Manager

Symptoms:
JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow.

Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers presence.

Impact:
Web application performance slowdown.

Workaround:
None

Fix:
Fixed.

611922-1 : Policy sync fails with policy that includes custom CA Bundle.

Component: Access Policy Manager

Symptoms:
Policy sync fails with a policy that includes a custom CA Bundle with an error similar to the following: mcpd[6191]: 01070710:3: Database error (65), Can't set attribute value, type:certificate_summary attribute:name.

Conditions:
- Add a custom certificate bundle
- Add it to a policy, e.g. create an LTM SSL CA profile and add it to the endpoint security check agent in the access policy.
- Initiate a policy sync.

Impact:
Policy sync fails.

Workaround:
Use a built-in certificate bundle on source device and sync the policy.

Import the custom certificate bundle to all devices

Replace the built-in certificate bundle with the custom one in the policy.

Fix:
Policy sync now succeeds when the policy includes a custom certificate bundle.

611704-5 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event

Component: Local Traffic Manager

Symptoms:
A tmm crash was discovered during internal testing.

Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT

611669-4 : Mac Edge Client customization is not applied on macOS 10.12 Sierra

Component: Access Policy Manager

Symptoms:
Mac Edge Client's Icon, application name, company name, amongst other things can be customized on BIG-IP before deploying on end user's machine. But on Mac Edge Client on macOS 10.12 Sierra this customization is not applied.

Conditions:
macOS Sierra 10.12, Edge client, customization

Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there should be no impact except that user will see default application visually.

Workaround:
run following command on Terminal and re-launch Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For spanish
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Edge client honors customization on macOS Sierra 10.12 now.

611658-3 : "less" utility logs an error for remotely authenticated users using the tmsh shell

Component: TMOS

Symptoms:
when using 'less' Syntax Error: unexpected argument "/usr/bin/lesspipe.sh"

Conditions:
admin user configured with tmsh shell

Impact:
admin user cannot use the less command from shell

Workaround:
configure admin user to use the bash shell

611512-1 : AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.

Component: TMOS

Symptoms:
In AWS, Pool member autoscaling in BIG-IP fails to add pool members when pool name in BIG-IP is same as Autoscaling Group name in AWS.

Conditions:
- BIG-IP is configured to perform autoscaling of pool members in AWS.
- Pool name in BIG-IP is same as the autoscaling group name in AWS attached with it.

Impact:
- Pool member autoscaling doesn't occur correctly without user intervention.

Workaround:
When configuring pool member auto-scaling in AWS, you must choose a different name for the pool compared to the autoscaling group name attached with it.

Fix:
Choose different names for Pool in BIG-IP and autoscaling group in AWS to correctly configure Pool member autoscaling in BIG-IP .

611487-3 : vCMP: VLAN failsafe does not trigger on guest

Component: TMOS

Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.

Conditions:
vCMP host configured, VLAN failsafe enabled on a VLAN, one or more VCMP guests enabled that use that VLAN

Impact:
Since the heartbeat messages going over IPv6 link-local addresses continue to be successfully passed from host to guest, VLAN failsafe does not trigger if a downstream router or switch goes down that's connected to the VLAN.

Workaround:
If you are able to, disabling IPv6 on the host will allow VLAN failsafe to work as expected.

611469-3 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector

Solution Article: K95444512

611467-3 : TMM coredump at dhcpv4_server_set_flow_key().

Component: Policy Enforcement Manager

Symptoms:
TMM coredump at dhcpv4_server_set_flow_key().

Conditions:
1. You are using Policy Enforcement Manager (PEM) DHCP to discover subscribers.
2. You have configured a DHCP relay virtual server.
3. Two PEM DHCP subscriber connections share the same connection to a remote DHCP server.
4. One of the PEM DHCP subscriber connections expires.
5. The non-expired PEM DHCP subscriber connection sends a new DHCP request.
6. The remote PEM DHCP server responds to the new PEM subscriber request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The client uses broadcast to do DHCP renewal is an indication the client did not get ACK from DHCP server when it uses unicast to talk to DHCP server directly. The most likely reason for this to happen is the server routing table is not configured to send DHCP ACK packets back to the client.

You can work around this problem by configuring DHCP server routing table so that it knows how to send DHCP ACK to the client.

611385-1 : "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'

Component: Application Security Manager

Symptoms:
Under some scenarios, setting "Learn Explicit Entities" to 'Never' has no effect; it continues to work as if it is 'Add All Entities'

Conditions:
Steps to Reproduce:
1) Create a default policy, set "Learn New HTTP URLs" to "Add All Entities".
2) Create a non-pure wildcard URL "/in*".
3) Send the following request:
     GET /index.html HTTP/1.1\r\n
     Host: <Host URL>\r\n
     \r\n
4) There will be no suggestion to add /index.html URL since learning mode on "/in*" wildcard is "Never" by default.
5) Set "Learn Explicit Entities" to "Add All Entities" on "/in*" wildcard.
6) Send the same traffic again; there will be suggestion to add /index.html URL (which is still correct).
7) Delete all suggestions.
8) Set "Learn Explicit Entities" to "Never" on "/in*" wildcard.
9) Send the same traffic again.

Impact:
There is suggestion to add /index.html URL when there should be no such suggestion since the wildcard is in 'Never' mode now.

Workaround:
Go to "Learning and Blocking Settings", set "Learn New HTTP URLs" to "Never" press "Save", then set it back to "Add All Entities". press "Save" again.

Fix:
"Learn Explicit Entities" to 'Never' now works as expected.

611352 : Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms

Solution Article: K68092141

Component: TMOS

Symptoms:
In /var/log/sel you see these errors:
0082 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: corerrsts: replay_num_rollover_status
0083 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: rperrsts: correctable_error_received

Conditions:
This can be seen on BIG-IP iSeries platforms.

Impact:
This error message is benign and can be safely ignored.

Workaround:
N/A

Fix:
Benign message "replay num rollover error condition correctable errors" counter is no longer seen.

611320-3 : Mirrored connection on Active unit of HA pair may be unexpectedly torndown

Component: Local Traffic Manager

Symptoms:
Mirrored connection on Active unit is torn down. TCP connection is RST with cause of 'HA Expire flow'.

Conditions:
Mirrored connection on Standby unit times out due state mismatch with connection on Active unit.

Impact:
Traffic loss.

Workaround:
Disable mirroring.

Fix:
The system no longer mirrors connflow expiration from Standby to Active. This is correct behavior.

611240-3 : Import of config with securid might fail

Component: Access Policy Manager

Symptoms:
Import of the profile used for securid auth might fail if the profile has already been used for auth purposes at the moment of export.

Conditions:
This occurs when the following conditions are met:
-- Profile configured for securid authenticaiton with securid server attached.
-- Profile has been used for authentication more than 0 times.
-- Full import (no reuse) or Reuse import when secureid server under the same name is not present.

Impact:
Unable to import certain configurations.

Workaround:
1. In VPE, open securid auth item and set server to none before export.
2. Export profile.
3. Import profile.
4. Re-create the aaa securid server.
5. In VPE, open the securid auth item and set server to one from step #4.

Or
1. Export profile.
2. Create aaa securid server under the same name.
2. Import profile with reuse.

It is also possible to remove securid entry from config-files of securid server configuration in .conf.tar.gz, which would also work.

Fix:
It is now possible to successfully export and the import profile using securid in any state.

611161-3 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Solution Article: K28540353

Component: Local Traffic Manager

Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs, and the generated arp requests are not being answered, VLAN failsafe resorts to ICMP.

Impact:
There are very rare situations in which failsafe triggers but it should have not.

Workaround:
None.

Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.

611151-2 : An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive

Component: Application Security Manager

Symptoms:
If you configure a sensitive parameter with an upper-case character (like "Password"), the data masking does not take place. When the sensitive parameter is all lower-case (like "password"), the data masking takes place as expected.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ a sensitive parameter with an upper-case character

Impact:
no data masking for a JSON sensitive parameter

Workaround:
N/A

Fix:
We've made sure that JSON parameters are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.

610897-2 : FPS generated request failure throw "unspecified error" error in old IE.

Component: Fraud Protection Services

Symptoms:
If FPS generated request sent and failed in old IE, it will throw "unspecified error" error.

Conditions:
FPS generated request sent and failed in old IE

Impact:
The browser will show error message in the left bottom side.

Workaround:
N\A

Fix:
N\A

610857-1 : DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.

Component: Advanced Firewall Manager

Symptoms:
When selenium client webdriver is detected running a browser Chrome or Firefox it is not being blocked due to low score being assigned by PBD (Suspicious Browsers) mechanism.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot which running selenium Chrome or Firefox webdriver isn't mitigated by DoSL7 PBD mechanism.

Workaround:
N/A

Fix:
Adjusted scoring for selenium detection to trigger CAPTCHA upon an attempt to access a website without TSPD101 cookie (usually occurs upon accessing a website's first page)

610830-1 : FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.

Component: Advanced Firewall Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned and to a virtual sever assigned dos application profile where Device ID mitigation configured or ASM policy with WebScraping and FingerPrint detection enabled.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
tmsh modify sys db dosl7.fp_fonts_enabled disabled

Fix:
The javascript slowness bottleneck is fonts collection, to improve the performance the number of font reduced from 300 to 50. If you wish to eliminate the slowness of the fonts collection at all, a new sys db has been added. tmsh list sys db dosl7.fp_fonts_enable. Note, that eliminating the fonts collection for the fingerprint can reduce the its entropy.

610710-2 : Pass IP TOS bits from incoming connection to outgoing connection

Component: Service Provider

Symptoms:
ToS is set to 0 when going through a SIP profile.

Conditions:
This occurs when a SIP profile is in use and ToS is set.

Impact:
Currently outgoing packets TOS bits are configured via profile and are not affected by TOS bits of incoming packet.

Workaround:
NA

Fix:
Outgoing packets TOS bits can be configured via profile to preserve the TOS bits of incoming packet.

Behavior Change:
This change will only change existing behavior if the transport protocol (TCP, UDP or SCTP) has the ip-tos-to-client attribute set to pass-through. If configured as pass-through, the TOS bits of the incoming packet containing a message will be used on the outgoing packets containing the message. Without this change, the TOS bits of the outgoing packet would be undefined if configured this way.

610609-3 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example if you sent a single connection through BIG-IP it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.

610442-2 : vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★

Solution Article: K75051412

Component: TMOS

Symptoms:
On a vCMP guest, If a user attempts to install using the block-device-image argument (e.g., install sys software block-device-image <some.iso>), and the .iso file has incorrect file permissions (e.g., $chmod 600 <some.iso>), then the lind process on the guest will enter a restart loop, and the system posts the following error:
lind[23565]: 013c0004:3: Fatal error: vcmp_media_insert failed

Conditions:
-- vCMP guest.
-- Run a command similar to the following:
install sys software block-device-image <some.iso>.
-- <some.iso> has bad permissions, e.g., -r--------.

Impact:
On the guest, lind restarts continuously, logging its restart to /var/log/ltm each time and posting the vcmp_media_insert failed error message.

Workaround:
Use either of the following workarounds:
-- Avoid installing block-device-images known to have bad permissions.

-- From the host, attempt to repair the file with bad permissions, copy the repaired file to /shared/images/, and try the install again. To do so, follow this procedure, running these commands from the host:

1. To repair the file, run the following command:
chmod 644 <some.iso>

2. To copy the file, run the following command:
scp <some.iso> mysystem:/shared/images/

3. To install the guest, run the following commands:
bigstart restart lind
tmsh install sys software block-device-image <some.iso>

Fix:
Instead of throwing a runtime error, lind will log an error to /var/log/ltm and return.

610441-3 : When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Component: TMOS

Symptoms:
When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Conditions:
This occurs when adding a new member to an existing pool using iControl REST.

Impact:
Unable to tell if the request has succeeded or failed via iControl REST.

Workaround:
Add the following to partitionInfo in icrd.conf.

{"gtm/pool/a/members":[true, true]},
{"gtm/pool/aaaa/members":[true, true]}

610429-5 : X509::cert_fields iRule command may memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields

610417-1 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Solution Article: K54511423

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. Also it will use the undesirable TLSv1 protocol instead of negotiating to the highest safest protocol available which is TLSv1.2

If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.

Workaround:
None.

Fix:
Advertised client ciphers reduced to what the common criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).

610354-1 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.

610352-1 : sys-icheck reports error with /etc/sysconfig/modules/unic.modules

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /etc/sysconfig/modules/unic.modules:

ERROR: S.5...... /etc/sysconfig/modules/unic.modules

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /etc/sysconfig/modules/unic.modules that was causing sys-icheck to report errors.

610350-1 : sys-icheck reports error with /config/bigpipe/defaults.scf

Component: TMOS

Symptoms:
n Azure cloud, running sys-icheck may report an error with /config/bigpipe/defaults.scf and /usr/share/defaults/defaults.scf:

ERROR: S.5...... c /config/bigpipe/defaults.scf (no backup)
ERROR: S.5...... /usr/share/defaults/defaults.scf

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/bigpipe/defaults.scf that was causing sys-icheck to report errors.

610307 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber

Component: TMOS

Symptoms:
This error message may be generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.

Impact:
None. This can be ignored.

Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.

Fix:
This error message could have been generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.

610302-1 : Link throughput graphs might be incorrect.

Component: Local Traffic Manager

Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.

Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.

For example, there are two links defined and named "mylink" and "mylink2".

Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.

For example, the throughput graphs for both "mylink" and "mylink2" might both show the throughput data for "mylink"

As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.

Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.

Fix:
Link throughput graphs now collect and show the throughput for the proper link when one link name is a prefix of one or more other links. Note that historical information gathered before the fix will not be corrected.

610295-1 : TMM may crash due to internal backplane inconsistency after reprovisioning

Component: TMOS

Symptoms:
In some scenarios on BIG-IP Virtual Edition (VE) platforms, TMM may crash due to backplane inconsistency shortly after a provisioning change.

Conditions:
- BIG-IP VE with performance-limited license.
- Additional licensing/provisioning of modules raises performance limits. New TMM processes are started.
- No reboot has occurred after provisioning.

Impact:
TMM may core with panic and post the following message in /var/log/tmm log: 'Unexpected backplane address'. Traffic disrupted while tmm restarts.

Workaround:
Reboot after provisioning if new license add-on keys raises performance of the BIG-IP system.

Fix:
TMM no longer crashes after provisioning if new license add-on keys raises performance of the BIG-IP system.

610273-3 : Not possible to do targeted failover with HA Group configured

Component: TMOS

Symptoms:
With a traffic-group configured to use HA Group, it is not possible to disable the HA Group to perform targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."

Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.

Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.

Workaround:
Temporarily change the traffic group to use a different Failover Method such as Load Aware or HA Order in order to failover. Note that this will disable HA Group functionality until the Failover Method is restored.

610255-1 : CMI improvement

Solution Article: K62279530

610224-3 : APM client may fetch expired certificate when a valid and an expired certificate co-exist

Component: Access Policy Manager

Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.

Conditions:
A valid and an expired certificate co-exist in the certificate store.

Impact:
Machine Certificate check fails.

Workaround:
Remove the expired certificate from the store.

Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.

610180-2 : SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML SP, and SLO is not properly configured on associated saml-idp-connector objects, IdP initiated SAML SLO may result in memory leak in SSO plugin.

Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO

Impact:
SSO plugin leaks memory

Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing single-logout-uri' property of IdP connector object.

Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.

610129-3 : Config load failure when cluster management IP is not defined, but instead uses address-list.

Solution Article: K43320840

Component: Advanced Firewall Manager

Symptoms:
In Cluster setup with multiple blades, if configurations do not have management IP addresses assigned to individual blades, but instead assign a cluster management IP address list to the cluster of blades. The configuration load will fail. System posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.

Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. Assign cluster management IP address list to the cluster of blades.

Impact:
After reboot, configuration load failure on secondary blades.

Workaround:
Define the cluster management IP address as the destination (in rule) without using address list.

Fix:
Config load failure no longer occurs when cluster management IP is not defined, but instead uses address-list.

609788 : PCP may pick an endpoint outside the deterministic mapping

Component: Carrier-Grade NAT

Symptoms:
When PCP is picking an endpoint for a LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.

Conditions:
With PCP configured and enabled with a lsn-pool in deterministic mode.

Impact:
Deterministic mapping restriction may be violated causing reverse mapping of public IP address to private IP address to not identify the correct subscriber.

Workaround:
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.

Fix:
PCP no longer picks mappings outside of a client's DNAT range after the first mapping attempt fails.

609691-1 : GnuPG vulnerability CVE-2014-4617

Solution Article: K21284031

609677-1 : Dossier warning 14

Component: TMOS

Symptoms:
After each boot, the var/log/ltm log file contains messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.

Conditions:
This occurs upon reboot after licensing and management port configuration is complete on i5000/i7000/i10000-Series platforms.

Impact:
There is no functional impact. This is a benign message that can be safely ignored.

Workaround:
None.

Fix:
The var/log/ltm log file no longer contains the benign messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.

609628-2 : CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session

Component: Local Traffic Manager

Symptoms:
When a client performs an abbreviated handshake by reusing the session from a previously established full handshake, the SSL forward proxy does not raise the CLIENTSSL_SERVERHELLO_SEND event.

Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configured
-- Session cache is enabled.

Impact:
iRule commands inside of the CLIENTSSL_SERVERHELLO_SEND are only executed for full handshakes but not for abbreviated handshakes; thus any logic that's applied per SSL connection should not run inside of CLIENTSSL_SERVERHELLO_SEND event since it is not reliably raised under all types of handshakes.

Workaround:
To make sure that the CLIENTSSL_SERVERHELLO_SEND event is reliably raised, disable session cache in the client SSL profile.

609614-3 : Yafuflash 4.25 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to Yafuflash 4.25.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Yafuflash.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

609575-5 : BIG-IP drops ACKs containing no max-forwards header

Component: Service Provider

Symptoms:
When a sip profile is in use and receives an acknowledgment packet missing the Max-Forwards header, BIG-IP will treat the packet as un-forwardable and does not forward the ACK. This can be experienced as a specific cilent being unable to make a call.

Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.

Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".

609499-1 : Compiled signature collections use more memory than prior versions

Component: Application Security Manager

Symptoms:
Compiled signature collections use more memory than prior versions.

Conditions:
Different signature sets are used for different policies.

Impact:
BD memory usage for compiled signature collections is increased.

Fix:
Compiled signature collections memory usage was consolidated and reduced.

609496-2 : Improved diagnostics in BD config update (bd_agent) added

Component: Application Security Manager

Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.

Conditions:
Further troubleshooting of BD config update transmission is needed.

Impact:
No diagnostics are available.

Workaround:
None.

Fix:
Improved diagnostics in BD config update (bd_agent) were added.

609335-1 : IPsec tmm devbuf memory leak.

Component: TMOS

Symptoms:
A small memory leak was discovered during internal testing of IPsec tunnels. Over time tmm might run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

609328-3 : SIP Parser incorrectly parsers empty header

Solution Article: K53447441

Component: Service Provider

Symptoms:
If a SIP message contains an empty header, the following header will be included as the value of the empty header.

Conditions:
A SIP header without any value will incorrectly cause the next header to be used as the value.

Impact:
If the following header is needed for processing the message, it will not be seen (since it is incorrectly considered the value of the previous header).

Workaround:
None.

Fix:
Parser has been corrected to terminate an empty header when a line ending is seen.

609325 : Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported

Component: TMOS

Symptoms:
QSFP modules that do not support DDM (Digital Diagnostic Monitoring), write messages to /var/log/ltm indicating DDM is not supported, however, there are certain unsupported DDM F5-branded SFP modules that do not write a message to the log.

Conditions:
Upon inserting the unsupported DDM SFP modules.

Impact:
DDM is not reporting information for the following optics:

Unsupported DDM 1Gb-10GB SFP modules:

OPT-0004
OPT-0007
OPT-0011
OPT-0015
OPT-0051
OPT-0033

Workaround:
None.

Fix:
All DDM SFP 1Gb-10GB modules now log in /var/log/ltm that DDM is not supported with that optical transceiver.

609244-4 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.

Workaround:
None.

Fix:
tmsh show ltm persistence persist-records no longer leaks memory.

609199-6 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join

Component: Local Traffic Manager

Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.

Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP.

Fix:
Remove unestablished joining subflows when freeing the MPTCP connection structure.

609119-7 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.

Fix:
The logging system prints out a blank message in response to failed file object configuration change validations.

609114-1 : Add the ability to control dropping of alerts by before-load-function

Component: Fraud Protection Services

Symptoms:
Too many alerts prevents you from enabling FPS. If it does get enabled, a large number of 'missing component' alerts are generated.

Conditions:
This can occur when enabling FPS will trigger a high number of alerts.

Impact:
FPS is disabled, or alerts are not categorized.

Fix:
Add before-load-function capability to drop alert on client.

609107-1 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf

Component: TMOS

Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.

Conditions:
A folder is removed from a previously valid configuration file.

Impact:
Inconsistent configuration between devices in the same device-group, shows in-sync when they are not, prevents config loading after mcpd has been reset.

Workaround:
Do not remove folders from the configuration file.

Fix:
mcpd now properly validates missing 'sys folder' config in bigip_base.conf, so the config performs as expected.

609098-1 : Improve details of ajax failure

Component: Fraud Protection Services

Symptoms:
When AJAX request fails, insufficient information is provided to debug the failure.

Conditions:
AJAX failure

Impact:
Difficult to diagnose the failure.

Workaround:
Not relevant

Fix:
Add information to alert about AJAX failure.

609095-1 : mcpd memory grows when updating firewall rules

Component: Advanced Firewall Manager

Symptoms:
While updating firewall rules such as adding/deleting a blacklist, mcpd memory grows by a small amount with each update.

Conditions:
This can occur when making changes to firewall policies.

Impact:
mcpd memory grows unbounded; over a significant amount of time with many changes and no restarts, mcpd can run out of memory and oom killer can trigger a failover.

609084-2 : Max number of chunks not configurable above 1000 chunks

Solution Article: K03808942

Component: Application Security Manager

Symptoms:
If you want to support requests larger than 1000 chunks, the request is blocked and the system posts the following message in the ASM event log:

Unparsable request content Chunks number exceeds request chunks limit: 1000.

Conditions:
This occurs when the request exceeds 1000 chunks.

Impact:
Requests that are valid from the server side are being rejected.

Workaround:
None.

Fix:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000

Behavior Change:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000

609027-1 : TMM crashes when SSL forward proxy is enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes when SSL forward proxy is enabled.

Conditions:
This can occur when SSL forward proxy is enabled and there is a server handshake done when client SSL handshake is not ongoing.

Impact:
Traffic disrupted while tmm restarts.

Fix:
SSL forward proxy now ignores server handshake done when client SSL handshake is not ongoing, so an intermittent TMM crash no longer occurs.

609005-2 : Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).

Component: Policy Enforcement Manager

Symptoms:
Two client side DHCP packets with giaddr field set, one with source port 67 and another client side packet with source port 68 (not conforming to RFC since giaddr set DHCP packet (from relay agent) should use 67 as source port per RFC),
tmm will crash during err message logging.

Conditions:
1) Two client side DHCP packets arrive one after another.
2) Both DHCP packets have giaddr fields set
3) One packet uses 67 as source port, the other uses 68

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The conditions that cause the crash should not happen in a normal network setup. A DHCP relay agent should only use 67 as source port.

608941-1 : AAA RADIUS system authentication fails on IPv6 network

Component: Access Policy Manager

Symptoms:
APM supports RADIUS authentication to IPv6 servers for APM clients if the IPv6 servers are in a pool, but using RADIUS for system authentication directly to a RADIUS server fails on invalid IP address. The signature in the log file is as follows:

err apmd[13481]: 01490108:3: /Common/profilename: RADIUS module: authentication with 'aa' failed: Invalid Server IP(0)/Port(0) (1)

Conditions:
RADIUS authentication configured for system authentication direct to a RADIUS server, and the RADIUS server is an IPv6 server.

Impact:
RADIUS is unable to connect directly to the IPv6 RADIUS server, clients unable to log into the system.

608826-1 : Greylist (bad actors list) is not cleaned when attack ends

Component: Anomaly Detection Services

Symptoms:
When attack ends the greylist (detected bad actors) remains till the timeout expiration.

Conditions:
Detected bad actors and attack end.

Impact:
If new attack will start sooner than greylist expiration time, greylist member will be mitigated even if they are not related to the current attack.

Workaround:
It it's necessary it's possible to clear greylist manually using ipidr utility.

Fix:
Clear the greylist upon attack end.

608742-2 : DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is configured in Forwarding mode, the BIG-IP system drops the renewal ACK message from the server in response to unicast renewal message from DHCP clients.

Conditions:
-- BIG IP system configured in forwarding mode.
-- DHCP clients sending unicast renewal message to DHCP server.

Impact:
Unicast DHCP renewal requests are not responded to with ACKs. DHCP clients will send broadcast renewal messages and will receive ACK from servers.

Workaround:
None.

Fix:
After being unable to receive ACK responses from DHCP servers for unicast DHCP renewal messages, the DHCP client will send broadcast DHCP renewal messages and receive an ACK from the DHCP server and ACKs forwarded by the BIG-IP system and received by DHCP clients.

608591-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
CCR-I requests from PEM to PCRF have subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of 3 (NAI).

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.

Impact:
Might impact the way policies are provided from the PCRF.

Workaround:
None

Fix:
Subscrbier ID type is marked as NAI for DHCP discovered subscribers.

608566-1 : The reference count of NW dos log profile in tmm log is incorrect

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles, the log message in tmm log is showing incorrect reference cnt to the log profiles.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
This may lead to issues such as TMM crash if the reference count is not calculated correctly

Fix:
The reference count now is showing correct number in the log message after the fix

608555-1 : Configuring asymmetric routing with a VE rate limited license will result in tmm crash

Component: Local Traffic Manager

Symptoms:
Configuring asymmetric routing with a VE rate limited license results in tmm crash.

Conditions:
Asymmetric routing is configured (i.e., client and/or server ingress and egress travel on different VLANs), and a VE rate limited license is used.

Impact:
tmm might continually crash when passing traffic. Traffic disrupted while tmm restarts.

Workaround:
Do not use asymmetric routing with a rate limited license.

Fix:
The VE rate shaper now works correctly when asymmetric routing is configured, tmm does not crash.

608551-3 : Half-closed congested SSL connections with unclean shutdown might stall.

Component: Local Traffic Manager

Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.

Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.

Impact:
Possible stalled flow.

Workaround:
Use SSL client that sends clean shutdown.

Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.

608509-1 : Policy learning is slow under high load

Component: Application Security Manager

Symptoms:
On systems with high load, policy learning is slow and learning suggestions are slow to arrive.

Conditions:
Policy builder generates many learning suggestions on a system that processes intense traffic.

Impact:
Learning suggestions appear with considerable delay, policy learning speed goes down.

Workaround:
No workaround

Fix:
Fixed an issue with slow policy learning on heavily loaded systems.

608424-2 : Dynamic ACL agent error log message contains garbage data

Component: Access Policy Manager

Symptoms:
Starting in BIG-IP version 12.0.0, Dynamic ACL error log messages might contain garbage data.

Conditions:
This occurs when Dynamic ACL detects incorrect syntax of an ACL entry.

Impact:
The system logs garbage data.

Workaround:
Make sure the ACL entry is correct.

Fix:
Dynamic ACL error log messages no longer contain garbage data when Dynamic ACL detects incorrect syntax of an ACL entry.

608408-2 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library

Component: Access Policy Manager

Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.

Conditions:
All of the following
- The BIG-IP system is used as SAML IdP
- New SAML SSO configuration is added on BIG-IP
- Rarely occurring internal tmconf error happens when processing newly added configuration.

Impact:
TMM may restart.

Workaround:
None.

Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.

608373-2 : Some iApp LX packages will not be saved during upgrade or UCS save/restore

Component: iApp Technology

Symptoms:
iApp LX packages that include dependencies on system utilities (like /bin/sh, /bin/bash, python etc.) cannot be imported to iApp LX RPM database.

Conditions:
oApp LX packages that depends on system utilities.

Impact:
iApp LX packages with dependencies will not be restored during upgrade or UCS restore process.

Workaround:
None.

Fix:
iApp LX UCS save process is updated turn off automatic dependency generation by rpmbuild so iApp LX package can be imported during UCS restore or upgrade.

608320-3 : iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum , or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.

608304-1 : TMM crash on memory corruption

Solution Article: K55292305

Component: Local Traffic Manager

Symptoms:
In rare cases tmm might crash on memory corruption.

Conditions:
It is not known what sequence of events triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes on memory corruption in rare cases.

608245 : Reporting missing parameter details when attack signature is matched against parameter value

Component: Application Security Manager

Symptoms:
A parameter is shown without parameters details or with garbled parameter details in the local logging GUI.

Conditions:
An attack signature was detected in a parameter value.

Impact:
Bad reporting

Workaround:
N/A

608024-3 : Unnecessary DTLS retransmissions occur during handshake.

Component: Local Traffic Manager

Symptoms:
Unnecessary DTLS retransmissions occur during handshake.

Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.

Impact:
Possible DTLS handshake failure on VE platform.

Workaround:
None.

Fix:
This release fixes a possible failed DTLS handshake on VE platforms.

608009-1 : Crash: Tmm crashing when active system connections are deleted from cli

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address by relay agent, tmm may crash when active system connections are deleted from cli or via aging.

Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in unicast DHCP renewal packet is set to IP address of relay agent (Typically, it is set to 0 by the DHCP client)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This is not a typical network setup. Usually DHCP relay agent will not modify DHCP renewal packet to insert its own address as giaddr.

607961-1 : Secondary blades restart when modifying a virtual server's route domain in a different partition.

Component: TMOS

Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).

Conditions:
- Only happens on chassis.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.

Impact:
Traffic disrupted while secondary blades restart.

Workaround:
None.

Fix:
Secondary blades no longer restart when modifying a virtual server's route domain in a different partition.

607857-1 : Some information displayed in "list net interface" will be stale for interfaces that change bundle state

Component: TMOS

Symptoms:
Changing the bundling on an interface does not clear the following fields in the previously configured interface:
module-description, serial, vendor, vendor-oui, vendor-partnum, vendor-revision.

That information will be correct for the active interface, it is just not cleared for the previously configured interface.

Module description is not correctly reported on unbundled interfaces.

Conditions:
Bundling change on an interface

Impact:
"list net interface" on previously configured interfaces will show stale information. May be confusing.
Module description is missing from "list net interface" on unbundled interfaces.

Workaround:
Stale data will clear on a reboot. This is purely a display issue, it does not affect the functionality of the currently configured interfaces.

607803-3 : DTLS client (serverssl profile) fails to complete resumed handshake.

Solution Article: K33954223

Component: Local Traffic Manager

Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.

Conditions:
This occurs when the BIG-IP system acts as a DTLS client.

Impact:
Possible failed resumed handshake.

Workaround:
Disable session reuse.

Fix:
This release fixes a possible failed resumed DTLS handshake.

607724-2 : TMM may crash when in Fallback state.

Solution Article: K25713491

Component: Local Traffic Manager

Symptoms:
There is a chance, when HTTP in Fallback mode, that the HTTP filter will send an Abort event to the TCP filter (causing tear down) prematurely while the Aborting that was triggered by the upper filter/proxy is occurring.

TMM may crash when this happens.

Conditions:
It is not known exactly what conditions trigger this, but it has been known to occur when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a rarely occurring tmm crash that might be related to issuing HTTP::respond in the LB_FAILED event in an iRule.

607713-3 : SIP Parser fails header with multiple sequential separators inside quoted string.

Component: Service Provider

Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.

Conditions:
If a SIP header contains multiple attribute separators ',' or ';' in an attribute.

Impact:
The SIP parser flags the message as an error. If this occurs in a quote within the attribute, it should be allowed, but it will still fail, Valid SIP messages are failing to be parsed.

Workaround:
None.

Fix:
The SIP parser has been improved to ignore multiple sequential separators if within quotes.

607658-1 : GUI becomes unresponsive when managing GSLB Pool

Component: Global Traffic Manager (DNS)

Symptoms:
GUI Locks Up and becomes unresponsive. Most major web browsers will complain about slow javascript and prompt you to kill the script.

Conditions:
Managing an A type GSLB pool when hundereds of virtual servers exist. These virtual servers do not have to be associated with the pool you are attempting to manage.

Impact:
Page takes a significantly long time to load.

Workaround:
Manage pools through tmsh, or wait for it to load.

607524-2 : Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.

Component: Local Traffic Manager

Symptoms:
When the last member of a list of multiple DHCP servers is down, the original DHCP packet from client is not freed and memory is leaked.

Conditions:
Multiple DHCP servers are configured, and the last DHCP server configured is down.

Impact:
Packet memory is leaked.

Workaround:
Remove the last DHCP server that is down, or move it to the middle or front of the server member list.

Fix:
Free the original packet memory when last DHCP server is down.

607360-5 : Safenet 6.2 library missing after upgrade★

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.

Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.

Impact:
Safenet 6.2 is not functional.

Workaround:
Reinstall Safenet 6.2. Or,

run this command at all blades of BIG-IP after the installation.

ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so

Fix:
Add symbolic link to libgem at time of pkcs11d daemon start/restart.

607314-1 : Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508

Solution Article: K25075696

607304-5 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.

607246-10 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires

Component: Local Traffic Manager

Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile

Conditions:
Encrypted cookie persistence with fallback where the fallback persistence has a reasonable short timer such that a request containing a valid cookie is handled after the fallback entry has expired.

Impact:
Persistence fails after fallback expired.

Workaround:
Change cookie-encryption to preferred which allows persistence on either encrypted or decrypted cookie.

607200-1 : Switch interfaces may seem up after bcm56xxd goes down

Component: TMOS

Symptoms:
'tmsh show net interface' may show that switch ports are still up after bcm56xxd is brought down. This is because bcm56xxd does not notify mcpd that bcm56xxd will go down.

Conditions:
If the switch ports are up and bcm56xxd is brought down, 'tmsh show net interface' will show that the switch ports are still up.

Impact:
The switch ports may seem up, but traffic can't be sent/received.

Workaround:
None.

Fix:
Fix for bcm56xxd to notify mcpd that all ports become uninitialized before it goes down has already been implemented.

607152-1 : Large Websocket frames corrupted

Component: Local Traffic Manager

Symptoms:
If large Websocket frames are being sent by the end-point and this transfer is interleaved with frames being sent by the other endpoint, corrupted frames could be sent by BIG-IP.

Conditions:
Websocket profile is attached to the virtual. Large Websocket frames are sent by the end-point. This transfer is interleaved with frames being sent in the other direction.

Impact:
Connection reset because of corrupted frames being received by the end-point.

606940-3 : Clustered Multiprocessing (CMP) peer connection may not be removed

Component: Local Traffic Manager

Symptoms:
- High memory usage due to connflow allocations
- conn_remove_cf_not_found stat is non-zero

Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.

Impact:
Low memory may lead to allocation failures that may lead to tmm core

Fix:
Fix validation performed on parsed CMP flow keys that allows unknown CMP connections to be removed.

606875-1 : DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page

Component: Advanced Firewall Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
N/A

Fix:
The javascript has improved as much as possible to reduce the time to get the website's first page.

606807-1 : i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error

Component: TMOS

Symptoms:
If the LCD is not communicating with BIG-IP when the chassis manager daemon starts occasionally LCD errors will be displayed using the sensor number rather than the name "LCD"

Conditions:
chmand restart and LCD unable to commuicate

Impact:
cosmetic

Fix:
LCD error will show name "LCD" rather than sensor number in communication error.

606771-2 : Multiple PHP vulnerabilities

Solution Article: K35799130

606710-10 : Mozilla NSS vulnerability CVE-2016-2834

Solution Article: K15479471

606575-6 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    catch { ONECONNECT::detach enable }
}.

Note: These workarounds should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.

606573-3 : FTP traffic does not work through SNAT when configured without Virtual Server★

Component: Local Traffic Manager

Symptoms:
After upgrading to 12.1.0 or 12.1.1, FTP traffic no longer works correctly with SNAT, when SNAT is configured without a virtual server.

Conditions:
The BIG-IP system configured to allow FTP traffic through, and SNAT is configured without a virtual server.

Impact:
The BIG-IP system does not SNAT port 21 traffic. In rare circumstances this can cause tmm to restart.

Workaround:
None.

Fix:
FTP traffic now works through SNAT when SNAT is configured without a virtual server.

606565-2 : TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection

Solution Article: K52231531

Component: Local Traffic Manager

Symptoms:
When the /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection', TMM may crash during a TCP simultaneous 4 way handshake.

Conditions:
1. The /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection'.
2. A TCP 4 way handshake (simultaneous open) occurs as described in RFC 793.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The crash can be avoided, while still mitigating TCP 4 way handshakes, by setting the /sys db tm.simultaneousopen variable to 'drop_pkt'.

606521-1 : Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade

Component: Application Security Manager

Symptoms:
Policy with UTF-8 encoding has disallowed high ASCII meta-characters even after upgrade, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
System with a policy with encoding set to UTF-8 (uppercase).
Upgrading from v11.6.x/v12.x to v12.1.2 or 13.0.0.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.

Workaround:
None.

Fix:
The upgrade process now fixes policies that had their encoding stored in uppercase as well.

606518-3 : iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.

Component: Device Management

Symptoms:
Cannot use username containing an 'at' ( @ ) character, or specify the email address when requesting authentication token using iControl REST when 3rd party authentication provider being used.

Conditions:
Set-up the BIG-IP system to use 3rd party RADIUS or LDAP authentication and configure a username containing an 'at' ( @ ) character, or specify the email address.

Impact:
Cannot authenticate and get authentication token using iControl REST.

Workaround:
Do not use username with special characters, such as 'at' ( @ ), period ( . ), and so on).

Fix:
Updated logic to allow any special characters in username and password when 3rd party authentication system is used on the BIG-IP system.

606509-4 : Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★

Component: TMOS

Symptoms:
Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover.

Conditions:
This occurs when the following conditions are met:
* vCMP provisioned.
* vCMP hypervisor (host) running 12.1.0
* vCMP guest with 2 or more cores deployed and running 11.5.0 or greater.
* vCMP guest has HT-Split enabled (tmsh list sys db scheduler.splitplanes.ltm).

Impact:
vCMP guests may experience control-plane issues (such as failures to send or receive network failover traffic in an HA-pair, causing a failover).

Fix:
This release restores the process nice value of VCMP guest control-plane, so the vCMP guest no longer experiences potential frequent failovers.

606316-4 : HTTPS request to F5 licensing server fails

Component: iApp Technology

Symptoms:
Licensing BIG-IP systems through REST API fails.

Conditions:
Licensing BIG-IP systems using the REST API.

Impact:
Cannot use REST API to license BIG-IP systems.

Workaround:
Use TMUI or TMSH to license BIG-IP systems.

Fix:
Licensing BIG-IP systems through REST API now completes successfully.

606257-3 : TCP FIN sent with Connection: Keep-Alive header for webtop page resources

Solution Article: K56716107

Component: Access Policy Manager

Symptoms:
When using customized webtops (for example, using custom images for the webtop links), sometimes a TCP FIN flag will be sent with a packet with an HTTP "Connection: Keep-Alive" header. Not all clients recover from this.

Conditions:
Use a customized webtop link.

Impact:
The webtop links page does not render correctly.

Fix:
Weptop page resources no longer send FIN flags with Keep-Alive headers.

606110-2 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.

Component: TMOS

Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking instead of UNIC modules. After upgrading a version later than 12.1.0, the default module for dataplane interfaces is UNIC modules instead of socket-based networking.

Conditions:
Upgrading BIG-IP VE on AWS or Azure running versions 12.0.0 or 12.1.0.

Impact:
The raw socket-based tmm driver is replaced by a UNIC driver. The socket-based driver eliminates kernel driver dependencies and provides better portability during kernel/driver upgrades.

Workaround:
None.

Fix:
BIG-IP VE socket-based networking driver retained after upgrade on AWS or Azure.

606066-2 : LSN_DELETE messages may be lost after HA failover

Component: Carrier-Grade NAT

Symptoms:
After a failover, an LSN_DELETE message may be lost if the connection continued after the failover.

Conditions:
CGNAT configured as an HA pair, with session logging enabled.

Impact:
An LSN_DELETE message may be missing from the logs.

Fix:
After the fix, the LSN_DELETE message will not be lost.

605983-1 : tmrouted may crash when being restarted in debug mode

Component: Local Traffic Manager

Symptoms:
tmrouted may restart after it being manually restarted with debug level equal or higher than 2.

Conditions:
tmrouted is manually restarted with debug level equal or higher than 2.
Multi route-domain setup with independent routing processes enabled on several route-domains.

Impact:
tmrouted may restart additional times which can add delay to getting back to service after manually restarting tmrouted.
Any restart of tmrouted already causes loss of dynamic routing sessions.

Workaround:
Do not use equal or higher than 2 debug level for tmrouted. This should be carried out only under recommendation from F5 Support.

Fix:
tmrouted no longer crashes when being restarted in debug mode

605894-3 : Remote authentication for BIG-IP users can fail

Component: TMOS

Symptoms:
While trying to log into the command line of BIG-IP as a remotely authenticated user, login will intermittently fail. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server" but the LDAP server is up and is accessible by the BIG-IP

Conditions:
Remote authentication configured, users configured to use remote authentication, ssl-check-peer is enabled and one or more of these properties are different than "none": ssl-ca-cert-file, ssl-client-cert, ssl-client-key.

Impact:
The remote authentication service will fail to initiate a connection to the LDAP server with the ssl-check-peer setting enabled, even if the ssl-ca-cert-file is valid. It will terminate the connection and remote authentication will fail.

Workaround:
Disabling ssl-check-peer and setting ssl-ca-cert-file, ssl-client-cert and ssl-client-key to "none" can work around this issue.

605865-4 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.

Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.

605792-1 : Installing a new version changes the ownership of administrative users' files★

Component: TMOS

Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.

Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.

Fix:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID. This still happens by design, but no longer applies to the user's SSH configuration files, which stay at UID 0. Therefore, these users are no longer be prevented from using stored public keys in authorized_keys.

605682-2 : With forward proxy enabled, sometimes the client connection will not complete.

Component: Local Traffic Manager

Symptoms:
If forward proxy is enabled, and a required forged certificate is not in the cache, the connection might not complete.

Conditions:
Forward proxy is enabled, and a required forged certificate is not in the cache.

Impact:
Degraded service due to connections not completing.

Workaround:
None.

Fix:
The stalling caused by a missing forged certificate no longer happens.

605627 : Selinux denial seen for apmd when it is being shutdown.

Component: Access Policy Manager

Symptoms:
When Apmd process is stopped, you observe a selinux related log which indicates that apmd process does not have the getattr permission for shared memory component owned by tmm.

Conditions:
When apmd is stopped or restarted.

Impact:
No Impact to APMD functionality. APMd stops and starts normally.

605616-1 : Creating 256 Fundamental Security policies will result in an out of memory error

Component: Application Security Manager

Symptoms:
ASM out of memory error will occur when 256 fundamental security policies are created.

Conditions:
Create 256 fundamental security policies.

Impact:
Out of memory error.

Workaround:
None.

Fix:
Improved memory allocations for shared XML profiles to enable more than 256 fundamental security policies.

605525-1 : Deterministic NAT combined with NAT64 may cause a TMM core

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when a virtual is configured with nat64 enabled, and a deterministic NAT lsn-pool, and there is traffic.

Conditions:
lsn-pool in deterministic mode is attached to a virtual server with nat64 enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Deterministic NAT is not supported with nat64, and should not be configured.

605476-3 : statsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.

Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.

Impact:
iStatsd process will restart due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround will cause all statistics in the iStats files to reset.

1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged.

3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete.

4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged.

Fix:
Added a fix to protect against a continually reading a segment file that is corrupted and has Duplicate Fids.

605427-1 : TMM may crash when adding and removing virtual servers with security log profiles

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.

Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes with multiple creation, modification and deletion of many virtual servers with security log profiles attached.

605420-5 : httpd security update - CVE-2016-5387

Component: TMOS

Symptoms:
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests

Conditions:
none

Impact:
A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.

Workaround:
none

Fix:
Install latest build that includes httpd-2.2.15-54.el6_8 or higher.

605260-1 : [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0

Component: Global Traffic Manager (DNS)

Symptoms:
When a listener is created in a partition that has a default route domain set, you cannot make changes to the listener in the GUI via DNS -> Delivery -> Listeners. It gives 'Instance not found' error when you try to save the change. Also, a listener in the /Common partition cannot even be viewed when a partition that has a default route domain other than 0 is selected.

Conditions:
This occurs when using partitions that have default-route-domain set to something other than 0.

Impact:
You will be unable to make changes to the listener.

Workaround:
Use TMSH or through LTM GUI: Local Traffic :: Virtual Servers.

605125-2 : Sometimes, passwords fields are readonly

Component: Fraud Protection Services

Symptoms:
Sometimes, passwords fields are readonly so the user won't be able to type any password.

Conditions:
WebSafe protection enabled on a site

Impact:
the user won't be able to type any password on the site.

Workaround:
N/A

Fix:
N/A

605123-1 : IAppLX objects fail to sync after establishing HA in auto-sync mode★

Component: Device Management

Symptoms:
IAppLX objects are part of REST Framework. REST Framework implements gossip based replication. This replication might not work when restFrameworkVersion in device-group device out of sync with actual restFrameworkVersion

Conditions:
DeviceInfoWorker detects and update the framework version after rest RPM upgrade. But device group device doesn't get updated correctly

Impact:
REST framework objects (Including iAppLX instances, templates, packages) fail to sync to HA peer

Workaround:
Mitigation is to run DeviceRefreshWorker and it is responsible for patching the localhost resource in all device groups with correct framework version on update. Workaround is to patch the restFrameworkVersion manually on the device-group device.

Fix:
Run the DeviceRefreshWorker and it is responsible for patching the localhost resource in all device groups with correct framework version on update.

605039-3 : lwresd and bind vulnerability CVE-2016-2775

Solution Article: K92991044

605010-1 : Thrift::TException error

Component: Application Visibility and Reporting

Symptoms:
Trying to send a scheduled report might fail in some cases with the error "Thrift::TException=HASH(0x9a65410)".

Conditions:
This occurs when sending scheduled reports.

Impact:
Failure on sending scheduled-report.

Workaround:
Modify the script to use the explicit address instead of the 'localhost' value. This can be achieved with the following command:

mount -o remount -rw /usr
sed -i 's/localhost/127\.0\.0\.1/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
mount -o remount -r /usr

Fix:
Changing script to use explicit address instead of 'localhost'.

604977-2 : Wrong alert when DTLS cookie size is 32

Solution Article: K08905542

Component: Local Traffic Manager

Symptoms:
When ServerSSL profile using DTLS receives a cookie with length of 32 bytes, the system reports a fatal alert.

Conditions:
Another LTM with ClientSSL profile issues 32-byte long cookie.

Impact:
DTLS with cookie size 32-byte fails.

Workaround:
None.

Fix:
DTLS now accepts cookies with a length of 32 bytes.

604926-3 : The TMM may become unresponsive when using SessionDB data larger than ~400K

Component: Local Traffic Manager

Symptoms:
There is a hard limit on messages sizes sent on the backplane on chassis platforms. Messages larger than the limit (~400K) are refused from being sent at a lower layer but buffered for resending at a higher layer. The messages are never sent which cases backplane communication to lockup.

Conditions:
-- The BIG-IP system is a chassis with more than one blade.
-- Client traffic triggers the creation of SessionDB data larger than ~400K.

Impact:
The TMM becomes unresponsive to client traffic. If left running under load, the TMM might run out of memory from buffering SessionDB data and crash.

Workaround:
The workaround is the avoid sending large SessionDB data. The TMM may be restarted in the event it does become unresponsive.

Fix:
There is no longer a hard limit for sending SessionDB data on the backplane.

604923-5 : REST id for Signatures change after update

Component: Application Security Manager

Symptoms:
The REST id of existing signatures are unexpectedly modified after updating a User Defined Signature, or downloading an Attack Signature Update that modifies existing signatures.

Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.

Impact:
The REST id of the modified signatures is changed which may confuse REST clients.

Workaround:
Execution of the following script will repair an affected device:

perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'

Fix:
Updated Signatures now retain the correct REST id.

604885-1 : Redirect/Route action doesn't work if there is an alert logging iRule

Component: Fraud Protection Services

Symptoms:
When "Trigger iRule Events" is enabled in FPS profile and there are configured FPS rules w

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IP AAM

BIG-IP APM

BIG-IP Analytics

BIG-IP Link Controller

BIG-IP LTM

BIG-IP PEM

BIG-IP AFM

BIG-IP DNS

BIG-IP ASM

Cumulative fix details for BIG-IP v12.1.3.1 that are included in this release

697878 : High crypto request completion time under some workload patterns

696468 : Active compression requests can become starved from too many queued requests.

693211-3 : CVE-2017-6168

684879-2 : Malformed TLS1.2 records may result in TMM segmentation fault.

682837 : Compression watchdog period too brief.

681710-4 : Malformed HTTP/2 requests may cause TMM to crash

679959-1 : Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000

679440-2 : MCPD Cores with SIGABRT

679235-5 : Inspection Host NPAPI Plugin for Safari can not be installed

678976-2 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.

677119 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE

677058-3 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

676808-2 : FPS: tmm may crash on response with large payload from server

675928-2 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding

675921 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running

674931 : FPS modified responses/injections might result in a corrupted response

674909-3 : Application CSS injection might break when connection is congested

674686-2 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow

674515 : New revoke license feature for VE only implemented

673683-2 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener

673678-2 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request

673595-2 : Apache CVE-2017-3167

673472-2 : After classification rule is updated, first periodic Insert content action fails for existing subscriber

673129 : New feature: revoke license

672988-2 : MCP memory leak when performing incremental ConfigSync

672695-1 : Internal perl process listening on all interfaces when ASM enabled

672504-1 : Deleting zones from large databases can take excessive amounts of time.

672008-1 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds

671935-2 : Possible ephemeral port reuse.

671920-1 : Accessing SNMP over IPv6 on non-default route domains

670400-3 : SSH Proxy public key authentication can be circumvented in some cases

670011-2 : SSL forward proxy does not create the server certchain when ignoring server certificates

669818-2 : Higher CPU usage for syslog-ng when a syslog server is down

669364-1 : TMM core when server responds fast with server responses such as 404.

669359 : WebSafe might cause connections to hang

669341 : Category Lookup by Subject.CN will result in a reset

669288-3 : Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.

669025-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

668802-3 : GTM link graphs fail to display in the GUI

668521-2 : Bigd might stall while waiting for an external monitor process to exit

668352-2 : High Speed Logging unbalance in log distribution for multiple pool destination.

668252-2 : TMM crash in PEM_DIAMETER component

668048-1 : TMM memory leak when manually enabling/disabling pool member used as HSL destination

667872-1 : Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports

667318-3 : BIG-IP DNS/GTM link graphs fail to display in the GUI.

667278-3 : DSC connections between BIG-IP units may fail to establish

667138-1 : LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★

667028-1 : DNS Express does not run on i11000 platforms with htsplit disabled.

666790-2 : Use HSB HiGig MAC reset to recover both FCS errors and link instability

666454-2 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update

666032-3 : Secure renegotiation is set while data is not available.

665905 : Signature System corruption from specific ASU prevents ASU load after upgrade

665778-1 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

665656-1 : BWC with iSession may memory leak

665354-2 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

664930-2 : Policy automatic learning mode changes to manual after failover

664829-1 : BIG-IP sometimes performs unnecessary reboot on first boot

664535-1 : Diameter failure: load balancing fails when all pool members use same IP Address

664063-1 : Azure displays failure for deployment of BIG-IP from a Resource Manager template

663580-1 : logrotate does not automatically run when /var/log reaches 90% usage

663521-2 : Intermittent dropping of multicast packets on certain BIG-IP platforms

663506-7 : apmd crash during ldap cache initialization

663366-3 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.

663326-2 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys