BIG-IP 12.1.3.3 Fixes and Known Issues

Supplemental Document : BIG-IP 12.1.3.3 Fixes and Known Issues

Applies To:

Show Versions

BIG-IP AAM

12.1.3

BIG-IP APM

12.1.3

BIG-IP Analytics

12.1.3

BIG-IP Link Controller

12.1.3

BIG-IP LTM

12.1.3

BIG-IP PEM

12.1.3

BIG-IP AFM

12.1.3

BIG-IP DNS

12.1.3

BIG-IP ASM

12.1.3

Original Publication Date: 03/20/2018 Updated Date: 06/22/2020

ID Number	CVE	Solution Article(s)	Description
704490	CVE-2017-5754	K91229003	CVE-2017-5754 (Meltdown)
704483	CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176	K91229003	CVE-2017-5753 (Spectre Variant 1)

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
707226-2	1-Blocking		DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
706086-1	2-Critical		PAM RADIUS authentication subsystem hardening
704804-2	3-Major		The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-2	3-Major		NAS-IP-Address will be sent with the bytes backwards
703869-1	3-Major		Waagent updated to 2.2.21
701249-2	3-Major		RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
699147	3-Major		Hourly billed cloud images are now pre-licensed
687098	3-Major		IPv6 RADIUS servers not supported for remote authentication
649465-1	3-Major		SELinux warning messages regarding nsm daemon

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
695117	2-Critical	K30081842	bigd cores and sends corrupted MCP messages with many FQDN nodes
668883	2-Critical		FQDN pool member status may become out-of-sync when enabled/disabled through GUI
707675	3-Major		FQDN nodes or pool members flap when DNS response received
701609	3-Major		Static member of pool with FQDN members may revert to user-disabled after being re-enabled
685344-2	3-Major		Monitor 'min 1 of' not working as expected with FQDN nodes/members
673075-1	3-Major		Reduced Issues for Monitors configured with FQDN
671228-1	3-Major		Multiple FQDN ephemeral nodes may be created with autopopulate disabled
667560-3	3-Major		FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
573602-1	3-Major		FQDN pool members not shown by tmsh show ltm monitor
573302-1	3-Major		FQDN pool member remains in disabled state after removing monitor
571095-1	3-Major		Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
467709-1	4-Minor		FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN
699262-2	5-Cosmetic		FQDN pool member status remains in 'checking' state after full config sync

Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
677193-2	CVE-2017-6154	K38243073	ASM BD Daemon Crash.
674189	CVE-2016-0718	K52320548	iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
673078-1	CVE-2017-6150	K62712037	TMM may crash when processing FastL4 traffic
670405-4	CVE-2017-1000366	K20486351	K20486351: glibc vulnerability CVE-2017-1000366:
630446-1	CVE-2016-0718	K52320548	Expat vulnerability CVE-2016-0718
694274-2	CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798	K23565223	[RHSA-2017:3195-01] Important: httpd security update - EL6.7
688625-2	CVE-2017-11628	K75543432	PHP Vulnerability CVE-2017-11628
662850-2	CVE-2015-2716	K50459349	Expat XML library vulnerability CVE-2015-2716
652848-2	CVE-2018-5501	K44200194	TCP DNS profile may impact performance
617273-7	CVE-2016-5300	K70938105	Expat XML library vulnerability CVE-2016-5300
593139-9	CVE-2014-9761	K31211252	glibc vulnerability CVE-2014-9761
673607-2	CVE-2017-3169	K83043359	Apache CVE-2017-3169
672667-4	CVE-2017-7679	K75429050	CVE-2017-7679: Apache vulnerability
605579-8	CVE-2012-6702	K65460334	iControl-SOAP expat client library is subjected to entropy attack
578983-4	CVE-2015-8778	K51079478	glibc: Integer overflow in hcreate and hcreate_r
684033-1	CVE-2017-9798	K70084351	CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
686389-3	3-Major		APM does not honor per-farm HTML5 client disabling at the View Connection Server
653772-2	3-Major		fastL4 fails to evict flows from the ePVA
639505-3	3-Major		BGP may not send all configured aggregate routes
587107-3	3-Major		Allow iQuery to negotiate up to version TLS1.2
572272-5	4-Minor		BIG-IP - Anonymous Certificate ID Enumeration

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
667148-1	1-Blocking	K02500042	Config load or upgrade can fail when loading GTM objects from a non-/Common partition
689577-1	2-Critical	K45800333	ospf6d may crash when processing specific LSAs
678833	2-Critical		IPv6 prefix SPDAG causes packet drop
676203-1	2-Critical		Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
667405-2	2-Critical	K61251939	Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
667404-2	2-Critical	K77576404	Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
651362	2-Critical		eventd crashes during boot
631700-1	2-Critical		sod may kill bcm56xxd under heavy load
617733-1	2-Critical		Error message: subscriber id response; Subscription not found
580753-1	2-Critical	K82583534	eventd might core on transition to secondary.
563661-2	2-Critical		Datastor may crash
694696-3	3-Major		On multiblade Viprion, creating a new traffic-group causes the device to go Offline
688011-5	3-Major		Dig utility does not apply best practices
687658-2	3-Major		Monitor operations in transaction will cause it to stay unchecked
687353-3	3-Major	K35595105	Qkview truncates tmstat snapshot files
685020-1	3-Major		Enhancement to SessionDB provides timeout
682213-3	3-Major	K31623549	TLS v1.2 support in IP reputation daemon
679480-1	3-Major		User able to create node when an ephemeral with the same IP already exists
674320-2	3-Major	K11357182	Syncing a large number of folders can prevent the configuration getting saved on the peer systems
672815-2	3-Major		Incorrect disaggregation on VIPRION B4200 blades
671082-1	3-Major		snmpd constantly restarting
669888-2	3-Major		No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
669462-1	3-Major		Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
664894-1	3-Major	K11070206	PEM sessions lost when new blade is inserted in chassis
664057-2	3-Major		Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
664017-3	3-Major		OCSP may reject valid responses
652968-2	3-Major	K88825548	IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
645723-2	3-Major	K74371937	Dynamic routing update can delete admin ip route from the kernel
632366-1	3-Major		Prevent a spurious Broadcom switch driver failure.
631316	3-Major	K62532020	Unable to load config with client-SSL profile error★
626990-1	3-Major	K64915164	restjavad logs flooded with messages from ChildWrapper
624362-1	3-Major		VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file
623803-2	3-Major	K12921801	General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'
610122-1	3-Major		Hotfix installation fails: can't create /service/snmpd/run★
598724-1	3-Major		Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
586887-2	3-Major	K25883308	SCTP tmm crash with virtual server destination.
579760-3	3-Major	K55703840	HSL::send may fail to resume after log server pool member goes down/up
471237-2	3-Major	K12155235	BIG-IP VE instances do not work with an encrypted disk in AWS.
699281	4-Minor		Version format of hypervisor bundle matches Version format of ISO
669255-2	4-Minor	K20100613	An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
660239-3	4-Minor		When accessing the dashboard, invalid HTTP headers may be present
655085-2	4-Minor		While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
613275-2	4-Minor	K62581339	SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
601168-1	4-Minor		Incorrect virtual server CPU utilization may be observed.
509980-1	4-Minor		Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
700556-2	2-Critical		TMM may crash when processing WebSockets data
692970-3	2-Critical		Using UDP port 67 for purposes other than DHCP might cause TMM to crash
687603-1	2-Critical		tmsh query for dns records may cause tmm to crash
686228-3	2-Critical		TMM may crash in some circumstances with VLAN failsafe
682682-3	2-Critical		tmm asserts on a virtual server-to-virtual server connection
681175-1	2-Critical	K32153360	TMM may crash during routing updates
676982-2	2-Critical	K21958352	Active connection count increases over time, long after connections expire
674576-4	2-Critical		Outage may occur with VIP-VIP configurations
668501-2	2-Critical		HTTP2 does not handle some URIs correctly
665924-1	2-Critical	K24847056	The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
665732-2	2-Critical	K45001711	FastHTTP may crash when receiving a fragmented IP packet
664461-3	2-Critical	K16804728	Replacing HTTP payload can cause tmm restart
658989-2	2-Critical		Memory leak when connection terminates in iRule process
643375-1	2-Critical		TMM may crash when processing compressed data
639039-4	2-Critical	K33754014	Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
621233-1	2-Critical		FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm
614702-1	2-Critical	K24172560	Race condition when using SSL Orchestrator can cause TMM to core
704073-3	3-Major		Repeated "bad transition" OOPS logging may appear in /var/log/ltm and /var/log/tmm
699346-2	3-Major		NetHSM capacity reduces when handling errors
698000-1	3-Major	K04473510	Connections may stop passing traffic after a route update
689089-3	3-Major		VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
686305-2	3-Major		TMM may crash while processing SSL forward proxy traffic
686065-1	3-Major		RESOLV::lookup iRule command can trigger crash with slow resolver
685955	3-Major		TMM hud_message_ctx leak
685110-3	3-Major	K05430133	With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683683-1	3-Major		ASN1::encode returns wrong binary data
682104-1	3-Major		HTTP PSM leaks memory when looking up evasion descriptions
680755-1	3-Major	K27015502	max-request enforcement no longer works outside of OneConnect
676457-3	3-Major		TMM may consume excessive resource when processing compressed data
673621-2	3-Major		Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
671638-4	3-Major		TMM crash when load-balancing mptcp traffic
670822-3	3-Major		TMM may crash when processing SOCKS data
670816-2	3-Major	K44519487	HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
669974-1	3-Major	K90395411	Encoding binary data using ASN1::encode may truncate result
668522-1	3-Major		bigd might try to read from a file descriptor that is not ready for read
668419-1	3-Major	K53322151	ClientHello sent in multiple packets results in TCP connection close
666315	3-Major		Global SNAT sets TTL to 255 instead of decrementing
666160-1	3-Major	K63132146	L7 Policy reconfiguration causes a slow memory leak
665022-1	3-Major		Rateshaper stalls when TSO packet length exceeds max ceiling.
664769-1	3-Major	K33637041	TMM may restart when using SOCKS profile and an iRule
663821-3	3-Major	K41344010	SNAT Stats may not include port FTP traffic
662663-6	3-Major		Decryption failure Nitrox platforms in vCMP mode
661881-2	3-Major	K00030614	Memory and performance issues when using certain ASN.1 decoding formats in iRules
659648-2	3-Major		LTM Policy rule name migration doesn't properly handle whitespace
657795-1	3-Major	K51498984	Possible performance impact on some SSL connections
655432-7	3-Major	K85522235	SSL renegotiation failed intermittently with AES-GCM cipher
651681-4	3-Major	K49562354	Orphaned bigd instances may exist (within multi-process bigd)
651135-4	3-Major	K41685444	LTM Policy error when rule names contain slash (/) character★
645220-2	3-Major		bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
645197-3	3-Major		Monitors receiving unique HTTP "success" response codes may stop monitoring after status change
640565-1	3-Major	K11564859	Incorrect packet size sent to clone pool member
636149-3	3-Major		Multiple monitor response codes to single monitor probe failure
628721-1	3-Major		In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
627926-1	3-Major	K21211001	Retrieving a server-side SSL session ID in iRules does not work
584865-1	3-Major		Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
582487-2	3-Major		'merged.method' set to 'slow_merge,' does not update system stats
574526-1	3-Major	K55542554	HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
573366-4	3-Major		parking command used in the nesting script of clientside and serverside command can cause tmm core
692095-3	4-Minor	K65311501	bigd logs monitor status unknown for FQDN Node/Pool Member
625892-2	4-Minor		Nagle Algorithm Not Fully Enforced with TSO
530877-7	4-Minor	K13887095	TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
692941-3	2-Critical		GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
678861-3	2-Critical	K00426059	DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★
580537-1	2-Critical		The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-4	2-Critical	K55736054	Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
700527-1	3-Major		cmp-hash change can hang iRule DNS lookup
691498-1	3-Major		Connection failure during iRule DNS lookup can crash TMM
690166-3	3-Major		ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
671326-2	3-Major	K81052338	DNS Cache debug logging might cause tmm to crash.
667469-1	3-Major	K35324588	Higher than expected CPU usage when using DNS Cache
665347-2	3-Major	K17060443	GTM listener object cannot be created via tmsh while in non-Common partition
636853-2	3-Major		Under some conditions, a change in the order of GTM topology records does not take effect.
621374-1	3-Major		"abbrev" argument in "whereis" iRule returns nothing
487144-2	3-Major	K52278479	tmm intermittently reports that it cannot find FIPS key

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
701327-1	2-Critical		failed configuration deletion may cause unwanted bd exit
699720-3	2-Critical		ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-3	2-Critical	K02515009	Rare BD crash in a specific scenario
684312-2	2-Critical	K54140729	During Apply Policy action, bd agent crashes, causing the machine to go Offline
681109-2	2-Critical	K46212485	BD crash in a specific scenario
679603-2	2-Critical	K15460886	bd core upon request, when profile has sensitive element configured.
678462-2	2-Critical		after chassis failover: asmlogd cpu 100% on secondary
678228-1	2-Critical	K27568142	Repeated Errors in ASM Sync
672301-2	2-Critical		ASM crashes when using a logout object configuration in ASM policy
662281-2	2-Critical		Inconsistencies in Automatic sync ASM Device Group
637252-1	2-Critical	K73107660	Rest worker becomes unreliable after processing a call that generated an error
633070-1	2-Critical		Sync Inconsistencies when using Autosync ASM Group between Chassis devices
631609-1	2-Critical		ASM Centralized Management Infrastructure Sync issues
631204-1	2-Critical		GeoIP lookups incorrectly parse IP addresses
614441-4	2-Critical	K04950182	False Positive for illegal method (GET)
611154-1	2-Critical		BD crash
599221-1	2-Critical		ASM Policy cannot be created in non-default partition via the Import Policy Task
576123-3	2-Critical	K23221623	ASM policies are created as inactive policies on the peer device in Active/Active setup
702946-2	3-Major		Added option to reset staging period for signatures
701841-1	3-Major		Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
700564-2	3-Major		JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
700330	3-Major		AJAX blocking page isn't shown when a webpage uses jQuery framework.
700143-1	3-Major		ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
698919-1	3-Major		Anti virus false positive detection on long XML uploads
697303-3	3-Major		BD crash
696265-3	3-Major		BD crash
694922-4	3-Major		ASM Auto-Sync Device Group Does Not Sync
691477-1	3-Major		ASM standby unit showing future date and high version count for ASM Device Group
685743-3	3-Major		When changing internal parameter 'request_buffer_size' in large request violations might not be reported
685207-2	3-Major		DoS client side challenge does not encode the Referer header.
683508-3	3-Major		WebSockets: umu memory leak of binary frames when remote logger is configured
682612	3-Major		Event Correlation is disabled on vCMP even though all the prerequisites are met.
679384-1	3-Major	K85153939	The policy builder is not getting updates about the newly added signatures.
678293-1	3-Major		Uncleaned policy history files cause /var disk exhaustion
676416-2	3-Major		BD restart when switching FTP profiles
675232-3	3-Major		Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
674494-1	3-Major	K77993010	BD memory leak on specific configuration and specific traffic
671675-1	3-Major		Centralized Management Infrastructure: asm_config_server restart on device group change
668184-1	3-Major		Huge values are shown in the AVR statistics for ASM violations
668181-2	3-Major		Policy automatic learning mode changes to manual after failover
667922	3-Major	K44692860	Alternative unicode encoding in JSON objects not being parsed correctly
666986-2	3-Major	K50320144	Filter by Support ID is not working in Request Log
663535-1	3-Major		Sending ASM cookies with "secure" attribute even without client-ssl profile
654925-1	3-Major	K25952033	Memory Leak in ASM Sync Listener Process
654873-2	3-Major		ASM Auto-Sync Device Group
619516-1	3-Major		Inconsistencies in Automatic sync ASM Device Group
605982-1	3-Major		Policy settings change during export/import
434821-1	3-Major		Remote logging of staged signatures and staged sets
694073-1	4-Minor		All signature update details are shown in 'View update history from previous BIG-IP versions' popup
655159-1	4-Minor	K84550544	Wrong XML profile name Request Log details for XML violation

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
658343-2	3-Major	K33043439	AVR tcp-analytics: per-host RTT average may show incorrect values
648242	3-Major		Administrator users unable to access all partition via TMSH for AVR reports
582029-4	3-Major		AVR might report incorrect statistics when used together with other modules.
682105	4-Minor		Adding widget in Analytics Overview can cause measures list to empty out on Page change
649161-1	4-Minor	K42340304	AVR caching mechanism not working properly

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
693739-3	2-Critical	K70644505	VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
660711-1	2-Critical	K05265457	MCPd might crash when user trying to import a access policy
649234-3	2-Critical		TMM crash from a possible memory corruption.
639929-2	2-Critical		Session variable replace with value containing these characters ' " & < > = may case tmm crash
632178-1	2-Critical		LDAP Query agent creates only two session variables when required attributes list is empty
703984-2	3-Major		Machine Cert agent improperly matches hostname with CN and SAN
703429-1	3-Major		Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
692307-1	3-Major		User with 'operator' role may not be able to view some session variables
689826-2	3-Major		Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
686282-1	3-Major		APMD intermittently crash when processing access policies
684325-3	3-Major		APMD Memory leak when applying a specific access profile
683389-1	3-Major		Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
682500-1	3-Major		VDI Profile and Storefront Portal Access resource do not work together
680112-1	3-Major	K18131781	SWG-Explicit rejects large POST bodies during policy evaluation
678851-1	3-Major		Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
676690-3	3-Major		Windows Edge Client sometimes crashes when user signs out from Windows
675866-1	3-Major		WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
675399-3	3-Major		Network Access does not work when empty variables are assigned for WINS and DNS
674593-1	3-Major		APM configuration snapshot takes a long time to create
674410-3	3-Major		AD auth failures due to invalid Kerberos tickets
673748-1	3-Major	K19534801	ng_export, ng_import might leave security.configpassword in invalid state
672868-1	3-Major		Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly
672040-3	3-Major		Access Policy Causing Duplicate iRule Event Execution
671597-1	3-Major		Import, export, copy and delete is taking too long on 1000 entries policy
670910-2	3-Major		Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
669510-2	3-Major		When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
669154-1	3-Major		Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
668623-5	3-Major	K85991425	macOS Edge client fails to detect correct system language for regions other than USA
668503-3	3-Major		Edge Client fails to reconnect to VS after disabling Network Adapter
668129-1	3-Major		BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.
666689-1	3-Major		Occasional "profile not found" errors following activate access policy
666058-2	3-Major	K86091857	XenApp 6.5 published icons are not displayed on APM Webtop
665416-3	3-Major		Old versions of APM configuration snapshots need to be reaped more aggressively if not used
665330-1	3-Major		MSIE 11 should avoid compatibility mode
664507-3	3-Major		When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
663127-1	3-Major		Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.
655364-1	3-Major		Portal access rewriting window.opener causes JS exception
655146-2	3-Major		APM Profile access stats are not updated correctly
654508-2	3-Major		SharePoint MS-OFBA browser window displays Javascript errors
654046-1	3-Major		BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
653771-2	3-Major		tmm crash after per-request policy error
653324-3	3-Major	K87979026	On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
651910-2	3-Major		When we upgrade from 12.* to 13.0+ you cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI
649613-3	3-Major		Multiple UDP/TCP packets packed into one DTLS Record
632646-4	3-Major		APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629921-4	3-Major		[[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.
621682-1	3-Major		Portal Access: problem with specific JavaScript code
616104-2	3-Major		VMware View connections to pool hit matching BIG-IP virtuals
613373-2	3-Major		Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page
610582-2	3-Major		Device Guard prevents Edge Client connections
601420-3	3-Major		Possible SAML authentication loop with IE and multi-domain SSO.
596083-1	3-Major		Error running custom APM Reports with "session creation time" on Viprion Platform
590992-3	3-Major		If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working
578413-1	3-Major		Missing reference to customization-group from connectivity profile if created via portal access wizard
575444-1	3-Major		Wininfo agent incorrectly reports OS version on Windows 10 in some cases
563135-3	3-Major		SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
466068-1	3-Major		Allow setting of the AAA Radius server timeout value larger than 60 seconds
447565-5	3-Major		Renewing machine-account password does not update the serviceId for associated ntlm-auth.
699455-3	4-Minor		SAML export does not follow best practices
691017-1	4-Minor		Preventing ng_export hangs
684414-1	4-Minor		Retrieving too many groups is causing out of memory errors in TMUI and VPE
671627-1	4-Minor	K06424790	HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.
667304-1	4-Minor	K68108551	Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
561892-2	4-Minor		Kerberos cache is not cleared when Administrator password is changed in AAA AD Server

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
662844	2-Critical	K87735013	TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.
643785-3	2-Critical		diadb crashes if it cannot find pool name
699431	3-Major		Possible memory leak in MRF under low memory

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
456376-4	1-Blocking	K53153545	BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
671052-3	2-Critical	K50324413	AFM NAT security RST the traffic with (FW NAT) dst_trans failed
664708-2	2-Critical		TMM memory leak when DoS profile is attached to VS
644822-2	2-Critical	K19245372	FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
564058-1	2-Critical	K91467162	AutoDoS daemon aborts intermittently after it's being up for several days
620543-1	3-Major		Security Address Lists and Port Lists can't change Description field

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
698080-1	2-Critical		TMM may consume excessive resources when processing with PEM
696383-2	2-Critical		PEM Diameter incomplete flow crashes when sweeped
694717-3	2-Critical		Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
691504-3	2-Critical		PEM content insertion in a compressed response may cause a crash.
616008-3	2-Critical	K23164003	TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-2	3-Major		PEM Diameter incomplete flow crashes when TCL resumed
695968-3	3-Major		Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-3	3-Major		CCA without a request type AVP cannot be tracked in PEM.
694318-3	3-Major		PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-3	3-Major		PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820-2	3-Major		Potential memory leak if PEM Diameter sessions are not created successfully.
678714-3	3-Major		After HA failover, subscriber data has stale session ID information
660187-3	3-Major		TMM core after intra-chassis failover for some instances of subscriber creation
642068-1	3-Major		PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
638594-3	3-Major		TMM crash when handling unknown Gx messages.
627616-3	3-Major		CCR-U missing upon VALIDITY TIMER expiry when quota is zero
624231-5	3-Major		No flow control when using content-insertion with compression
680729-3	4-Minor	K64307999	DHCP Trace log incorrectly marked as an Error log.
678822-3	4-Minor		Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
663333-1	2-Critical		TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high
615432-1	2-Critical		Multiple TFTP data transfers cannot be initiated in a single session
663974-2	3-Major		TMM crash when using LSN inbound connections

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
692123-2	3-Major		GET parameter is grayed out if MobileSafe is not licensed
667892-2	3-Major		FPS: BLFN inheritance won't take effect until GUI refresh

Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
673595-2	CVE-2017-3167 CVE-2017-3169	K34125394	Apache CVE-2017-3167
648786-5	CVE-2017-6169	K31404801	TMM crashes when categorizing long URLs

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
673129	3-Major		New feature: revoke license

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
682837	1-Blocking		Compression watchdog period too brief.
675921	1-Blocking		Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
696468	2-Critical		Active compression requests can become starved from too many queued requests.
665656-1	2-Critical		BWC with iSession may memory leak
663366-3	2-Critical		SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
621386-1	2-Critical	K91988084	restjavad spawns too many icrd_child instances
679959-1	3-Major		Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
672988-2	3-Major	K03433341	MCP memory leak when performing incremental ConfigSync
669288-3	3-Major	K76152943	Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
668352-2	3-Major		High Speed Logging unbalance in log distribution for multiple pool destination.
668048-1	3-Major	K02551403	TMM memory leak when manually enabling/disabling pool member used as HSL destination
663063-2	3-Major		Disabling pool member used in busy HSL TCP destination can result service disruption.
659057-1	3-Major		BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
658636-2	3-Major	K51355172	When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
652691-1	3-Major		Installation fails if only .iso.384.sig (new format signature file) is present★
652689-2	3-Major	K14243280	Displaying 100G interfaces
642952	3-Major		platform_check doesn't run PCI check on i11800
640636-3	3-Major		F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
638881-1	3-Major		Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
628739-1	3-Major		BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
628735-1	3-Major		Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
604547-1	3-Major		Unix daemon configuration may lost or not be updated upon reboot
674515	4-Minor		New revoke license feature for VE only implemented
663580-1	4-Minor	K31981624	logrotate does not automatically run when /var/log reaches 90% usage
644723-1	4-Minor		cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
507206-1	4-Minor		Multicast Out stats always zero for management interface.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
681710-4	3-Major		Malformed HTTP/2 requests may cause TMM to crash
463097-3	3-Major	K09247330	Clock advanced messages with large amount of data maintained in DNS Express zones

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
672504-1	2-Critical	K52325625	Deleting zones from large databases can take excessive amounts of time.
614788-1	2-Critical		zxfrd crash due to lack of disk space
655233-1	3-Major	K93338593	DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-1	3-Major	K57853542	DNS Express responses missing SOA record in NoData responses if CNAMEs present
645615-2	3-Major	K70543226	zxfrd may fail and restart after multiple failovers between blades in a chassis.
433678-2	3-Major	K32401561	A monitor removed from GTM link cannot be deleted: 'monitor is in use'
646615-1	4-Minor		Improved default storage size for DNS Express database

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
652796-1	1-Blocking		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
652792-1	2-Critical		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
678976-2	3-Major	K24756214	Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
677058-3	3-Major		Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
679440-2	2-Critical	K14120433	MCPD Cores with SIGABRT
591828-4	3-Major		For unmatched connection, TCP RST may not be sent for data packet

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
668252-2	2-Critical	K22784428	TMM crash in PEM_DIAMETER component
628311-3	2-Critical	K87863112	Potential TMM crash due to duplicate installed PEM policies by the PCRF
675928-2	3-Major		Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
674686-2	3-Major		Periodic content insertion of new flows fails, if an outstanding flow is a long flow
673683-2	3-Major		Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
673678-2	3-Major		Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
673472-2	3-Major		After classification rule is updated, first periodic Insert content action fails for existing subscriber
639486-4	3-Major		TMM crash due to PEM usage reporting after a CMP state change.
634015-3	3-Major		Potential TMM crash due to a PEM policy content triggered buffer overflow
572568-2	3-Major		Gy CCR-i requests are not being re-sent after initial configured re-transmits

Cumulative fixes from BIG-IP v12.1.3 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
684879-2	CVE-2017-6164	K02714910	Malformed TLS1.2 records may result in TMM segmentation fault.
662022-5	CVE-2017-6138	K34514540	The URI normalization functionality within the TMM may mishandle some malformed URIs.
653993-3	CVE-2017-6132	K12044607	A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880	CVE-2017-6214	K81211720	Kernel Vulnerability: CVE-2017-6214
652539	CVE-2016-0634 CVE-2016-7543 CVE-2016-9401	K73705133	Multiple Bash Vulnerabilities
652516	CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576	K31603170	Multiple Linux Kernel Vulnerabilities
651221-2	CVE-2017-6133	K25033460	Parsing certain URIs may cause the TMM to produce a core file.
650286-2	CVE-2017-6167	K24465120	REST asynchronous tasks permissions issues
650059-1	CVE-2017-6129	K20087443	TMM may crash when processing VPN traffic
649907-2	CVE-2017-3137	K30164784	BIND vulnerability CVE-2017-3137
649904-2	CVE-2017-3136	K23598445	BIND vulnerability CVE-2017-3136
644904-5	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985 CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486	K55129614	tcpdump 4.9
644693-3	CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241	K15518610	Fix for multiple CVE for openjdk-1.7.0
638556-2	CVE-2016-10045	K73926196	PHP Vulnerability: CVE-2016-10045
634779-1	CVE-2017-6147	K43945001	In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file
625860-2	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on B4450 platform.
624903-6	CVE-2017-6140	K55102452	Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
600069-6	CVE-2017-0301	K54358225	Portal Access: Requests handled incorrectly
659791-2	CVE-2017-6136	K81137982	TFO and TLP could produce a core file under specific circumstances
655059-3	CVE-2017-6134	K37404773	TMM Crash
653224-1	CVE-2016-8610 CVE-2017-5335 CVE-2017-5336 CVE-2017-5337	K59836191	Multiple GnuTLS Vulnerabilities
653217-2	CVE-2016-2125 CVE-2016-2126	K03644631	Multiple Samba Vulnerabilities
645480-3	CVE-2017-6139	K45432295	Unexpected APM response
645101-2	CVE-2017-3731, CVE-2017-3732	K44512851	OpenSSL vulnerability CVE-2017-3732
642659-2	CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540	K34527393	Multiple LibTIFF Vulnerabilities
640768	CVE-2016-10088 CVE-2016-9576	K05513373	Kernel vulnerability: CVE-2016-10088
639729-2	CVE-2017-0304	K39428424	Request validation failure in AFM UI Policy Editor
637666-2	CVE-2016-10033	K74977440	PHP Vulnerability: CVE-2016-10033
635314-5	CVE-2016-1248	K22183127	vim Vulnerability: CVE-2016-1248
597176-1	CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE	K01837042	Multiple Wireshark (tshark) vulnerabilities
583678-1	CVE-2016-3115	K93532943	SSHD session.c vulnerability CVE-2016-3115
567233-1	CVE-2015-5252, CVE-2015-5296, CVE-2015-5299	K92616530	Multiple samba vulnerabilities
656912-4	CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458	K32262483	Various NTP vulnerabilities
615226-5	CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300	K13074505	Libarchive vulnerabilities: CVE-2016-8687 and others
590840-2	CVE-2015-8325	K20911042	OpenSSH vulnerability CVE-2015-8325
655021-2	CVE-2017-3138	K23598445	BIND vulnerability CVE-2017-3138
627203-1	CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597	K63427774	Multiple Oracle Java SE vulnerabilities

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
654549-1	2-Critical		PVA support for uncommon protocols DoS vector
653729-2	2-Critical		Support IP Uncommon Protocol
653234	2-Critical		Many objects must be reconfigured before use when loading a UCS from another device.★
652094-2	2-Critical	K49190243	Improve traffic disaggregation for uncommon IP protocols
643210-2	2-Critical	K45444280	Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
643054-2	2-Critical		ARP and NDP packets should be CoS marked by the swtich on ingress
663521-2	3-Major		Intermittent dropping of multicast packets on certain BIG-IP platforms
651772-3	3-Major		IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
643143-2	3-Major		ARP and NDP packets should be QoS/DSCP marked on egress
632875-3	3-Major		Non-Administrator TMSH users no longer allowed to run dig
610710-2	3-Major		Pass IP TOS bits from incoming connection to outgoing connection
584545-2	3-Major		Failure to stabilize internal HiGig link will not trigger failover event
567177-1	4-Minor		Log all attempts of key export in ltm log
650074-1	5-Cosmetic		Changed Format of RAM Cache REST Status output.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
642703-2	1-Blocking		Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★
619097	1-Blocking		iControl REST slow performace on GET request for virtual servers
539093-1	1-Blocking	K26104530	VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
697878	2-Critical		High crypto request completion time under some workload patterns
666790-2	2-Critical	K06619044	Use HSB HiGig MAC reset to recover both FCS errors and link instability
665354-2	2-Critical		Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
658574-2	2-Critical	K61847644	An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
655357-2	2-Critical	K06245820	Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653376-5	2-Critical		bgpd may crash on receiving a BGP update with >= 32 extended communities
649866-1	2-Critical		fsck should not run during first boot on public clouds
638997-2	2-Critical		Reboot required after disk size modification in a running BIG-IP VE instance.
625456-5	2-Critical		Pending sector utility may write repaired sector incorrectly
624826-2	2-Critical		mgmt bridge takes HWADDR of guest vm's tap interface
613415-2	2-Critical		Memory leak in ospfd when distribute-list is used
609335-1	2-Critical		IPsec tmm devbuf memory leak.
604011-1	2-Critical		Sync fails when iRule or policy is in use★
595783	2-Critical		Changing console baud rate for B2100, B2150 and B2250 blades does not work
593137-1	2-Critical		userDefined property for bot signatures is not shown in REST
579210-3	2-Critical	K11418051	VIPRION B4400N blades might fail to go Active under rare conditions.
471860-10	2-Critical	K16209	Disabling interface keeps DISABLED state even after enabling
412817-3	2-Critical		BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
671920-1	3-Major		Accessing SNMP over IPv6 on non-default route domains
669818-2	3-Major		Higher CPU usage for syslog-ng when a syslog server is down
667278-3	3-Major		DSC connections between BIG-IP units may fail to establish
667138-1	3-Major		LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★
664829-1	3-Major		BIG-IP sometimes performs unnecessary reboot on first boot
662331-1	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
661764-2	3-Major	K53762147	It is possible to configure a number of CPUs that exceeds the licensed throughput
660532-2	3-Major	K21050223	Cannot specify the event parameter for redirects on the policy rule screen.
655671-1	3-Major		Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
655649-2	3-Major		BGP last update timer incorrectly resets to 0
654011-2	3-Major	K33210520	Pool member's health monitors set to Member Specific does not display the active monitors
652638-2	3-Major		php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
651155-1	3-Major		HSB continually logs 'loopback ring 0 tx not active'
650349	3-Major	K50168519	Creation or reconfiguration of iApps will fail if logging is configured
650002-1	3-Major		tzdata bug fix and enhancement update
649949-1	3-Major		Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★
647988-3	3-Major	K15331432	HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944-2	3-Major		MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
645179-6	3-Major		Traffic group becomes active on more than one BIG-IP after a long uptime
644404-1	3-Major		Extracting SSD from system leads to Emergency LCD alert★
644184-4	3-Major	K36427438	ZebOS daemons hang while AgentX SNMP daemon is waiting.
643294	3-Major		IGMP and PIM not in self-allow default list when upgrading from 10.2.x★
643121-1	3-Major		Failed installation volumes cannot be deleted in the GUI.
643013	3-Major		DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
642982-3	3-Major	K23241518	tmrouted may continually restart after upgrade, adding or renaming an interface★
642314-2	3-Major	K24276198	CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
638825-2	3-Major		SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
637561-1	3-Major		Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
636744-1	3-Major	K16918340	IKEv1 phase 2 SAs not deleted
631866-2	3-Major		Cannot access LTM policy rules in the web UI when the name contains certain characters
631172-4	3-Major		GUI user logged off when idle for 30 minutes, even when longer timeout is set
624692-3	3-Major		Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
623391-5	3-Major		cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size★
622619-5	3-Major		BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622133-1	3-Major		VCMP guests may incorrectly obtain incorrect MAC addresses
621259-3	3-Major		Config save takes long time if there is a large number of data groups
619060	3-Major		Reduction in boot time in BIG-IP Virtual Edition platforms
617875-1	3-Major		vCMP guest may fail to start due to not enough hugepages
612752-1	3-Major		UCS load or upgrade may fail under certain conditions.★
610442-2	3-Major	K75051412	vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso★
607961-1	3-Major		Secondary blades restart when modifying a virtual server's route domain in a different partition.
605792-1	3-Major		Installing a new version changes the ownership of administrative users' files★
601709-2	3-Major	K02314881	I2C error recovery for BIG-IP 4340N/4300 blades
590938-3	3-Major		The CMI rsync daemon may fail to start
583475-1	3-Major		The BIG-IP may core while recompiling LTM policies
577474-3	3-Major		Users with auditor role are unable to use tmsh list sys crypto cert
569100-1	3-Major		Virtual server using NTLM profile results in benign Tcl error
544906-2	3-Major	K07388310	Issues when using remote authentication when users have different partition access on different devices
507240-4	3-Major	K13811263	ICMP traffic cannot be disaggregated based on IP addresses
480983-4	3-Major		tmrouted daemon may core due to daemon_heartbeat
471029-2	3-Major		If the configuration contains a filename with the $ character, then saving the UCS fails.
656900-1	4-Minor		Blade family migration may fail
655314	4-Minor		When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★
653225-1	4-Minor		coreutils security and bug fix update
645717	4-Minor		UCS load does not set directory owner
644975-4	4-Minor		/var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644799-1	4-Minor	K42882011	TMM may crash when the BIG-IP system processes CGNAT traffic.
642723-3	4-Minor		Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
634371-2	4-Minor		Cisco ethernet NIC driver
530927-8	4-Minor		Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-6	4-Minor		tmsh sys log filter is displays in UTC time
527720-1	4-Minor		Rare 'No LopCmd reply match found' error in getLopReg
448409-1	4-Minor	K15491	'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
626596	5-Cosmetic		Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670011-2	1-Blocking		SSL forward proxy does not create the server certchain when ignoring server certificates
621452-1	1-Blocking	K58146172	Connections can stall with TCP::collect iRule
659899-1	2-Critical	K10589537	Rare, intermittent system instability observed in dynamic load-balancing modes
657713-5	2-Critical	K05052273	Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
655628-1	2-Critical		TCP analytics does not release resources under specific sequence of packets
655211-1	2-Critical	K25384206	bigd crash (SIGSEGV) when running FQDN node monitors
650317-3	2-Critical		The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171-4	2-Critical		tmm core in iRule with unreachable remote address
648037-2	2-Critical		LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-2	2-Critical	K43005132	HA standby virtual server with non-default lasthop settings may crash.
646604-5	2-Critical	K21005334	Client connection may hang when NTLM and OneConnect profiles used together
645663	2-Critical		Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
644112-2	2-Critical	K56150996	Permanent connections may be expired when endpoint becomes unreachable
643631	2-Critical	K70938130	Serverside connections on virtual servers using VDI may become zombies.
635274-1	2-Critical	K21514205	SSL::sessionid command may return invalid values
634265-2	2-Critical	K34688632	Using route pools whose members aren't directly connected may crash the TMM.
632552-2	2-Critical	K08634156	tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
629178-1	2-Critical	K42206046	Incorrect initial size of connection flow-control window
611704-5	2-Critical		tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605983-1	2-Critical		tmrouted may crash when being restarted in debug mode
604926-3	2-Critical	K50041125	The TMM may become unresponsive when using SessionDB data larger than ~400K
604223-2	2-Critical		pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
583700-3	2-Critical		tmm core on out of memory
583355-1	2-Critical		The TMM may crash when changing profiles associated with plugins
566071-5	2-Critical		network-HSM may not be operational on secondary slots of a standby chassis.
559030-1	2-Critical	K65244513	TMM may core during ILX RPC activity if a connflow closes before the RPC returns
687193-1	3-Major		TMM may leak memory when processing SSL Forward Proxy traffic
677119	3-Major		HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
672008-1	3-Major	K22122208	NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
671935-2	3-Major	K64461712	Possible ephemeral port reuse.
669025-1	3-Major	K11425420	Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
668521-2	3-Major		Bigd might stall while waiting for an external monitor process to exit
666032-3	3-Major	K05145506	Secure renegotiation is set while data is not available.
663326-2	3-Major		Thales HSM: "fipskey.nethsm --export" fails to make stub keys
662881-2	3-Major	K10443875	L7 mirrored packets from standby to active might cause tmm core when it goes active.
662085-1	3-Major		iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
658214-2	3-Major	K20228504	TCP connection fail intermittently for mirrored fastl4 virtual server
655793-1	3-Major	K04178391	SSL persistence parsing issues due to SSL / TCP boundary mismatch
654109-2	3-Major	K01102467	Configuration loading may fail when iRules calling procs in other iRules are deleted
653511-2	3-Major	K45770397	Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
652535-1	3-Major	K54443700	HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652445-2	3-Major	K87541959	SAN with uppercase names result in case-sensitive match or will not match
651651-3	3-Major	K54604320	bigd can crash when a DNS response does not match the expected value
650292-2	3-Major		DNS transparent cache can return non-recursive results for recursive queries
650152-1	3-Major		Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
648954-5	3-Major	K01102467	Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647137	3-Major		bigd/tmm con vCMP guests
646443-1	3-Major		Ephemeral Node may be errantly created in bigd, causing crash
645058-3	3-Major		Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-3	3-Major	K85772089	Removing pool from virtual server does not update its status
644873-2	3-Major	K97237310	ssldump can fail to decrypt captures with certain TCP segmenting
644851-2	3-Major		Websockets closes connection on receiving a close frame from one of the peers
644418-2	3-Major		Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
643777-2	3-Major	K27629542	LTM policies with more than one IP address in TCP address match may fail
643582-2	3-Major		Config load with large ssl profile configuration may cause tmm restart
641491-2	3-Major	K37551222	TMM core while running iRule LB::status pool poolname member ip port
640376-3	3-Major		STPD leaks memory on 2000/4000/i2000/i4000 series
638715-3	3-Major	K77010072	Multiple Diameter monitors to same server ip/port may race on PID file
632001-1	3-Major		For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
627574-1	3-Major		After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
626434-6	3-Major		tmm may be killed by sod when a hardware accelerator does not work
624805-1	3-Major		ILX node.js process may be restarted if a single operation takes more than 15 seconds
623940-3	3-Major		SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
622178-1	3-Major		Improve flow handling when Autolasthop is disabled
622017-8	3-Major	K54106058	Performance graph data may become permanently lost after corruption.
621736-6	3-Major		statsd does not handle SIGCHLD properly in all cases
620788-1	3-Major	K05232247	FQDN pool created with existing FQDN node has RED status
618161-1	3-Major		SSL handshake fails when clientssl uses softcard-protected key-certs.
618121	3-Major		"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x★
607246-10	3-Major		Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
603609-2	3-Major		Policy unable to match initial path segment when request-URI starts with "//"
602040-3	3-Major		Truncated support ID for HTTP protocol security logging profile
600614-5	3-Major		External crypto offload fails when SSL connection is renegotiated
596433-3	3-Major		Virtual with lasthop configured rejects request with no route to client.
596242-1	3-Major	K17065223	[zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
595275-5	3-Major		Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
593390-4	3-Major		Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
589006-5	3-Major		SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-5	3-Major	K98547701	Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
578573-1	3-Major		SSL Forward Proxy Forged Certificate Signature Algorithm
563933-4	3-Major		[DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
536563-7	3-Major		Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
484542-1	3-Major		QinQ tag-mode can be set on unsupported platforms
668802-3	4-Minor	K83392557	GTM link graphs fail to display in the GUI
667318-3	4-Minor		BIG-IP DNS/GTM link graphs fail to display in the GUI.
584210-1	4-Minor		TMM may core when running two simultaneous WebSocket collect commands
578415-2	4-Minor		Support for hardware accelerated bulk crypto SHA256 missing
513288-7	4-Minor		Management traffic from nodes being health monitored might cause health monitors to fail.
462043-2	4-Minor		DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
620903-1	2-Critical		Decreased performance of ICMP attack mitigation.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
636541-3	1-Blocking		DNS Rapid Response filters large datagrams
667028-1	2-Critical		DNS Express does not run on i11000 platforms with htsplit disabled.
649564-2	2-Critical		Crash related to GTM monitors with long RECV strings
663073-1	3-Major		GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
659912-1	3-Major		GSLB Pool Member Manage page display issues and error message
655807-5	3-Major	K40341291	With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
655445-2	3-Major		Provide the ability to globally specifiy a DSCP value.
654599-1	3-Major	K74132601	The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
648286-2	3-Major		GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
644447-2	3-Major		sync_zones script increasingly consumes memory when there is network connectivity failure
626141-3	3-Major		DNSX Performance Graphs are not displaying Requests/sec"
615222-1	3-Major		GTM configuration fails to load when it has gslb pool with members containing more than one ":"★
605260-1	3-Major		[GUI] Changes can not be made to GTM listener in partition with default route domain <> 0
659969-1	4-Minor		tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
644220-3	4-Minor	K37049259	Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
604371-1	4-Minor		Pagination controls missing for GSLB pool members
582773-5	4-Minor		DNS server for child zone can continue to resolve domain names after revoked from parent

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
653014-1	2-Critical		Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name
652200-1	2-Critical	K81349220	Failure to update ASM enforcer about account change.
638629-2	2-Critical		Bot can be classified as human
619110-1	2-Critical		Slow to delete URLs, CPU spikes with Automatic Policy Builder
672695-1	3-Major		Internal perl process listening on all interfaces when ASM enabled
665905	3-Major	K83305000	Signature System corruption from specific ASU prevents ASU load after upgrade
664930-2	3-Major		Policy automatic learning mode changes to manual after failover
655617-1	3-Major	K36442669	Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
631444-2	3-Major		Bot Name for ASM Search Engines is case sensitive
606521-1	3-Major		Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade
605616-1	3-Major		Creating 256 Fundamental Security policies will result in an out of memory error
602975-1	3-Major		Unable to update the HTTP URL's "Header-Based Content Profiles" values
596685-1	3-Major	K76841626	Request Log failure on request with XML format violation
595900-4	3-Major	K11833633	Cookie Signature overrides may be ignored after Signature Update
563727-1	3-Major		Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'
534247-1	3-Major		Issue a Body in Get sub violation for GET request with content type header

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
604191-1	2-Critical		AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports★
629573-1	3-Major		No drill-down filter for virtual-servers is mentioned on exported reports when using partition
603875-2	3-Major		The statistic ASM memory Utilization - bd swap size: stats are wrong
601536-1	3-Major		Analytics load error stops load of configuration★
639395-2	4-Minor	K91614278	AVR does not display 'Max read latency' units.

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
647108-1	1-Blocking		Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
679235-5	2-Critical		Inspection Host NPAPI Plugin for Safari can not be installed
669341	2-Critical		Category Lookup by Subject.CN will result in a reset
666454-2	2-Critical	K05520115	Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
663506-7	2-Critical	K30533350	apmd crash during ldap cache initialization
652004-2	2-Critical	K45320415	Show /apm access-info all-properties causes memory leaks in tmm
662639-2	3-Major		Policy Sync fails when policy object include FIPS key
659371-2	3-Major		apmd crashes executing iRule policy evaluate
658852-5	3-Major		Empty User-Agent in iSessions requests from APM client on Windows
654513-6	3-Major	K11003951	APM daemon crashes when the LDAP query agent returns empty in its search results.
649929-1	3-Major		saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
648053-1	3-Major		Rewrite plugin may crash on some JavaScript files
646928-1	3-Major		Landing URI incorrect when changing URI
645684-2	3-Major		Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
618957-1	3-Major		Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
601919-2	3-Major		Custom categories and custom url filter assignment must be specific to partition instead of global lookup
583272-2	3-Major		"Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
580567-1	3-Major		LDAP Query agent failed to resolve nested group membership
551795-1	3-Major		Portal Access: corrections to CORS support for XMLHttpRequest
550547-2	3-Major		URL including a "token" query fails results in a connection reset

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
664535-1	2-Critical		Diameter failure: load balancing fails when all pool members use same IP Address
640407-1	2-Critical	K41344483	Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
568545-2	2-Critical	K17124802	iRules commands that refer to a transport-config will fail validation
559953-1	2-Critical		tmm core on long DIAMETER::host value
662364-2	3-Major		MRF DIAMETER: IP ToS not passing through with DIAMETER
644946-2	3-Major	K05053251	Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation
644565-1	3-Major		MRF Message metadata lost when routing message to a connection on a different TMM
634078-2	3-Major		MRF: Routing using a virtual with SNAT set to none may select a source port of zero
624155-2	3-Major		MRF Per-Client mode connections unable to return responses if used by another client connection
620929-4	3-Major		New iRule command, MR::ignore_peer_port
353229-2	3-Major	K54130510	Buffer overflows in DIAMETER
651640-3	4-Minor		queue full dropped messages incorrectly counted as responses

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670400-3	2-Critical		SSH Proxy public key authentication can be circumvented in some cases
655470	2-Critical	K79924625	IP Intelligence logging publisher removal can cause tmm crash
651001-1	2-Critical		massive prints in tmm log: "could not find conf for profile crc"
650081-1	3-Major	K53010710	FP feature causes the blank page/delay on IE11
648617	3-Major		JavaScript challenge repeating in loop when URL has path parameters
644855-2	3-Major		irules with commands which may suspend processing cannot be used with proactive bot defense
630356-1	3-Major		JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
628351-1	3-Major		Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled
618902-4	3-Major		PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation
618656-2	3-Major		JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters
519612-1	3-Major		JavaScript challenge fails when coming within iframe with different domain than main page

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
658261-2	2-Critical		TMM core after HA during GY reporting
658148-2	2-Critical	K23150504	TMM core after intra-chassis failover for some instances of subscriber creation
657632-4	2-Critical		Rarely if a subscriber delete is performed following HA switchover, tmm may crash
653285-1	2-Critical		PEM rule deletion with HSL reporting may cause tmm coredump
652973-2	2-Critical		Coredump observed at system bootup time when many DHCP packets arrive
650422-2	2-Critical		TMM core after a switchover involving GY quota reporting
659567-1	3-Major	K94685557	iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
652052-3	3-Major		PEM:sessions iRule made the order of parameters strict
635257-2	3-Major	K41151808	Inconsistencies in Gx usage record creation.
623037-2	3-Major		delete of pem session attribute does not work after a update

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
676808-2	2-Critical		FPS: tmm may crash on response with large payload from server
669364-1	2-Critical		TMM core when server responds fast with server responses such as 404.
669359	2-Critical		WebSafe might cause connections to hang
674931	3-Major		FPS modified responses/injections might result in a corrupted response
674909-3	3-Major		Application CSS injection might break when connection is congested
667872-1	3-Major		Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports
658321-2	3-Major		Websafe features might break in IE8
657502-2	3-Major		JS error when leaving page opened for several minutes
644694	3-Major		FPS security update check ends up with an empty page when error occurs.
618185-1	3-Major		Mismatch in URL CRC32 calculation
643602-2	4-Minor		'Select All' checkbox selects items on hidden pages

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
605123-1	2-Critical		IAppLX objects fail to sync after establishing HA in auto-sync mode★

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
606316-4	1-Blocking		HTTPS request to F5 licensing server fails
665778-1	2-Critical	K34503519	Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
599424-2	2-Critical		iApps LX fails to sync★
632060-1	4-Minor		restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
693211-3	CVE-2017-6168	K21905460	CVE-2017-6168

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
664063-1	2-Critical	K03203976	Azure displays failure for deployment of BIG-IP from a Resource Manager template

Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
652151-1	CVE-2017-6131	K61757346	Azure VE: Initialization improvement
641256-1	CVE-2016-9257	K43523962	APM access reports display error
623885-4	CVE-2016-9251	K41107914	Internal authentication improvements
621371-2	CVE-2016-9257	K43523962	Output Errors in APM Event Log
648865-2	CVE-2017-6074	K82508682	Linux kernel vulnerability: CVE-2017-6074
643187-2	CVE-2017-3135	K80533167	BIND vulnerability CVE-2017-3135
641445-1	CVE-2017-6145	K22317030	iControl improvements
641360-2	CVE-2017-0303	K30201296	SOCKS proxy protocol error
636702-3	CVE-2016-9444	K40181790	BIND vulnerability CVE-2016-9444
636699-5	CVE-2016-9131	K86272821	BIND vulnerability CVE-2016-9131
631582	CVE-2016-9250	K55792317	Administrative interface enhancement
628836-4	CVE-2016-9245	K22216037	TMM crash during request normalization
626360	CVE-2017-6163	K22541983	TMM may crash when processing HTTP2 traffic
624570-1	CVE-2016-8864	K35322517	BIND vulnerability CVE-2016-8864
624526-3	CVE-2017-6159	K10002335	TMM core in mptcp
624457-5	CVE-2016-5195	K10558632	Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
623093-1	CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320	K38871451	TIFF vulnerability CVE-2015-7554
620400-1	CVE-2017-6141	K21154730	TMM crash during TLS processing
610255-1	CVE-2017-6161	K62279530	CMI improvement
596340-8	CVE-2016-9244	K05121675	F5 TLS vulnerability CVE-2016-9244
580026-5	CVE-2017-6165	K74759095	HSM logging error
648879-2	CVE-2016-6136 CVE-2016-9555	K90803619	Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
641612-2	CVE-2017-0302	K87141725	APM crash
638137	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828	K51201255	CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
635412	CVE-2017-6137	K82851041	Invalid mss with fast flow forwarding and software syn cookies
635252-1	CVE-2016-9256	K47284724	CVE-2016-9256
631841-7	CVE-2016-9311	K55405388	NTP vulnerability CVE-2016-9311
631688-7	CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433	K55405388 K87922456 K63326092 K51444934 K80996302	Multiple NTP vulnerabilities
630150-1	CVE-2016-9253	K51351360	Websockets processing error
627916-1	CVE-2017-6144	K81601350	Improve cURL Usage
627747-1	CVE-2017-6142	K20682450	Improve cURL Usage
625372-5	CVE-2016-2179	K23512141	OpenSSL vulnerability CVE-2016-2179
623119	CVE-2016-4470	K55672042	Linux kernel vulnerability CVE-2016-4470
622496	CVE-2016-5829	K28056114	Linux kernel vulnerability CVE-2016-5829
622126-1	CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127	K54308010	PHP vulnerability CVE-2016-7124
621337-6	CVE-2016-7469	K97285349	XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
618261-6	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
615267-2	CVE-2016-2183	K13167034	OpenSSL vulnerability CVE-2016-2183
613225-7	CVE-2016-2180, CVE-2016-6306, CVE-2016-6302	K90492697	OpenSSL vulnerability CVE-2016-6306
606710-10	CVE-2016-2834, CVE-2016-5285, CVE-2016-8635	K15479471	Mozilla NSS vulnerability CVE-2016-2834
600232-9	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
600223-2	CVE-2016-2177	K23873366	OpenSSL vulnerability CVE-2016-2177
599858-7	CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240	K68785753	ImageMagick vulnerability CVE-2015-8898
635933-3	CVE-2004-0790	K23440942 K13361021	The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
628832-4	CVE-2016-6161	K71581599	libgd vulnerability CVE-2016-6161
622662-7	CVE-2016-6306	K90492697	OpenSSL vulnerability CVE-2016-6306
609691-1	CVE-2014-4617	K21284031	GnuPG vulnerability CVE-2014-4617
600205-9	CVE-2016-2178	K53084033	OpenSSL Vulnerability: CVE-2016-2178
600198-2	CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216	K53084033	OpenSSL vulnerability CVE-2016-2178
599285-2	CVE-2016-5094 CVE-2016-5095 CVE-2016-5096	K51390683	PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
598002-10	CVE-2016-2178	K53084033	OpenSSL vulnerability CVE-2016-2178
621937-1	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
621935-6	CVE-2016-6304	K54211024	OpenSSL vulnerability CVE-2016-6304
606771-2	CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297	K35799130	Multiple PHP vulnerabilities
601268-5	CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094	K43267483	PHP vulnerability CVE-2016-5766

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
653453	2-Critical		ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
628972-2	2-Critical		BMC version 2.51.7 for iSeries appliances
624831-2	2-Critical		BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
616918-1	2-Critical		BMC version 2.50.3 for iSeries appliances
633723-3	3-Major		New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391-1	3-Major		GUI Error trying to modify IP Data-Group
609614-3	3-Major		Yafuflash 4.25 for iSeries appliances
597797-4	3-Major	K78449695	Allow users to disable enforcement of RFC 7057
581840-5	3-Major	K46576869	Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
564876-2	3-Major		New DB variable log.lsn.comma changes CGNAT logs to CSV format
609084-2	4-Minor	K03808942	Max number of chunks not configurable above 1000 chunks
597270-2	4-Minor		tcpdump support missing for VXLAN-GPE NSH

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
655500	1-Blocking		Rekey SSH sessions after one hour
642058-1	1-Blocking		CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
641390-5	1-Blocking		Backslash removal in LTM monitors after upgrade
627433-1	1-Blocking		HSB transmitter failure on i2x00 and i4x00 platforms
602830-1	1-Blocking		BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
648056-2	2-Critical	K16503454	bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805	2-Critical		LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address
641248	2-Critical		IPsec-related tmm segfault
641013-5	2-Critical		GRE tunnel traffic pinned to one TMM
638935-3	2-Critical		Monitor with send/receive string containing double-quote may cause upgrade to fail.★
636918-2	2-Critical		Fix for crash when multiple tunnels use the same traffic selector
636290	2-Critical		vCMP support for B4450 blade
627898-2	2-Critical		TMM leaks memory in the ECM subsystem
625824-1	2-Critical		iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
624263-4	2-Critical		iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response
618779-1	2-Critical		Route updates during IPsec tunnel setup can cause tmm to restart
616059-1	2-Critical	K19545861	Modifying license.maxcores Not Allowed Error
614296-1	2-Critical		Dynamic routing process ripd may core
613536-5	2-Critical		tmm core while running the iRule STATS:: command
610295-1	2-Critical	K32305923	TMM may crash due to internal backplane inconsistency after reprovisioning
583516-2	2-Critical		tmm ASSERT's "valid node" on Active, after timer fire..
567457-2	2-Critical		TMM may crash when changing the IKE peer config.
652484-2	3-Major		tmsh show net f5optics shows information for only 1 chassis slot in a cluster
649617-2	3-Major		qkview improvement for OVSDB management
648544-5	3-Major	K75510491	HSB transmitter failure may occur when global COS queues enabled
646760	3-Major		Common Criteria Mode Disrupts Administrative SSH Access
644490-1	3-Major		Finisar 100G LR4 values need to be revised in f5optics
637559-1	3-Major		Modifying iRule online could cause TMM to be killed by SIGABRT
636535	3-Major	K24844444	HSB lockup in vCMP guest doesn't generate core file
635961-1	3-Major		gzipped and truncated files may be saved in qkview
635129	3-Major		Chassis systems in HA configuration become Active/Active during upgrade★
635116-1	3-Major	K34100550	Memory leak when using replicated remote high-speed logging.
634115-1	3-Major	K10608314	Not all topology records may sync.
633879-1	3-Major	K52833014	Fix IKEv1 md5 phase1 hash algorithm so config takes effect
633512-1	3-Major		HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633413-1	3-Major		IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
631627-4	3-Major		Applying BWC over route domain sometimes results in tmm not becoming ready on system start
630622-1	3-Major		tmm crash possible if high-speed logging pool member is deleted and reused
630610-5	3-Major	K43762031	BFD session interface configuration may not be stored on unit state transition
630546-1	3-Major		Very large core files may cause corrupted qkviews
629499-9	3-Major		tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
629085-1	3-Major	K55278069	Any CSS content truncated at a quoted value leads to a segfault
628202-4	3-Major		Audit-forwarder can take up an excessive amount of memory during a high volume of logging
628164-3	3-Major	K20766432	OSPF with multiple processes may incorrectly redistribute routes
628009-1	3-Major		f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
627961-3	3-Major	K15130343	nic_failsafe reboot doesn't trigger if HSB fails to disable interface
627914-1	3-Major		Unbundled 40GbE optics reporting as Unsupported Optic
627214-3	3-Major		BGP ECMP recursive default route not redistributed to TMM
626839	3-Major		sys-icheck error for /var/lib/waagent in Azure.
626721-5	3-Major		"reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
625703-2	3-Major		SELinux: snmpd is denied access to tmstat files
625221-5	3-Major		Support for overriding SPDAG address bit selection and L1 buckets on P8
625085	3-Major		lasthop rmmod causes kernel panic
624361-1	3-Major		Responses to some of the challenge JS are not zipped.
623930-3	3-Major		vCMP guests with vlangroups may loop packets internally
623401-1	3-Major		Intermittent OCSP request failures due to non-optimal default TCP profile setting
623336-4	3-Major		After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS★
623055-1	3-Major		Kernel panic during unic initialization
622183-5	3-Major		The alert daemon should remove old log files but it does not.
621909-4	3-Major	K23562314	Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-1	3-Major		DSR tunnels with transparent monitors may cause TMM crash.
620659-3	3-Major		The BIG-IP system may unecessarily run provisioning on successive reboots
620366-4	3-Major		Alertd can not open UDP socket upon restart
617628-1	3-Major		SNMP reports incorrect value for sysBladeTempTemperature OID
615934-1	3-Major		Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615107-1	3-Major		Cannot SSH from AOM/SCCP to host without password (host-based authentication).
613765-3	3-Major		Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
612809-1	3-Major		Bootup script fails to run on on a vCMP guest due to a missing reference file.
611658-3	3-Major		"less" utility logs an error for remotely authenticated users using the tmsh shell
611512-1	3-Major		AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
611487-3	3-Major		vCMP: VLAN failsafe does not trigger on guest
610417-1	3-Major	K54511423	Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609119-7	3-Major		Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
608320-3	3-Major		iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response
604727-1	3-Major		Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.★
604237-3	3-Major		Vlan allowed mismatch found error in VCMP guest
604061-2	3-Major		Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
602376-1	3-Major		qkview excludes files
598498-7	3-Major		Cannot remove Self IP when an unrelated static ARP entry exists.
598134-1	3-Major		Stats query may generate an error when tmm on secondary is down
596067-2	3-Major		GUI on VIPRION hangs on secondary blade reboot
590211-2	3-Major		jitterentropy-rngd quietly fails to start
583754-7	3-Major		When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
575027-1	3-Major		Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
562928-2	3-Major		Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
559080-5	3-Major		High Speed Logging to specific destinations stops from individual TMMs
557471-3	3-Major		LTM Policy statistics showing zeros in GUI
543208-1	3-Major		Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.★
534520-1	3-Major		qkview may exclude certain log files from /var/log
424542-5	3-Major		tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
418349-2	3-Major		Update/overwrite of FIPS keys error
643404-2	4-Minor	K30014507	'tmsh system software status' does not display properly in a specific cc-mode situation★
636520-3	4-Minor	K88813435	Detail missing from power supply 'Bad' status log messages
633181-1	4-Minor		A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
632668-5	4-Minor		When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069-3	4-Minor		Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
621957-2	4-Minor		Timezone data on AOM not syncing with host
617901-1	4-Minor		GUI to handle file path manipulation to prevent GUI instability.
609107-1	4-Minor		mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
605420-5	4-Minor		httpd security update - CVE-2016-5387
599191-2	4-Minor		One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
589379-2	4-Minor	K20937139	ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
585097-1	4-Minor		Traffic Group score formula does not result in unique values.
541550-3	4-Minor		Defining more than 10 remote-role groups can result in authentication failure
541320-10	4-Minor	K50973424	Sync of tunnels might cause restore of deleted tunnels.
500452-8	4-Minor	K28520025	PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
642015-2	5-Cosmetic		SSD Manufacturer "unavailable"
524277-2	5-Cosmetic		Missing power supplies issue warning message that should be just a notice message.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
651476	2-Critical		bigd may core on non-primary bigd when FQDN in use
648715-2	2-Critical		BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
643396-2	2-Critical	K34553627	Using FLOW_INIT iRule may lead to TMM memory leak or crash
642400-2	2-Critical		Path MTU discovery occasionally fails
640352-2	2-Critical	K01000259	Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639744-1	2-Critical	K84228882	Memory leak in STREAM::expression iRule
637181-4	2-Critical		VIP-on-VIP traffic may stall after routing updates
632685	2-Critical		bigd memory leak for FQDN nodes on non-primary bigd instance
630475-5	2-Critical		TMM Crash
630306-1	2-Critical		TMM crash in DNS processing on UDP virtual server with no available pool members
629145-1	2-Critical		External datagroups with no metadata can crash tmm
628890-1	2-Critical		Memory leak when modifying large datagroups
627403-2	2-Critical		HTTP2 can can crash tmm when stats is updated on aborting of a new connection
626311-2	2-Critical	K75419237	Potential failure of DHCP relay functionality credits to incorrect route lookup.
625198-1	2-Critical		TMM might crash when TCP DSACK is enabled
622856-1	2-Critical		BIG-IP may enter SYN cookie mode later than expected
621870-2	2-Critical		Outage may occur with VIP-VIP configurations
619663-3	2-Critical	K49220140	Terminating of HTTP2 connection may cause a TMM crash
619528-4	2-Critical		TMM may accumulate internal events resulting in TMM restart
619071-3	2-Critical		OneConnect with verified accept issues
614509-1	2-Critical		iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
609027-1	2-Critical		TMM crashes when SSL forward proxy is enabled.
608304-1	2-Critical	K55292305	TMM crash on memory corruption
603667-2	2-Critical		TMM may leak or corrupt memory when configuration changes occur with plugins in use
603082-3	2-Critical		Ephemeral pool members are getting deleted/created over and over again.
602136-5	2-Critical		iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
601828-1	2-Critical	K13338433	An untrusted certificate can cause tmm to crash.
600982-5	2-Critical		TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
599720-2	2-Critical		TMM may crash in bigtcp due to null pointer dereference
597828-1	2-Critical		SSL forward proxy crashes in some cases
596450-1	2-Critical		TMM may produce a core file after updating SSL session ticket key
594642-3	2-Critical		Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
581746-1	2-Critical	K42175594	MPTCP or SSL traffic handling may cause a BIG-IP outage
557358-5	2-Critical		TMM SIGSEGV and crash when memory allocation fails.
423629-3	2-Critical	K08454006	bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
651106	3-Major		memory leak on non-primary bigd with changing node IPs
649571-1	3-Major		Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990	3-Major		Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
641512-4	3-Major	K51064420	DNSSEC key generations fail with lots of invalid SSL traffic
632324-2	3-Major		PVA stats does not show correct connection number
629412-3	3-Major		BIG-IP closes a connection when a maximum size window is attempted
627246-1	3-Major	K09336400	TMM memory leak when ASM policy configured on virtual server
626386-1	3-Major	K28505256	SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
626106-3	3-Major		LTM Policy with illegal rule name loses its conditions and actions during upgrade★
625106-2	3-Major		Policy Sync can fail over a lossy network
624616-1	3-Major		Safenet uninstall is unable to remove libgem.so
620625-2	3-Major	K38094257	Changes to the Connection.VlanKeyed DB key may not immediately apply
620079-3	3-Major		Removing route-domain may cause monitors to fail
619849-4	3-Major		In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618430-2	3-Major		iRules LX data not included in qkview
618428	3-Major		iRules LX - Debug mode does not function in dedicated mode
618254-4	3-Major		Non-zero Route domain is not always used in HTTP explicit proxy
617858-2	3-Major		bigd core when using Tcl monitors
616022-2	3-Major	K46530223	The BIG-IP monitor process fails to process timeout conditions
613326-1	3-Major		SASP monitor improvements
612694-5	3-Major		TCP::close with no pool member results in zombie flows
610429-5	3-Major		X509::cert_fields iRule command may memory with subpubkey argument
610302-1	3-Major		Link throughput graphs might be incorrect.
609244-4	3-Major		tmsh show ltm persistence persist-records leaks memory
608551-3	3-Major		Half-closed congested SSL connections with unclean shutdown might stall.
607152-1	3-Major		Large Websocket frames corrupted
604496-4	3-Major		SQL (Oracle) monitor daemon might hang.
603979-4	3-Major		Data transfer from the BIG-IP system self IP might be slow
603723-2	3-Major		TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603550-1	3-Major		Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
600827-8	3-Major		Stuck Nitrox crypto queue can erroneously be reported
600593-1	3-Major		Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
600052-1	3-Major		GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system
599121-2	3-Major	K24036315	Under heavy load, hardware crypto queues may become unavailable.
592871-3	3-Major		Cavium Nitrox PX/III stuck queue diagnostics missing.
591666-3	3-Major		TMM crash in DNS processing on TCP virtual with no available pool members
589400-1	3-Major		With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
586738-4	3-Major		The tmm might crash with a segfault.
584471-1	3-Major		Priority order of clientssl profile selection of virtual server.
584310-1	3-Major		TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-6	3-Major		Fragmented packets may cause tmm to core under heavy load
582769-1	3-Major	K99405272	WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
579926-1	3-Major		HTTP starts dropping traffic for a half-closed connection when in passthrough mode
568543-4	3-Major		Syncookie mode is activated on wildcard virtuals
562267-3	3-Major		FQDN nodes do not support monitor alias destinations.
517756-6	3-Major		Existing connections can choose incorrect route when crossing non-strict route-domains
509858-5	3-Major	K36300805	BIG-IP FastL4 profile vulnerability
419741-3	3-Major		Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
352957-4	3-Major	K03005026	Route lookup after change in route table on established flow ignores pool members
660170-1	4-Minor	K28505910	tmm may crash at ~75% of VLAN failsafe timeout expiration
631862-1	4-Minor	K32107573	Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
618517-1	4-Minor	K61255401	bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
611161-3	4-Minor	K28540353	VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
587966-1	4-Minor	K77283304	LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
583943-1	4-Minor	K27491104	Forward proxy does not work when netHSM is configured on TMM interfaces
574020-5	4-Minor		Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
621115-1	2-Critical		IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
642039-2	2-Critical		TMM core when persist is enabled for wideip with certain iRule commands triggered.
584374-2	2-Critical	K67622400	iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
642330-2	3-Major		GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★
640903-1	3-Major		Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
632423-4	3-Major		DNS::query can cause tmm crash if AXFR/IXFR types specified.
629530-2	3-Major	K53675033	Under certain conditions, monitors do not time out.
628897-1	3-Major		Add Hyperlink to gslb server and vs on the Pool Member List Page
625671-4	3-Major		The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
624876-1	3-Major		Response Policy Zones can trigger even after entry removed from zone
624193-2	3-Major		Topology load balancing not working as expected
623023-1	3-Major		Unable to set DNS Topology Continent to Unknown via GUI
621239-2	3-Major		Certain DNS queries bypass DNS Cache RPZ filter.
620215-5	3-Major		TMM out of memory causes core in DNS cache
619398-7	3-Major		TMM out of memory causes core in DNS cache
612769-1	3-Major	K33842313	Hard to use search capabilities on the Pool Members Manage page.
601180-2	3-Major	K73505027	Link Controller base license does not allow DNS namespace iRule commands.★
567743-2	3-Major		Possible gtmd crash under certain conditions.
557434-4	3-Major		After setting a Last Resort Pool on a Wide IP, cannot reset back to None
366695-1	5-Cosmetic		Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
646511-1	2-Critical		BD crashes repeatedly after interrupted roll-forward upgrade★
636397-1	2-Critical		bd cores when persistent storage configuration and under some memory conditions.
634001-2	2-Critical		ASM restarts after deleting a VS that has an ASM security policy assigned to it
627117-1	2-Critical		crash with wrong ceritifcate in WSS
625783-1	2-Critical		Chassis sync fails intermittently due to sync file backlog
618771-1	2-Critical		Some Social Security Numbers are not being masked
601378-2	2-Critical		Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
584082-3	2-Critical		BD daemon crashes unexpectedly
540928-1	2-Critical		Memory leak due to unnecessary logging profile configuration updates.
640824-1	3-Major	K20770267	Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
635754-1	3-Major	K65531575	Wildcard URL pattern match works inncorectly in Traffic Learning
632344-2	3-Major		POP DIRECTIONAL FORMATTING causes false positive
632326-2	3-Major	K52814351	relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
631737-1	3-Major	K61367823	ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
630929-1	3-Major	K69767100	Attack signature exception list upload times-out and fails
627360-1	3-Major		Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
625832-4	3-Major		A false positive modified domain cookie violation
622913-2	3-Major		Audit Log filled with constant change messages
621524-2	3-Major		Processing Timeout When Viewing a Request with 300+ Violations
620635-2	3-Major		Request having upper case JSON login parameter is not detected as a failed login attempt
611151-2	3-Major		An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
608245	3-Major		Reporting missing parameter details when attack signature is matched against parameter value
581406-1	3-Major		SQL Error on Peer Device After Receiving ASM Sync in a Device Group
580168-4	3-Major		Information missing from ASM event logs after a switchboot and switchboot back
576591-6	3-Major		Support for some future credit card number ranges
572885-1	3-Major		Policy automatic learning mode changes to manual after failover
392121-3	3-Major		TMSH Command to retrieve the memory consumption of the bd process
642874-1	4-Minor	K15329152	Ready to be Enforced filter for Policy Signatures returns too many signatures

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
634215-1	2-Critical		False detection of attack after restarting dosl7d
573764-1	2-Critical		In some cases, only primary blade retains it's statistics after upgrade on multi bladed system
642221-2	3-Major		Incorrect entity is used when exporting TCP analytics from GUI
641574	3-Major	K06503033	AVR doesn't report on virtual and client IP in DNS statistics
635561-1	3-Major		Heavy URLs statistics are not shown after upgrade.
631722	3-Major		Some HTTP statistics not displayed after upgrade
631131-3	3-Major		Some tmstat-adapters based reports stats are incorrect
605010-1	3-Major		Thrift::TException error
560114-6	3-Major		Monpd is being affected by an I/O issue which makes some of its threads freeze

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
645339-2	1-Blocking		TMM may crash when processing APM data
637308-8	2-Critical	K41542530	apmd may crash when HTTP Auth agent is used in an Access Policy
632005-1	2-Critical		BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
622244-2	2-Critical		Edge client can fail to upgrade when always connected is selected
617310-2	2-Critical		Edge client can fail to upgrade when Always Connected is selected★
614322-1	2-Critical	K31063537	TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
608424-2	2-Critical		Dynamic ACL agent error log message contains garbage data
608408-2	2-Critical		TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
593078-1	2-Critical		CATEGORY::filetype command may cause tmm to crash and restart
643547-1	3-Major	K43036745	APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
638799-1	3-Major		Per-request policy branch expression evaluation fails
638780-3	3-Major		Handle 302 redirects for VMware Horizon View HTML5 client
636044-1	3-Major	K68018520	Large number of glob patterns affects custom category lookup performance
634576	3-Major	K48181045	TMM core in per-request policy
634252	3-Major	K99114539	TMM crash with per-request policy in SWG explicit
632504-1	3-Major	K31277424	APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499-1	3-Major	K70551821	APM Policy Sync: Resources under webtop section are not sync'ed automatically
632472-1	3-Major		Frequently logged "Silent flag set - fail" messages
632386-1	3-Major		EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
630571-1	3-Major	K35254214	Edge Client on Mac OSX Sierra stuck in a reconnect loop
629801-2	3-Major		Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.
629698-1	3-Major		Edge client stuck on "Initializing" state
629069-2	3-Major		Portal Access may delete scripts from HTML page in some cases
628687-2	3-Major		Edge Client reconnection issues with captive portal
628685-2	3-Major	K79361498	Edge Client shows several security warnings after roaming to a network with Captive Portal
627972-2	3-Major	K11327511	Unable to save advanced customization when using Exchange iApp
627059-1	3-Major		In some rare cases TMM may crash while handling VMware View client connection
626910-1	3-Major		Policy with assigned SAML Resource is exported with error
625474-1	3-Major		POST request body is not saved in session variable by access when request is sent using edge client
625159-1	3-Major		Policy sync status not shown on standby device in HA case
624966-2	3-Major		Edge client starts new APM session when Captive portal session expire
623562-3	3-Major		Large POSTs rejected after policy already completed
622790-1	3-Major		EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
621976-4	3-Major		OneDrive for Business thick client shows javascript errors when rendering APM logon page
621974-4	3-Major		Skype For Business thick client shows javascript errors when rendering APM logon page
621447-1	3-Major		In some rare cases, VDI may crash
621210-2	3-Major		Policy sync shows as aborted even if it is completed
621126-2	3-Major		Import of config with saml idp connector with reuse causes certificate not found error
620829-2	3-Major		Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
620801-3	3-Major		Access Policy is not able to check device posture for Android 7 devices
620614-4	3-Major		Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-1	3-Major		HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-2	3-Major		Machine Cert OCSP check fails with multiple Issuer CA
619486-3	3-Major		Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-2	3-Major		Browser may hang at APM session logout
618170-3	3-Major		Some URL unwrapping functions can behave bad
617063-1	3-Major		After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
617002-1	3-Major		SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838-3	3-Major		Citrix Remote desktop resource custom parameter name does not accept hyphen character
615970-1	3-Major		SSO logging level may cause failover
615254-2	3-Major		Network Access Launch Application item fails to launch in some cases
612419-1	3-Major		APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
611968-3	3-Major		JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
611669-4	3-Major		Mac Edge Client customization is not applied on macOS 10.12 Sierra
610180-2	3-Major		SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.
597214-5	3-Major		Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
595819-1	3-Major		Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached,
595272-1	3-Major		Edge client may show a windows displaying plain text in some cases
591246-1	3-Major		Unable to launch View HTML5 connections in non-zero route domain virtual servers
584582-1	3-Major		JavaScript: 'baseURI' property may be handled incorrectly
570217-2	3-Major		BIG-IP APM now uses Airwatch v2 API to retreive device posture information
533956-3	3-Major	K30515450	Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
503842-4	3-Major		MS WebService html component doesn't work after rewriting
640521-1	4-Minor		EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636254-2	4-Minor		Cannot reinitiate a sync on a target device when sync is completed
618404-1	4-Minor		Access Profile copying might end up in invalid way if series of names.
606257-3	4-Minor	K56716107	TCP FIN sent with Connection: Keep-Alive header for webtop page resources

WebAccelerator Fixes

ID Number	Severity	Solution Article(s)	Description
630661-2	3-Major	K30241432	WAM may leak memory when a WAM policy node has multiple variation header rules

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
644970-1	2-Critical		Editing a virtual server config loses SSL encryption on iSession connections
644489-1	3-Major	K14899014	Unencrypted iSession connection established even though data-encrypt configured in profile

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
639236-1	2-Critical	K66947004	Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
624023-3	2-Critical		TMM cores in iRule when accessing a SIP header that has no value
569316-1	2-Critical		Core occurs on standby in MRF when routing to a route using a transport config
649933-1	3-Major		Fragmented RADIUS messages may be dropped
629663-1	3-Major	K23210890	CGNAT SIP ALG will drop SIP INVITE
625542-1	3-Major		SIP ALG with Translation fails for REGISTER refresh.
625098-3	3-Major		SCTP::local_port iRule not supported in MRF events
601255-4	3-Major		RTSP response to SETUP request has incorrect client_port attribute

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
632731-2	2-Critical		specific external logging configuration can cause TMM service restart
628623-1	2-Critical		tmm core with AFM provisioned
639193-1	3-Major	K03453591	BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.
631025-1	3-Major		500 internal error on inline rule editor for certain firewall policies
627907-1	3-Major		Improve cURL usage
626438-1	3-Major		Frame is not showing in the browser and/ or an error appears
614563-3	3-Major		AVR TPS calculation is inaccurate
610129-3	3-Major	K43320840	Config load failure when cluster management IP is not defined, but instead uses address-list.
592113-5	3-Major		tmm core on the standby unit with dos vectors configured
590805-4	3-Major		Active Rules page displays a different time zone.
583024-1	3-Major		TMM restart rarely during startup
431840-3	3-Major		Cannot add vlans to whitelist if they contain a hyphen

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
627257-2	2-Critical		Potential PEM crash during a Gx operation
626851-2	2-Critical	K37665112	Potential crash in a multi-blade chassis during CMP state changes.
624744-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624733-1	2-Critical		Potential crash in a multi-blade chassis during CMP state changes.
624228-1	2-Critical		Memory leak when using insert action in pem rule and flow gets aborted
623922-5	2-Critical	K64388805	TMM failure in PEM while processing Service-Provider Disaggregation
641482-2	3-Major		Subscriber remains in delete pending state until CCR-t ack has success as result code is received
640510-3	3-Major		BWC policy category attachment may fail during a PEM policy update for a subscriber.
640457-2	3-Major		Session Creation failure after HA
635233-3	3-Major		Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
630611-1	3-Major	K84324392	PEM module crash when subscriber not fund
627798-3	3-Major		Buffer length check for quota bucket objects
627279-2	3-Major		Potential crash in a multi-blade chassis during CMP state changes.
623927-2	3-Major	K41337253	Flow entry memory leaked after DHCP DORA process
564281-3	3-Major		TMM (debug) assert seen during Failover with Gy
628869-4	4-Minor		Unconditional logs seen due to the presence of a PEM iRule.

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
609788	2-Critical		PCP may pick an endpoint outside the deterministic mapping
642284	3-Major		Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
629871-2	3-Major		FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
639750-1	2-Critical		username aliases are not supported
636370	3-Major		Application Layer Encryption AJAX support
629627-1	3-Major		FPS Log Publisher is not grouped nor filtered by partition
629127-1	3-Major		Parent profiles cannot be saved using FPS GUI
628348-1	3-Major		Cannot configure any Mobile Security list having 11 records or more via the GUI
628337-1	3-Major		Forcing a single injected tag configuration is restrictive
625275-1	3-Major		Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
624198-1	3-Major		Unable to add multiple User-Defined alerts with the same search category
623518-1	3-Major		Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
594127-2	3-Major		Pages using Angular may hang when Websafe is enabled
635541	4-Minor		"Application CSS Locations" is not inherited if changing parent profile

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
625172-1	2-Critical		tmm crashes when classification is enabled and ftp traffic is flowing trough the box
631472-1	3-Major		Reseting classification signatures to default may result in non-working configuration

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
606518-3	2-Critical		iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.
642983-1	3-Major	K94534313	Update to max message size limit doesn't work sometimes
629845-2	3-Major		Disallowing TLSv1 connections to HTTP causes iControl/REST issues
626542-2	3-Major		Unable to set maxMessageBodySize in iControl REST after upgrade★

Cumulative fixes from BIG-IP v12.1.2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
618306-2	CVE-2016-9247	K33500120	TMM vulnerability CVE-2016-9247
616864-1	CVE-2016-2776	K18829561	BIND vulnerability CVE-2016-2776
613282-2	CVE-2016-2086, CVE-2016-2216, CVE-2016-1669	K15311661	NodeJS vulnerability CVE-2016-2086
611469-3	CVE-2016-7467	K95444512	Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-2	CVE-2016-9252	K46535047	Improper handling of IP options
591328-7	CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109	K36488941	OpenSSL vulnerability CVE-2016-2106
591325-8	CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109	K75152412	OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
591042-17	CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109	K23230229	OpenSSL vulnerabilities
560109-7	CVE-2017-6160	K19430431	Client capabilities failure
618549-1	CVE-2016-9249	K71282001	Fast Open can cause TMM crash CVE-2016-9249
618263-1	CVE-2016-2182	K01276005	OpenSSL vulnerability CVE-2016-2182
614147-1	CVE-2017-6157	K02692210	SOCKS proxy defect resolution
614097-1	CVE-2017-6157	K02692210	HTTP Explicit proxy defect resolution
607314-1	CVE-2016-3500, CVE-2016-3508	K25075696	Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
605039-3	CVE-2016-2775	K92991044	lwresd and bind vulnerability CVE-2016-2775
601059-6	CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449	K14614344	libxml2 vulnerability CVE-2016-1840
597023-1	CVE-2016-4954	K82644737	NTP vulnerability CVE-2016-4954
595242-1	CVE-2016-3705	K54225343	libxml2 vulnerabilities CVE-2016-3705
595231-1	CVE-2016-3627	K54225343	libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
594496-1	CVE-2016-4539	K35240323	PHP Vulnerability CVE-2016-4539
593447-1	CVE-2016-5024	K92859602	BIG-IP TMM iRules vulnerability CVE-2016-5024
592485	CVE-2015-5157 CVE-2015-8767	K17326	Linux kernel vulnerability CVE-2015-5157
592001-1	CVE-2016-4071 CVE-2016-4073	K64412100	CVE-2016-4073 PHP vulnerabilities
591455-7	CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518	K24613253	NTP vulnerability CVE-2016-2516
591447-1	CVE-2016-4070	K42065024	PHP vulnerability CVE-2016-4070
591358-1	CVE-2016-3425 CVE-2016-0695 CVE-2016-3427	K81223200	Oracle Java SE vulnerability CVE-2016-3425
585424-1	CVE-2016-1979	K20145801	Mozilla NSS vulnerability CVE-2016-1979
580747-1	CVE-2016-0739	K57255643	libssh vulnerability CVE-2016-0739
557190-3	CVE-2017-6166	K65615624	'packet_free: double free!' tmm core
597010-1	CVE-2016-4955	K03331206	NTP vulnerability CVE-2016-4955
596997-1	CVE-2016-4956	K64505405	NTP vulnerability CVE-2016-4956
591767-8	CVE-2016-1547	K11251130	NTP vulnerability CVE-2016-1547
591438-7	CVE-2015-8865	K54924436	PHP vulnerability CVE-2015-8865
575629-3	CVE-2015-8139	K00329831	NTP vulnerability: CVE-2015-8139
573343-1	CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158	K01324833	NTP vulnerability CVE-2015-8158

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
615377-3	3-Major		Unexpected rate limiting of unreachable and ICMP messages for some addresses.
599536-1	3-Major		IPsec peer with wildcard selector brings up wrong phase2 SAs
590122-2	3-Major		Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
581438-2	3-Major		Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
561348-7	3-Major		krb5.conf file is not synchronized between blades and not backed up
541549-2	3-Major		AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-3	3-Major		OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
246726-1	3-Major	K8940	System continues to process virtual server traffic after disabling virtual address
599839-3	4-Minor		Add new keyords to SIP::persist command to specify how Persistence table is updated
591733-4	4-Minor	K83175883	Save on Auto-Sync is missing from the configuration utility.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
625784	1-Blocking		TMM crash on i4x00 and i2x00 platforms with large ASM configuration.
617622	1-Blocking		In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
621422	2-Critical		i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
620056-1	2-Critical		Assert on deletion of paired in-and-out IPsec traffic selectors
617935	2-Critical		IKEv2 VPN tunnels fail to establish
617481-1	2-Critical		TMM can crash when HTML minification is configured
614865-5	2-Critical		Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
610354-1	2-Critical		TMM crash on invalid memory access to loopback interface stats object
605476-3	2-Critical		statsd can core when reading corrupt stats files.
601527-4	2-Critical		mcpd memory leak and core
600894-1	2-Critical		In certain situations, the MCPD process can leak memory
598748	2-Critical		IPsec AES-GCM IVs are now based on a monotonically increasing counter
598697-1	2-Critical		vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created★
595712-1	2-Critical		Not able to add remote user locally
591495-2	2-Critical		VCMP guests sflow agent can crash due to duplicate vlan interface indices
591104-1	2-Critical		ospfd cores due to an incorrect debug statement.
588686	2-Critical		High-speed logging to remote logging node stops sending logs after all logging nodes go down
587698-3	2-Critical		bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
585745-2	2-Critical		sod core during upgrade from 10.x to 12.x.
583936-5	2-Critical		Removing ECMP route from BGP does not clear route from NSM
557680-4	2-Critical		Fast successive MTU changes to IPsec tunnel interface crashes TMM
355806-7	2-Critical		Starting mcpd manually at the command line interferes with running mcpd
622877-1	3-Major		i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
622199	3-Major		sys-icheck reports error with /var/lib/waagent
622194	3-Major		sys-icheck reports error with ssh_host_rsa_key
621423	3-Major		sys-icheck reports error with /config/ssh/ssh_host_dsa_key
621242-1	3-Major		Reserve enough space in the image for future upgrades.
621225	3-Major		LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
620782	3-Major		Azure cloud now supports hourly billing
619410-1	3-Major		TMM hardware accelerated compression not registering for all compression levels.
617986-2	3-Major		Memory leak in snmpd
617229-1	3-Major	K54245014	Local policy rule descriptions disappear when policy is re-saved
616242-3	3-Major	K39944245	basic_string::compare error in encrypted SSL key file if the first line of the file is blank★
614530-2	3-Major		Dynamic ECMP routes missing from Linux host
614180-1	3-Major		ASM is not available in LTM policy when ASM is licensed as the main active module
610441-3	3-Major		When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
610352-1	3-Major		sys-icheck reports error with /etc/sysconfig/modules/unic.modules
610350-1	3-Major		sys-icheck reports error with /config/bigpipe/defaults.scf
610273-3	3-Major		Not possible to do targeted failover with HA Group configured
605894-3	3-Major		Remote authentication for BIG-IP users can fail
603149-2	3-Major		Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
602854-8	3-Major		Missing ASM control option from LTM policy rule screen in the Configuration utility
602502-2	3-Major		Unable to view the SSL Cert list from the GUI
601989-3	3-Major	K88516119	Remote LDAP system authenticated username is case sensitive★
601893-2	3-Major		TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.
601502-4	3-Major		Excessive OCSP traffic
600558-5	3-Major		Errors logged after deleting user in GUI
599816-2	3-Major		Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
598443-1	3-Major		Temporary files from TMSH not being cleaned up intermittently.
598039-6	3-Major		MCP memory may leak when performing a wildcard query
597729-5	3-Major		Errors logged after deleting user in GUI
596104-1	3-Major	K84539934	HA trunk unavailable for vCMP guest★
595773-4	3-Major		Cancellation requests for chunked stats queries do not propagate to secondary blades
594426-2	3-Major		Audit forwarding Radius packets may be rejected by Radius server
592870-2	3-Major		Fast successive MTU changes to IPsec tunnel interface crashes TMM
592320-5	3-Major		ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
589083-2	3-Major		TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
586878-4	3-Major		During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.★
585833-3	3-Major		Qkview will abort if /shared partition has less than 2GB free space
585547-1	3-Major	K58243048	NTP configuration items are no longer collected by qkview★
585485-3	3-Major		inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system
584583-3	3-Major		Timeout error when attempting to retrieve large dataset.
583285-5	3-Major	K24331010	BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-1	3-Major		BWC policy in device sync groups.
580500-1	3-Major		/etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
578551-5	3-Major		bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot
576305-7	3-Major		Potential MCPd leak in IPSEC SPD stats query code
575649-5	3-Major		MCPd might leak memory in IPFIX destination stats query
575591-6	3-Major		Potential MCPd leak in IKE message stats query code
575589-5	3-Major		Potential MCPd leak in IKE event stats query code
575587-7	3-Major		Potential MCPd leak in BWC policy class stats query code
575176-1	3-Major		Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
575066-1	3-Major		Management DHCP settings do not take effect
570818-4	3-Major		Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
568672-1	3-Major		Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
566507-4	3-Major		Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
553795-7	3-Major		Differing certificate/key after successful config-sync
547479-5	3-Major		Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-1	3-Major		Creating local user for previously remote user results in incomplete user definition.
540872-1	3-Major		Config sync fails after creating a partition.
527206-5	3-Major		Management interface may flap due to LOP sync error
393270-1	3-Major		Configuration utility may become non-responsive or fail to load.
618421	4-Minor		Some mass storage is left un-used
617124	4-Minor		Cannot map hardware type (12) to HardwareType enumeration
581835-1	4-Minor		Command failing: tmsh show ltm virtual vs_name detail.
567546-1	4-Minor		Files with file names larger than 100 characters are omitted from qkview
564771-1	4-Minor		cron sends purge_mysql_logs.pl email error on LTM-only device
564522-2	4-Minor	K40547220	cron is configured with MAILTO=root but mailhost defaults to 'mail'
559837-4	4-Minor		Misleading error message in catalina.out when listing certificates.
551349-5	4-Minor	K80203854	Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade★
460833-5	4-Minor		MCPD sync errors and restart after multiple modifications to file object in chassis
572133-5	5-Cosmetic		tmsh save /sys ucs command sends status messages to stderr
442231-4	5-Cosmetic		Pendsect log entries have an unexpected severity

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618905-1	1-Blocking		tmm core while installing Safenet 6.2 client
616215-4	2-Critical		TMM can core when using LB::detach and TCP::notify commands in an iRule
615388-1	2-Critical		L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
612229-1	2-Critical		TMM may crash if LTM a disable policy action for 'LTM Policy' is not last
609628-2	2-Critical		CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
609199-6	2-Critical		Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
608555-1	2-Critical		Configuring asymmetric routing with a VE rate limited license will result in tmm crash
607724-2	2-Critical	K25713491	TMM may crash when in Fallback state.
607524-2	2-Critical		Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
607360-5	2-Critical		Safenet 6.2 library missing after upgrade★
606573-3	2-Critical		FTP traffic does not work through SNAT when configured without Virtual Server★
605865-4	2-Critical		Debug TMM produces core on certain ICMP PMTUD packets
604133-2	2-Critical		Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603032-1	2-Critical		clientssl profiles with sni-default enabled may leak X509 objects
602326-1	2-Critical		Intermittent pkcs11d core when installing Safenet 6.2 software
599135-2	2-Critical		B2250 blades may suffer from high TMM CPU utilisation with tcpdump
588959-2	2-Critical	K34453301	TMM may crash or behave abnormally on a Standby BIG-IP unit
588351-5	2-Critical		IPv6 fragments are dropped when packet filtering is enabled.
586449-1	2-Critical		Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
584213-1	2-Critical		Transparent HTTP profiles cannot have iRules configured
575011-1	2-Critical	K21137299	Memory leak. Nitrox3 Hang Detected.
574880-3	2-Critical		Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
549329-3	2-Critical	K02020031	L7 mirrored ACK from standby to active box can cause tmm core on active
545810-3	2-Critical		ASSERT in CSP in packet_reuse
459671-4	2-Critical		iRules source different procs from different partitions and executes the incorrect proc.
617862-2	3-Major		Fastl4 handshake timeout is absolute instead of relative
617824-3	3-Major		"SSL::disable/enable serverside" + oneconnect reuse is broken
615143-1	3-Major		VDI plugin-initiated connections may select inappropriate SNAT address
613429-2	3-Major		Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613369-4	3-Major		Half-Open TCP Connections Not Discoverable
613079-4	3-Major		Diameter monitor watchdog timeout fires after only 3 seconds
613065-1	3-Major		User can't generate netHSM key with Safenet 6.2 client using GUI
612040-4	3-Major		Statistics added for all crypto queues
611320-3	3-Major		Mirrored connection on Active unit of HA pair may be unexpectedly torndown
610609-3	3-Major		Total connections in bigtop, SNMP are incorrect
608024-3	3-Major		Unnecessary DTLS retransmissions occur during handshake.
607803-3	3-Major	K33954223	DTLS client (serverssl profile) fails to complete resumed handshake.
607304-5	3-Major		TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606940-3	3-Major		Clustered Multiprocessing (CMP) peer connection may not be removed
606575-6	3-Major		Request-oriented OneConnect load balancing ends when the server returns an error status code.
606565-2	3-Major	K52231531	TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
604977-2	3-Major	K08905542	Wrong alert when DTLS cookie size is 32
603236-1	3-Major		1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602385-1	3-Major		Add zLib compression
602366-1	3-Major		Safenet 6.2 HA performance
602358-5	3-Major		BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version
601496-4	3-Major		iRules and OCSP Stapling
601178-6	3-Major		HTTP cookie persistence 'preferred' encryption
598874-2	3-Major		GTM Resolver sends FIN after SYN retransmission timeout
597978-2	3-Major		GARPs may be transmitted by active going offline
597879-1	3-Major		CDG Congestion Control can lead to instability
597532-1	3-Major		iRule: RADIUS avp command returns a signed integer
597089-8	3-Major		Connections are terminated after 5 seconds when using ePVA full acceleration
593530-6	3-Major		In rare cases, connections may fail to expire
592784-2	3-Major		Compression stalls, does not recover, and compression facilities cease.
592497-1	3-Major		Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591659-5	3-Major	K47203554	Server shutdown is propagated to client after X-Cnection: close transformation.
591476-7	3-Major	K53220379	Stuck crypto queue can erroneously be reported
591343-5	3-Major	K03842525	SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
589223-1	3-Major		TMM crash and core dump when processing SSL protocol alert.
588115-1	3-Major		TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-3	3-Major		SSL resumed connections may fail during mirroring
587016-3	3-Major		SIP monitor in TLS mode marks pool member down after positive response.
585813-3	3-Major		SIP monitor with TLS mode fails to find cert and key files.
585412-4	3-Major		SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
583957-6	3-Major		The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582465-1	3-Major		Cannot generate key after SafeNet HSM is rebooted
580303-5	3-Major		When going from active to offline, tmm might send a GARP for a floating address.
579843-1	3-Major		tmrouted may not re-announce routes after a specific succession of failover states
579371-4	3-Major	K70126130	BIG-IP may generate ARPs after transition to standby
578951-2	3-Major		TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
572281-5	3-Major		Variable value in the nesting script of foreach command get reset when there is parking command in the script
570057-2	3-Major		Can't install more than 16 SafeNet HSMs in its HA group
569288-6	3-Major		Different LACP key may be used in different blades in a chassis system causing trunking failures
565799-4	3-Major		CPU Usage increases when using masquerade addresses
551208-6	3-Major		Nokia alarms are not deleted due to the outdated alert_nokia.conf.
550161-4	3-Major		Networking devices might block a packet that has a TTL value higher than 230.
545796-5	3-Major		[iRule] [Stats] iRule is not generating any stats for executed iRules.
545450-5	3-Major		Log activation/deactivation of TM.TCPMemoryPressure
537553-8	3-Major		tmm might crash after modifying virtual server SSL profiles in SNI configuration
534457-4	3-Major		Dynamically discovered routes might fail to remirror connections.
530266-7	3-Major		Rate limit configured on a node can be exceeded
506543-5	3-Major		Disabled ephemeral pool members continue to receive new connections
483953-1	3-Major		Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
472571-7	3-Major		Memory leak with multiple client SSL profiles.
464801-3	3-Major		Intermittent tmm core
423392-6	3-Major		tcl_platform is no longer in the static:: namespace
371164-1	3-Major		BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs.
225634-1	3-Major		The rate class feature does not honor the Burst Size setting.
598860-4	4-Minor		IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587676-2	4-Minor		SMB monitor fails due to internal configuration issue
560471-1	4-Minor		Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
544033-5	4-Minor	K30404012	ICMP fragmentation request is ignored by BIG-IP
222034-4	4-Minor		HTTP::respond in LB_FAILED with large header/body might result in truncated response

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
510631-1	3-Major		B4450 L4 No ePVA or L7 throughput lower than expected

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
603598-3	2-Critical		big3d memory under extreme load conditions
587656-2	2-Critical		GTM auto discovery problem with EHF for ID574052
587617-1	2-Critical		While adding GTM server, failure to configure new IP on existing server leads to gtmd core
615338-2	3-Major		The value returned by "matchregion" in an iRule is inconsistent in some cases.
613576-1	3-Major		QOS load balancing links display as gray
613045-7	3-Major		Interaction between GTM and 10.x LTM results in some virtual servers marked down
607658-1	3-Major		GUI becomes unresponsive when managing GSLB Pool
589256-1	3-Major		DNSSEC NSEC3 records with different type bitmap for same name.
588289-1	3-Major		GTM is Re-ordering pools when adding pool including order designation
584623-2	3-Major		Response to -list iRules command gets truncated when dealing with MX type wide IP
574052-4	3-Major		GTM autoconf can cause high CPU usage for gtmd
370131-4	3-Major		Loading UCS with low GTM Autoconf Delay drops pool Members from config

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609499-1	2-Critical		Compiled signature collections use more memory than prior versions
603945-2	2-Critical		BD config update should be considered as config addition in case of update failure
588087-1	2-Critical		Attack prevention isn't escalating under some conditions in session opening mitigation
587629-2	2-Critical		IP exceptions may have issues with route domain
575133-1	2-Critical		asm_config_server_rpc_handler_async.pl SIGSEGV and core
622386-1	3-Major		Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
616169	3-Major		ASM Policy Export returns HTML error file
613396-1	3-Major		Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
611385-1	3-Major		"Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
609496-2	3-Major		Improved diagnostics in BD config update (bd_agent) added
608509-1	3-Major		Policy learning is slow under high load
604923-5	3-Major		REST id for Signatures change after update
604612-1	3-Major	K20323120	Modified ASM cookie violation happens after upgrade to 12.1.x★
602221-2	3-Major		Wrong parsing of redirect Domain
584642-1	3-Major		Apply Policy Failure
584103-2	3-Major		FPS periodic updates (cron) write errors to log
582683-2	3-Major		xpath parser doesn't reset a namespace hash value between each and every scan
582133-1	3-Major		Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
581315-1	3-Major		Selenium detection not blocked
579917-1	3-Major		User-defined signature set cannot be created/updated with Signature Type = "All"
579495-1	3-Major		Error when loading Upgrade UCS★
521204-2	3-Major		Include default values in XML Policy Export

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
602654-2	2-Critical		TMM crash when using AVR lookups
602434-1	2-Critical		Tmm crash with compressed response
601056	2-Critical		TCP-Analytics, error message not using rate-limit mechanism can halt TMM
622735	3-Major		TCP Analytics statistics does not list all virtual servers
618944-1	3-Major		AVR statistic is not save during the upgrade process
601035	3-Major		TCP-Analytics can fail to collect all the activity

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
618506	2-Critical		TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
618324-1	2-Critical		Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
592868-3	2-Critical		Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-3	2-Critical		APM ACL construction may cause TMM to core if TMM is out of memory
569563-3	2-Critical		Sockets resource leak after loading complex policy
619250-1	3-Major		Returning to main menu from "RSS Feed" breaks ribbon
617187-1	3-Major		APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
614891-2	3-Major		Routing table doesn't get updated when EDGE client roams among wireless networks
613613-2	3-Major		Incorrect handling of form that contains a tag with id=action
611922-1	3-Major		Policy sync fails with policy that includes custom CA Bundle.
611240-3	3-Major		Import of config with securid might fail
610224-3	3-Major		APM client may fetch expired certificate when a valid and an expired certificate co-exist
608941-1	3-Major		AAA RADIUS system authentication fails on IPv6 network
604767-1	3-Major		Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.
601905-1	3-Major		POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600119-3	3-Major		DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
598981-3	3-Major	K06913155	APM ACL does not get enforced all the time under certain conditions
598211-1	3-Major		Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-2	3-Major		VPN establishment may fail when computer wakes up from sleep
596116-3	3-Major		LDAP Query does not resolve group membership, when required attribute(s) specified
595227-1	3-Major		SWG Custom Category: unable to have a URL in multiple custom categories
594288-1	3-Major		Access profile configured with SWG Transparent results in memory leak.
592414-4	3-Major		IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
591840-1	3-Major		encryption_key in access config is NULL in whitelist
591590-1	3-Major		APM policy sync results are not persisted on target devices
591268-1	3-Major		VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
590820-3	3-Major		Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
588888-3	3-Major	K80124134	Empty URI rewriting is not done as required by browser.
586718-1	3-Major		Session variable substitutions are logged
586006-1	3-Major		Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-3	3-Major		VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
583113-1	3-Major		NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-3	3-Major		Macrocall could be topologically not connected with the rest of policy.★
582526-3	3-Major		Unable to display and edit huge policies (more than 4000 elements)
580893-2	3-Major	K08731969	Support for Single FQDN usage with Citrix Storefront Integration mode
573643-3	3-Major		flash.utils.Proxy functionality is not negotiated
572558-1	3-Major		Internet Explorer: incorrect handling of document.write() to closed document
569309-3	3-Major		Clientside HTML parser does not recognize HTML event attributes without value
562636-2	3-Major	K05489319	Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
525429-11	3-Major		DTLS renegotiation sequence number compatibility
455975-1	3-Major		Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
389484-6	3-Major		OAM reporting Access Server down with JDK version 1.6.0_27 or later
386517-1	3-Major		Multidomain SSO requires a default pool be configured
238444-3	3-Major	K14219	An L4 ACL has no effect when a layered virtual server is used.
605627	4-Minor		Selinux denial seen for apmd when it is being shutdown.
584373-2	4-Minor		AD/LDAP resource group mapping table controls are not accessible sometimes
573611-1	4-Minor		Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
557411-1	4-Minor		Full Webtop resources appear overlapping in IE11 compatibility mode

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
619757-1	2-Critical		iSession causes routing entry to be prematurely freed

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
613297-3	2-Critical		Default generic message routing profile settings may core
612135-3	2-Critical		Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
603397-2	2-Critical		tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config
596631-2	2-Critical		SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
609575-5	3-Major		BIG-IP drops ACKs containing no max-forwards header
609328-3	3-Major	K53447441	SIP Parser incorrectly parsers empty header
607713-3	3-Major		SIP Parser fails header with multiple sequential separators inside quoted string.
603019-3	3-Major		Inserted SIP VIA branch parameter not unique between INVITE and ACK
599521-5	3-Major		Persistence entries not added if message is routed via an iRule
598854-3	3-Major		sipdb tool incorrectly displays persistence records without a pool name
598700-6	3-Major		MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-3	3-Major	K12228503	Branch parameter in inserted VIA header not consistent as per spec
583010-4	3-Major		Sending a SIP invite with 'tel' URI fails with a reset
578564-4	3-Major		ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-4	3-Major		ADAPT recursive loop when handling successive iRule events
566576-6	3-Major		ICAP/OneConnect reuses connection while previous response is in progress
401815-1	3-Major		BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic
585807-2	4-Minor		'ICAP::method <method>' iRule is documented but is read-only
561500-4	4-Minor		ICAP Parsing improvement

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
612874-1	2-Critical		iRule with FLOW_INIT stage execution can cause TMM restart
609095-1	2-Critical		mcpd memory grows when updating firewall rules
622281-1	3-Major		Network DoS logging configuration change can cause TMM crash
621808-1	3-Major		Proactive Bot Defense failing in IE11 with Compatibility View enabled
614284-2	3-Major		Performance fix to not reset a data structure in the packet receive hotpath.
613459-1	3-Major		Non-common browsers blocked by Proactive Bot Defense
610857-1	3-Major		DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
610830-1	3-Major		FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.
608566-1	3-Major		The reference count of NW dos log profile in tmm log is incorrect
606875-1	3-Major		DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
605427-1	3-Major		TMM may crash when adding and removing virtual servers with security log profiles
601924-1	3-Major		Selenium detection by ports scanning doesn't work even if the ports are opened
596502-1	3-Major		Unable to force Bot Defense action to Allow in iRule
594869-4	3-Major		AFM can log DoS attack against the internal mpi interface and not the actual interface
594075-2	3-Major		Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
586070	3-Major		'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
585823-1	3-Major		FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)
501892-1	3-Major		Selenium is not detected by headless mechanism when using client version without server

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
609005-2	1-Blocking		Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
611467-3	2-Critical		TMM coredump at dhcpv4_server_set_flow_key().
608009-1	2-Critical		Crash: Tmm crashing when active system connections are deleted from cli
603825-2	2-Critical		Crash when a Gy update message is received by a debug TMM
593070-2	2-Critical		TMM may crash with multiple IP addresses per session
472860-5	2-Critical		RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
623491-2	3-Major		After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
622220-2	3-Major		Disruption during manipulation of PEM data with suspected flow irregularity
618657-4	3-Major		Bogus ICMP unreachable messages in PEM with ipother profile in use
617014-3	3-Major		tmm core using PEM
608742-2	3-Major	K48561135	DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
608591-1	3-Major		Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
592070-5	3-Major		DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-3	3-Major	K60250444	PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-5	3-Major	K56504204	DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
606066-2	2-Critical		LSN_DELETE messages may be lost after HA failover
605525-1	2-Critical		Deterministic NAT combined with NAT64 may cause a TMM core
587106-1	2-Critical		Inbound connections are reset prematurely when zombie timeout is configured.
602171-1	3-Major		TMM may core when remote LSN operations time out

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
617648	2-Critical		Surfing with IE8 sometimes results with script error
603234-3	2-Critical		Performance Improvements
597471	2-Critical		Some Alerts are sent with outdated username value
617688	3-Major		Encryption is not activated unless "real-time encryption" is selected
613671-2	3-Major		Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation
610897-2	3-Major		FPS generated request failure throw "unspecified error" error in old IE.
609098-1	3-Major		Improve details of ajax failure
604885-1	3-Major		Redirect/Route action doesn't work if there is an alert logging iRule
601083-1	3-Major		FPS Globally Forbidden Words lists freeze in IE 11
588058-3	3-Major		False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
609114-1	4-Minor		Add the ability to control dropping of alerts by before-load-function
605125-2	4-Minor		Sometimes, passwords fields are readonly
592274-3	4-Minor		RAT-Detection alerts sent with incorrect duration details

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588405-1	3-Major		BADOS - BIG-IP Self-protection during (D)DOS attack
608826-1	4-Minor		Greylist (bad actors list) is not cleaned when attack ends

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
624370-1	2-Critical		tmm crash during classification hitless upgrade if virtual server configuration is modified

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
621401	3-Major		When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
615824-1	3-Major		REST API calls to invalid REST endpoint log level change

Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
613127-3	CVE-2016-5696	K46514822	Linux TCP Stack vulnerability CVE-2016-5696

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
612564	1-Blocking		mysql does not start
618382-4	2-Critical		qkview may cause tmm to restart or may take 30 or more minutes to run
614766-1	3-Major		lsusb uses unknown ioctl and spams kernel logs
612952-1	3-Major		PSU FW revision not displayed correctly
611352	3-Major	K68092141	Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
610307	3-Major		Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
609325	3-Major		Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
606807-1	3-Major		i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
604459-1	3-Major		On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
597309-2	3-Major		Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
561444-1	3-Major		LCD might display incorrect output.
521270-1	3-Major		Hypervisor might replace vCMP guest SYN-Cookie secrets
434573-6	3-Major	K25051022	Tmsh 'show sys hardware' displays Platform ID instead of platform name
609677-1	4-Minor		Dossier warning 14
607857-1	4-Minor		Some information displayed in "list net interface" will be stale for interfaces that change bundle state
607200-1	4-Minor		Switch interfaces may seem up after bcm56xxd goes down
602061	4-Minor		i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
601309	4-Minor		Locator LED no longer persists across reboots
592716-1	4-Minor		BMC timezone value was not being synchronized by BIG-IP

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
597708-4	3-Major		Stats are unavailable and VCMP state and status is incorrect

Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
598294-1	CVE-2016-7472	K17119920	BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
601938-2	CVE-2016-7474	K52180214	MCPD stores certain data incorrectly

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
542097-4	2-Critical		Update to RHEL6 kernel
601927-1	4-Minor	K52180214	Security hardening of control plane

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
602653-1	2-Critical		TMM may crash after updating bot-signatures
599769	2-Critical		TMM may crash when managing APM clients.
605682-2	3-Major		With forward proxy enabled, sometimes the client connection will not complete.
599054-2	3-Major		LTM policies may incorrectly use those of another virtual server

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
585120-1	2-Critical		Memory leak in bd under rare scenario

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
596674-2	2-Critical		High memory usage when using CS features with gzip HTML responses.
575170-2	2-Critical		Analytics reports may not identify virtual servers correctly
590074-1	3-Major		Wrong value for TCP connections closed measure

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
603997	2-Critical		Plugin should not inject nonce to CSP header with unsafe-inline
594910-1	3-Major		FPS flags no cookie when length check fails
590608-1	3-Major		Alert is not redirected to alert server when unseal fails
590578-4	3-Major		False positive "URL error" alerts on URLs with GET parameters
593355	4-Minor		FPS may erroneously flag missing cookie
589318-1	4-Minor		Clicking 'Customize All' checkbox does not work.

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
603605-1	2-Critical		Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
608373-2	3-Major		Some iApp LX packages will not be saved during upgrade or UCS save/restore

Cumulative fixes from BIG-IP v12.1.1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
596488-1	CVE-2016-5118	K82747025	GraphicsMagick vulnerability CVE-2016-5118.
579955-6	CVE-2016-7475	K01587042	BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
587077-1	CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118	K37603172	Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
579220-1	CVE-2016-1950	K91100352	Mozilla NSS vulnerability CVE-2016-1950
570697-1	CVE-2015-8138	K71245322	NTP vulnerability CVE-2015-8138
580340-1	CVE-2016-2842	K52349521	OpenSSL vulnerability CVE-2016-2842
580313-1	CVE-2016-0799	K22334603	OpenSSL vulnerability CVE-2016-0799
579829-7	CVE-2016-0702	K79215841	OpenSSL vulnerability CVE-2016-0702
579085-6	CVE-2016-0797	K40524634	OpenSSL vulnerability CVE-2016-0797
578570-1	CVE-2016-0705	K93122894	OpenSSL Vulnerability CVE-2016-0705
569355-1	CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494	K50118123	Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
565895-1	CVE-2015-3217	K17235	Multiple PCRE Vulnerabilities
570667-2	CVE-2016-0701 CVE-2015-3197	K64009378	OpenSSL vulnerabilities

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
600811-2	3-Major		CATEGORY::lookup command change in behaviour★

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
606509-4	2-Critical		Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover★
595605	2-Critical		Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail★
591119	2-Critical		OOM with session messaging may result in TMM crash
601076	3-Major		Fix watchdog event for accelerated compression request overflow
597303	3-Major		"tmsh create net trunk" may fail
595693	3-Major		Incorrect PVA indication on B4450 blade
591261	3-Major		BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
590904-1	3-Major		New HA Pair created using serial cable failover only will remain Active/Active
589661	3-Major		PS2 power supply status incorrect after removal
588327	3-Major		Observe "err bcm56xxd' liked log from /var/log/ltm
587735	3-Major		False alarm on LCD indicating bad fan
587668	3-Major		LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
585332	3-Major		Virtual Edition network settings aren't pinned correctly on startup★
584670	3-Major		Output of tmsh show sys crypto master-key
584661	3-Major		Last good master key
584655	3-Major		platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
583177	3-Major		LCD text truncated by heartbeat icon on VIPRION
581945-2	3-Major		Device-group "datasync-global-dg" becomes out-of-sync every hour
581811	3-Major		The blade alarm LED may not reflect the warning that non F5 optics is used.
579529	3-Major		Stats file descriptors kept open in spawned child processes
578064	3-Major		tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade
578036-1	3-Major		incorrect crontab can cause large number of email alerts
573584	3-Major		CPLD update success logs at the same error level as an update failure
563592	3-Major		Content diagnostics and LCD
559655	3-Major		Post RMA, system does not display correct platform name regardless of license
555039-4	3-Major	K24458124	VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
539360	3-Major		Firmware update that includes might take over 15 minutes. Do not turn off device.
526708	3-Major		system_check shows fan=good on removed PSU of 4000 platform
433357	3-Major		Management NIC speed reported as 'none'
400778	3-Major		Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
400550	3-Major		LCD listener error during shutdown
587780	4-Minor		warning: HSBe2 XLMAC initial recovery failed after 11 retries.
478986	4-Minor		Powered down DC PSU is treated as not-present
418009	5-Cosmetic		Hardware data display inaccuracies

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
603700	2-Critical		tmm core on multiple SSL::disable calls
598052-1	2-Critical		SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
591139	2-Critical		TMM QAT segfault after zlib/QAT compression conflation.
585654	2-Critical		Enhanced implementation of AES in Common Criteria mode
579953	2-Critical		Updated the list of Common Criteria ciphersuites
584926-1	3-Major		Accelerated compression segfault when devices are all in error state.
566342	3-Major		Cannot set 10T-FD or 10T-HD on management port

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
599803	1-Blocking		TMM accelerated compression incorrectly destroying in-flight contexts.
588879-2	2-Critical		apmd crash under rare conditions with LDAP

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
581824-2	3-Major		"Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
588049-1	2-Critical		Improve detection of browser capabilities
585352-2	2-Critical		bruteForce record selfLink gets corrupted by change to brute force settings in GUI
585054-1	2-Critical		BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
583686-2	3-Major		High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
581991-1	3-Major		Logging filter for remote loggers doesn't work correctly with more than one logging profile
521370-1	3-Major		Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-4	3-Major		ASM policy creation fails with after upgrading

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
587419-1	3-Major		TMM may restart when SAML SLO is performed after APM session is closed
585442-2	3-Major		Provisioning APM to "none" creates a core file

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
596809-1	3-Major		It is possible to create ssh rules with blank space for auth-info
593925-1	3-Major		ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
593696-1	3-Major		Sync fails when deleting an ssh profile

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
584921-1	2-Critical		Inbound connections fail to keep port block alive

Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
600662-9	CVE-2016-5745	K64743453	NAT64 vulnerability CVE-2016-5745
599168-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-7	CVE-2016-5700	K35520031	BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-1	CVE-2013-0169 CVE-2016-6907	K14190 K39508724	TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Functional Change Fixes

None

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
604211-1	2-Critical	K72931250	License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.★
600859-2	2-Critical		Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.★
599033-5	2-Critical		Traffic directed to incorrect instance after network partition is resolved
595394-3	2-Critical		Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.★
606110-2	3-Major		BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-4	3-Major		HA Failover fails in certain valid AWS configurations
596603-2	3-Major		AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
600357-2	3-Major		bd crash when asm policy is removed from virtual during specific configuration change

Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
569467-5	CVE-2016-2084	K11772107	BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
591806-8	CVE-2016-3714	K03151140	ImageMagick vulnerability CVE-2016-3714
591918-2	CVE-2016-3718	K61974123	ImageMagick vulnerability CVE-2016-3718
591908-2	CVE-2016-3717	K29154575	ImageMagick vulnerability CVE-2016-3717
591894-2	CVE-2016-3715	K10550253	ImageMagick vulnerability CVE-2016-3715
591881-1	CVE-2016-3716	K25102203	ImageMagick vulnerability CVE-2016-3716

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
583631-2	1-Blocking		ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
590993	3-Major		Unable to load configs from /usr/libexec/aws/.
576478	3-Major		Enable support for the Purpose-Built DDoS Hybrid Defender Platform
544477	3-Major		New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
591039	2-Critical		DHCP lease is saved on the Custom AMI used for auto-scaling VE
590779	2-Critical		Rest API - log profile in json return does not include the partition but needs to
588140	2-Critical		Pool licensing fails in some KVM/OpenStack environments
587791-1	2-Critical		Set execute permission on /var/lib/waagent
565137	2-Critical	K12372003	Pool licensing fails in some KVM/OpenStack environments.
554713-2	2-Critical		Deployment failed: Failed submitting iControl REST transaction
592363	3-Major		Remove debug output during first boot of VE
592354	3-Major		Raw sockets are not enabled on Cloud platforms

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
592699-3	2-Critical		IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
594302-1	3-Major		Connection hangs when processing large compressed responses from server
592854-1	3-Major		Protocol version set incorrectly on serverssl renegotiation
592682-1	3-Major		TCP: connections may stall or be dropped
531979-6	3-Major		SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
582629-1	2-Critical		User Sessions lookups are not cleared, session stats show marked as invalid

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
590601-2	3-Major		BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
590428-1	3-Major		The "ACCESS::session create" iRule command does not work
590345-1	3-Major		ACCESS policy running iRule event agent intermittently hangs
585905-1	3-Major		Citrix Storefront integration mode with pass-through authentication fails
581834-5	3-Major		Firefox signed plugin for VPN, Endpoint Check, etc

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
588399-1	3-Major		BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
582374-1	3-Major		Multiple 'Loading state for virtual server' messages in admd.log
569121-1	3-Major		Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
547053-1	4-Minor		Bad actor quarantining

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
590795-1	2-Critical		tmm crash when loading default signatures or updating classification signature★

Cumulative fix details for BIG-IP v12.1.3.3 that are included in this release

707675 : FQDN nodes or pool members flap when DNS response received

Component: Local Traffic Manager

Symptoms:
When an LTM pool is configured with FQDN nodes or pool members, the LTM pool and associated virtual server(s) may transition from an UP to DOWN state and back over a period of a few seconds.

Such an event is accompanied by log messages similar to the following:

-- notice mcpd[#]: 01071682:5: SNMP_TRAP: Virtual /Common/vs_test has become unavailable
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from GREEN to RED.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
-- err mcpd[#]: 01020066:3: The requested Pool Member (/Common/Test_Pool /Common/test-dummy.com-12.34.56.78 443) already exists in partition Common.
-- notice bigd[##]: 01060144:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 session status enabled by monitor
-- notice bigd[##]: 01060145:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 monitor status up. [ /Common/mon_test_https: UP ] [ was checking for 0hr:0min:2sec ]
-- notice mcpd[#]: 01071681:5: SNMP_TRAP: Virtual /Common/vs_test has become available
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from RED to GREEN.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.

This symptom repeats each time a DNS query is performed to resolve the FQDN node/pool-member name to its IP addresses, based on the 'interval' value configured for the FQDN node.

This symptom occurs only when the 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Conditions:
-- LTM pool is configured with FQDN nodes or pool members.
-- The 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Impact:
LTM pool and virtual server are briefly and periodically marked DOWN. Traffic may be impacted.

Workaround:
Either of the following methods can be used to work around this issue:

-- Configure static IP addresses instead of FQDN nodes/pool-members.

-- Set the 'autopopulate' value to 'disabled' for the FQDN node/pool-member, if possible (that is, if only one IP address is required/expected to be returned for the FQDN name, which means that the 'autopopulate' feature of FQDN nodes/pool-members is not required).

Fix:
FQDN node/pool-member and corresponding pool and virtual server are no longer briefly marked DOWN when the DNS server is queried to resolve the FQDN name, with the 'autopopulate' feature enabled for the FQDN node/pool-member. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, the attacker must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-VCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

706086-1 : PAM RADIUS authentication subsystem hardening

Component: TMOS

Symptoms:
The RADIUS component of the PAM authentication subsystem does not follow current best practices.

Conditions:
RADIUS authentication enabled

Impact:
TMM may crash, leading to a failover event

Fix:
The RADIUS component of the PAM authentication subsystem now follows best practices.

704804-2 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.

704733-2 : NAS-IP-Address will be sent with the bytes backwards

Component: TMOS

Symptoms:
The NAS-IP-Address will have the address of the local device sent with the bytes backwards (78.56.30.172 where 172.30.56.78 would be expected).

Conditions:
This affects IPv4 addresses only.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.

Fix:
This has been corrected.

704490 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003

704483 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003

704073-3 : Repeated "bad transition" OOPS logging may appear in /var/log/ltm and /var/log/tmm

Component: Local Traffic Manager

Symptoms:
"bad transition" OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.

Conditions:
No definitive user-discernable conditions. Use of SSL functionality may cause this form of logging.

Impact:
Log pollution and potential for performance degradation.

Workaround:
The logging can be suppressed via 'tmsh modify sys db tmm.oops value silent'

Fix:
The "bad transition" OOPS logging has been demoted to debug builds only.

703984-2 : Machine Cert agent improperly matches hostname with CN and SAN

Component: Access Policy Manager

Symptoms:
The Machine Cert check improperly matches the hostname with CN and SAN. The option Match CN with FQDN should match the certificate's CN with the exact FQDN, but this option currently identifies the CN as a match with the FQDN even if only the initial characters of the FQDN match the CN.

Conditions:
Machine cert agent configured with 'match CN with FQDN' settings.

Impact:
Serious issue. Machine cert check passes for incorrect matches as well.

Workaround:
None.

703869-1 : Waagent updated to 2.2.21

Component: TMOS

Symptoms:
Microsoft updates waagent via an opensource process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.

Conditions:
Using Microsoft Azure.

Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.

Workaround:
None.

Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.

703429-1 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.

Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.

Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.

Workaround:
None.

Fix:
System now provides valid data to Citrix Receiver for Android client.

702946-2 : Added option to reset staging period for signatures

Component: Application Security Manager

Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.

Conditions:
Staging enabled for signatures in policy.

Impact:
There is a suggestion to enforce the signature before any traffic can influence this decision.

Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.

Note: Apply policy is required between actions.

Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.

701841-1 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space

Component: Application Security Manager

Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz ,is saved unnecessarily during UCS file save, and consumes /var disk space.

Conditions:
UCS file is saved.

Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.

Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.

Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.

701609 : Static member of pool with FQDN members may revert to user-disabled after being re-enabled

Component: Local Traffic Manager

Symptoms:
Within an LTM pool containing both FQDN members and members configured with static IP addresses; a statically-configured member that had been disabled (session = user-disabled) and then re-enabled (session = user-enabled) may become disabled again after making other changes affecting the state of other FQDN members of the pool.

Conditions:
This may occur under the following conditions:
- An LTM pool containing a mix of FQDN and statically-configured members.
- A statically-configured pool member is disabled (session = user-disabled) and then re-enabled (session = user-enabled).
- Other changes occur which affect the availability of FQDN pool members.
For example, if a route to an FQDN pool member is deleted and recreated, a previously-disabled statically-configured member may revert to a disabled state.

Depending on circumstances, the issue may only occur once after BIG-IP, TMM, bigd, or a related daemon restarts.

Impact:
A pool member may be unexpectedly disabled after being re-enabled, and thus would not receive traffic.

Workaround:
It may be possible to work around this issue by disabling and re-enabling the statically-configured pool member again.

Fix:
Statically-configured pool members of a pool that also contains FQDN members remain enabled after being manually disabled then re-enabled. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

701327-1 : failed configuration deletion may cause unwanted bd exit

Component: Application Security Manager

Symptoms:
Immediately after the deletion of a configuration fails, bd exists.

Conditions:
When deleting a configuration fails.

Impact:
Unwanted bd restart.

Workaround:
None.

Fix:
bd will exit upon a failed configuration only when configured to exit on failure.

701249-2 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.

700564-2 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled

Component: Application Security Manager

Symptoms:
When debugging a mobile device with ASM Device ID enabled, the Google Chrome browser console log contains JavaScript errors similar to the following: net::ERR_UNKNOWN_URL_SCHEME.

Note: In order to view the Chrome browser console log, you must use BrowserStack from a developer's console, or physically connect the phone by cable, enable 'usb debug',
enable 'device discovery' on Chrome on the desktop, and view the console from there.

Conditions:
-- ASM policy is attached on a virtual server with deviceID enabled.
-- Device ID collection request has been sent from a mobile device.
-- Chrome browser console log is opened.

Impact:
Mobile device app developers might be concerned about the errors, potentially asking about why the ASM JavaScript code attempts to access UNKNOWN_URL_SCHEME in a mobile device.

The errors occur because Device ID enabled on an ASM policy uses the JavaScript request URI argument 'chrome-extension' to detect the existence of malicious browser extension. However, Chrome on Android/iOS does not support 'chrome-extension'.

Workaround:
Disable Device ID in ASM policy.

Fix:
The system now avoids checking Chrome extensions on mobile devices, so no UNKNOWN_URL_SCHEME errors occur.

700556-2 : TMM may crash when processing WebSockets data

Component: Local Traffic Manager

Symptoms:
Under some circumstances, the Websockets filter does not properly parse certain request/response headers.

Conditions:
Websockets and HTTP profile attached to virtual.

Impact:
TMM may crash, leading to a failover event.

700527-1 : cmp-hash change can hang iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.

Conditions:
An iRule must be in the middle of a call to RESOLV::lookup when a vlan cmp-hash configuration is changed.

Impact:
The iRule call can hang repeatedly.

Workaround:
Restart the TMM. This will interrupt client traffic.

Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.

700330 : AJAX blocking page isn't shown when a webpage uses jQuery framework.

Component: Application Security Manager

Symptoms:
Request is blocked by an ASM policy, but the ASM end user does not see the blocking page with a unique support id for the blocked request.

Conditions:
1. ASM policy Asynchronous JavaScript and XML (AJAX) blocking page enabled.
2. ASM policy is working in blocking mode.
3. ASM policy attached to a virtual server.
4. AJAX request has been sent and blocked.

Impact:
ASM end user has no visual indication that there has been a blocked AJAX request.

Workaround:
None.

Fix:
The system now handles Ajax requests being sent via the JQuery framework.

700143-1 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages

Component: Application Security Manager

Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.

Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.

Impact:
Only the latest 10,000 events are deleted.

Workaround:
No work around for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.

Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.

699720-3 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all

Component: Application Security Manager

Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.

Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.

Impact:
ASM crash; system goes offline.

Workaround:
Use either of the following workarounds:

-- Remove remote logger.
-- Have response logging for illegal requests only.

Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.

699455-3 : SAML export does not follow best practices

Component: Access Policy Manager

Symptoms:
Export of SAML data does not follow current best practices

Conditions:
SAML data exported by administrator

Impact:
Administrative request processing does not follow current best practices

Workaround:
None.

Fix:
Update SAML export to follow current best practices

699431 : Possible memory leak in MRF under low memory

Component: Service Provider

Symptoms:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Conditions:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Impact:
The table entry will be remain until the box resets.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.

699346-2 : NetHSM capacity reduces when handling errors

Component: Local Traffic Manager

Symptoms:
Under certain conditions NetHSM performance may be reduce while handling errors.

Conditions:
NetHSM enabled

Impact:
Reduced performance potentially leading to a failover event

Fix:
Process errors more efficiently when using NetHSM

699281 : Version format of hypervisor bundle matches Version format of ISO

Component: TMOS

Symptoms:
Recently F5 incorporated 4th element into versioning scheme. 4th and 5th are separated by dash (instead of dot) in ISO name. This change/bug insures that names of hypervisor bundles also use dash between 4th and 5th elements.

Conditions:
Applies to hypervisor bundles (for example ova files for vmware).

Impact:
Version format in names of hypervisor bundles matches version format of ISO file

Workaround:
Version format in names of hypervisor bundles matches version format of ISO file

Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).

699262-2 : FQDN pool member status remains in 'checking' state after full config sync

Component: Local Traffic Manager

Symptoms:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) shows FQDN pool members stuck in the 'checking' state.

Conditions:
This occurs after a full config sync is forced between peers using FQDN pool members:

tmsh modify cm device-group <dg_name> devices modify { <local_member> { set-sync-leader } }

Impact:
Affected pools show an Availability state of 'unknown', although pool members are available and can pass traffic.

Workaround:
Restart bigd on the affected peer after the config sync.

Fix:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) no longer shows FQDN pool members stuck in the 'checking' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

699147 : Hourly billed cloud images are now pre-licensed

Component: TMOS

Symptoms:
Hourly billed images in cloud environments require outbound internet access to the F5 public license server in order to retrieve a license. This causes some sites with strict network access policies to fail to license.

Conditions:
Using hourly billing.

Impact:
Hourly instances do not receive licenses and thus could not pass traffic without outbound internet access.

Workaround:
Enable outbound internet access when the guest instance is created to allow it to license, then revoke it.

Fix:
Hourly billed cloud images are now pre-licensed and so do not require internet access to receive a license.

698919-1 : Anti virus false positive detection on long XML uploads

Component: Application Security Manager

Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.

Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.

Impact:
Violation is detected where no violation has occurred (false positive violation).

Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.

Note: This workaround will affect the amount of logged data from ASM.

Fix:
Fixed a false positive virus-detected violation related to long XML uploads.

698080-1 : TMM may consume excessive resources when processing with PEM

Component: Policy Enforcement Manager

Symptoms:
Under certain conditions TMM may consume an unusually large amount of system resources while processing compressed data with PEM

Conditions:
PEM enabled

Impact:
Reduced system capacity, potentially leading to a failover event

Fix:
Avoid excessive resource consumption while processing compressed data

698000-1 : Connections may stop passing traffic after a route update

Solution Article: K04473510

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.

Fix:
Routing updates no longer interrupts traffic to connections using a pool member to reach the nexthop.

697878 : High crypto request completion time under some workload patterns

Component: TMOS

Symptoms:
The tmctl tmm/crypto table shows heavily loaded bulk crypto queues backed up into associated waiting queue. The crypto requests continue to complete, but are significantly delayed.

Conditions:
High crypto usage often in conjunction with high compression usage.

Impact:
Crypto requests can be delayed as long as 1.5 seconds.

Workaround:
Disable hardware crypto by setting the "crypto.hwacceleration" DB key to "disable":
tmsh modify sys db crypto.hwacceleration value disable

Fix:
Improve accelerated crypto poll-timing calculation.

697303-3 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.

696789-2 : PEM Diameter incomplete flow crashes when TCL resumed

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, and the irule is resumed because of timeout.

Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.

Impact:
The tmm will restart and all flows will reset.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by iRule resumed by timeout.

696468 : Active compression requests can become starved from too many queued requests.

Component: TMOS

Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal or higher than 512, and the cur_active remains at zero.

CPU utilization per tmm in this condition may be quite high.

Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.

Impact:
Compression on a per-tmm basis can stop servicing new requests.

Workaround:
Switch to software compression.

Fix:
Soften the restriction so that accumulated contexts with no traffic cannot not prevent busy contexts from getting compression time.

696383-2 : PEM Diameter incomplete flow crashes when sweeped

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.

Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.

Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by the sweeper.

696265-3 : BD crash

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.

695968-3 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in a potential OOM scenario.

Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM

Impact:
Potential loss of service.

Workaround:
There is no workaround at this time.

Fix:
Freed Diameter messages appropriately.

695117 : bigd cores and sends corrupted MCP messages with many FQDN nodes

Solution Article: K30081842

Component: Local Traffic Manager

Symptoms:
When configured to monitor large numbers of nodes and/or pool members including FQDN nodes and/or pool members, the following symptoms may occur:
- bigd may core (aborted by sod due to missed heartbeat).
- bigd may produce corrupted MCP messages.
- FQDN nodes and/or pool members may remain in a Checking state indefinitely.

Conditions:
These symptoms may occur on affected versions of BIG-IP when a large number of nodes and/or pool members including FQDN nodes and/or pool members are configured. Depending on the capabilities of the platform in use, approximately one thousand (1,000) or more total nodes and/or pool members may be required to produce these symptoms.

FQDN nodes and/or pool members generate a more significant workload for the bigd daemon than nodes and/or pool members with statically-configured IP addresses. This additional load contributes to high CPU usage and the other observed symptoms.

Impact:
This issue produces the following impacts:
- bigd may core.
- nodes and/or pool members may remain in a Checking state indefinitely.
- bigd may produce corrupted MCP messages, which generate error messages in the LTM log of the following form:

... err mcpd[####]: 01070712:3: Caught configuration exception (0), Can't parse MCP message, ...

Examination of the corrupted MCP message shows objects at the point of corruption that have no hierarchical relationship with the objects referenced at the beginning of the message.

Workaround:
To work around this issue, use the following approaches singly or in combination:
1. Reduce the number of nodes and/or pool members configured for a given BIG-IP system.
2. Configure nodes and/or pool members with statically-configured IP addresses.

Fix:
bigd no longer produces corrupted MCP messages, resulting in nodes and/or pool members remaining in a 'checking' state, with up to 2,000 nodes and/or pool members including FQDN nodes and/or pool members configured. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

694922-4 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

Fix:
Devices no longer spuriously enter an untrusted state

694717-3 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
PEM iRule command that would result in an inter-TMM lookup on a long lived flow that would result in the PEM iRule command being hit several times. For example, a long lived flow with multiple HTTP transactions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.

694696-3 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline

Component: TMOS

Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.

Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.

Impact:
Traffic to all other traffic-groups is disrupted for several seconds.

Workaround:
There is no workaround at this time.

Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.

694319-3 : CCA without a request type AVP cannot be tracked in PEM.

Component: Policy Enforcement Manager

Symptoms:
May cause diagnostic issues as not all CCA messages cannot be tracked.

Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP

Impact:
May hamper effective diagnostics.

Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.

Fix:
Add a statistics counter to track CCA's that do not request type AVPs.
Name of new counter:cca_unknown_type

694318-3 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.

Component: Policy Enforcement Manager

Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.

Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.

Impact:
Subscriber sessions stuck in delete pending resulting in a potential increase in memry consumption over a period of time.

Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.

Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.

694274-2 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7

Solution Article: K23565223

694073-1 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.

Fix:
Signature updates are now shown correctly for all versions.

693739-3 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled

Solution Article: K70644505

Component: Access Policy Manager

Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.

Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.

Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.

Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.

Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.

693211-3 : CVE-2017-6168

Solution Article: K21905460

692970-3 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.

Fix:
TMM no longer crashes with DHCP flow validation.

692941-3 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.

692307-1 : User with 'operator' role may not be able to view some session variables

Component: Access Policy Manager

Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.

Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.

Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.

Workaround:
Find this data via clicking on the session ID.

Fix:
User with 'operator' role can now view all expected session variables

692123-2 : GET parameter is grayed out if MobileSafe is not licensed

Component: Fraud Protection Services

Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.

Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.

Impact:
In FPS Parameter's list, the GET method is always grayed out.

Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.

Fix:
The GET method is not grayed out if MobileSafe is not licensed.

692095-3 : bigd logs monitor status unknown for FQDN Node/Pool Member

Solution Article: K65311501

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur of the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.

Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.

691670-3 : Rare BD crash in a specific scenario

Solution Article: K02515009

Component: Application Security Manager

Symptoms:
BD crash or False reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.

A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.

691504-3 : PEM content insertion in a compressed response may cause a crash.

Component: Policy Enforcement Manager

Symptoms:
TMM may crash while processing a specially crafted page.

Conditions:
PEM enabled

Impact:
TMM crash and failover event

Workaround:
None.

Fix:
TMM no longer crashes when processing specially crafted content via PEM.

691498-1 : Connection failure during iRule DNS lookup can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes in the DNS response cache periodic sweep.

Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.

Impact:
The TMM cores and automatically restarts, Traffic disrupted while tmm restarts.

Workaround:
No known workaround.

Fix:
The reference counting of the resolver connection was fixed.

691477-1 : ASM standby unit showing future date and high version count for ASM Device Group

Component: Application Security Manager

Symptoms:
Policy builder is changing configuration of standby unit.

Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).

Impact:
Unexpected changes are made to the policy on standby device (CID increment).

Workaround:
Restart pabnagd when switching device from active to standby (also when blade is changed from master no non-master):

killall -s SIGHUP pabnagd

Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.

691017-1 : Preventing ng_export hangs

Component: Access Policy Manager

Symptoms:
Sometimes ng_export is stuck while reading tmsh thru the pipe because of buffer issues. Export is trying to read more data from tmsh while data is lost in the middle of the read operation.

Conditions:
-- ng_export receives tmsh replies through buffer of constant size x.
-- During the read operation, tmsh returns a buffer size of x minus k, where k is very small random number (less than 50).

Note: K is very small random number, which makes this issue difficult to describe.

Impact:
The export operation hangs.

Workaround:
None.

Fix:
ng_export is now using non-blocking socket and loops to wait for data or terminate gracefully

690166-3 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains

Component: Global Traffic Manager (DNS)

Symptoms:
Creating SRV wideip will result in stub zone creation even there are already matching zones.

Conditions:
Creating SRV wideip with three more layers than existing zone.

Impact:
Unnecessary stub zones created.

689826-2 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)

Component: Access Policy Manager

Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.

Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a unicode-language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.

Impact:
Proxy settings are not applied on client side after VPN is established.

Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.

Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:

1. Set the custom variable name to the following value:
    config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
    Note: <network access resource name> is the name of the network access resource.

2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
    return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
    Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.

3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.

Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.

689577-1 : ospf6d may crash when processing specific LSAs

Solution Article: K45800333

Component: TMOS

Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.

Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.

Impact:
OSPFv3 routing will interrupted while the daemon restarts and the protocol re-converges.

Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.

Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.

689089-3 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

Component: Local Traffic Manager

Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.

Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:

"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"

Where "N" is the number of physical slots in the chassis (2, 4, or 8).

Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.

Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.

Fix:
The configuration file update logic has been changed to prevent file corruption during update.

688625-2 : PHP Vulnerability CVE-2017-11628

Solution Article: K75543432

688011-5 : Dig utility does not apply best practices

Component: TMOS

Symptoms:
The dig utility does not apply current best practices when processing administrator requests from TMSH

Conditions:
Appliance mode
TMSH access

Impact:
Dig does not apply current best practices

Workaround:
None.

Fix:
Dig now applies current best practices

687658-2 : Monitor operations in transaction will cause it to stay unchecked

Component: TMOS

Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.

687603-1 : tmsh query for dns records may cause tmm to crash

Component: Local Traffic Manager

Symptoms:
tmm experiences segmentation fault.

Conditions:
Run 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.

Impact:
Core file / system outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm experiences segmentation fault when running the 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.

687353-3 : Qkview truncates tmstat snapshot files

Solution Article: K35595105

Component: TMOS

Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.

Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).

Note: 5 MiB is qkview utility's default maximum file size value.

Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.

Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0

687193-1 : TMM may leak memory when processing SSL Forward Proxy traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may leak memory when processing SSL Forward Proxy traffic.

Conditions:
SSL forward proxy enabled.

Impact:
Increasing memory consumption over time, potentially leading to a TMM crash and failover event.

Workaround:
None.

Fix:
TMM no longer leaks memory when processing SSL Forward Proxy traffic

687098 : IPv6 RADIUS servers not supported for remote authentication

Component: TMOS

Symptoms:
Authenticating against an IPv6 RADIUS server is not supported, only an IPv4 server.

Conditions:
This applies to remote authentication to log on to the BIG-IP system for management purposes.

Impact:
Login will time out, as if the server did not respond.

Workaround:
Use an IPv4 server. If you have an IPv6 management IP, then you will need to have the IPv4 server reachable over a dataplane VLAN.

Fix:
Support for IPv6 RADIUS servers has been added.

686389-3 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether HTML5 client is enabled (absence of <html-access-disabled/> tag). APM does not honor this flag to show HTML5 client option to APM end user only if it has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.

Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.

Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.

686305-2 : TMM may crash while processing SSL forward proxy traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing SSL forward proxy traffic

Conditions:
SSL forward proxy enabled

Impact:
TMM crash leading to a failover event

Workaround:
None.

Fix:
TMM now correctly processes SSL forward proxy traffic

686282-1 : APMD intermittently crash when processing access policies

Component: Access Policy Manager

Symptoms:
APMD process may crash intermittently (rare) when processing access policies.

Conditions:
This rarely encountered issue occurs when any one of the following conditions exist:

-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.

Impact:
APM end users cannot pass access policy, cannot login.

Workaround:
None.

Fix:
APMD no longer intermittently crashes when processing access policies.

686228-3 : TMM may crash in some circumstances with VLAN failsafe

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.

Impact:
A TMM may core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.

686065-1 : RESOLV::lookup iRule command can trigger crash with slow resolver

Component: Local Traffic Manager

Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.

Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousand of connections triggering resolution of the same name.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove RESOLV::lookup from the workflow if it is not required.

Fix:
The scenario now works as expected and no longer results in a crash.

685955 : TMM hud_message_ctx leak

Component: Local Traffic Manager

Symptoms:
There is a TMM memory issue caused by leaked hud_message_ctx objects, each holding a websockets_frame.

Conditions:
Running WebSocket traffic that needs to be processed by a plugin like ASM.

Impact:
Increasing TMM memory usage leading to eventual service outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The memory leak in TMM has been fixed.

685743-3 : When changing internal parameter 'request_buffer_size' in large request violations might not be reported

Component: Application Security Manager

Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.

Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.

Impact:
Requests might be blocked, and no reason is reported.

Workaround:
Reset internal 'request_buffer_size' to default.

Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.

685344-2 : Monitor 'min 1 of' not working as expected with FQDN nodes/members

Component: Local Traffic Manager

Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.

Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.

Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.

Workaround:
To configure a pool with 'min 1 of{...}', specify static pool members, do not use FQDN to configure pool members.

Fix:
A pool with FQDN configured nodes/members and specified with a monitor of 'min 1 of {...}' remains available as long as a single pool member remains up.
This issue is resolved by the FQDNv2 feature re-implementation.

685207-2 : DoS client side challenge does not encode the Referer header.

Component: Application Security Manager

Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.

Conditions:
1. Login to the client IP address and send the ab request.
2. Once the DoS attack starts, sends the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. Unencoded Referer header is visible.

Impact:
The XSS reflection occurs after triggering the DoS attack.

Workaround:
None.

Fix:
DoS client side challenge now encodes the Referer header.

685110-3 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.

Solution Article: K05430133

Component: Local Traffic Manager

Symptoms:
1. FQDN Node/pools fails to populate with members.

2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:

err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.

Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.

Impact:
Unable to use FDQN nodes/pool members with non-LTM license.

Workaround:
None.

Fix:
Non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.

685020-1 : Enhancement to SessionDB provides timeout

Component: TMOS

Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.

Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.

Impact:
Calls made to SessionDB never return from the remote TMM.

Workaround:
None.

Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT

684879-2 : Malformed TLS1.2 records may result in TMM segmentation fault.

Solution Article: K02714910

684414-1 : Retrieving too many groups is causing out of memory errors in TMUI and VPE

Component: Access Policy Manager

Symptoms:
Retrieving too many groups might cause out-of-memory errors in TMUI and VPE. TMUI might end up with HTTP 502 and VPE fails with HTTP 500

Conditions:
LDAP/AD server with over 20,000 groups.

Impact:
It's hard to perform LDAP/AD group mapping because there are no group names in the dialog box, which complicates work on such a large number of groups.

Workaround:
The only solution is to remove /shared/tmp/gmcache folder and use manual groupmapping.

Fix:
Retrieving too many groups no longer results in memory errors in TMUI and VPE, even on LDAP/AD servers with over 20,000 groups.

684333-3 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.

Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.

Impact:
PEM session created using Gx may get deleted.

Workaround:
Initiate failover using alternate commands, such as the following:
tmm big start restart.

684325-3 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
Access profile having CheckMachineCert agent, while updating profile using 'Apply access policy', each time it leaks 12096 bytes of memory.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
APMD process stops after repeated application of the script.

Workaround:
None.

Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.

684312-2 : During Apply Policy action, bd agent crashes, causing the machine to go Offline

Solution Article: K54140729

Component: Application Security Manager

Symptoms:
During Apply Policy action, bd agent crashes, causing with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

Causing bd and bd_agent processes restart, and causing the machine to go Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.

Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart..

Workaround:
None.

Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.

684033-1 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Solution Article: K70084351

683683-1 : ASN1::encode returns wrong binary data

Component: Local Traffic Manager

Symptoms:
ASN1::encode returns incorrect data for certain integer values. For example, for integer 49280, ASN1::encode returns 02030000.

Conditions:
The problem happens in an implicit UTF encoding/decoding, and it is not obvious what data triggers the error.

This is because it implicitly converts the Tcl object type from byte array to string and later back to byte array, but because of the UTF de-coding algorithm, certain bytes get changed.

Impact:
The returned binary is wrong.

Workaround:
Use binary scan for the value that is incorrectly encoded by the command.

Fix:
ASN1::encode ENCODE mode now works so that it avoids the implicit type-conversion byte array to string back to byte array, which gets the original byte array changed during UTF-8 decoding.

683508-3 : WebSockets: umu memory leak of binary frames when remote logger is configured

Component: Application Security Manager

Symptoms:
ASM out of memory error messages in /var/log/asm.

Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.

Impact:
ASM out of memory, memory leak.

Workaround:
Remove ASM remote logging profile from a virtual server.

Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.

683389-1 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.

Conditions:
Attempt to create local SharedObject.

Impact:
Affected Flash applications are not working when accessed through Portal Access.

Workaround:
None.

Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.

682837 : Compression watchdog period too brief.

Component: TMOS

Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.

Conditions:
Very high sustained system-wide compression request traffic.

Impact:
Accelerated compression throughput can drop significantly; some flows dropped.

Workaround:
Switch to software compression.

Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.

682682-3 : tmm asserts on a virtual server-to-virtual server connection

Component: Local Traffic Manager

Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.

Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.

Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.

Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.

682612 : Event Correlation is disabled on vCMP even though all the prerequisites are met.

Component: Application Security Manager

Symptoms:
In GUI screen,

Security ›› Event Logs : Application : Event Correlation

It shows "Event Correlation is not supported on this platform.".

Conditions:
Multi bladed vCMP guest, running on a BIG-IP with SSD drives, having only one available Slot (other Slots appear offline/unavailable).

Impact:
Multi bladed vCMP guest, running on a BIG-IP with SSD drives, having only one available Slot have Event Correlation disabled.

Workaround:
The following workaround does not survive ASM restart.
Thus, it has to be executed after every restart of ASM:
------------------------
# perl -MF5::ASMReady -MF5::Cfg -e 'while (! F5::ASMReady::is_asm_ready()) { print "Waiting for ASM to be ready.\n"; sleep 5; }; print "ASM is ready, patching Event Correlation cfg file\n"; F5::Cfg::cfg_set_config_item(qw{/etc/ts/correlation/correlation.cfg}, qw{General}, qw{Idle}, 0)'

# pkill -f correlation
------------------------

Event Correlation should start with in ~15 seconds, after the execution of this workaround:
------------------------
# ps -elf | grep correlation

0 S root ... /usr/share/ts/bin/correlation
------------------------

682500-1 : VDI Profile and Storefront Portal Access resource do not work together

Component: Access Policy Manager

Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.

Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.

Impact:
Citrix Storefront portal access resource cannot be used to launch applications.

Workaround:
None.

Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.

682213-3 : TLS v1.2 support in IP reputation daemon

Solution Article: K31623549

Component: TMOS

Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.

Conditions:
This occurs when using IP reputation.

Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.

Workaround:
None.

Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatiblity, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.

In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.

682105 : Adding widget in Analytics Overview can cause measures list to empty out on Page change

Component: Application Visibility and Reporting

Symptoms:
When adding a new widget on Analytics Overview page with multiple modules (e.g., vCMP, Security), it is possible to reach a state in which the list of available measures is empty.

Conditions:
-- All 'available measurements' is selected (moved left).
-- A page should be changed.

Impact:
In some cases (like in vCMP when changing from Network to SynCookies), the list of available measurements will remain empty. Unable to select measures to display in new widget.

Workaround:
To reset the list of measures so that all measures are visible again, switch to another page and return to the previous one right away.

682104-1 : HTTP PSM leaks memory when looking up evasion descriptions

Component: Local Traffic Manager

Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.

Conditions:
When PSM looks up evasion descriptions.

Impact:
Memory leaked each time might eventually cause out of memory to the TMM.

Workaround:
None.

Fix:
This fix will stop the memory leakage.

681710-4 : Malformed HTTP/2 requests may cause TMM to crash

Component: Local Traffic Manager

Symptoms:
Malformed HTTP/2 requests can cause TMM to crash

Conditions:
Specially crafted request is sent through an HTTP/2 configured virtual server.

Impact:
TMM crash leading to a failover event

Workaround:
N/A

Fix:
HTTP/2 configured virtual server properly handles requests

681175-1 : TMM may crash during routing updates

Solution Article: K32153360

Component: Local Traffic Manager

Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.

Conditions:
-- Dynamic routing.
-- ECMP routes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.

Fix:
TMM no longer crashes on routing updates when ECMP is in use.

681109-2 : BD crash in a specific scenario

Solution Article: K46212485

Component: Application Security Manager

Symptoms:
BD crash occurs.

Conditions:
A specific, non-default configuration with specific traffic.

The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.

For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
Content-Type :: *xml* :: form-data

This configuration is likely to result in a very long list of false-positive attack signatures. Because of the big message generated, The regex violation which is also likely to happen on the payload cannot be added to the filled message, which causes the crash.

Impact:
Failover, traffic disturbance.

Workaround:
In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.

A correctly configured header-based-content-profile property on URLs appears as follows:

In URL Properties, the Header-Based Content Profiles section of the wildcard URL is by default applying the value and content signature. Here, you can associate Content-Type with <type-value> with <parser-type>. By default, the correct definitions are as follows:
Content-Type :: *form* :: Form Data
Content-Type :: *json* :: JSON
Content-Type :: *xml* :: XML

Fix:
Added a check to prevent a crash in a specific scenario.

680755-1 : max-request enforcement no longer works outside of OneConnect

Solution Article: K27015502

Component: Local Traffic Manager

Symptoms:
max-request enforcement does not work when OneConnect is not configured.

Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.

Impact:
max-request enforcement does not work.

Workaround:
Always use OneConnect.

Fix:
max-request enforcement now works when OneConnect is not configured.

680729-3 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical

Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

680112-1 : SWG-Explicit rejects large POST bodies during policy evaluation

Solution Article: K18131781

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 64 KB limit on POST bodies while the policy is being evaluated.

==> /var/log/apm <==
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during the policy evaluation. After the policy has been set to 'Allow', there is no limit.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
Modify the db variable 'tmm.access.maxrequestbodysize' with a value larger than the maximum post body size you would like to support. The maximum supported value is 25000000 (25 MB).

679959-1 : Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000

Component: TMOS

Symptoms:
Unable to the ping self IP of VCMP guests configured on i5000, i7000, or i10000.

Conditions:
Running TMOS v12.1.3 and VCMP guests configured on i5000, i7000 or i10000.

Impact:
Unable to process client traffic.

Workaround:
No workaround at this time.

Fix:
This issue is fixed.

679603-2 : bd core upon request, when profile has sensitive element configured.

Solution Article: K15460886

Component: Application Security Manager

Symptoms:
bd crash, system goes offline.

Conditions:
ASM provisioned.
-- ASM policy attached on a virtual server.
-- json profile configured with sensitive element.

Impact:
System goes offline/fails over.

Workaround:
Remove sensitive elements from the json profile in the ASM policy.

Fix:
ASM now handles this condition so the crash no longer occurs.

679480-1 : User able to create node when an ephemeral with the same IP already exists

Component: TMOS

Symptoms:
If an FQDN ephemeral node exists for a given IP address, the user is still able to create a real node for the same IP address.

Conditions:
This can only be done by the GUI, not by tmsh or iControl REST.

Impact:
This should be prevented, but is allowed.

Workaround:
Avoid creating such a node.

Fix:
Validation now prevents this from happening.

679440-2 : MCPD Cores with SIGABRT

Solution Article: K14120433

Component: Advanced Firewall Manager

Symptoms:
MCPD cores with SIGABRT.

Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.

Impact:
MCPD core.

Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable

Fix:
MCPD no longer cores with SIGABRT if the auto-blacklisting feature is enabled.

679384-1 : The policy builder is not getting updates about the newly added signatures.

Solution Article: K85153939

Component: Application Security Manager

Symptoms:
The policy builder is not getting updates about the newly added signatures.

Conditions:
When ASU is installed or user-defined signatures are added/updated.

Impact:
No learning suggestions for some of the newly added signatures.

Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
killall -s SIGHUP pabnagd

-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).

Fix:
After the fix, Policy Builder will be aware of all newly added signatures.

679235-5 : Inspection Host NPAPI Plugin for Safari can not be installed

Component: Access Policy Manager

Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.

Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.

Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.

Workaround:
There is no workaround at this time.

Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.

678976-2 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.

Solution Article: K24756214

Component: Access Policy Manager

Symptoms:
VDI debug logs print user credentials to /var/log/apm.

Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.

Impact:
User credentials are written to /var/log/apm.

Workaround:
Set VDI debug level to Notice.

Fix:
The system no longer prints user credentials to VDI debug logs.

678861-3 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★

Solution Article: K00426059

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade fails with a message similar to the following.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.

Impact:
Upgrade fails.

Workaround:
Remove DNS:: commands from procs before upgrade.

Or use AFM instead of iRules.

678851-1 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()

Component: Access Policy Manager

Symptoms:
Java applets containing call of getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.

Attempt to call incorrectly patched method causes following exception:
java.lang.VerifyError: (...) Illegal type in constant pool

Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().

Impact:
Affected Java applets cannot be started through Portal Access.

Workaround:
None.

Fix:
Rewritten applets with calls of java.applet.AppletStub interface methods are no longer causing java.lang.VerifyError exception during execution.

678833 : IPv6 prefix SPDAG causes packet drop

Component: TMOS

Symptoms:
If IPv6 prefix SPDAG is turned on, on systems running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3, it can cause packet drops.

Conditions:
Turn on IPv6 prefix DAG.
-- Assign a value other than 128 to sys db tmm.pem.session.ipv6.prefix.len.
-- Running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3.

Impact:
Packet drops.

Workaround:
Turn off IPv6 prefix SPDAG.

678822-3 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Component: Policy Enforcement Manager

Symptoms:
If the PEM subscribers are brought up with diameter apps (Gx/Gy) configured and the PCRF is not reachable since there is no route or simply because there is no license configured for those apps. The Provision pending for sessions will get incremented and never rollback to zero even after the subscribers are cleaned up.

Conditions:
If the route to PCRF/OCS is missing or not reachable.

Impact:
Non-Zero stats for provision pending sessions

Workaround:
Disable the Gx/Gy profile if not required or configure the route.

Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.

678820-2 : Potential memory leak if PEM Diameter sessions are not created successfully.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in reduction in available memory.

Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.

Impact:
Loss of service

Workaround:
There is no workaround at this time.

Fix:
Diameter context is freed in case of a failed Diameter session creation.

678714-3 : After HA failover, subscriber data has stale session ID information

Component: Policy Enforcement Manager

Symptoms:
After a failover in a high availability (HA) configuration, subscriber local data is populated with stale session id information

Conditions:
-- HA failover.
-- PEM subscriber.

Impact:
Subscriber data with stale session ID information might cause invalid reference to incorrect subscriber data.

Workaround:
None.

Fix:
Subscriber local data is now populated with new, generated session ID information.

678462-2 : after chassis failover: asmlogd cpu 100% on secondary

Component: Application Security Manager

Symptoms:
After a failover in a chassis:

- asmlogd cpu 0% on primary slot (which was secondary before the failover).

- asmlogd cpu 100% on secondary (which was primary before the failover).

Without traffic running through the chassis.

Conditions:
ASM provisioned
Chassis with at least 2 active slots.
Chassis failover after some traffic was passed through the chassis.

Impact:
asmlogd cpu 100% on secondary (which was primary before the failover).

Workaround:
There is no workaround at this time.

Fix:
We have fixed the asmlogd process to better handle chassis failovers during which the chassis slots change roles (Primary/Secondary).

678293-1 : Uncleaned policy history files cause /var disk exhaustion

Component: Application Security Manager

Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.

Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.

Two possible causes might explain what caused the history files to be copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.

Impact:
/var disk usage is high.

Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:

----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { next unless -f $_; $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------

Manually verity the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.

In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.

678228-1 : Repeated Errors in ASM Sync

Solution Article: K27568142

Component: Application Security Manager

Symptoms:
If an error is encountered when building a full sync file for an ASM enabled Device Group, any future attempts at building a sync file will continue to fail.

Conditions:
An error such as a full disk or out of memory occurs when attempting to build a sync file for an ASM enabled Device Group

Impact:
Any future attempts at building a sync file will continue to fail.

Workaround:
Restart the ASM Config processes, or clear out /ts/var/sync.

Fix:
Remnants of failed sync files are now correctly cleaned up before building a new one.

677193-2 : ASM BD Daemon Crash.

Solution Article: K38243073

677119 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE

Component: Local Traffic Manager

Symptoms:
When HTTP2 connection's parameters are negotiated, either side may report about its limits in SETTINGS type frame where one of the parameters SETTINGS_MAX_HEADER_LIST_SIZE determines a maximum size of headers list it is willing to accept. BIG-IP incorrectly interchanged this parameter with another one called SETTINGS_HEADER_TABLE_SIZE, limiting value of the former one to 32,768.

Conditions:
HTTP2 is configured and an opposite endpoint (user agent using HTTP2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.

Impact:
BIG-IP doesn't accept the value and terminates the connection using GOAWAY frame with PROTOCOL_ERROR as a reason.

Fix:
BIG-IP no longer generates an error due to this issue and allows value for SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.

677058-3 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Component: Access Policy Manager

Symptoms:
Logon page agent with more than one password variable or Citrix logon prompt will log plain text password when debug logging is turned on for access policy.

Conditions:
This occurs when following conditions are met:

- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.

Impact:
APM logs plain text password when debug logging is turned on for access policy.

Workaround:
None.

Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.

676982-2 : Active connection count increases over time, long after connections expire

Solution Article: K21958352

Component: Local Traffic Manager

Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.

Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile
functionality.

Impact:
- Service may be impacted after a period.
- TMM instances may restart.

Workaround:
None.

Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.

676808-2 : FPS: tmm may crash on response with large payload from server

Component: Fraud Protection Services

Symptoms:
A request to a unprotected FPS URL may cause tmm crash if response payload is large and the URL was configured via live update.

Conditions:
1. Page is not protected.
2. Large response payload (e.g.,50 KB).
3. FPS registered for response event (this will happen if a global URL (configured via live update) was matched).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
FPS will check for fast response situation and will act accordingly.

676690-3 : Windows Edge Client sometimes crashes when user signs out from Windows

Component: Access Policy Manager

Symptoms:
In rare cases Windows Edge Client may crash when user signs out from Windows

Conditions:
User signs out from Windows or restarts Windows while EdgeClient is running and VPN is established

Impact:
No functional impact, user see a message box with error block sign out process. When the user closes the message box, sign out process continues.

Fix:
Previously, in some instances, the Edge Client on Windows would crash when the user signed out of Windows. This has been fixed.

676457-3 : TMM may consume excessive resource when processing compressed data

Component: Local Traffic Manager

Symptoms:
Under certain conditions TMM may consume an unusually large amount of system resources while processing compressed data

Conditions:
HTTP compression enabled

Impact:
Reduced system capacity, potentially leading to a failover event

Fix:
Avoid excessive resource consumption while processing compressed data

676416-2 : BD restart when switching FTP profiles

Component: Application Security Manager

Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes causes the BIG-IP to go offline, generates errors in the bd log, and causes bd to restart.

Conditions:
Running FTP traffic with FTP profile with Protocol Security enabled.
On FTP service, change to FTP profile with Protocol Security disabled.

Impact:
BD restart, traffic disrupted, and failover in HA configuration.

Workaround:
There is no workaround at this time.

Fix:
We have fixed the mechanism of switching FTP profiles, so that now there is no BD restart.

676203-1 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.

Component: TMOS

Symptoms:
TMM memory usage suddenly increases rapidly.

Conditions:
The inter-blade mpi connection fails and does not recover.

Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.

Workaround:
None.

Fix:
Inter-blade mpi connection now continues as expected, without memory issues.

675928-2 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding

Component: Policy Enforcement Manager

Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently, if the requests from those flows are outstanding

Conditions:
If the http request from the subscriber is outstanding when the new flow is triggered

Impact:
PEM insert content pem_acton will be enabled on multiple flows till the first response is received

Fix:
Throttle insert content action on new flows only to periodic interval if the transaction is outstanding.

675921 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running

Component: TMOS

Symptoms:
Creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond get an error, however they do become deployed with Status or 'running'.

Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.

Impact:
5th guest and beyond result in an error.

Workaround:
None.

Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.

675866-1 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO

Component: Access Policy Manager

Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.

Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.

Impact:
Cannot access the Kerberos-protected resources.

Workaround:
None.

Fix:
Tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.

675399-3 : Network Access does not work when empty variables are assigned for WINS and DNS

Component: Access Policy Manager

Symptoms:
Network Access does not work when empty variables are assigned for WINS and DNS.

Conditions:
If the admin configures empty values for WINS or DNS in the Variable Assign agent in the VPE.

Impact:
The system does not parse the XML tags correctly. Users may not be able establish VPN tunnel.

Workaround:
Do not leave the DNS or WINS values empty in the Variable assign Agent.

Fix:
APM now correctly handles the condition where an empty string is assigned for WINS and/or DNS in the Variable Assign policy agent.

675232-3 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered -

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify it's active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy.

That can be done via GUI and starting from from v13.0 via REST as well.

Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------

Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.

674931 : FPS modified responses/injections might result in a corrupted response

Component: Fraud Protection Services

Symptoms:
in case a connection was congested and FPS tries to send additional egress (modifying the response, e.g. injections) the order of the response sending might break if this send is successful (i.e congestion just ended). instead of sending the buffered data first (response part that was buffered due to congestion), FPS tries to send the new data first and only than will send the buffered data.

Conditions:
- congested connection
- FPS sends modified response (e.g. injections)
- sending egress succeeded (congestion ended)

Impact:
response is corrupted - order of data has erroneously changed

Workaround:
N/A

Fix:
FPS will handle this case correctly, first sending buffered data then sending the new egress.

674909-3 : Application CSS injection might break when connection is congested

Component: Fraud Protection Services

Symptoms:
Large CSS files configured for phishing protection injection in FPS (not fictive websafe CSS files) may be truncated upon response to client.

Conditions:
Inject into Application CSS enabled in Anti-Fraud Profile » Advanced » Phishing Detection

Large CSS file such as bootstrap files configured for Application CSS Locations.

Network congestion engaging TMM flow control.

Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. May break application functionality.

Workaround:
1) Remove affected large files from Application CSS Locations.

or

2) Disable Inject into Application CSS entirely.

Fix:
FPS now handles the case where injecting to application css was interrupted by congestion.

674686-2 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow

Component: Policy Enforcement Manager

Symptoms:
If an outstanding flow with periodic insertion pem_action is very long, it prevents new flow matching the same rule from adding inert content pem_action even for a new periodic interval

Conditions:
If the outstanding flow with insert content pem_action spans multiple periodic interval.

Impact:
No content insertion during the time the long flow is outstanding for new flows matching the same rule as the long flow.

Workaround:
Long flows and short flows need to have separate rule configured

Fix:
New flows will add content insertion, if the new flow request falls in the new periodic interval.

674593-1 : APM configuration snapshot takes a long time to create

Component: Access Policy Manager

Symptoms:
It takes a long time to create the configuration snapshot for a file. This may be accompanied by MEMCACHED related log message, as shown below.

notice apmd[12928]: 0149016a:5: Initiating snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 0149016f:5: Waiting for MEMCACHED to be ready
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1273 Msg: Unable to connect to tmm (sessiondb). Trying again...
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1280 Msg: Successfully connected to tmm (sessiondb)...
notice apmd[12928]: 0149016b:5: Completed snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 01490171:5: MEMCACHED is up

Conditions:
The issue happens if an access profile contains many resources, the resulting configuration
snapshot will have even more configuration variables.

Impact:
TMM will run out of memory If the issue persists. User will not be able to log in due to profile not found error similar to the following:

err apmd[13681]: 01490114:3: /Common/workspace-acess2:Common:a6b495ce: process_request(): Profile '/Common/workspace-acess2' was not found

Workaround:
None.

Fix:
APM policy configuration snapshot generation performance for very large configurations has been improved.

674576-4 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.

Conditions:
VIP-VIP configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer produces a core with a 'no trailing data' assert.

674515 : New revoke license feature for VE only implemented

Component: TMOS

Symptoms:
Prior to this version, the license revoke feature was not implemented/available.

Conditions:
With out revoke implemented, the feature is simply not available.

Impact:
Licenses cannot be revoked and hence re-used.

Fix:
With this feature implemented, VE licenses can be revoked and then re-used on different VE.

674494-1 : BD memory leak on specific configuration and specific traffic

Solution Article: K77993010

Component: Application Security Manager

Symptoms:
RSS memory of the bd grows.

Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.

Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.

Workaround:
None.

Fix:
Freeing up the remote loggers data when deciding not to log remotly.

674410-3 : AD auth failures due to invalid Kerberos tickets

Component: Access Policy Manager

Symptoms:
User can not login.

Conditions:
- AAA AD server is configured on BIG-IP.
- AD Auth/Query agent is used in Access Policy.
- Cached Kerberos ticket is invalid or backend AD server is not reachable for some reason

Impact:
AD Auth/Query fails. APM end user won't be able to take successful branch in Access Policy.

Workaround:
None.

Fix:
Invalid Kerberos tickets for AD Query are now automatically renegotiated by APM.

674320-2 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems

Solution Article: K11357182

Component: TMOS

Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:

notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59

Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)

Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).

Impact:
Configuration on peer systems in a device group does not get saved after a sync.

Workaround:
Manually save the configuration on peer systems after a sync.

Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.

674189 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0

Solution Article: K52320548

673748-1 : ng_export, ng_import might leave security.configpassword in invalid state

Solution Article: K19534801

Component: Access Policy Manager

Symptoms:
If import/export of Access Profile or Access Policy results in an error, security.configpassword may retain temporary not <null> state, which can cause problems when the config is saved or loaded using the sys save config or sys load config commands.

Conditions:
Import or export of Access Profile or Access Policy fails with an error.

Impact:
Passwords in .conf might get mangled.

Workaround:
Set the security.configpassword db variable using the following command:
modify sys db security.configpassword value "<null>"

673683-2 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if pem and classification profiles are detached and re-attached to the Listener, periodic insertion may fail to insert the content. This happens when more than one subscriber is using the same policy rule and the listener.

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the right session id storage associated with the subscriber

673678-2 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if the request/response for that http transaction get interleaved by another subscriber request. This happens when more than one subscriber is using the same policy rule

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the correct session id storage associated with the subscriber.

673621-2 : Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.

Component: Local Traffic Manager

Symptoms:
Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.

Conditions:
Set ca-file to 'none' in the clientssl profile.

Impact:
Chain is still sent.

Workaround:
None.

Fix:
Chain certificate is no longer sent to the client when both ca-file and chain certificate are removed from the clientssl profile.

673607-2 : Apache CVE-2017-3169

Solution Article: K83043359

673595-2 : Apache CVE-2017-3167

Solution Article: K34125394

673472-2 : After classification rule is updated, first periodic Insert content action fails for existing subscriber

Component: Policy Enforcement Manager

Symptoms:
Immediately after the classification rule associated with a static subscriber is updated and if the action list has Insert content, the first periodic insert content action fails for the subscribers. Subsequent Insert content action will proceed as expected

Conditions:
Update of the classification rule associated with the subscribers.

Impact:
First periodic Insert content action, immediately succeeding after the update of the classification rule will fail.

Workaround:
bigstart restart tmm, after updating the classification rule with insert content action will fix the issue

Fix:
Update the record count associated with the subscriber during eval.

673129 : New feature: revoke license

Component: TMOS

Symptoms:
A different license is required for each Virtual Edition (VE) instance.

Conditions:
Creating new instances of VE.

Impact:
Cannot reuse an existing VE license.

Workaround:
None.

Fix:
For Virtual Edition (VE) BIG-IP systems, licenses can now reused by other VE instances by revoking an active license on one and installing it on another.

Behavior Change:
Revoke license is a new feature so that licenses can be reused for other virtual edition configurations.

To revoke a license using tmsh, run the following command:
tmsh revoke sys license registration-key <reg-key-number>

The system responds with the following confirmation prompt:
Revoking the license will return this BIG-IP to an unlicensed state. It will stop processing traffic. Are you sure? Y/N:

When you type y, the system revokes the license and returns a response similar to the following:
License successfully revoked
[root@bigip11:LICENSE INOPERATIVE:Standalone] config # Jul 17 12:04:28 bigip11 emerg mcpd[5144]: 01070608:0: License is not operational (expired or digital signature does not match contents).

673078-1 : TMM may crash when processing FastL4 traffic

Solution Article: K62712037

673075-1 : Reduced Issues for Monitors configured with FQDN

Component: Local Traffic Manager

Symptoms:
Monitors configured using FQDN might experience several edge cases in some deployment environments. For example, you might experience issues with FQDN-configured monitors when used in environments with volatile/unstable DNS servers, or when network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'. In such cases, the monitor may experiences delay in rotating to the next available DNS server. This is due to complex edge cases that exist within the initial FQDN monitor implementation, where anomalous behavior is aggravated through some network configurations.

Conditions:
Monitors are configured using FQDN, and one-or-more environment conditions exist such as: Unstable DNS servers (i.e., 'flapping' DNS), or the network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'.

Impact:
The monitor will not be updated with information from the (new) DNS server when the previous DNS server becomes unavailable. Other monitor behavior will continue to function normally.

Workaround:
In some cases network configuration can be changed to avoid these edge cases, such as: Ensuring stable DNS servers with only periodic rollovers to backup DNS servers; ensure network ICMP packets are routable back to 'bigd'. Alternatively, monitors may be configured without using FQDN.

Fix:
Monitors configured using FQDN behave as expected in volatile environments, such as those with flapping DNS servers and where ICMP packets for unreachable DNS servers are non-routable back to 'bigd'.

672988-2 : MCP memory leak when performing incremental ConfigSync

Solution Article: K03433341

Component: TMOS

Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen tmctl utility to watch the umem_alloc_80 cache over time.

This leak occurs on the device that is sending the configuration.

Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.

Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.

Workaround:
None.

Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.

672868-1 : Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly

Component: Access Policy Manager

Symptoms:
Portal Access server-side JavaScript parser may work incorrectly if JavaScript code includes non-whitespace control characters inside text constants.

Conditions:
JavaScript code with non-whitespace control characters (0x00..0x08, 0x0E..0x1B, 0x7F..0x9F) inside text constants.

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now JavaScript code with non-whitespace control characters can be processed by Portal Access.

672815-2 : Incorrect disaggregation on VIPRION B4200 blades

Component: TMOS

Symptoms:
During startup of the bcm56xxd daemon, the LTM log shows BCM SDK errors containing the string 'SDK error Invalid parameter'. IP fragments fail to be reassembled. The reassembly time out triggers and the flow is killed.

Conditions:
-- After startup as long as the SDK errors occur.
-- Running on VIPRION B4200 blades.

Impact:
TCP connections and UDP datagrams which have fragmented packets are killed or dropped.

Workaround:
There is no workaround that will process fragments correctly.

Fix:
Incorrect disaggregation on VIPRION B4200 blades has been corrected.

672695-1 : Internal perl process listening on all interfaces when ASM enabled

Component: Application Security Manager

Symptoms:
ASM configuration processes are available on unprotected network interfaces.

Conditions:
ASM provisioned

Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance

Workaround:
None

Fix:
ASM-config Event Dispatcher now listens only on protected interfaces

672667-4 : CVE-2017-7679: Apache vulnerability

Solution Article: K75429050

672504-1 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests

Workaround:
None.

Fix:
Dramatically improved algorithm, to remove significant delay in deletions.

672301-2 : ASM crashes when using a logout object configuration in ASM policy

Component: Application Security Manager

Symptoms:
bd daemon crash and writes a core file in the /shared/core directory.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Logout object configured in the policy.
-- System receives a POST request.

Impact:
System goes offline for a few seconds, failover occurs.

Workaround:
Remove logout object configuration from ASM policy.

Fix:
The system now handles this condition.

672040-3 : Access Policy Causing Duplicate iRule Event Execution

Component: Access Policy Manager

Symptoms:
iRule event gets triggered twice in clientless mode when access policy is executed.

Conditions:
This only occurs when using iRule in clientless-mode.

Impact:
HTTP_REQUEST event is logged twice in /var/log/ltm.

See below example:

when HTTP_REQUEST {
  HTTP::header insert {clientless-mode} 1
  set myCount [expr {$myCount + 1}]
  log local0. "Count is $myCount"
}

LTM logs:
-----------

Jul 3 12:29:35 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 1
Jul 3 12:29:36 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 2

When this iRule is used, you will see duplicate HTTP_REQUEST with increased count in logs. If this count is used in further calculation, it gives you incorrect result.

Fix:
HTTP_REQUEST iRule event is no longer executed multiple times when using APM clientless-mode.

672008-1 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds

Solution Article: K22122208

Component: Local Traffic Manager

Symptoms:
Remote syslog logging destinations configured for RFC5424 format might receive malformed timestamp values if the log message is sent when clock rolls over to 1,000,000 microseconds exactly. The resulting log message will have a NUL character appended to the microseconds value in the log's timestamp field.

Example:
Correct timestamp: 2003-08-24T05:14:15.000000-07:00
Malformed timestamp: 2003-08-24T05:14:14.100000\00-07:00

Conditions:
-- syslog destination configured for RFC5424 format.
-- Sending log message when clock rolls over to 1,000,000 microseconds.

Impact:
Some syslog collectors may fail to parse the message, resulting in incorrect log entry or warning.

Workaround:
Change syslog destination format to use RFC3164, which does not include microsecond resolution in timestamp fields.

Fix:
The timestamp field is now formatted correctly for microseconds and seconds values. Seconds now correctly increment when microseconds equal 1,000,000.

671935-2 : Possible ephemeral port reuse.

Solution Article: K64461712

Component: Local Traffic Manager

Symptoms:
When selecting server-side source ports, the BIG-IP system favors ephemeral ports in the upper range.

Conditions:
Source ports, different from the client side, may be reselected. This is always the case when the virtual server's 'source-port change' option is enabled.

Impact:
If server connections are in the TIME_WAIT state and connection recycling is not configured, the server might reset the connection, reusing ports.

Workaround:
Disable the virtual server's 'source-port change' option to use the same source port as the connecting client.

Fix:
Now, even when the virtual server's 'source-port change' option is enabled, the system uses the same source port as the connecting client.

671920-1 : Accessing SNMP over IPv6 on non-default route domains

Component: TMOS

Symptoms:
The SNMP daemon cannot send traps to a non-default route domain destination. However, it can respond to SNMP requests over from a client that is accessed through a non-default route domain path for IPv4. For IPv6 this does not work.

Conditions:
SNMP access over IPv6 on a client accessed through a non-default route domain does not work.

Impact:
Access to SNMP must be through default route domain for IPv6.

Fix:
With this bug fix you can access SNMP from an IPv6 client on a non-default route domain. There is no plan to allow traps to be delivered to destinations on a non-default route domain.

671675-1 : Centralized Management Infrastructure: asm_config_server restart on device group change

Component: Application Security Manager

Symptoms:
If device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group the ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if it returns to the original device group

Conditions:
A device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group.

Impact:
ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if it returns to the original device group

Workaround:
Wait 30 seconds between leaving an ASM enabled device group before joining a different one.

Fix:
Successive changes to ASM sync enabled device group are handled correctly.

671638-4 : TMM crash when load-balancing mptcp traffic

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, TMM may crash while processing mptcp traffic.

Conditions:
TCP profile with mptcp enabled handling mptcp traffic.

Impact:
TMM may crash, leading to a failover event

Fix:
mptcp traffic processed as expected

671627-1 : HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.

Solution Article: K06424790

Component: Access Policy Manager

Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include body. Portal Access adds 'Transfer-Encoding: chunked' header and may add chunked body with empty payload to such responses.

Conditions:
HTTP response without body processed by Portal Access

Impact:
Most browsers ignore invalid 'Transfer-Encoding' header and/or body for responses which must not include body at all. And yet, some traffic validators may refuse to pass invalid responses.

Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.

Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.

671597-1 : Import, export, copy and delete is taking too long on 1000 entries policy

Component: Access Policy Manager

Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.

Conditions:
When access policy has 1000+ entires.

Impact:
Import, export and copy are abandoned or fail due to out of memory condition.

Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.

Fix:
ng_export speed has been improved 5 times
ng_import and ng_profile are working 50 times faster because of avoiding denormalisation and optimisation

ng_export is still should be used from the console.

671326-2 : DNS Cache debug logging might cause tmm to crash.

Solution Article: K81052338

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache debug logging might cause tmm to crash.

Conditions:
This occurs when the following conditions are met:

-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.

Fix:
DNS Cache debug logging no longer causes tmm to crash.

671228-1 : Multiple FQDN ephemeral nodes may be created with autopopulate disabled

Component: Local Traffic Manager

Symptoms:
Multiple FQDN ephemeral nodes may be created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records for the FQDN, and bigd is restarted.

Conditions:
This may occur when:
1. An FQDN node is configured with autopopulate disabled.
2. The DNS server returns multiple address records for the FQDN.
3. There is a pool configured to use the FQDN node.
4. bigd is restarted (such as when the system goes offline or tmm restarts).

Impact:
Multiple FQDN ephemeral nodes may be created unexpectedly.

Workaround:
Configure the FQDN node with autopopulate enabled.

Fix:
Multiple FQDN ephemeral nodes are no longer created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records, and bigd is restarted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

671082-1 : snmpd constantly restarting

Component: TMOS

Symptoms:
sod is restarting snmpd, which also produces a core.
SNMP clients are unable to walk the ifTable.

Conditions:
snmpd takes too long processing a request for the ifTable because there are a large amount of VLANs or VLAN groups configured.

Impact:
SNMP requests will not receive replies while snmpd is restarting.
SNMP clients are not able to walk the ifTable.

Workaround:
None.

Fix:
Significantly reduced the time it takes snmpd to process requests for the ifTable when the number of VLANs or VLAN groups is high.

671052-3 : AFM NAT security RST the traffic with (FW NAT) dst_trans failed

Solution Article: K50324413

Component: Advanced Firewall Manager

Symptoms:
In certain cases, destination translation fails with the following message: reset cause '(FW NAT) dst_trans failed'.

Conditions:
This issue may be seen with Source/Destination translation.

Impact:
Destination translation failure. In most of the cases, TMM restart resolves the issue. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fix addresses a case where one of the fields was not initialized.

670910-2 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined

Component: Access Policy Manager

Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.

Conditions:
This might occur when using the following definition:

<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
<-->xmlns:s="library://ns.adobe.com/flex/spark"
<-->width="100%" height="100%"
<-->minWidth="256" minHeight="64"
<-->creationComplete="initApp()">
<--><s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
<--><--><s:TextInput id="f_output" text="..." width="100%" />
<--><--><fx:Script><![CDATA[
<--><--><-->import flash.external.ExternalInterface;
<--><--><-->private function initApp():void {
<--><--><--><-->f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
<--><--><-->}
<--><-->]]></fx:Script>
<--></s:VGroup>
</s:Application>

Impact:
Flash application malfunction.

Workaround:
None.

Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.

670822-3 : TMM may crash when processing SOCKS data

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash when processing SOCKS data

Conditions:
SOCKS profile enabled

Impact:
TMM crash leading to a failover event

Fix:
TMM now processes SOCKS data as expected

670816-2 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters

Solution Article: K44519487

Component: Local Traffic Manager

Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.

Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.

Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.

Fix:
HTTP/HTTPS/TCP monitor response code for 'last fail reason' no longer contains extraneous trailing characters when the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

670405-4 : K20486351: glibc vulnerability CVE-2017-1000366:

Solution Article: K20486351

670400-3 : SSH Proxy public key authentication can be circumvented in some cases

Component: Advanced Firewall Manager

Symptoms:
SSH Proxy public key authentication might be circumvented in some cases, allowing a user without the appropriate private key in to the back-end end SSH server.

Conditions:
Public key authentication is being used to authenticate users.

Note: This issue affects only public key authentication, so if additional forms of authentication are being used, the additional security that they provide will not be impacted.

Impact:
Unauthorized access.

Workaround:
A suggested workaround is to configure the back-end SSH server to require 2-factor authentication, or 3-factor authentication. This can be done by adding both publickey+password and publickey+keyboard-interactive as Required Authentications in the configuration file for the back-end SSH server.

See the list below of supported client method orders. Also, keep in mind that the back-end server must support all 3 authentication methods (public-key, password, and keyboard-interactive), as an existing constraint of the current SSH proxy functionality.

One cosmetic item to note is that, when multi-factor authentication is used, regardless of the result of the validity check of the public-key, the SSH proxy will report a 'failed' authentication to the client. However, the returned 'failed' code is merely cosmetic: the actual result of the validity check is what is used to determine whether or not the authentication succeeded.

-------
Supported client method orders:

publickey,keyboard-interactive
publickey,password
publickey,keyboard-interactive,password
publickey,password,keyboard-interactive

Any other combination of authentication methods will fail.

Fix:
Implemented stricter error handling in authentication checking.

670011-2 : SSL forward proxy does not create the server certchain when ignoring server certificates

Component: Local Traffic Manager

Symptoms:
Forward proxy not working correctly when the server certificates are ignored. SSL forward proxy does not create the server certchain when ignoring server certificates, this prevents the client side from trusting the server cert and the SSL handshake hangs and fails after timeout.

Conditions:
-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.

Impact:
Client cannot establish SSL connection with server due to SSL handshake always timing out.

Workaround:
None.

Fix:
The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.

669974-1 : Encoding binary data using ASN1::encode may truncate result

Solution Article: K90395411

Component: Local Traffic Manager

Symptoms:
When using ASN1::encode to encode one or more values, and where the encoding of any of these values results in a representation containing a NUL ('\x0') byte, the overall result that is presented to the iRule does not include the entire set of encoded values and is truncated at the first NUL byte.

Conditions:
-- Using ASN1::encode with binary values (e.g., INTEGER).
-- Encoded results contain a NUL ('\x0') byte.

Impact:
Encoding results in the wrong/truncated value.

Workaround:
It is possible to encode the problematic values using an alternative method.

Fix:
ASN1::encode now correctly encodes binary values.

669888-2 : No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96

Component: TMOS

Symptoms:
The BIG-IP does not differentiate between IPv4 addresses (such as 1.2.3.4) and IPv6 addresses in the prefix ::ffff:0:0/96 (such as ::ffff:102:304, also written ::ffff:1.2.3.4). If you enter such an IPv6 address, the equivalent IPv4 address will be rendered and used.

Conditions:
Any attempt to use an IPv6 address in that subnet.

Impact:
The BIG-IP system will operate as if you entered the IPv4 address.

Workaround:
No workaround at this time.

Fix:
The differing addresses now are handled correctly. For most modules, this does not change the functionality at all. AFM is one exception; IPv6 traffic in the ::ffff:0:0/96 subnet will be treated differently than IPv4 traffic.

669818-2 : Higher CPU usage for syslog-ng when a syslog server is down

Component: TMOS

Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.

Conditions:
A remote log server is added but it is not available.

Impact:
Potentially higher than expected CPU usage.

Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.

669510-2 : When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.

Component: Access Policy Manager

Symptoms:
- When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.

Conditions:
- Allow local DNS servers' option is enabled in Network Access configuration.
- Prohibit routing table changes during Network Access connection option is enabled in Network Access configuration.
- Network changes after VPN is established.

Impact:
- Network access tunnel is dropped due to routing table changes.

Workaround:
User needs to connect to VPN again.

669462-1 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition

Component: TMOS

Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/

Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool

Impact:
Unable to use pool-members from /Common/ when outside of /Common/

Workaround:
No workaround at this time.

Fix:
Fixed issue preventing users from using GTM pool-members within /Common/ on GTM Pools outside of /Common/

669364-1 : TMM core when server responds fast with server responses such as 404.

Component: Fraud Protection Services

Symptoms:
TMM core when server responds fast with server responses such as 404.

Conditions:
-- FPS gets a request with a WebSafe URL (usually global URL - declared by signatures update).
-- Server response is fast (based on URL/headers).
-- FPS need to take some action on response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles these conditions without a tmm crash.

669359 : WebSafe might cause connections to hang

Component: Fraud Protection Services

Symptoms:
In a loaded environment, FPS might free a connection context without cleaning up the state.

Conditions:
This occurs in a loaded environment (xoff events present).

Impact:
A connection might stall until abandoned by client.

Workaround:
None.

Fix:
when freeing a connection context, FPS will clear internal egress state.

669341 : Category Lookup by Subject.CN will result in a reset

Component: Access Policy Manager

Symptoms:
Category Lookup Agent is unable to find the Subject.CN, so it initiates an SSL Handshake failure.

==> /var/log/apm <==
crit tmm[11181]: 01790602:2: [C] 10.20.100.1:11980 -> 10.11.10.101:443: (ERR_NOT_FOUND) Error processing URL Classification query from CatEngine

Conditions:
Category Lookup agent configured to use Subject.CN. May also apply if a Category Lookup agent is configured to use SNI, but the client does not send an SNI, resulting in the agent trying to use the Subject.CN.

Impact:
Cannot use Subject.CN as a data source for category lookup agent.

Workaround:
None.

Fix:
The category lookup agent is now able to find the Subject.CN.

669288-3 : Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.

Solution Article: K76152943

Component: TMOS

Symptoms:
From tmsh, running util unix-ls /var/log fails with the following error:

exception: (Failed to canonicalize "/shared/f5optics/images") (util/RealpathHelper.cpp, line 49), continuing...
Data Input Error: /var/log is not an accessible directory for the current mode.

Conditions:
-- A BIG-IP system configured for Appliance mode.
-- Upgrading from a pre-v12.x to v12.x or later.
-- Using a platform that does not have a /shared/f5optics/images directory.

These include the following BIG-IP blades and appliances:
B4400, i4x00, i10x00, i2x00, i7x00, i5x00

Impact:
There is no shell access to the file system when the BIG-IP system is in Appliance mode. This is the intended purpose of Appliance mode. Therefore, unix-* commands are the only way to list directories, and perform other operations specific to the operating system.

Workaround:
To work around this issue, create the /shared/f5optics/images directory. To do so, do the following:

1. Boot the BIG-IP system into single-user mode.

2. Create the directory /shared/f5optics/images with the following command:
mkdir -m 777 -p /shared/f5optics/images.

3. Reboot the BIG-IP system, and allow it to start up normally.

Fix:
The reported exception does not occur, and unix-* commands commands issued in Appliance mode run as expected.

669255-2 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms

Solution Article: K20100613

Component: TMOS

Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:

- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.

Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:

- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade

Impact:
The BIG-IP system operates at a suboptimal performance level.

Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.

Fix:
Performance is no longer degraded on certain platforms when the configuration includes enabled sFlow receivers.

669154-1 : Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.

Component: Access Policy Manager

Symptoms:
Adding new SAML IdP configuration object containing empty attribute values via tmsh may cause tmm to restart.

Conditions:
New SSO SAML configuration contains one or more attribute values containing a session variable, following by another empty value "", for example:

multi-values { "%{session.ad.last.attr.name}" "" }

Note: This is not a valid configuration: empty values must not be provided in the list of SAML attributes.

Impact:
TMM may restart when new configuration is added. Traffic disrupted while tmm restarts.

Workaround:
Remove empty attribute values from configuration.

Fix:
SAML object validation has been improved so that empty SAML SSO object attribute values will no longer be accepted.

669025-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Solution Article: K11425420

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs usually is are the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
There is no workaround at this time.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.

668883 : FQDN pool member status may become out-of-sync when enabled/disabled through GUI

Component: Local Traffic Manager

Symptoms:
After toggling enable/disable on an FQDN pool member through the GUI, an FQDN pool member status may become 'out-of-sync', and the pool member might process connections opposite to its status. Specifically: 'disabled' might accept connections, and 'enabled' might not accept connections. In this state, the FQDN pool member appears to be exactly 'one-message-behind' for an enable/disable status change made in the GUI.

The FQDN pool member status for enabled/disabled is always correctly displayed in the GUI and in tmsh, and behavior is correctly restored after a system reboot. Other pool members are unaffected.

Conditions:
-- BIG-IP systems configured for high availability (HA).
-- At least three members within an FQDN pool.
-- Use the GUI to toggle enable/disable state on a FQDN pool member.

Impact:
The FQDN pool member does not correctly participate in receiving connections to the pool when in this error state. Other pool members remain unaffected.

Workaround:
Change FQDN pool to statically assign members.

Fix:
Toggling FQDN pool member between 'enable/disable' correctly changes that member's participation for accepting connections within its parent pool. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

668802-3 : GTM link graphs fail to display in the GUI

Solution Article: K83392557

Component: Local Traffic Manager

Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.

statsd reports an error in /var/log/ltm

err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
-- Trying to view the GTM link graphs in the GUI.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
The GTM graphs are available as expected.

668623-5 : macOS Edge client fails to detect correct system language for regions other than USA

Solution Article: K85991425

Component: Access Policy Manager

Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.

Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).

Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.

Workaround:
Run one of the following command on the Terminal and re-launch Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Customization of the following items for Edge client now correctly reflect the region's language selection.

-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.

668522-1 : bigd might try to read from a file descriptor that is not ready for read

Component: Local Traffic Manager

Symptoms:
The bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).

Impact:
The bigd process might consume excessive CPU resources for for various amounts of time.

Single monitor probes might fail. Depending upon the timing of these failures, it might be possible to see monitor flapping when multiple probes for a specific monitored object happen to fail.

Workaround:
None.

Fix:
An issue was resolved where the bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.

668521-2 : Bigd might stall while waiting for an external monitor process to exit

Component: Local Traffic Manager

Symptoms:
The bigd process restarts due to a hearbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.)

High system load makes this more likely to occur.

Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.

Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.

Fix:
bigd no longer stalls while waiting for an external monitor process to exit.

668503-3 : Edge Client fails to reconnect to VS after disabling Network Adapter

Component: Access Policy Manager

Symptoms:
Connect to an APM Virtual Server
Disable Network Adapter
Enable the Network Adapter
Edge Client fails to reconnect

Conditions:
Network Adapter is disabled and re-enabled

Impact:
EdgeClient does not re-establish VPN when Network Adapter is re-enabled.

Workaround:
Disconnect and Connect EdgeClient

Fix:
- Fixed setting the timer when we fail to add ephemeral route.
- Suspend/Resume timer based on the timer flags instead of the ephemeral route list.
- Resume timer even if we fail to remove ephemeral route. Otherwise, start and check connections remain suspended indefinitely.

668501-2 : HTTP2 does not handle some URIs correctly

Component: Local Traffic Manager

Symptoms:
Under some circumstances, the HTTP2 filter does not properly parse URIs

Conditions:
HTTP2 enabled

Impact:
TMM may crash, leading to a failover event

Fix:
HTTP2 correctly parses URIs

668419-1 : ClientHello sent in multiple packets results in TCP connection close

Solution Article: K53322151

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system receives ClientHello messages in multiple fragments, and the first fragment length is smaller than 8 bytes, SSL might process it as a non-SSL packet.

Conditions:
-- The system receives ClientHello messages in multiple fragments.
-- The first fragment length is smaller than 8 bytes.

Impact:
SSL might process the first fragment as a non-SSL packet, and discard it, and then tear down the TCP connection.

Workaround:
None.

Fix:
Now, if the system receives the ClientHello message in multiple fragments, and the first fragment is smaller than 8 bytes, the system waits for the whole SSL packet to arrive before processing it.

668352-2 : High Speed Logging unbalance in log distribution for multiple pool destination.

Component: TMOS

Symptoms:
Remote High Speed Logging may send logs in an imbalance when configured to use multiple logging pools.
The imbalance may occur if the logging destination remained idle for a while (no logs sent) after initial configuration.

Conditions:
-- Remote High Speed Logging destination configured with multiple pools.
-- The logging destination idle after initial configuration for more than 5 seconds.

Impact:
-- Log distribution imbalance.

Workaround:
There is no workaround at this time.

Fix:
Logs distributed equally on destination pools.

668252-2 : TMM crash in PEM_DIAMETER component

Solution Article: K22784428

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when the route to PCRF is lost.

Conditions:
-- PEM establishes connection with the diameter endpoint (Gx / Gy).
-- The route to the diameter endpoint is lost (interface down / route deleted).

Impact:
TMM diameter module tries to communicate, does not handle the error, and crashes. Module reboot. Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Ensure that the network interface configuration routing diameter packet is not manually brought down.

No workaround for externally triggered failures.

Fix:
The system now handles connections established with the diameter endpoint when the route to PCRF is lost.

668184-1 : Huge values are shown in the AVR statistics for ASM violations

Component: Application Security Manager

Symptoms:
Huge values are shown in the AVR statistics for ASM violations.

Conditions:
Out-of memory-condition in the ASM. Some other extreme conditions might also cause this behavior.

Impact:
ASM violation numbers are incorrectly reported.

Workaround:
None.

Fix:
An issue with bd sending wrong numbers to AVR was fixed.

668181-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

668129-1 : BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.

Component: Access Policy Manager

Symptoms:
Certain SAML implementations support configuration of multiple signing certificates to be used for signing SAML messages. In these deployments different signing certificates could be used when certificate rotation takes place. Until now BIG-IP as SP only supported single signing certificate from external IdPs.
When certificate rotation happens on external IdP, BIG-IP signing verification certificates have to be updated.

Conditions:
External IdP advertises multiple signing certificates in SAML metadata.

Impact:
When external IdP starts using new signing certificate previously advertised in metadata, authentication on BIG-IP as SAML SP will fail until administrator adjusts configuration to specify new signature validation certificate on appropriate SAML IdP connector object.

Workaround:
Signing certificates on BIG-IP as SAML SP can be reconfigured manually.

Fix:
BIG-IP as SP now supports multiple signing certificates advertised by external identity providers.

668048-1 : TMM memory leak when manually enabling/disabling pool member used as HSL destination

Solution Article: K02551403

Component: TMOS

Symptoms:
High Speed Logging fails to free an allocated cache memory resulting in memory leak. A small linear increase in mds_btree_nodes memory utilization may occur.

Conditions:
- Remote High Speed Logging configured.
- Server-side connections dropped or closed. OR
- High Speed Logging pool members removed.

Impact:
Increase in mds_btree_nodes memory utilization.

Workaround:
There is no workaround at this time.

Fix:
High Speed Logging frees allocated memory correctly.

667922 : Alternative unicode encoding in JSON objects not being parsed correctly

Solution Article: K44692860

Component: Application Security Manager

Symptoms:
JSON content might be blocked when unicode encoding is used in one of the JSON nodes.

Conditions:
Configured ASM Policy with JSON profile.

Impact:
False positive blocked request.

Workaround:
Disable metachars checks in JSON profile.

Fix:
The JSON parser now handles unicode sequences correctly.

667892-2 : FPS: BLFN inheritance won't take effect until GUI refresh

Component: Fraud Protection Services

Symptoms:
1. Create fps profile with a "Additional function to be run before JavaScript load" (BLFN) configured.
2. Clone this profile.
3. In the cloned profile choose another profile to defaults from (where there is no BLFN).
4. Save configuration.

Conditions:
- Current profile has a BLFN configured.
- New parent profile has no BLFN.

Impact:
The original BLFN is still configured on the profile (should have inherited the empty BLFN from parent profile).

Workaround:
1. Use tmsh.
2. Refresh before save.

Fix:
Correct BLFN inheritance logic in GUI.

667872-1 : Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports

Component: Fraud Protection Services

Symptoms:
'Apply cookies to base domain' feature doesn't work for non standard ports.

Conditions:
'Apply cookies to base domain' is enabled and
connection is over non-standard ports (not 80, 443, etc.).

Impact:
Cookies won't be applied to base domain, thus WebSafe functionality will be broken and missing cookie alerts will be sent.

Workaround:
Use only standard ports.

Fix:
FPS now correctly parses base-domain, including port (if exists).

667560-3 : FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed

Component: Local Traffic Manager

Symptoms:
A pool member configured through an FQDN node and which has multiple associated monitors may become unknown (blue) after a monitor rule change to one of its associated monitors. The expected behavior is that the node should remain 'green' if monitoring is successful with the new rule, but the node may become unknown (blue) until bigd is restarted.

Conditions:
A pool member is configured through an FQDN node, and has multiple associated monitors, and a monitor rule change is made to one of the associated monitors.

Impact:
The pool member status correctly reflects whether monitoring is successful (green) or the pool member is unknown (blue), but the changed monitor rule may not take effect until bigd is restarted.

Workaround:
When making changes to a monitor rule associated with a pool member configured through FQDN, verify the node remains monitored (green or checking), or restart bigd. Alternatively, change monitor rules within the configuration file, and reload the configuration.

Fix:
Pool members configured through FQDN nodes and with multiple associated monitors continue to be monitored after a monitor rule change to one of the associated monitors. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

667469-1 : Higher than expected CPU usage when using DNS Cache

Solution Article: K35324588

Component: Global Traffic Manager (DNS)

Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.

Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.

Impact:
Higher than expected CPU usage.

Workaround:
No workaround at this time.

Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.

667405-2 : Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.

Solution Article: K61251939

Component: TMOS

Symptoms:
When the BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets, memory leaks may occur in the TMM.

Conditions:
The BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets.

Impact:
Memory leak in the TMM.

Workaround:
None.

Fix:
No memory leak in the TMM.

667404-2 : Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts

Solution Article: K77576404

Component: TMOS

Symptoms:
If fragmented IP packets match an IPsec policy, then get forwarded to another tmm for actual processing, the flow lookup might accidentally grab a stale flow_key for another connflow, including internal MCP flows. When that happens, if IPsec does tunnel those flows, internal MCP heartbeats later miss and cause tmm restarts.

Conditions:
-- Packet fragmentation.
-- Packets are serviced by IPsec due to a matching policy for those packets.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
You can prevent this using either of the following methods:
-- If you can, arrange that fragmented packets are re-assembled before reaching IPsec policy handling.
-- Modify MTU configuration so fragmentation does not happen.

Note: There is no mitigation when fragmented packets reach IPsec and need forwarding from one tmm to another.

Fix:
Now fragmented packets are handled correctly, and other flows cannot experience interference.

667318-3 : BIG-IP DNS/GTM link graphs fail to display in the GUI.

Component: Local Traffic Manager

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
BIG-IP DNS/GTM link graphs are now available in the GUI.

667304-1 : Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled

Solution Article: K68108551

Component: Access Policy Manager

Symptoms:
'Save Password' checkbox is shown even if the feature is not enabled.

Conditions:
-- APM end user tries to authenticate to APM/BIG-IP Server.
-- 'Save Password' is not enabled.

Impact:
APM end user receives the login page with 'Save Password' checkbox. Checking the box has no effect unless 'Save Password' is enabled.

Workaround:
None.

Fix:
'Save Password' checkbox is not shown unless the feature is enabled.

667278-3 : DSC connections between BIG-IP units may fail to establish

Component: TMOS

Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:

-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).

While the unit at the other end of the connection will log messages similar to the following example:

-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed

Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).

Impact:
Config-Sync and device discovery operations will fail between affected units.

Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).

Fix:
Config-Sync and device discovery operations no longer fail.

667148-1 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition

Solution Article: K02500042

Component: TMOS

Symptoms:
GTM configuration fails to load.

Conditions:
GTM config referencing non-/Common partition objects from /Common.

Impact:
GTM configuration fails to load, which may keep a system from becoming active

Workaround:
No workaround.

Fix:
Fixed issue preventing GTM configurations from loading when non-Common partitioned items present.

667138-1 : LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"★

Component: TMOS

Symptoms:
After upgrade from 10.2.4 to 12.1.2, full config load fails.

Conditions:
The pre-upgrade version must be 10.2.4 and the pre-upgrade config must have user-defined partitions.

Impact:
After upgrade, if changes are made to the running config (in memory; not on disk), then the config files on disk from upgrade cannot be restored.

Workaround:
10.2.4 config on upgrade is stored at /config/bigpipe/. So, a workaround is to load defaults, then merge the original config using bigpipe.

/usr/libexec/bigpipe merge /config/bigpipe/*.conf

Fix:
Full load after upgrade from 10.2.4 now succeeds.

667028-1 : DNS Express does not run on i11000 platforms with htsplit disabled.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm processes enter a restart loop when trying to run DNS Express (DNSX) on i11000 platforms with htsplit disabled.

Conditions:
-- i11000 platform.
-- htsplit disabled (sys db scheduler.splitplanes.ltm set to false).
-- Trying to run DNSX.

Impact:
tmm processes enter a restart loop. In this condition, DNSX does not run, though other DNS functions are unaffected.

Workaround:
Enable htsplit using the following command:

modify sys db scheduler.splitplanes.ltm value true

Fix:
tmm no longer cores under these conditions. However, you cannot use DNSX with htsplit disabled; htsplit must be enabled.

Note: DNSX works as expected with htsplit enabled, both before and after the fix.

666986-2 : Filter by Support ID is not working in Request Log

Solution Article: K50320144

Component: Application Security Manager

Symptoms:
In some cases the Support ID of a request might be shorter than 19 digits. In this case filter by Support ID does not work in Request Logs.

Conditions:
-- Support ID is shorter than 19 digits.
-- Trying to filter by Support ID.

Impact:
Filter by Support ID is not displayed in filter bar and does not affect the list.

Workaround:
You can try to filter by last 4 digits of Support ID. Although that does not replace filter by Support ID functionality, it might help.

Fix:
Filter by Support ID works for any length but 4 digits (in this case search uses the last 4 digits; also a 4-digit Support ID is not a realistic occurrence).

666790-2 : Use HSB HiGig MAC reset to recover both FCS errors and link instability

Solution Article: K06619044

Component: TMOS

Symptoms:
In addition to HiGig Link instability, FCS errors can be seen on internal switch and HSB Higig link. This is likely some PHY-related issues and can cause instability in communication links.

One symptom associated with this might be that a blade cannot become active and join the cluster.

Conditions:
FCS errors reported in tmm/hsbe2_internal_lbb_hgm. Traffic failure observed on some VIPs or self IPs.

Impact:
Link unstable, frame loss.
TMOS MPI and CDP packet loss and internal blade communication issues.

HSB lockup and accumulated FCS errors observed from stats and log.

Workaround:
A switch port reset might be used to recover this failure. Note, however: that procedure might cause potential HSB lockups.

Fix:
FCS errors and link instability no longer occur.

666689-1 : Occasional "profile not found" errors following activate access policy

Component: Access Policy Manager

Symptoms:
Immediately following the applying of a modified access policy it is possible for some profiles to disappear.
It is transient and within a minute or two the profiles are available again.

Conditions:
Clicking "apply access policy" in the GUI or using tmsh to increment snapshot ids will clear the list of profiles and policies and then rebuild those lists. Authentication requests using profiles or policies not yet rebuilt returned the "profile not found" error.

Impact:
Some authentication attempts fail while the lists get rebuilt.
Retrying the authentication a minute or two later succeeds.

Workaround:
Retry the authentication.

Fix:
Applying Access Policies in APM is improved to avoid a short dead time between when the old policies are removed and the new policies are activated.

666454-2 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update

Solution Article: K05520115

Component: Access Policy Manager

Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.

Edge client's svpn.log shows an error entry similar to
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.

Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in full tunneling configuration
3) Mac OS X version is v10.12.5.

Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.

Impact:
VPN connection will fail.

Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.

666315 : Global SNAT sets TTL to 255 instead of decrementing

Component: Local Traffic Manager

Symptoms:
Global SNAT sets the TTL to 255 instead of decrementing.

Conditions:
Global SNAT configured.

Impact:
Possible routing loop.

Workaround:
No workaround.

Fix:
TTL for global SNAT now gets decremented.

666160-1 : L7 Policy reconfiguration causes a slow memory leak

Solution Article: K63132146

Component: Local Traffic Manager

Symptoms:
When a virtual server with a L7 policy is reconfigured, a small amount of memory is leaked.

Conditions:
A virtual server with L7 policies has a configuration change.

Impact:
The memory leak will reduce the amount of resources for the TMM.

Workaround:
None.

Fix:
L7 Policies no longer leak memory when a virtual server using them is reconfigured.

666058-2 : XenApp 6.5 published icons are not displayed on APM Webtop

Solution Article: K86091857

Component: Access Policy Manager

Symptoms:
While publishing XenApp 6.5 resources through APM Webtop, some applications are not displaying the icons correctly.

VDI Error logs are seen as follows:
failed to handle '/f5vdi/citrix/icon/': Incorrect bitmap size"

Conditions:
-- XenApp 6.5 is used with their rollup hotfix 6 or 7.
-- Some of the third-party applications more icon bitmap information than expected.

Impact:
Icons are not displayed on the APM Webtop

Workaround:
None.

Fix:
Now APM Webtop correctly displays Citrix XenApp icons correctly regardless of the size of the bitmap data.

666032-3 : Secure renegotiation is set while data is not available.

Solution Article: K05145506

Component: Local Traffic Manager

Symptoms:
Secure renegotiation is set while data is not available, which causes a crash in certain connections.

Conditions:
This occurs when handling SSL secure renegotiation in certain connections.

Impact:
Crashes happen to certain SSL connections.

Workaround:
None.

Fix:
Secure renegotiation is set while data is not available no longer causes a crash in certain connections.

665924-1 : The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios

Solution Article: K24847056

Component: Local Traffic Manager

Symptoms:
A TMM crash caused by a double-free of memory within the HTTP2 and SPDY filters. This crash could occur in other TMM sub-systems unrelated to HTTP2 or SPDY.

Conditions:
The HTTP2 or SPDY filter is used, together with many other TMM modules. This situation is difficult to trigger.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP2 and SPDY filters will no longer double-free memory in rare situations.

665905 : Signature System corruption from specific ASU prevents ASU load after upgrade

Solution Article: K83305000

Component: Application Security Manager

Symptoms:
After loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im" on 11.5.4 HF2 (or later) and upgrading to certain software versions, attempts to perform Signature Update fail.

Conditions:
-- Loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im".
-- Using v11.5.4 HF2 (or later).
-- Upgrading the device to 11.6.1, 12.1.0, 12.1.1, or 12.1.2.

Impact:
Attempts to perform Signature Update fail.

Workaround:
The mistaken Signature System can be deleted using the following SQL:

----------------------------------------------------------------------
UPDATE PLC.NEGSIG_SIGNATURE_SYSTEMS set system_id = 14 where system_id = (select system_id FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache');
DELETE FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache';
----------------------------------------------------------------------

Fix:
Database corruption introduced by loading Attack Signature Update 'ASM-SignatureFile_20170403_145743.im' is now corrected upon upgrade.

665778-1 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

Solution Article: K34503519

Component: iApp Technology

Symptoms:
Non-admin BIG-IP users cannot view deployed iApps, so they cannot redeploy the iApp. The system presents an error and does not allow access to the component view or the reconfiguration view. The error shown is 'An error has occurred while trying to process your request.'

Conditions:
-- Login to the BIG-IP system as a non-admin.
-- Try to view components or reconfigure iApps.

Impact:
Cannot view/re-deploy iApps.

Workaround:
Use TMSH to view/re-deploy iApps.

There are two TMUI workarounds to view/re-deploy iApps. Once you employ one of the workarounds, a Manager user can reconfigure the iApp successfully.

Note: After successful submission, the system posts the error described, and the Manager still cannot access the Component list or iApps editing screens.

-- Click on 'app_name' link anywhere in the system where iApp-related objects are listed. For example, if the iApp created a virtual server, click the Application column link on the 'Local Traffic :: Virtual Servers : Virtual Server List' page.

-- Have an Admin user provide the direct link to app. To do so, perform the following procedure:
1. Login as Admin to the BIG-IP system.
2. Navigate to iApps :: Application Services : Applications :: <app_name>.
3. Get the direct link to the app reconfigure page by hovering over the Settings icon and then clicking 'Direct link to this page'. Note: This link will work as long as 'app_name' and template name have not been modified. The URL appears similar to the following:
https://10.10.10.10/tmui/Control/jspmap/tmui/application/reenter.jsp?mode=app&name=/ptn1/abcd.app/abcd&template_name=/Common/f5.microsoft_exchange_2010_2013_cas.v1.6.1
4. Logout as Admin and login as Manager.
5. Paste the app direct link in the browser's address bar and press Enter.

Fix:
Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

665732-2 : FastHTTP may crash when receiving a fragmented IP packet

Solution Article: K45001711

Component: Local Traffic Manager

Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.

Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.

Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.

Fix:
Force packet reassembly before packet is forwarded to a FastHTTP virtual.

665656-1 : BWC with iSession may memory leak

Component: TMOS

Symptoms:
A memory leak may occur when BWC is configured with iSession.

Conditions:
-- BWC is configured with iSession.
-- The BWC policy is removed or reset.

Impact:
A memory leak.

Workaround:
None.

Fix:
The memory leak is prevented when BWC and iSession are configured together and a BWC policy is removed or reset.

665416-3 : Old versions of APM configuration snapshots need to be reaped more aggressively if not used

Component: Access Policy Manager

Symptoms:
Currently, it takes 24 hrs for old versions of APM config snapshots that are not being used to time out and to release the memory. If access profiles are complex and are updated frequently within 24 hrs, memory resource is likely to be exhausted.

Conditions:
If access profiles are updated frequently within 24 hrs and each version of the configuration snapshot contains many variables.

Impact:
TMM may run out of memory and crash, causing service interruption.

Workaround:
None.

Fix:
Per-session access policy snapshots are now deleted after 60 minutes instead of 24 hours.

665354-2 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.

If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.

Important: A device Return Materials Authorization (RMA) will not prevent this issue.

Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.

665347-2 : GTM listener object cannot be created via tmsh while in non-Common partition

Solution Article: K17060443

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use tmsh to create a GTM listener in a non-Common partition.

Conditions:
-- In a non-Common partition.
-- Create a listener using a command similar to the following:
(/Common/newpart)(tmos)# create gtm listener new address 10.2.2.2

Impact:
The listener will not be created. The system outputs an error similar to the following:
01020036:3: The requested profile (/Common/newpart/udp_gtm_dns) was not found.

Workaround:
None.

Fix:
GTM Listener parser now correctly handles validation and selections of profiles for GTM listeners.

665330-1 : MSIE 11 should avoid compatibility mode

Component: Access Policy Manager

Symptoms:
MSIE 11 in compatibility mode is causing JS errors because MSIE 7-9 are not good in javascript.

Conditions:
APM Client and MSIE 11 forced to compartibility mode.

Impact:
Certain pages on client UI are not being rendered or being rendered with errors.

Workaround:
Don't push MSIE 11 to compatibility mode with APM
Use browsers that are good with javascript.

Fix:
We've added meta that sets MSIE in native mode. Although group policy in domain still can overwrite it, for most use cases it's enough.

665022-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
Packet length exceeds rateshaper's configured max ceiling.

Impact:
The flow stalls.

Workaround:
Increase the configured rateshaper's max ceiling value to be larger than the largest packet length.

Fix:
Rateshaper no longer stalls when TSO packet length exceeds max ceiling.

664930-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

664894-1 : PEM sessions lost when new blade is inserted in chassis

Solution Article: K11070206

Component: TMOS

Symptoms:
Inserting a blade into a chassis that is using high availability (HA) is configured for 'between clusters' can cause data loss in the SessionDB. This includes iRule table command as well as entries stored in the SessionDB from modules.

Conditions:
HA in use 'between clusters'.

Impact:
Data loss of some SessionDB entries.

Workaround:
In order to cleanly add a blade, put the setting from 'between clusters' to 'within cluster'; then add the new blade(s) to both clusters. Wait 60 seconds, then restore the HA connection to 'between clusters'

Fix:
PEM sessions are now retained when new blade is inserted in chassis when using 'between clusters'.

664829-1 : BIG-IP sometimes performs unnecessary reboot on first boot

Component: TMOS

Symptoms:
Some versions of the BIG-IP Virtual Edition (VE) software incorrectly determine that the size of its disk has changed, and re-sizes the partition table and causes a reboot to occur. This is likely to occur only on VE guests.

Conditions:
-- First boot of VE.
-- Software version that exhibits this issue.

Note: A specific software version for a specific cloud environment either always exhibit this, or never does.

Impact:
Additional, unnecessary minor filesystem size adjustment and additional time for a reboot to occur.

Workaround:
None.

Fix:
An additional, unnecessary reboot of a BIG-IP Virtual Edition during its first boot-up should no longer occur.

664769-1 : TMM may restart when using SOCKS profile and an iRule

Solution Article: K33637041

Component: Local Traffic Manager

Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.

Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.

Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.

Fix:
TMM no longer crashes when using SOCKS profile and serverside iRule parks.

664708-2 : TMM memory leak when DoS profile is attached to VS

Component: Advanced Firewall Manager

Symptoms:
TMM memory leak when DoS profile is attached to VS

Conditions:
1. have DoS profile
2. traffic from search engine is coming to this VS
3. DNS resolver is configured

Impact:
TMM memory use increases over time.

Workaround:
There is no workaround at this time.

Fix:
Free memory periodically.

664535-1 : Diameter failure: load balancing fails when all pool members use same IP Address

Component: Service Provider

Symptoms:
Case1: Run 2 Servers with same IP but different ports. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server. Same result when use-local-connection is disabled.

Case2: Run 2 Servers with same IP but different ports but this time use MR::message route iRule command to route messages between hosts. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server.

Conditions:
Load balancing scenario with single client and two pool members. The servers use same IP, different ports.

Impact:
All the requests from the same client are delivered to 1 server only.

Workaround:
Use different IP address in the pool member. Or use different IP address as the client request.

Fix:
Load balancing scenario with single client and two pool members now completes successfully even when all pool members use same IP Address.

664507-3 : When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration

Component: Access Policy Manager

Symptoms:
IdP-connector automation removes certificate reference when update to metadata file is detected, and metadata file contains multiple signing certificates

Conditions:
- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata.
- Remotely published SAML metadata contains multiple signing certificates.
- Remotely published SAML metadata is periodically updated.

Impact:
Certificate reference to remotely published metadata is removed from local configuration (saml-idp-connector object). As a result, assertions generated by external IdP will not be accepted until proper certificate is configured on saml-idp-connector object again.

Workaround:
When remote metadata is changed, manually update certificate reference on saml-idp-connector object.

Fix:
When changes to remotely published SAML metadata are detected by IdP-connector automation, certificate is no longer removed from saml-idp-connector object.

664461-3 : Replacing HTTP payload can cause tmm restart

Solution Article: K16804728

Component: Local Traffic Manager

Symptoms:
Under certain conditions, using the [ HTTP::payload replace ... ] iRule can result in the tmm restarting.

Conditions:
Occurs when server response is non-chunked, does not contain a Content-Length header, an iRule adds a Content-Length header and performs an HTTP::payload replace command where the length is shorter than the original body length.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP::payload replace command no longer causes tmm restarts under certain conditions.

664063-1 : Azure displays failure for deployment of BIG-IP from a Resource Manager template

Solution Article: K03203976

Component: TMOS

Symptoms:
When deploying BIG-IP images through Azure Resource Manager or Marketplace Solution templates, the Azure portal will never display success. A timeout will eventually occur and the deployment will appear to have failed.

Conditions:
Deployment from an Azure Resource Manager or Solution template, including the BIG-IP WAF Solution from the Azure Security Center.

Impact:
A successful deployment will appear to have failed when monitoring the status in the Azure portal.

Workaround:
None.

Fix:
Deployments of BIG-IP from Azure Resource Manager or Marketplace Solution templates, or the BIG-IP WAF Solution from the Azure Security Center, now show the correct deployment status.

664057-2 : Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached

Component: TMOS

Symptoms:
Upgrades from pre-12.0.0 to 12.0.0 or beyond would delete WideIPs without pools attached even if they had an iRule attached.

Conditions:
Pre-12.0.0 configuration with an WideIP without any pools, but with an iRule.

Impact:
Some or all of a post-upgrade "GSLB-typed" wideip would be lost during the upgrade process.

Workaround:
Manually add missing WideIPs after upgrade.

Fix:
Fixed issue that could delete certain types of GTM WideIPs after an upgrade from a pre-12.0.0 version to a post 12.0.0 version.

664017-3 : OCSP may reject valid responses

Component: TMOS

Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:

OCSP response: got EOF

Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.

Impact:
Valid OCSP responses may be rejected.

Workaround:
None.

Fix:
These responses are now accepted.

663974-2 : TMM crash when using LSN inbound connections

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using an LSN pool with inbound connections.

Conditions:
LSN inbound connections configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when using an LSN pool with inbound connections.

663821-3 : SNAT Stats may not include port FTP traffic

Solution Article: K41344010

Component: Local Traffic Manager

Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).

Conditions:
-- SNAT is configured.
-- FTP connections transverse the SNAT.

Impact:
Stats are not incremented in tmsh or GUI

Workaround:
None.

Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.

663580-1 : logrotate does not automatically run when /var/log reaches 90% usage

Solution Article: K31981624

Component: TMOS

Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.

Conditions:
/var/log has less than 10% free space.

Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.

Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a desription for expected behavior.

Workaround:
None.

Fix:
The alertd daemon now correctly recognizes the log message from diskmonitor to initiate logrotate.

663535-1 : Sending ASM cookies with "secure" attribute even without client-ssl profile

Component: Application Security Manager

Symptoms:
ASM cookies can be set with "secure" attribute on when BIG-IP works on SSL profile.

Conditions:
Enabling ASM, network to BIG-IP without client-ssl.

Impact:
When working with encrypted network in the client side but clear network in the ASM virtual, cookies cannot be set with "secure" attributes.

Workaround:
There is no workaround at this time.

Fix:
Added an internal parameter "assume_https", to decide always setting the "secure" attribute, even when the BIG-IP network is clear.

663521-2 : Intermittent dropping of multicast packets on certain BIG-IP platforms

Component: TMOS

Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.

Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.

Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.

Impact:
Dropped multicast packets, possibly impacting multicast protocols.

Workaround:
None.

Behavior Change:
Under certain high traffic conditions, multicast and broadcast packets will no longer be dropped.

663506-7 : apmd crash during ldap cache initialization

Solution Article: K30533350

Component: Access Policy Manager

Symptoms:
apmd crashes.

Conditions:
- LDAP module is in use in an access policy,
- APM end-users are logging in, while administrator modifies AAA LDAP Server or LDAP Agent,
- Cache update takes a while (too many groups in domain and/or slow network).

Impact:
BIG-IP cannot process user logon request, until apmd is restarted and LDAP cache is updated

Workaround:
The best practice is to update policy/AAA LDAP Server when BIG-IP is not under load. Then make one logon manually. apmd updates caches on first APM end-user's logon. Once caches update, all the further logons should happen much faster and should not cause any problems

Fix:
APMD now handles the generation of LDAP Query / AD Query nested group cache correctly during high authentication load.

663366-3 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.

Component: TMOS

Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.

Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.

Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the driver shutdown code to prevent SEGV during TMM panic.

663333-1 : TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high

Component: Carrier-Grade NAT

Symptoms:
TMM may core while trying to allocate a new block

Conditions:
If LSN pool is under provisioned OR if the utilization is high, TMM may need to send MPI messages to other TMMs to search for other blocks. The TMM may core if these operations time out

Impact:
Traffic disrupted while tmm restarts.

663326-2 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys

Component: Local Traffic Manager

Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.

Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.

Impact:
Even the key has been stored in HSM, the BIG-IP is still unable to use it because of its lacking stub key to be configured on the BIG-IP system.

Workaround:
This can be worked around by directly using the Thales command, for example:

[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha1] >

Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.

663127-1 : Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.

Component: Access Policy Manager

Symptoms:
Symptom will show as an error log in /var/log/apm similar to the one below:

Internal error processing sso config /Common/idp_obj_name
sso_tmconf_string_parse_list

When this error message is logged, subsequent authentication attempt using this BIG-IP as IdP object will fail.

Conditions:
SAML Identity Provider configuration is invalid: attribute contains empty value(s), for example:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { "" user@f5.com }
            name User.Email
        }
    }

Impact:
Authentication will fail for users using affected SAML IdP object.

Workaround:
Manually edit bigip.conf configuration fail and remove empty value(s) in SAML attribute, e.g.:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { user@f5.com }
            name User.Email
        }
    }

Fix:
Empty values in SAML attributes will no longer be accepted by validation logic.

663073-1 : GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Component: Global Traffic Manager (DNS)

Symptoms:
GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Conditions:
When adding a pool member via the combo box, if you click the arrow to expand the dropdown list and select a member by clicking on it, that member name is added to the text box.

If you then mouse over other members in the dropdown list, and then click the Add button, the system adds the selected member to the list, but also removes the wrong member from the combo box: more specifically, it removes the member that was last highlighted by the mouse over.

Impact:
Available pool members might be potentially lost from the combo box until a page reload.

Note: The pool members are not gone from the system; they are still present, just not displayed.

Workaround:
Either use TMSH or place the mouse cursor away from the combo box, and use the text box to narrow down the content in the dropdown list. Then use the arrow keys and the Enter key to select the desired pool member.

Fix:
Changed the behavior of the combo box when a member is selected by clicking on it in the dropdown list. Adding a selected pool member as described above will cause the combo box to correctly remove that pool member from the combo box.

663063-2 : Disabling pool member used in busy HSL TCP destination can result service disruption.

Component: TMOS

Symptoms:
Manually disabling an otherwise available pool member from a pool used as HSL TCP destination can result in tmm crash and service disruption.

This is more likely to occur when HSL destination is using 'balanced' distribution.

Conditions:
-- Busy HSL destination configured with TCP protocol, balanced distribution, and using pool.
-- Manually disabling a pool member.

Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.

Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.

Fix:
TMM crash no longer occurs when HSL TCP pool member with pending connection is manually disabled.

662881-2 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Solution Article: K10443875

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.

662850-2 : Expat XML library vulnerability CVE-2015-2716

Solution Article: K50459349

662844 : TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.

Solution Article: K87735013

Component: Service Provider

Symptoms:
Mirroring for Diameter MRF was not implemented in v12.x.x. However, there is a option that allows the user to enable it. When enabled, tmm crashes.

Conditions:
-- Connection mirroring is enabled for Diameter MRF virtual server's router profile.
-- Using v12.x.x.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Note: Mirroring for Diameter MRF was implemented in v13.0.0. The presence of the option to enable the unimplemented functionality is erroneous.

Workaround:
Do not enable Diameter MRF router profile's connection mirroring setting for v12.x.x.

Fix:
Diameter MRF mirroring for Diameter MR has been implemented beginning with v13.0.0. Enabling this option in v12.x.x results in a tmm crash.

662663-6 : Decryption failure Nitrox platforms in vCMP mode

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, Nitrox devices cannot correctly decrypt records from established SSL sessions

Conditions:
-- Cavium Nitrox PX (VIPRION Blade 2100, 4200, and 4300).
-- vCMP active.
-- Small MTU.

Impact:
SSL connections are terminated unexpectedly.

Workaround:
Increase MSS (maximum segment size).

Fix:
SSL records are now decrypted as expected.

662639-2 : Policy Sync fails when policy object include FIPS key

Component: Access Policy Manager

Symptoms:
Policy sync failed with a vague error:

err mcpd[5597]: 01071600:3: APM PSync: Atom attribute (fips_exported_key) data type (blob) in class (certificate_key_file_object) object name (/Common/fips1.key) blob value is not empty - no handler for blob Object dump: **certificate_key_file_object:/Common/fips1.key ...

Conditions:
-- Sync-only device group configuration.
-- FIPS cards in use.
-- On one device:
   + Create FIPS key and certificate:
     1. Go to System::Certificate Management::Traffic Certificate Management::SSL Certificate List::Create.
     2. For 'Security Type' field of 'Key Properties' section, select 'FIPS'.
   + Create a rewrite profile:
     1. Go to Access Policy :: Portal Access :: Rewrite :: Create New Profile.
     2. Under 'JavaPatcher Settings' select 'Signer' and 'Signer Key' to the one created above (e.g., 'fips1.crt' and 'fips1.key', respectively).
   + Create an access profile.
   + Create a virtual server and attach the access profile and rewrite profile to it.
     (Note: You must also include other dependent settings, such as a connectivity profile.)
3. Start a policy sync from the device.

Impact:
Feature failure for specific configurations.

Workaround:
None.

Fix:
Now APM policy sync succeeds even when policy includes FIPS key.

662364-2 : MRF DIAMETER: IP ToS not passing through with DIAMETER

Component: Service Provider

Symptoms:
IP layer's ToS is not passing through MRF Diameter.

Conditions:
-- The IP ToS bit is received in the clientside connection.
-- ip-tos-to-client is set as pass-through.

Impact:
The ToS from the client does not reach the server.

Workaround:
Use an iRule to preserve the ToS from the client and set it to serverside's connection.

Fix:
The ToS bit that arrives from the clientside connection is able to pass-through with Diameter MRF.

662331-1 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Solution Article: K24331010

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.

Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.

Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.

662281-2 : Inconsistencies in Automatic sync ASM Device Group

Component: Application Security Manager

Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.

This can cause any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.

Impact:
Any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Workaround:
Disable automatic sync on the device group, and periodically push changes manually.

Fix:
Calls are correctly propagated across Automatic sync Device Groups

662085-1 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages

Component: Local Traffic Manager

Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.

Conditions:
Installing large Node.js packages using the TMUI.

Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.

Workaround:
None.

Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.

Fix:
All contents from the workspace filesystem are now shown and are editable from the TMUI.

662022-5 : The URI normalization functionality within the TMM may mishandle some malformed URIs.

Solution Article: K34514540

661881-2 : Memory and performance issues when using certain ASN.1 decoding formats in iRules

Solution Article: K00030614

Component: Local Traffic Manager

Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.

Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.

Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.

Workaround:
None.

Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.

Fix:
Prevented memory leak when using calls to ASN1::decode with "a" or "B" characters in the format string.

661764-2 : It is possible to configure a number of CPUs that exceeds the licensed throughput

Solution Article: K53762147

Component: TMOS

Symptoms:
The system does not prevent you from selecting a number of CPUs that exceeds the license's throughput limit.

Conditions:
Configure a number of CPUs that exceeds the licensed throughput, for example, configuring 4 CPUs on a 2Mbps license on a VE system.

Impact:
Depending on the operations performed, it is possible for tmm to core.

Workaround:
None, other than configuring only the available number of CPUs.

Fix:
The system now detects when a configuration invalid for the license is in use and fails gracefully, presenting an error message explaining the failure.

660711-1 : MCPd might crash when user trying to import a access policy

Solution Article: K05265457

Component: Access Policy Manager

Symptoms:
MCPd restarts during importing an access policy; other daemon might also restart because of MCPd restart.

Conditions:
This occurs when an access policy uses the same agent more than once.
Importing that access policy causes MCPd to crash.

this can happen when you don’t use GUI/VPE to manage access policy but directly modify the config file in exported access policy.

Only use the GUI/VPE to manage access policies.

You should not modify the config file for an exported access policy.

Impact:
MCPd and some other daemons restart. GUI unresponsive for a while.

Workaround:
Only use the GUI/VPE to manage access policies.

You should not modify the config file for an exported access policy.

Fix:
MCP now applies appropriate validation to avoid importing invalid access policies.

660532-2 : Cannot specify the event parameter for redirects on the policy rule screen.

Solution Article: K21050223

Component: TMOS

Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.

System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.

Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.

Impact:
Cannot specify the event parameter.

Workaround:
None.

Fix:
This release has an option for choosing event for redirect action.

660239-3 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

You may see such errors in the http error logs

Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf

Workaround:
There is no workaround at this time.

Fix:
Eliminated invalid header data.

660187-3 : TMM core after intra-chassis failover for some instances of subscriber creation

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The high availability (HA) configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Verify the validity of the AVPs before copying the attributes

660170-1 : tmm may crash at ~75% of VLAN failsafe timeout expiration

Solution Article: K28505910

Component: Local Traffic Manager

Symptoms:
When VLAN failsafe is configured, and the VLAN failsafe timeout is 3/4 expired, tmm wants to generate ICMP traffic to evoke a network response. When this occurs, the system might experience a crash.

Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/ndp traffic for 3/4 of the timeout, 67.5 seconds.
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.

Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).

Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)

Workaround:
1. To allow for VLAN failsafe to be updated for any frame, run the following command with VLAN failsafe enabled, run the following command:
tmsh modify failover.vlanfailsafe.resettimeronanyframe enable

This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.

2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.

Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.

Fix:
Generating ICMP traffic from TMM is no longer exposed to a potential crash in an invalid configuration or a completely quiet network, when generating ICMP traffic to provoke a network response on an expiring timer of VLAN failsafe, assuming the following configuration:

- VLAN failsafe is configured.
- VLAN failsafe expired 3/4 of the configured timeout (e.g., 67.5 seconds of 90 seconds ).

659969-1 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.

659912-1 : GSLB Pool Member Manage page display issues and error message

Component: Global Traffic Manager (DNS)

Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.

Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.

Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.

Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.

Impact:
Degraded usability.

Workaround:
Use TMSH to add a static-target and to edit pool members.

Fix:
Fixed issue with the edit button and issue that prevented adding as a static-target a GSLB pool member that was not part of the GTM config. Now, if static target is enabled, you can type the name of the target without the target being configured on the system.

659899-1 : Rare, intermittent system instability observed in dynamic load-balancing modes

Solution Article: K10589537

Component: Local Traffic Manager

Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.

Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.

Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.

659791-2 : TFO and TLP could produce a core file under specific circumstances

Solution Article: K81137982

659648-2 : LTM Policy rule name migration doesn't properly handle whitespace

Component: Local Traffic Manager

Symptoms:
LTM Policy validation does not allow rule names to begin or end with whitespace characters. When migrating configuration to the next version, the migration process attempts to trim off any leading and trailing whitespace. However, this process does not handle leading and trailing whitespace when such characters occur within a double quoted string.

Conditions:
LTM policy with a rule name that contains leading and/or trailing whitespace characters. These will typically occur within a double-quoted string. Here is an example that one might find in bigip.conf:

ltm policy example1 {
    rules {
        " leading and trailing spaces " {
            ...
        }
        ...
    }

Impact:
Policy rules are migrated incorrectly, then fail validation because there of remaining leading and/or trailing whitespace characters.

Workaround:
Prior to migration, LTM Policy rule name can be renamed to remove leading and trailing whitespace. After a failed migration, bigip.conf can be manually edited to remove offending characters and then the configuration can be manually loaded.

Fix:
LTM Policy migration properly handles whitespace in rule names in a quoted string.

659567-1 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions

Solution Article: K94685557

Component: Policy Enforcement Manager

Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.

Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.

Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.

Workaround:
None.

Fix:
iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions. The commands now consider route domains.

659371-2 : apmd crashes executing iRule policy evaluate

Component: Access Policy Manager

Symptoms:
Following a restart, if apmd executes an iRule policy evaluate before its reinitialization is complete, apmd can crash.

Conditions:
If apmd restarts due to a crash or explicit restart command but tmm remains active, then iRule policy evaluate commands can reach apmd before it completes initialization and it will crash.

Impact:
apmd crashes and restarts, preventing end users from logging in.

Workaround:
NOne.

Fix:
Now APMD has a more robust initialization process to ensure that it does not execute access policies from iRule commands before it is ready.

659057-1 : BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD

Component: TMOS

Symptoms:
The LCD on BIG-IP iSeries appliances must detect whether the system is in IPv4 or IPv6 context before retrieving the gateway from the Host via REST. If two gateways are configured (IPv4 and IPv6) only whichever is first in the list is returned via REST and will be set on the Host.

Conditions:
If two gateways are configured (IPv4 and IPv6).

Impact:
Incorrect gateway retrieval can create bad configs which would impact traffic resulting in failed ping attempts, destination unreachable errors, request timeouts, etc.

Workaround:
No workaround at this time.

Fix:
LCD code now retrieves the correct gateway when switching between IPV4 and IPV6 context.

658989-2 : Memory leak when connection terminates in iRule process

Component: Local Traffic Manager

Symptoms:
Memory leak eventually leading to alloc failure and TMM crash.

Conditions:
Connection is aborted/terminated when iRule processing is suspended for the current connection.

Impact:
Memory leak and eventual TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid suspend/park commands in iRule processing.

Fix:
Memory no longer leaks when connection is aborted/terminated when iRule processing is suspended.

658852-5 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from APM client on Microsoft Windows. Having empty User-Agent headers is not in RFC compliance and forces some firewall to block the connection. This might result in failure to establish a VPN tunnel.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.

Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.

658636-2 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.

Solution Article: K51355172

Component: TMOS

Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct,

Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:

create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon

The system creates the following monitor:

gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"

Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.

Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.

Fix:
When creating LTM or DNS monitors through batch/transaction mode newlines are now properly escaped.

658574-2 : An accelerated flow transmits packets to a stale (incorrect) destination MAC address.

Solution Article: K61847644

Component: TMOS

Symptoms:
An accelerated flow can send to a stale destination MAC address after the ARP packet with the updated MAC address is received.

Warning: disabling auto-lasthop is not enough when they want BIG-IP to use updated destination MAC address.

Conditions:
A flow is accelerated with a destination MAC address that changes while the flow is accelerated.

Impact:
The BIG-IP system sends packets to a stale (incorrect) destination MAC address. In this case, the new MAC address is not updated for the accelerated flow and the flow will continue to send traffic using the original MAC address.

Workaround:
Disable HW acceleration. Prevent the downstream destination MAC address from changing. For example, if the downstream unit is a BIG-IP active/standby configuration, then use MAC masquerading to prevent the MAC address from changing.

658343-2 : AVR tcp-analytics: per-host RTT average may show incorrect values

Solution Article: K33043439

Component: Application Visibility and Reporting

Symptoms:
When viewing the Statistics :: Analytics :: TCP :: RTT, then selecting (in the table below the graph), View By: "Remote Host IP Address", the values presented RTT Avg (ms) may be incorrect (they could even be larger than the RTT Max column).

As values are aggregated through the data tables, the reported rtt average value becomes larger and larger.

Conditions:
AVR is provisioned, and a tcp-analytics profile is attached to a virtual server.

Impact:
The values reported in the RTT Avg column when viewing by Remote Host IP Address may be incorrect.

Workaround:
None.

Fix:
The rtt_count, rtt_max, rtt_avg, rtt_sum metrics after day aggregation and week aggregations are now correct in the day, week, month reports. The rtt_sum is now aggregated with correct value (exceed max int), as expected.

658321-2 : Websafe features might break in IE8

Component: Fraud Protection Services

Symptoms:
IE8 transform all custom HTTP headers names to lowercase
in case header name configured with upper-case characters, WebSafe feature might break.

Conditions:
custom HTTP header configured with upper case characters
client is IE8.

Impact:
FPS plugin will not find the header, as it received lower-case but configured with upper-case characters
as a result, WebSafe functionality is broken (functionality which involve the custom HTTP header, e.g. ajax username header)

Workaround:
Set custom HTTP header name to lower case only.

Fix:
FPS now performs case-insensitive matches for custom HTTP headers.

658261-2 : TMM core after HA during GY reporting

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of GY reporting

Conditions:
-- Failover is triggered,
-- The daglib hash redistributes the subscriber DATA to different slots.
-- Existing flows continue on the slots that were allocated using the old hash of daglib.

Note: This is a rarely encountered issue that occurred in a setup with 8 slots and 750 thousand subscribers.

Impact:
Slot reboots. May trigger more hash rearrangement. Traffic disrupted while tmm restarts.

Workaround:
None.

658214-2 : TCP connection fail intermittently for mirrored fastl4 virtual server

Solution Article: K20228504

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror dv variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.

Fix:
In this release, mirrored FastL4 virtual server now forward the SYN on the server-side after receiving the context-ack from the peer as expected.

658148-2 : TMM core after intra-chassis failover for some instances of subscriber creation

Solution Article: K23150504

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The HA configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If intra-chassis failover is triggered in a loaded chassis, the tmm no longer crashes in some cases of subscriber creation.

657795-1 : Possible performance impact on some SSL connections

Solution Article: K51498984

Component: Local Traffic Manager

Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.

Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.

-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.

Impact:
Performance may be impacted on those SSL connections.

Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.

Fix:
This release fixes an issue that might cause performance impact on certain SSL connections.

657713-5 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.

Solution Article: K05052273

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:

notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- The gateway pool is configured with Action On Service Down = Reject.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- A connection is rejected by the gateway pool.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
Set service-down-action to none or reselect.

Fix:
Gateway pool action no longer triggers TMM to produce a core file and restart.

657632-4 : Rarely if a subscriber delete is performed following HA switchover, tmm may crash

Component: Policy Enforcement Manager

Symptoms:
If a subscriber delete is performed following a HA switchover, tmm may coredump. The probability of this scenario is rare, where a subscriber may have been freed during switchover and a subsequent forced delete command quickly follows.

Conditions:
-- A subscriber delete command followed by a HA switchover.
-- During the switchover, the subscriber was freed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now removes the subscriber index from the table if present in these cases.

657502-2 : JS error when leaving page opened for several minutes

Component: Fraud Protection Services

Symptoms:
Google Chrome delays JS execution when the tab is not active.
Therefore anti-debug module acts as if someone is trying to debug JS code.

Conditions:
-- JS runs in hidden tab in Google Chrome.
-- Anti-debug functionality is active.
-- Page is left open for several minutes.

Impact:
Errors in console and JS logic is incorrectly executed.

Workaround:
Identify hidden tab and pause anti-debug functionality.

Fix:
The system now correctly handles JS code running in a hidden tab and pauses anti-debug check.

656912-4 : Various NTP vulnerabilities

Solution Article: K32262483

656900-1 : Blade family migration may fail

Component: TMOS

Symptoms:
Migrating the configuration from a B2100 blade to a newer variant, as documented in the "Migrating the Configuration on B2000 Series Blades" page in the "VIPRION Systems: Blade Migration" manual, may show output indicating a failure.

Conditions:
All such blade upgrades.

Impact:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

Workaround:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

655807-5 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Solution Article: K40341291

Component: Global Traffic Manager (DNS)

Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.

Fix:
Corrected a calculation error for QoS score involving packet rate.

655793-1 : SSL persistence parsing issues due to SSL / TCP boundary mismatch

Solution Article: K04178391

Component: Local Traffic Manager

Symptoms:
When the SSL client or server system is set up to send SSL messages whose boundaries do not align with underlying TCP boundaries, the parser fails when SSL persistence is enabled.

So, any SSL record spanning over multiple TCP segments (in this case it's ServerHello, Certificate, and ServerHelloDone) triggers the issue with the SSID error RST cause.

This can also result from a message size exceeding the maximum configured size (default is 32K).

Conditions:
[1] SSL persistence is enabled.
[2a] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32k).

Impact:
When the parsing fails, the SSL client or server hangs and times out. In other words, SSL traffic is affected.

The SSL parsing should succeed regardless of a match or mismatch between SSL message boundary and TCP segment boundary.

Workaround:
Disable SSL persistence.

Fix:
The system now switches the state of the SSL persistence to pass through all remaining messages, since no further parsing is needed.

655671-1 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced

Component: TMOS

Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.

Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.

Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.

Workaround:
None. Typically, the issue resolves itself.

Fix:
The number of times the bcm56xxd process polls for an I2C bus transaction to complete is reduced to prevent bcm56xxd core files.

655649-2 : BGP last update timer incorrectly resets to 0

Component: TMOS

Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.

Output from 'sh ip route':

4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
               [20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
               [20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
               [20/0] via 10.10.1.6, eno33554952, 00:00:00

Conditions:
Once ZebOS has learned a route from a BGP peer the route will show up under 'sh ip route' and the BGP last update timer will incorrectly reset.

Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.

Workaround:
None.

Fix:
BIG-IP no longer resets the last update time of learned routes via BGP and BGP routes redistributed into other protocols no longer flap.

655628-1 : TCP analytics does not release resources under specific sequence of packets

Component: Local Traffic Manager

Symptoms:
TCP analytics does not release memory when a specific sequence of packets is observed, and memory usage increases as more such flows occur.

Conditions:
-- A TCP analytics profile is configured to collect clientside/serverside analytics data.
-- AVR is provisioned.
-- FastL4 and HTTP profiles are configured.
-- A specific sequence of packets (on the serverside) occurs.

Impact:
Main memory occupied by TCP analytics is not released which might lead to memory exhaustion on the BIG-IP system.

Workaround:
Turn off collecting TCP analytics data for the virtual server.

Fix:
TCP analytics now releases resources properly.

655617-1 : Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge

Solution Article: K36442669

Component: Application Security Manager

Symptoms:
When running Safari or Firefox in incognito mode on iOS devices, browser gets TCP RST and will not be able to pass client-side challenge. The system posts the following error in tmm log: failed parsing header 3.

Conditions:
1. Web scraping is configured.
2. Persistent client identification is enabled.
3. Using Safari or Firefox on iOS devices.

Impact:
Browser cannot access the site.

Workaround:
Turn off persistent client identification.

Fix:
Safari, Firefox in incognito mode on iOS device can now pass persistent client identification challenge.

655500 : Rekey SSH sessions after one hour

Component: TMOS

Symptoms:
Common Criteria requires that SSH session be rekeyed at least every hour

Conditions:
SSH connections to or from the BIG-IP system.

Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time

Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.

Fix:
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.

655470 : IP Intelligence logging publisher removal can cause tmm crash

Solution Article: K79924625

Component: Advanced Firewall Manager

Symptoms:
TMM restart immediately after removing global ip-intelligence logging publisher.

Conditions:
1) Global IP Intelligence logging enabled.
2) While new incoming connections are handled by the system, delete the global logging publisher using the following command:
modify security log profile global-network ip-intelligence { log-publisher none }

Impact:
Traffic disrupted while tmm restarts. This is an intermittent, timing-related issue.

Note: Because deleting the global ip-intelligence logging configuration publisher is uncommon, and might occur once, at setup, this issue is unlikely to manifest.

Workaround:
There is no workaround, other than to not delete the ip-intelligence global logging publisher when heavy traffic is being handled.

Fix:
Error handling now checks for NULL publisher and prevents the TMM restart.

655445-2 : Provide the ability to globally specifiy a DSCP value.

Component: Global Traffic Manager (DNS)

Symptoms:
The DSCP value is not configurable for some types of traffic, which can lead to dropped traffic during adverse network conditions.

Conditions:
Under adverse network conditions, monitor traffic can be dropped by the network.

Impact:
BIG-IP DNS incorrectly reports resources as unavailable because monitor traffic is dropped by the network due to congestion with unrelated traffic.

Workaround:
None.

Fix:
Setting the new db variable tm.egressdscp to a value other than the default value of 0, results in the system setting the DSCP value for outgoing traffic to the configured value.

655432-7 : SSL renegotiation failed intermittently with AES-GCM cipher

Solution Article: K85522235

Component: Local Traffic Manager

Symptoms:
SSL failed to renegotiate intermittently with AES-GCM cipher because IV is not properly updated when a change cipher spec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate client using renegotiation. This issue prevents their clients from properly connecting to the servers.

Workaround:
Disable AES-GCM cipher.

Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.

655364-1 : Portal access rewriting window.opener causes JS exception

Component: Access Policy Manager

Symptoms:
Portal access engine rewriting window.opener causes JavaScript exception error.

Conditions:
When rewriting window.opener.

Impact:
JavaScript exception error generated.

Workaround:
None.

Fix:
The rewriting window.opener operation now completes with Message 'null', which is correct behavior. No JavaScript exception error is generated.

655357-2 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic

Solution Article: K06245820

Component: TMOS

Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.

This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.

Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.

To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
A db variable switchboard.l2.mitigation was introduced to configure this feature.

-- A value of "enable" allows packets to be forwarded in the case of corrupted L2 FDB entries. Packets will be hashed on source and destination addresses. Enabling forwarding this way is only a temporary measure.

-- A value of "monitor" does not forward packets but will count packets which were affected by corrupted L2 FDB entries. The stat table switch/l2_mitgation, updated every 11 seconds, reports packet counts. Differences in packet counts are logged to /var/log/ltm.

-- A value of "disable" disables both forwarding and packet counting. Packet counts are reset.

655314 : When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0★

Component: TMOS

Symptoms:
The platform-migrate option to the UCS load command is supposed to reject UCS archives generated on BIG-IP software v10.x. It does this; however, the hostname of the BIG-IP system changes to the one in the UCS.

Conditions:
You are trying to do a platform-migrate load to 12.1.2 or 13.0.0 of a UCS originating on a system running v10.x.

Impact:
The hostname is changed, but no other configuration is modified.

Workaround:
Set the hostname back to its old value.

Fix:
The hostname is now left unmodified.

655233-1 : DNS Express using wrong TTL for SOA RRSIG record in NoData response

Solution Article: K93338593

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.

Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.

Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.

Workaround:
There is no workaround.

Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.

655211-1 : bigd crash (SIGSEGV) when running FQDN node monitors

Solution Article: K25384206

Component: Local Traffic Manager

Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.

Conditions:
bigd is configured for FQDN node monitors.

Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.

Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.

Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.

655159-1 : Wrong XML profile name Request Log details for XML violation

Solution Article: K84550544

Component: Application Security Manager

Symptoms:
After system upgrade, Request Log details for XML violation show XML profile name as 'N/A'.

Conditions:
System upgrade.
Request Log details for XML violation.

Impact:
System upgrade does not synchronize properly between policy and already existing XML profiles. System functions properly on existing XML profiles, but violation report reference to the XML profile is wrong.

Workaround:
No workaround for already existing violation records.

For new violation reports, run apply policy.

Fix:
The system now uses the correct XML profile name in the Request Log details for XML violation.

655146-2 : APM Profile access stats are not updated correctly

Component: Access Policy Manager

Symptoms:
The active and established sessions counts in the output of 'tmsh show apm profile access' command are not getting updated as sessions are established and terminated. At the same time, the following errors are showing up in the APM log:

err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)

Conditions:
-- When session is established and terminated.
-- Running the command: tmsh show apm profile access to view stats.

Impact:
APM profile access stats are not accurate.

Workaround:
None.

Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.

655085-2 : While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors

Component: TMOS

Symptoms:
Message of the form

"notice sod[nnnn]: 010c006e:5: All devices in traffic group traffic-group-1(1 of 2) should have a HA group."

is logged on peer devices when a Viprion chassis is being rebooted.

Conditions:
Multiple Viprion chassis are configured in a sync-failover device group, using HA Group scores.

Impact:
Log message indicates a configuration error that does not exist.

Workaround:
If these messages occur during a peer reboot, they should be ignored.

Fix:
Viprion chassis does not report HA Group configuration errors during peer reboot.

655059-3 : TMM Crash

Solution Article: K37404773

655021-2 : BIND vulnerability CVE-2017-3138

Solution Article: K23598445

654925-1 : Memory Leak in ASM Sync Listener Process

Solution Article: K25952033

Component: Application Security Manager

Symptoms:
Following several sync errors, a memory leak occurs in the ASM sync listener process (asm_config_server.pl).

Conditions:
-- asm-sync is enabled on an auto-sync Device Group.

-- Errors occur during attempts to sync, either due to full disk or in response to one or more of the following uses in GUI or REST API:
+ Creating/importing/deleting policies.
+ Accepting many suggestions at once.
+ Adjusting Policy Building Settings.

Impact:
RAM is increasing consumed leading to swap usage until the device reaches a panic state.

Workaround:
Restart asm_config_server on all devices using the following command:
killall asm_config_server.pl

Fix:
Hard limits for memory size are now enforced for ASM processes. The sync listener process now shuts down and restarts after an hour of failed repeated attempts to synchronize the device group state.

654873-2 : ASM Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
Some messages that were meant to be sent to peers in a device group are not successfully sent.

Conditions:
A mix of the following uses in GUI or REST API:
1) Creating/importing/deleting policies.
2) Accepting many suggestions at once.
3) Adjusting Policy Building Settings.

Impact:
1) Overuse of full sync between devices.
2) Possible inconsistencies between devices.
3) Possibility of memory leak in rare cases.

Workaround:
Use manual sync groups for ASM sync.

Fix:
Communication for auto-sync groups repaired.

654599-1 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Solution Article: K74132601

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The config contains a large amount (in the thousands) of GSLB virtual servers or wide IP's, resulting in the action not being completed.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.

Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.

654549-1 : PVA support for uncommon protocols DoS vector

Component: TMOS

Symptoms:
A new HSB bitstream for VIPRION B4450 blades is needed to support IP uncommon protocols for DoS Vector.

Conditions:
Using the B4450 blade.

Impact:
No support for IP uncommon protocols for DoS Vector.

Workaround:
None.

Fix:
HSB v3.2.13.0 bitsteam for VIPRION B4450 blades now provides support for IP uncommon protocols for DoS Vector.

Behavior Change:
This bitstream now supports IP uncommon protocols for DoS Vector. Any number of protocols with values between 0-255 can be simultaneously enabled.

654513-6 : APM daemon crashes when the LDAP query agent returns empty in its search results.

Solution Article: K11003951

Component: Access Policy Manager

Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP access profile access policy is configured with an AD Auth agent.
-- The access policy is configured with an LDAP query agent.
-- A user successfully authenticates to the access profile.
-- The LDAP query agent returns no query results.

Impact:
APM daemon crashes, need to restart RBA and WebSSO. This is a very rarely encountered issue.

Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.

Note: Adding the extra agent, LDAP Auth agent, in the policy will preserve the functionality and features, enabling the policy to fail in LDAP Auth agent, instead of crash in LDAP Query agent.

Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.

654508-2 : SharePoint MS-OFBA browser window displays Javascript errors

Component: Access Policy Manager

Symptoms:
SharePoint MS-OFBA browser window displays Javascript errors while doing authentication.

Conditions:
-- SharePoint Access through LTM and APM.
-- MS-OFBA iRule is used.

Impact:
JavaScript errors shown on the MS-OFBA browser window

Workaround:
None.

Fix:
Now the SharePoint MS-OFBA browser window no longer displays Javascript errors while doing authentication from Microsoft applications.

654109-2 : Configuration loading may fail when iRules calling procs in other iRules are deleted

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Loading of the configuration fail with a message indicating a previously deleted iRule cannot be found:

01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Conditions:
- iRule A is calling another iRule B using proc calls
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).

Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.

654046-1 : BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.

Component: Access Policy Manager

Symptoms:
When an external Service Provider (SP) canonicalizes authentication requests with the use of inclusive namespaces, a BIG-IP system used as SAML IdP may fail to process such requests. User's SSO will fail with following errors contained in /var/log/tmm:

err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Digest from SAML message is invalid
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Error(12) Signature verification failed for SAML Authentication

Conditions:
- BIG-IP is used as SAML IdP.
- User performs SP-initiated SAML SSO.
- External SAML SP sends signed authentication request, in which canonicalization was done with use of inclusive namespaces.

Impact:
Users are unable to perform SAML SSO with certain external service providers.

Workaround:
None.

Fix:
Now BIG-IP APM as IdP SAML canonicalized authentication requests containing inclusive namespaces can be processed successfully.

654011-2 : Pool member's health monitors set to Member Specific does not display the active monitors

Solution Article: K33210520

Component: TMOS

Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.

Conditions:
Have a pool member with Health Monitors set to Member Specific.

Impact:
The specified active monitors will be saved but won't be displayed as active.

Workaround:
Use tmsh to view a pool member's active monitors.

Fix:
Pool member's Health Monitors set to Member Specific now display active monitors.

653993-3 : A specific sequence of packets to the HA listener may cause tmm to produce a core file

Solution Article: K12044607

653880 : Kernel Vulnerability: CVE-2017-6214

Solution Article: K81211720

653772-2 : fastL4 fails to evict flows from the ePVA

Component: TMOS

Symptoms:
An accelerated flow is in the ePVA with no corresponding software connection.

Conditions:
-- FastL4.
-- ePVA.
-- The other conditions under which this occurs are not well defined.

Impact:
ePVA can continuously send a packet. This might eventually result in a network outage.

Workaround:
Disable HW acceleration.

Fix:
There are now no unknown accelerated flows.

Behavior Change:
The default behavior is to ignore unknown HW accelerated flows (connections). This change will proactively evict unknown HW accelerated flows from the HW (ePVA).

653771-2 : tmm crash after per-request policy error

Component: Access Policy Manager

Symptoms:
TMM core is seen when reject ending in per-request policy encounters error.

Conditions:
The conditions which trigger this are unknown at this time, it was seen once on a per-request policy error.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores when reject ending encounters error in per-request policy

653729-2 : Support IP Uncommon Protocol

Component: Advanced Firewall Manager

Symptoms:
A BIG-IP system can have CPU usage be non-uniformly distributed across the datapath (tmm) threads, such that the overall CPU usage is low, but individual datapath threads may show high usage of a subset of the CPUs on the system. This can be observed by viewing the per-CPU usage, and can manifest as spuriously dropped packets/flows.

Conditions:
A BIG-IP system receives packets that have uncommon IP protocols – those not parsed by the BIG-IP system.

Impact:
The packets are eventually dropped but may drive a subset of the CPUs in the system to very high usage. As CPU increases, potentially reaching 100%, then the BIG-IP system will start dropping packets and the system might eventually fail.

Workaround:
None.

Fix:
The system now supports packets that have uncommon IP protocols.

Behavior Change:
This change adds the capability of specifying various IP protocols as 'uncommon' protocols. Using this list of uncommon protocols can have the system mitigate an attack from uncommon protocols.

To do so, perform the following procedure:
1. Set the sys db tunable dos.uncommon.replace.illegal to true (it is false by default).
2. Set the 8 sys db tunables dos.uncommon.protocols[0-7] to specify which protocols should be considered uncommon (by default all protocols except TCP/UDP/ICMPv4/ICMPv6/SCTP - bits 1/6/17/58/132 are uncommon).
- dos.uncommon.protocols0 represents bits 31:0 of a 256-bit vector
- dos.uncommon.protocols1 represents bits 63:32 of a 256-bit vector
- dos.uncommon.protocols2 represents bits 95:64 of a 256-bit vector
- dos.uncommon.protocols3 represents bits 127:96 of a 256-bit vector
- dos.uncommon.protocols4 represents bits 159:128 of a 256-bit vector
- dos.uncommon.protocols5 represents bits 191:160 of a 256-bit vector
- dos.uncommon.protocols6 represents bits 223:192 of a 256-bit vector
- dos.uncommon.protocols7 represents bits 255:224 of a 256-bit vector

Setting the specific bit to '1' means that the specified protocol is considered 'uncommon', and setting the specific bit to '0' means that the specified protocol is not considered 'uncommon'.

Then the DoS vector IP Unknown Protocol can be used to mitigate an attack from the above-specified 'Uncommon Protocols'.

653511-2 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve

Solution Article: K45770397

Component: Local Traffic Manager

Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.

Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".

Impact:
Service interruption due to intermittent connection failures.

Workaround:
None.

Fix:
Connections no longer fail intermittently with SNAT/automap, SP-DAG and virtual server source-port=preserve.

653453 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.

Component: TMOS

Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by a L2 defect in the Broadcom Trident2+ switch B4450 blade uses.

Conditions:
The switch learned a corrupted L2 FDB entry on internal HiGig trunk.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
Resolved an issue on Broadcom Trident2+ switch B4450 blades use in which ARP replies reached the front panel port, but failed to reach TMMs.

Behavior Change:
A new BigDB variable is added to control in which mode the l2xmsg module in Broadcom SDK should run.

bcm56xxd.l2xmsg.mode: poll/fifo (default)

The BIG-IP system used to always run l2xmsg module in poll mode. Now, the BIG-IP system will run l2xmsg mode in fifo by default.

653376-5 : bgpd may crash on receiving a BGP update with >= 32 extended communities

Component: TMOS

Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities

Conditions:
A configured BGP peer sends a route update including and attribute containing 32 or more extended communities.

Impact:
bgpd may crash causing the BGP peering to reset

Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.

Fix:
bgpd no longer crashes on receiving a BGP update with >= 32 extended communities

653324-3 : On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly

Solution Article: K87979026

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly; it appears very small.

Conditions:
On macOS Sierra (10.12), edge client, customized icon of size 48x48 pixels.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
Use a custom logo image with the pixel dimensions of 100x121 pixels.

Fix:
On macOS Sierra (10.12), Edge client now shows the customized icon of size 48x48 pixels that is now scaled correctly.

653285-1 : PEM rule deletion with HSL reporting may cause tmm coredump

Component: Policy Enforcement Manager

Symptoms:
tmm coredump caused by deletion of a PEM policy rule with HSL reporting configured and passing active traffic. tmm crash.

Conditions:
PEM policy rule with HSL reporting is deleted while passing subscriber traffic.

Impact:
tmm coredump causes traffic disruption and restart of tmm.

Workaround:
None.

Fix:
PEM rule deletion with HSL reporting no longer causes tmm coredump.

653234 : Many objects must be reconfigured before use when loading a UCS from another device.★

Component: TMOS

Symptoms:
Many objects are ignored by the platform-migrate option, and must be reconfigured before use when loading a UCS from another device.

Conditions:
UCS is being loaded from another device, using the platform-migrate option.

Impact:
Risk of configuration load failures.

Workaround:
None, other than reconfiguring for the destination device.

Fix:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.

Behavior Change:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.

653225-1 : coreutils security and bug fix update

Component: TMOS

Symptoms:
A race condition was found in the way su handled the management of child processes.

Impact:
A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Workaround:
install latest hotfix

Fix:
fixed in coreutils-8.4-46.el6

653224-1 : Multiple GnuTLS Vulnerabilities

Solution Article: K59836191

653217-2 : Multiple Samba Vulnerabilities

Solution Article: K03644631

653014-1 : Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name

Component: Application Security Manager

Symptoms:
An issue was introduced when dealing with custom Blocking pages containing an HTTP Header that has an underscore in the name.

Conditions:
A custom Blocking page is defined containing an HTTP Header that has an underscore in the name.

Impact:
Set Active fails

Workaround:
Use hyphens instead of underscores in the header name.

Fix:
Underscores in HTTP Headers in Blocking Response pages are handled correctly.

652973-2 : Coredump observed at system bootup time when many DHCP packets arrive

Component: Policy Enforcement Manager

Symptoms:
During system bootup, system coredump is observed when many DHCP packets arrive before system is fully ready and many flow entry creation failures are observed

Conditions:
-- BIG-IP DHCP proxy is in forwarding mode.
-- DHCP relay agent in front of BIG-IP modifies giaddr field of DHCP packets to its own IP address.
-- DHCP packets arrive during system bootup and before system is fully ready (i.e., some VLANs, interfaces and routes are not fully up).

Impact:
System crash and coredump.

Workaround:
Make sure system has come up completely before sending DHCP packets to the system.

Fix:
Coredump no longer occurs under these conditions.

652968-2 : IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys

Solution Article: K88825548

Component: TMOS

Symptoms:
During negotiations that use CREATE_CHILD_SA, IKEv2 will fail to send a KE in the payload when PFS (perfect forward security) is used in config.

Rekey in IKEv2 does not negotiate new keys; the PFS value in phase1-perfect-forward-secrecy is used in the first exchange, then this first key is re-used in later rekey negotiation. Vendor interop problems exist when PFS is required by the other peer.

Conditions:
Define phase1-perfect-forward-secrecy with value other than none. After IPsec SAs expire or are manually deleted, the CREATE_CHILD_SA phase to negotiate new keys has no KEi payload from the BIG-IP Initiator and so no new encryption key.

Impact:
PFS settings apply only to first negotiation and not to subsequent SA rekeys. PFS is therefore absent. When the BIG-IP enters CREATE_CHILD_SA with a third party IPsec peer, negotiation will fail if the peer requires PFS. Under the same conditions, BIG-IP to BIG-IP tunnels will not fail.

Workaround:
To resolve vendor interop problems, disable PFS in the IPsec policy of both peers.

Fix:
When phase1-perfect-forward-secrecy is configured with a value other than none, the BIG-IP will now perform PFS negotiation correctly. Now rekey with CREATE_CHILD_SA generates a new key using the same DH Group as the first exchange that creates the first SA.

Note: In the ipsec-policy configuration object, the ike-phase2-perfect-forward-secrecy option is relevant only to IKEv1 and has no influence on IKEv2 PFS rekeying.

652848-2 : TCP DNS profile may impact performance

Solution Article: K44200194

652796-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
ECA may be constantly restarting on BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
ECA NTLM functionality will not be accessible to the users.

Workaround:
If ECA functionality is not required - disable process by running 'bigstart stop eca'.

If ECA functionality is needed:

1. Stop eca by running "bigstart stop eca'.

2. Modify file '/etc/bigstart/scripts/eca' as follows:

a) Replace line:
cpu_count=$(get_number_cpu)

with line:
tmm_count=$(get_tmm_count)

b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}

with line:
exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start eca'.

Fix:
ECA no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.

652792-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
urldb may be constantly restarting on a BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
URLDB functionality will not be accessible to the users.

Workaround:
If URLDB functionality is not required - disable process by running 'bigstart stop urldb'.

If urldb functionality is needed:

1. Stop urldb by running "bigstart stop urldb'.

2. Modify file '/etc/bigstart/scripts/urldb' as follows:

a) Replace line:
cpu_count=$(get_number_cpu)

with line:
tmm_count=$(get_tmm_count)

b) Replace line:
exec /usr/sbin/${service} -n ${cpu_count}

with line:
exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start urldb'.

Fix:
urldb no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.

652691-1 : Installation fails if only .iso.384.sig (new format signature file) is present★

Component: TMOS

Symptoms:
Tab completion only will complete the names of ISO images that have an old style signature format ("BIG-IP-version-build.iso.sig"), not the new style ("BIG-IP-version-build.iso.384.sig"). Then, installation will fail even if you type out the full name.

Conditions:
This only happens when signature checking is enabled for ISO images. You can determine this by looking at the value of the DB variable "liveinstall.checksig".

Impact:
Tab completion will not show the ISO image, and even if you type out the full name, the installation will fail. An error message will appear in "show sys software status" and /var/log/liveinstall.log .

Workaround:
Put both types of signature file (.iso.sig and .iso.384.sig) on the device.

Fix:
Tab completion and installation will now work if the old signature file format (.iso.sig) is missing, and only the new signature format (.iso.384.sig) is present.

652689-2 : Displaying 100G interfaces

Solution Article: K14243280

Component: TMOS

Symptoms:
Interfaces' Active Media Type and Media Speed rows display none.

Conditions:
Having a server with 100G interfaces.

Impact:
Cannot use GUI to determine interfaces' Active Media Type and Media Speed.

Workaround:
Use tmsh to see the affected interface.

Fix:
100G interfaces now display correctly.

652638-2 : php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()

Component: TMOS

Symptoms:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.

Impact:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.

Fix:
install latest hotfix/image

652539 : Multiple Bash Vulnerabilities

Solution Article: K73705133

652535-1 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.

Solution Article: K54443700

Component: Local Traffic Manager

Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.

Conditions:
HTTP/2 profile is enabled on the virtual. The frame header gets fragmented because of TCP segmentation.

Impact:
HTTP/2 stream is reset.

Workaround:
None.

Fix:
HTTP/2 parser changed to handle header splitting across multiple buffers.

652516 : Multiple Linux Kernel Vulnerabilities

Solution Article: K31603170

652484-2 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster

Component: TMOS

Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.

Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.

Impact:
The f5optics version is not displayed for all of the blades.

Fix:
f5optics version information for all blades within a chsasis is displayed when the user issues tmsh show net f5optics from the primary blade.

652445-2 : SAN with uppercase names result in case-sensitive match or will not match

Solution Article: K87541959

Component: Local Traffic Manager

Symptoms:
SSL certificates with SAN domain names with uppercase characters will fail to match SNI requests for that domain name.

Conditions:
Multiple client-ssl profiles configured with SNI associated with a single virtual where the SAN (Subject Alternative Name) contains DNS names with uppercase characters.

Impact:
SNI does not match, resulting in the wrong certificate being returned to the client, which potentially results in a security warning in the client application due to a non-matching domain.

Workaround:
Use lowercase characters for SAN domain names in SSL certificates.

Fix:
SNI match is now case-insensitive.

652200-1 : Failure to update ASM enforcer about account change.

Solution Article: K81349220

Component: Application Security Manager

Symptoms:
There is an error updating BD with the following information:
Errors:
------------
  bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled

  ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
  ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------

Conditions:
In a high availability environment (with manual failover and ASM) with a UCS load that contains policies with the same names.

Impact:
Traffic is blocked due to Unknown HTTP selector

Workaround:
Use one of the following Workaround:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.

Fix:
The system now correctly handles a UCS containing policies with the same names in a high availability environment (with manual failover and ASM).

652151-1 : Azure VE: Initialization improvement

Solution Article: K61757346

652094-2 : Improve traffic disaggregation for uncommon IP protocols

Solution Article: K49190243

Component: TMOS

Symptoms:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default.

Conditions:
Traffic of uncommon IP protocols on VLAN configured with default DAG.

Impact:
Traffic for uncommon IP protocols not distributed evenly among available processing units.

Workaround:
None.

Fix:
The system now correctly distributes traffic for uncommon IP protocols based on src IP and dest IP.

The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

Behavior Change:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

652052-3 : PEM:sessions iRule made the order of parameters strict

Component: Policy Enforcement Manager

Symptoms:
In the versions before 12.0, the order of parameters for "PEM::SESSIONS" rule was flexible. It was made strict because of the new validation infrastructure in 12.0. This breaks some existing iRules.

The system will report a validation error such as:

01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]

Conditions:
Some parameters, for example, subscriber-id come before the parameter user-name.

Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.

Workaround:
Change the order of the parameters.

652004-2 : Show /apm access-info all-properties causes memory leaks in tmm

Solution Article: K45320415

Component: Access Policy Manager

Symptoms:
When tmsh is used to view session information, memory will leak on each request to pull the session information from tmm. This is a small leak but can be significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.

Conditions:
when using show /apm access-info all-properties

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
The only workaround is not to use the mcp interface by tmm daemon, or to restart the tmms periodically after using the interface multiple times.

Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.

651910-2 : When we upgrade from 12.* to 13.0+ you cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI

Component: Access Policy Manager

Symptoms:
You cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI.

Conditions:
After upgrade from 12.* to 13.0+

Impact:
You cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI.

Workaround:
Manually add the properties via tmsh:
(assuming affected log setting is abc)

modify log-setting abc access add { general-log { publisher sys-db-access-publisher } }
modify log-setting abc url-filters add { test_logsetting_swg { enabled true publisher sys-db-access-publisher }}

Fix:
Now it is possible to use the GUI to successfully use and configure log-setting objects that were created with tmsh.

651772-3 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, may use an MAC and IPv6 source address from a different VLAN.

Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that will cause the traffic to the destination to shift from one vlan and gateway to another. This can be typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.

Fix:
IPv6 host traffic no longer use incorrect IPv6 and MAC address after route updates.

Behavior Change:
Introduction of sys db ipv6.host.router_probe_interval, to control sysctl net.ipv6.conf.default.router_probe_interval value. This value is default to 5s.

651681-4 : Orphaned bigd instances may exist (within multi-process bigd)

Solution Article: K49562354

Component: Local Traffic Manager

Symptoms:
When multi-process 'bigd' is configured, orphaned 'bigd' instances may be exit; such as an orphaned 'bigd.1' alongside the active 'bigd.1'.

Conditions:
-- db variable Bigd.NumProcs to 2 or higher.
-- System monitors with long timeouts (such as ~183 seconds or longer), might also be relevant.

When 'bigd' manages monitor configurations that results in no monitoring activity for a long time (such as due to long monitor timeouts), the operating system may temporarily suspend (and later resume) the 'bigd' process. The system might treat the 'bigd' process as if it were "hung", and start another 'bigd' instance without explicitly terminating the suspended 'bigd' process.

Impact:
The suspended 'bigd' process consumes process memory. The process might be suspended (consuming no CPU resources), or running, which might result in "double-monitoring" the resources assigned to that 'bigd' process.

Note: If double-monitoring occurs, monitor status should be correct, but the double-monitoring unnecessarily consumes extra resources.

Workaround:
Configure 'bigd' to run as a single process. To do so, set the db variable Bigd.NumProcs to 1.

Shortening monitor timeouts can reduce the possibility of a 'bigd' process being (temporarily) suspended by the operating system.

Fix:
Multi-process 'bigd' no longer produces orphaned (suspended) process instances.

651651-3 : bigd can crash when a DNS response does not match the expected value

Solution Article: K54604320

Component: Local Traffic Manager

Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.

Conditions:
Monitoring DNS server(s), or using FQDN.

Impact:
Potential bigd core and restart; may cause endless restart loop as long as DNS monitor instance is configured.

Workaround:
No workaround at this time.

Fix:
Prevented bigd from crashing when a response returned from a DNS request does not match the expected value.

651640-3 : queue full dropped messages incorrectly counted as responses

Component: Service Provider

Symptoms:
negative number of active response messages reported on sipsession profile stats

Conditions:
If a request message is dropped because the sip filter's ingress message queue is full, the wrong stats is incremented

Impact:
Counting the dropped request messages as response messages causes the calculation of the accepted response messages to be incorrectly calculated, thus producing a negative value.

Fix:
correct stats fields are incremented

651476 : bigd may core on non-primary bigd when FQDN in use

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.

Conditions:
FQDN is in use.

Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.

Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.

Fix:
Known causes of the bug have been fixed.

651362 : eventd crashes during boot

Component: TMOS

Symptoms:
eventd may crash during boot due to heap corruption.

Conditions:
This happens during subscription and unsubscription of events.

Impact:
eventd crashes.

Workaround:
None.

Fix:
Race condition has been resolved, so eventd no longer crashes.

651221-2 : Parsing certain URIs may cause the TMM to produce a core file.

Solution Article: K25033460

651155-1 : HSB continually logs 'loopback ring 0 tx not active'

Component: TMOS

Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.

Conditions:
Unknown.

Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.

Workaround:
None.

651135-4 : LTM Policy error when rule names contain slash (/) character★

Solution Article: K41685444

Component: Local Traffic Manager

Symptoms:
Beginning with v12.0.0, there has been additional validation for LTM Policy rule names to allow only certain valid characters. Prior to v13.1.0, the slash (/) character was included in the set of valid characters.

But because the slash character is used as a delimiter in the BIG-IP virtual path hierarchy (e.g., /Common/my_policy/my_rule), extra slashes in a rule name causes validation problems because the rule appears to the system as having additional path segments.

Conditions:
LTM Policy rule contains the slash (/) character.

Impact:
Configuration will not load.
Configuration may load, but admin GUI may not show policy rule.

Workaround:
In the bigip.conf file, the LTM Policy rule names can be manually edited to either remove the illegal character or to substitute a valid character.

For example, the following policy won't load because the rule name contains a slash (/) character:

    ltm policy mypolicy {
    ...
       rules {
          /testperson/a {
    ...
    }

But it will load when the slash (/) characters are changed to a legal character, such as underscores (_):
    ltm policy mypolicy {
    ...
       rules {
          _testperson_a {
    ...
    }

Fix:
For upgraded configurations, the roll-forward process will automatically translate slash (/) to underscore (_) in LTM Policy rule names. When creating new rules, validation will not succeed if a rule name contains an illegal character, such as a slash, so the issue will be prevented.

651106 : memory leak on non-primary bigd with changing node IPs

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with the multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes will consume an unusually high amount of memory, and bigd cores may exist when the FQDN node IP addresses change frequently.

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes causing IP addresses to change, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.

651001-1 : massive prints in tmm log: "could not find conf for profile crc"

Component: Advanced Firewall Manager

Symptoms:
Massive messages in tmm log:
"could not find conf for profile crc"

messages are shown while traffic is passing.

Conditions:
1. Have dos profile attached to vs. dos profile does not have dos application enabled.
2. Have ASM policy attached to VS with Web Scraping on/session hijacking/session awarness with DID collection/brute force with DID collection.

Impact:
Massive prints in tmm log that can cause tmm to abort. Traffic disrupted while tmm restarts.

Workaround:
Have DOS application enabled (even if doing nothing).

Fix:
disable prints.

650422-2 : TMM core after a switchover involving GY quota reporting

Component: Policy Enforcement Manager

Symptoms:
Core dump in the code path for async subscriber lookup causes core-dump.

Conditions:
This core happens in an intra-chassis HA configuration, if GY is configured & HA switchover is forced.

Impact:
An initial coredump (or HA switchover) forces multiple core dumps. Traffic disrupted while tmm restarts.

650349 : Creation or reconfiguration of iApps will fail if logging is configured

Solution Article: K50168519

Component: TMOS

Symptoms:
If logging destination of any type is configured (ArcSight, IPFIX, remote high speed logging, etc.), creation or reconfiguration of iApps will fail. The following error will be reported in /var/log/webui.log and displayed in the GUI: The connection to mcpd has been lost, try again.

Conditions:
Logging is configured: filter, destination, and publisher.

Impact:
Cannot create new iApps or reconfigure existing ones.

Workaround:
Remove logging configuration.

Fix:
Can now create or reconfigure iApps if logging is configured.

650317-3 : The TMM on the next-active panics with message: "Missing oneconnect HA context"

Component: Local Traffic Manager

Symptoms:
The next-active TMM panics with message: "Missing oneconnect HA context" on a virtual which doesn't have one-connect on the active.

Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.

Impact:
Connections on the active are not mirrored while the next-active restarts.

Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.

Fix:
Mirrored connections which fail to find an HA context on the next-active are not established on the next-active.

650292-2 : DNS transparent cache can return non-recursive results for recursive queries

Component: Local Traffic Manager

Symptoms:
If a non recursive query is cached by the DNS transparent cache, subsequent recursive queries provide the non-recursive answer.

Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.

Impact:
Non recursive responses for recursive requests.

Workaround:
An iRule can be attached to the listener to disable the cache if the "rd bit" is not set in the DNS request.

Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.

650286-2 : REST asynchronous tasks permissions issues

Solution Article: K24465120

650152-1 : Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms

Component: Local Traffic Manager

Symptoms:
In Nitrox PX platforms, vCMP guests can't accelerate AES-GCM traffic, which might cause high CPU usage.

Conditions:
For those vCMP guests deployed on Nitrox PX-based platforms, and SSL cipher is configured to use AES-GCM.

The following blades support the Nitrox PX and vCMP combination: VIPRION B4200, B4300, B2100, and B2150 blades.

Impact:
High CPU usage.

Workaround:
No workaround.

Fix:
Added AES-GCM hardware acceleration support for Nitrox PX-based vCMP.

650081-1 : FP feature causes the blank page/delay on IE11

Solution Article: K53010710

Component: Advanced Firewall Manager

Symptoms:
When PBD and FP are both enabled, there is a very high client-side latency, especially on Microsoft Internet Explorer (IE).
On IE, sometimes the challenge remains on a blank page, never moving on to the site from the back-end server.

Conditions:
If you use ASM dos with fingerprint, but it causes the delay/blank page on browser Microsoft Internet Explorer v11 (IE11).

Impact:
Delay or blank page when clients access the page using IE11.

Workaround:
None

Fix:
Improved the client-side run-time of the JavaScript challenge and prevented it from getting stuck on Internet Explorer.

650074-1 : Changed Format of RAM Cache REST Status output.

Component: Local Traffic Manager

Symptoms:
The REST API returned cache contents in displayable form, not tagged field form.

Conditions:
Using REST API.

Impact:
Text must be parsed as if the caller plans to post-process it.

Workaround:
To present the data in some other format, the text can be displayed as is, but must be parsed as if the caller plans to post-process it.

Fix:
Now RAM Cache REST Status output is returned in field format, and must be parsed by a JSON parser and formatted for display. If you were using the previous format, you must now parse the JSON and re-format the data for display.

Behavior Change:
REST API calls for ramcache stats now returns data as formatted JSON.

650059-1 : TMM may crash when processing VPN traffic

Solution Article: K20087443

650002-1 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.

Fix:
To accommodate for Mongolia no longer observing DST, the new America/Punta_Arenas zone was created. Changes were also made to support other timezone changes.

* The zone1970.tab file has been added to the list of files to be installed with the tzdata packages installation.

Note: Users of tzdata are advised to upgrade tzdata to zdata-2017b-1.el6

649949-1 : Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★

Component: TMOS

Symptoms:
Following the instructions at https://support.f5.com/csp/article/K13117 will occasionally fail on iSeries platforms, with the system being unable to find the installation media.

If this happens, running the following command will fail.

image2disk --instslot=HD1.1 --setdefault --nosaveconfig

Conditions:
This can occur on iSeries platforms while performing a clean installation.

Impact:
The /dev/cdrom softlink points to the virtual CD-ROM drive in iSeries platforms instead of the physical USB DVD-ROM drive. This prevents image2disk from automatically finding the installation media.

Workaround:
After the failure, while in MOS, determine USB CDROM device name, mount it, and tell image2disk specifically where it is:

bash (try 'info') / > dmesg | grep "sr0\|sr1"
sr0: scsi3-mmc drive: 62x/62x writer dvd-ram cd/rw xa/form2 cdda tray <-- cdrom name
sr 6:0:0:0: Attached scsi CD-ROM sr0
sr1: scsi-1 drive
sr 7:0:0:0: Attached scsi CD-ROM sr1

bash (try 'info') / > mount -r -t iso9660 /dev/srX /cdserver
bash (try 'info') / > image2disk --instslot=HD1.1 --nosaveconfig /cdserver

In the mount command, replace "/dev/srX" with whichever device is the physical drive.

649933-1 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.

649929-1 : saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it

Component: Access Policy Manager

Symptoms:
Cannot delete saml_sp_connector from a transaction even when all related objects are specified.

Conditions:
When deleting saml_sp_connector from a transaction along their associated objects.

Impact:
Cannot delete saml_sp_connector and associated objects.

Workaround:
Delete objects in the following order:
SSOResource
SSOSAMLConfig
SPConnector

Fix:
The apm sso saml_sp_connector object can now be deleted from a transaction involving all the related objects regardless of the order in which the objects are specified.

649907-2 : BIND vulnerability CVE-2017-3137

Solution Article: K30164784

649904-2 : BIND vulnerability CVE-2017-3136

Solution Article: K23598445

649866-1 : fsck should not run during first boot on public clouds

Component: TMOS

Symptoms:
Although it is not needed, filesystem check runs during the first boot. This increases the boot time, especially for images that were created more than 180 days before the first boot, because twice year, booting up runs a more comprehensive fsck operation.

Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).

Impact:
Potentially unacceptable long boot times.

Workaround:
None.

Fix:
fsck does not run during first boot on public cloud configurations of VE. Running fsck is postponed until the second boot. If the more comprehensive fsck operation is required, it runs during the second boot as well.

649617-2 : qkview improvement for OVSDB management

Component: TMOS

Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.

If the user wants the BIG-IP system to connect to an OVSDB-capable controller via a SSL connection, the user needs to configure a certificate and a certificate key in the TMSH command "sys management-ovsdb". Later on, if the user invokes qkview to collect system information, the configured certificate key can be collected in qkview.

Conditions:
The following conditions need to be met:

- BIG-IP has the SDN services license.

- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.

- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.

Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.

Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.

In general, if OVSDB management has ever been set to "enabled", the user with the bash shell access can check if the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.

Fix:
The certificate key configured in the "sys management-ovsdb" will not be collected when invoking qkview.

649613-3 : Multiple UDP/TCP packets packed into one DTLS Record

Component: Access Policy Manager

Symptoms:
The system converts the server provided packet into PPP buffers. These PPP packets are used to pack into DTLS records. Currently there is a limit of about 14 KB of DTLS records, such that the system can pack multiple PPP records into one DTLS record.

However, creating bigger DTLS record can cause server IP Fragmentation. In the lossy environment, losing one IP fragment can cause the complete DTLS record to be lost, resulting in poor performance.

Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.

Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.

Workaround:
None.

Fix:
DTLS performance has been improved in lossy or high latency networks by optimizing the number of encoded ppp records inside of DTLS records.

649571-1 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not act on the absence of renegotiation.

Conditions:
A BIG-IP system acts as TLS client, a TLS server ignores renegotiation request. Finite TLS session data or time limits are configured in Server SSL Profile on the BIG-IP system.

An example of such a TLS server is Apache/2.4.10 on Fedora Linux.

Impact:
Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".

Workaround:
None.

Fix:
BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.

649564-2 : Crash related to GTM monitors with long RECV strings

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.

Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.

Impact:
Core dump. Traffic might be disrupted while gtmd restarts.

Workaround:
None.

Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.

649465-1 : SELinux warning messages regarding nsm daemon

Component: TMOS

Symptoms:
Receiving SELinux warning messages regarding nsm daemon when BFD is enabled, and deleting VLANs.

Conditions:
-- BFD enabled for any route-domain.
-- Deleting VLANs.

Impact:
None. This warning message references actions that are extraneous for the nsm daemon.

Workaround:
None.

Fix:
nsm no longer triggers SELinux warning messages with BFD enabled, and deleting VLANs

649234-3 : TMM crash from a possible memory corruption.

Component: Access Policy Manager

Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.

Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes TMM crash.

649171-4 : tmm core in iRule with unreachable remote address

Component: Local Traffic Manager

Symptoms:
TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with a non reachable remote_addr, tmm cores

Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable

Impact:
Traffic disrupted while tmm restarts.

Workaround:
create faux route for the destination address

649161-1 : AVR caching mechanism not working properly

Solution Article: K42340304

Component: Application Visibility and Reporting

Symptoms:
The AVR caching mechanism fails to store dimension-based queries properly, which leads to incorrect reports.

Conditions:
Using AVR caching mechanism (turned-on by default).

Impact:
Reports will be incorrect.

Workaround:
Using the following TMSH command should solve the problem:
tmsh modify sys db avr.requestcache value disable

* NOTE: the above might cause AVR to perform a bit slower.

Fix:
The system no longer stores the dimension-based queries in the AVR cache.

648990 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded

Component: Local Traffic Manager

Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:

info tmm[17859]: 01260034:6: Block cipher data limit exceeded.

Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.

Impact:
Serverssl renegotiation does not occur, log message is displayed.

648954-5 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:

01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Referencing an iRule that previously existed, but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

648879-2 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555

Solution Article: K90803619

648865-2 : Linux kernel vulnerability: CVE-2017-6074

Solution Article: K82508682

648786-5 : TMM crashes when categorizing long URLs

Solution Article: K31404801

648766-1 : DNS Express responses missing SOA record in NoData responses if CNAMEs present

Solution Article: K57853542

Component: Global Traffic Manager (DNS)

Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.

Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.

Impact:
A valid DNS response with a a partial chase but missing the SOA record may not be considered authoritative due to the missing record.

Workaround:
None.

Fix:
The SOA record is now included as appropriate.

648715-2 : BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0

Component: Local Traffic Manager

Symptoms:
LACP, STP, and LLDP PDUs sent from either of the i2x00 or i4x00 platforms have a VLAN tag added to the PDU when they shouldn't.

Conditions:
Provision any of the three protocols: LLDP, STP, or LACP and the PDU sent by the BIG-IP will incorrectly have a VLAN tag with a tag-id of 0 added to the PDU.

Impact:
Some 3rd party devices may reject the packet. This will adversely affect operation of the affected protocol.

Workaround:
None.

Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.

648617 : JavaScript challenge repeating in loop when URL has path parameters

Component: Advanced Firewall Manager

Symptoms:
The JavaScript challenge is repeating in a loop on URLs which have path parameters (when the URL contains the ';' character). The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.

Conditions:
URLs contain the ';' character, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.

Impact:
Requests with ';' character will be blocked and the browser will repeat the challenge in a loop.

Workaround:
None

Fix:
The JavaScript challenge no longer gets stuck in a loop on URLs which have path parameters.

648544-5 : HSB transmitter failure may occur when global COS queues enabled

Solution Article: K75510491

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs then the BIG-IP is rebooted.

Workaround:
Do not use global COS queues.

Fix:
Loopback packet priority is now set during runtime to guarantee transmit on mgmt ring 0.

648286-2 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.

Component: Global Traffic Manager (DNS)

Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.

Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.

Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). Must manually select each entry to add to the member list.

Loss of functionality from earlier releases.

Workaround:
Manually select each entry to add to the member list.

Fix:
Restored behavior that selects the next available entry in list after pressing the Add button on GSLB Pool's Member manage page.

648242 : Administrator users unable to access all partition via TMSH for AVR reports

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.

Fix:
Allowing for administrator users to get all partitions available on query.

648056-2 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.

Solution Article: K16503454

Component: TMOS

Symptoms:
bcm56xxd constantly crashes, device goes off-line.

Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.

Impact:
Device goes off-line.

Workaround:
None.

Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.

648053-1 : Rewrite plugin may crash on some JavaScript files

Component: Access Policy Manager

Symptoms:
Rewrite plugin may crash parsing JavaScript files in US ASCII encoding.

Conditions:
JavaScript file in US ASCII encoding (not in UTF-8).

Impact:
Rewrite plugin may crash parsing this file. No response is sent to client.

Workaround:
It is possible to change/add 'charset' parameter in response header 'Content-type' to 'UTF-8' by iRule.

Fix:
Now Portal Access rewrite correctly handles JavaScript data if the web page uses US ASCII encoding.

648037-2 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.

Fix:
Fixed a tmm crash related to LB::reselect

647988-3 : HSL Balanced distribution to Two-member pool may not be balanced correctly.

Solution Article: K15331432

Component: TMOS

Symptoms:
When configuring a two-member pool as HSL destination and using "balanced" distribution, logs from iRule HSL::send may end up balanced to a single pool member.

Conditions:
- Two-member pool configured as remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced"
- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
Log message may not be distributed correctly resulting in more load on a single pool member.

Workaround:
None.

Fix:
Logs are distributed more equally on pool members in "balanced" distribution HSL.

647944-2 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server

Component: TMOS

Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.

Conditions:
A FIX profile is be in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:

- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.

Impact:
Traffic disrupted while mcpd restarts.

Fix:
Prevented MCP from crashing when the FIX profile is edited.

647137 : bigd/tmm con vCMP guests

Component: Local Traffic Manager

Symptoms:
bigd/tmm con vCMP guests.

Conditions:
Set up vCMP guest on VIPRION B2100, B4200, or B4300 blades.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
This release corrects this issue so the crash no longer occurs.

647108-1 : Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction

Component: Access Policy Manager

Symptoms:
The system posts messages similar to the following even when the server associated to the connector is also being deleted in the same transaction:
01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/saml_connector because it is being used by aaa-saml-server (/Common/saml_server_test1

Conditions:
When deleting saml-idp-connector first then the associated saml server.

Impact:
Cannot delete saml-idp-connector and associated server in that specific order.

Workaround:
Delete saml server first and then delete the saml connector.

Fix:
Now saml-idp-connector can be deleted with associated objects in any order from a transaction.

646928-1 : Landing URI incorrect when changing URI

Component: Access Policy Manager

Symptoms:
User accesses resource1, and an access policy starts. Before the policy completes, the user changes to resource2. There is a warning page that the session already exists, and the user clicks to create a new session. After the policy completes, the user is directed to the landing URI of the resource1.

Conditions:
Attempting to change landing URI in the middle of an access policy

Impact:
End-user is inconveniently directed to the first resource instead of the second.

Fix:
Now the "To open a new session, please click here." link on the APM logout page reflects the last used landing URI rather than the first used landing URI.

646760 : Common Criteria Mode Disrupts Administrative SSH Access

Component: TMOS

Symptoms:
If Common Criteria mode is enabled the administrative SSH interface on BIG-IP may become unavailable.

Conditions:
CC-mode enabled.

Impact:
SSH interface not available, sshd may fail to start.

Workaround:
There is no workaround at this time.

Fix:
Correct SSH configuration when in CC mode

646643-2 : HA standby virtual server with non-default lasthop settings may crash.

Solution Article: K43005132

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.

Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).

-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).

Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.

646615-1 : Improved default storage size for DNS Express database

Component: Global Traffic Manager (DNS)

Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.

Conditions:
DNS Express with configured zones.

Impact:
Possibly reduced database size.

Workaround:
N/A as this is an improvement.

Fix:
A tweak has been made to the DNS Express database to improve the initial database size.

646604-5 : Client connection may hang when NTLM and OneConnect profiles used together

Solution Article: K21005334

Component: Local Traffic Manager

Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC); if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.

646511-1 : BD crashes repeatedly after interrupted roll-forward upgrade★

Component: Application Security Manager

Symptoms:
After roll-forward upgrade of version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.

Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.

Impact:
BD crashes repeatedly on subsequent attempts to start ASM.

Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:

tmsh modify sys db ucs.asm.traffic_data.save value disable

Fix:
ASM completes roll-forward upgrade with traffic data correctly, even after upgrade process is interrupted.

646443-1 : Ephemeral Node may be errantly created in bigd, causing crash

Component: Local Traffic Manager

Symptoms:
When FQDN Ephemeral Nodes are being used at the same time as static Node objects, and there is change in those objects, either via DNS resolver changes or manual changes to static nodes, there exists a chance where one may be misidentified as the other during an update, causing a crash in bigd.

Conditions:
FQDN Nodes and Static Nodes being used. Change in node settings or creation/deletion of nodes.

Impact:
Bigd crashes, causing interruption in monitoring.

Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.

Fix:
Fixed case where misidentification may occur, resulting in bigd running without crashing.

645805 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address

Component: TMOS

Symptoms:
LACP PDUs generated by the 'lacpd' on the i4x00 & i2x00 platforms contain the wrong Ethernet source MAC address.

Conditions:
LACP configured on an trunk interface on i4x00 or i2x00 platforms.

Impact:
Some Cisco and Juniper switches discard these PDUs. They send PDUs as if the BIG-IP is not transmitting with a all-zeros 'Partner' section System ID. This renders LACP inoperable, and simply does nothing if the far end is configured for 'Passive'.

Fix:
Insure correct Source MAC address is inserted into the PDU.

645723-2 : Dynamic routing update can delete admin ip route from the kernel

Solution Article: K74371937

Component: TMOS

Symptoms:
Routes obtained from dynamic routing (BGP, etc.) can replace existing management route for the admin IP address, making the BIG-IP lose its management route. Static routes created via TMSH can replace management route.

Conditions:
Using TMSH to create "net route" that matches management network, or dynamic routing accepts a route that matches the management network.

Impact:
Losing the management network route, and potential loss of access to the BIG-IP via the management network.

Workaround:
Don't accept route updates for the management network. Don't create static routes for the management network.

Fix:
Management network admin IP address is now protected from being overwritten.

645717 : UCS load does not set directory owner

Component: TMOS

Symptoms:
When loading a UCS file the directory /etc/ssh will become owned by the first user in the UCS with an .authorized_keys file.

Conditions:
UCS loaded that contains users with .authorized_key files

Impact:
Ownership of /etc/ssh is set to a non-root user after UCS load. This does not interfere with normal system operation or SSH authentication but does not follow secure coding practices

Workaround:
Ownership of on /etc/ssh can be restored with the command: chown root /etc/ssh

Fix:
UCS load now explicitly sets ownership of the /etc/ssh directory to root.

645684-2 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application components are loaded into incorrect ApplicationDomain and in some rare cases this may cause errors in application.

Conditions:
This can occur when viewing Flash video while connected to APM.

Impact:
Flash applications might fail to render through Portal Access.

Workaround:
None

Fix:
Flash files accessed through Portal Access are now loading components into correct Application Domain. This improves compatibility with Flash apps.

645663 : Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.

Component: Local Traffic Manager

Symptoms:
Accelerated crypto and compression traffic may fail; stuck queue reports appear in logs.

Conditions:
Guests provisioned with more than 12 vcpus, and crypto or compression traffic passed through hardware acceleration.

Impact:
Can cause the hardware accelerator to fail and require host reboot.

Workaround:
Limit guest provisioning to 12 vcpus.

Fix:
Allow guests provisioned with more than 12 vcpus to operate without stalling hardware accelerators.

645615-2 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Solution Article: K70543226

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.

645480-3 : Unexpected APM response

Solution Article: K45432295

645339-2 : TMM may crash when processing APM data

Component: Access Policy Manager

Symptoms:
Under certain conditions TMM may crash while processing APM data

Conditions:
APM enabled

Impact:
TMM crash leading to a failover event

Fix:
TMM processes APM data as expected

645220-2 : bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs

Component: Local Traffic Manager

Symptoms:
When mcpd debug logging is enabled, mcp messages sent to or received from the bigd daemon are logged with a username of "(user %-P)" or "(user %-S)" instead of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".

Conditions:
mcpd debug messages with the "(user %-P)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and multiple instances of bigd are running.
mcpd debug messages with the "(user %-S)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and a single instance of bigd is running.

Impact:
Confusion about which daemon is referenced in mcpd debug logs with username "(user %-S)" or "(user %-P)".

Fix:
mcpd debug messages sent to or received from the bigd daemon are correctly logged with a username of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".

645197-3 : Monitors receiving unique HTTP "success" response codes may stop monitoring after status change

Component: Local Traffic Manager

Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) will accumulate in the monitor history; upon monitor status change (such as to "fail"), this history is sent (from 'bigd' to 'mcpd') to indicate that monitor's new-status, plus historical context. This history may grow too large if no monitor status is detected for an extended time (such as days or weeks) when unique status codes are returned from the web server and accumulated in the history. Upon a monitor status change (such as from "success" to "fail"), notification from 'bigd' to 'mcpd' will fail due to this too-large history, resulting in the monitor remaining in its previous state (i.e., "success"). 'bigd' properly records the monitor status and continues to monitor; but 'mcpd' was not notified of that status change (due to message-send failure from the history being too large).

This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating "success"), as 'bigd' will elide/merge the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (for example, by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history will continue to grow for that monitor until a status-change is detected.

Conditions:
Web server returns unique HTTP/1.1 200 (success) codes, such as an included date/time stamp; and success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from "success" to "fail").

Impact:
The monitor will remain in the "success" state, as the status-change will be "lost" ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes, and again forwards status-change notifications for that monitor to 'mcpd'.

Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes; thus, receiving the same return-code will elide/merge with previously accumulated values in the monitor history.

Fix:
HTTP/1.1 200 codes with unique values accumulate for limited history, rather than unbounded history, such that monitor status change notifications are always recorded.

645179-6 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.

Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

Fix:
Traffic groups no longer becomes active on more than one BIG-IP system in a device group after a long uptime interval.

645101-2 : OpenSSL vulnerability CVE-2017-3732

Solution Article: K44512851

645058-3 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.

Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

645036-3 : Removing pool from virtual server does not update its status

Solution Article: K85772089

Component: Local Traffic Manager

Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.

Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.

Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.

Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.

Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.

Fix:
Associating a pool with the virtual server now correctly updates the virtual server status.

644975-4 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost

Component: TMOS

Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.

Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.

Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.

Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.

2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.

3) Save the file and exit the text editor to install the root user's new crontab configuration.

4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.

5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.

6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.

7) If the previous command shows MAILTO=root still appears in some files, also modify those file so that MAILTO=root becomes MAILTO="".

Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.

644970-1 : Editing a virtual server config loses SSL encryption on iSession connections

Component: Wan Optimization Manager

Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.

Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.

Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.

Workaround:
Modify the virtual server's configured server-side iSession profile. For example toggle the iSession profile from A to B and then back to A.

Fix:
Editing a virtual server configuration no longer deletes
an iSession dynamically configured default server-ssl profile.

644946-2 : Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation

Solution Article: K05053251

Component: Service Provider

Symptoms:
When the mirror flag is enabled in the siprouter and diameterrouter profiles, outgoing per-client create connection will be usable by any client connection from the same IP address.

Conditions:
This occurs when the mirror flag is enabled in the siprouter and diameterrouter profiles.

Impact:
In the siprouter and diameterrouter profiles, enabling mirroring incorrectly enables the internal ignore_peer_port flag, which causes the router to not consider the remote port of the client side connection when determining which of an outgoing per-client connection can be used for forwarding messages.

Workaround:
None.

Fix:
The ignore_peer_port flag is no longer affected by the setting of the mirror flag, which is correct functionality.

644904-5 : tcpdump 4.9

Solution Article: K55129614

644873-2 : ssldump can fail to decrypt captures with certain TCP segmenting

Solution Article: K97237310

Component: Local Traffic Manager

Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.

The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data

Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.

Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.

Workaround:
None.

Fix:
ssldump now successfully decrypt a capture, so ssldump no longer crashes.

644855-2 : irules with commands which may suspend processing cannot be used with proactive bot defense

Component: Advanced Firewall Manager

Symptoms:
A request is dropped.

Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule which suspends processing is assigned to the virtual. (includes a command like the "after" commands")

For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962

Impact:
All requests which issue the proactive bot defense and the iRule will get dropped.

Workaround:
N/A

Fix:
irules which suspends the execution won't cause a request drop when the proactive bot defense is assigned.

644851-2 : Websockets closes connection on receiving a close frame from one of the peers

Component: Local Traffic Manager

Symptoms:
Websocket connection should be closed once an endpoint has both sent and received a Close control frame. BIG-IP closes connection on receiving a close frame from peer and does not wait for close frame from other endpoint. This results in data sent in the other direction to be dropped.

Conditions:
Websocket and HTTP profile are attached to the virtual.

Impact:
One endpoint sends a Websocket Close control frame. Other endpoint continues sending data which is dropped by BIG-IP.

Fix:
Half-close of connection will be triggered instead of closing the connection entirely.

644822-2 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Solution Article: K19245372

Component: Advanced Firewall Manager

Symptoms:
If AFM provisioned, a FastL4 virtual server with enabled loose-init option drops all RST packets that do not relate to any existing flows.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option enabled.

Workaround:
No workaround.

Fix:
Fixed, so FastL4 virtual servers with enabled loose-init option will forward any RST packets.

644799-1 : TMM may crash when the BIG-IP system processes CGNAT traffic.

Solution Article: K42882011

Component: TMOS

Symptoms:
TMM may crash when the BIG-IP system processes CGNAT traffic.

Conditions:
A TMM connflow related to CGNAT traffic is expired.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when the BIG-IP system processes CGNAT traffic.

644723-1 : cm56xxd logs link 'DOWN' message when an interface is admin DISABLED

Component: TMOS

Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:

Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN

Conditions:
This is logged when disabling an interface.

Impact:
Log message says the interface is DOWN, it should say DISABLED.

644694 : FPS security update check ends up with an empty page when error occurs.

Component: Fraud Protection Services

Symptoms:
While checking for security updates in FPS, GUI may display an empty page caused by internal errors, such as network errors or temporary downtime.

Conditions:
-- Provision and license FPS.
-- Check for security updates.

Impact:
Empty page is presented, with no indication of what error occurred.

Workaround:
Use TMSH or REST API to perform an update check.

Fix:
Now, when an error occurs, the error will be displayed.

644693-3 : Fix for multiple CVE for openjdk-1.7.0

Solution Article: K15518610

644565-1 : MRF Message metadata lost when routing message to a connection on a different TMM

Component: Service Provider

Symptoms:
The system might choose to create a new outgoing connection when there is an available exiting connection that can be used.

Conditions:
When a message is forwarded to another TMM for delivery, an internal state might be lost.

Impact:
Messages should be delivered correctly as the metadata is lost after routing. There might be an impact if routing is retried and the ignore-peer-port setting is lost. This might cause a new connection to be created when an available existing connection exists.

Workaround:
None.

Fix:
The system now ensures that the ignore-peer-port flag is preserved when forwarding a message to a connection on another TMM.

644490-1 : Finisar 100G LR4 values need to be revised in f5optics

Component: TMOS

Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.

Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.

Impact:
Occasional packet loss at the 100G physical layer.

Workaround:
Use 100G SR4 optics modules on the link if possible.

Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.

For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).

644489-1 : Unencrypted iSession connection established even though data-encrypt configured in profile

Solution Article: K14899014

Component: Wan Optimization Manager

Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.

Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
1) An error occurs during dynamic server-ssl profile replacement.
2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.

In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.

Impact:
An unencrypted iSession connection may be established which is inconsistent with configuring data-encrypt as enabled in the sever-side iSession profile.

Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.

Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
2) An error occurs during dynamic server-ssl profile replacement.

644447-2 : sync_zones script increasingly consumes memory when there is network connectivity failure

Component: Global Traffic Manager (DNS)

Symptoms:
sync_zones memory usage exponentially increases during network disruption

Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.

Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.

Workaround:
None.

Fix:
sync_zones script now exits successfully at network failure.

644418-2 : Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain including the self-signed certificate.
Many of the self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.

Conditions:
This may occur when SSL Forward Proxy is in use.

Impact:
Forged certificate with SHA1 hash algorithm may be rejected during SSL handshake and the SSL handshake will then fail.

Workaround:
None.

Fix:
In this release, the system excludes self-signed certificates in hash algorithm selection (which is correct behavior). This may prevent forged certificate from using SHA1 hash algorithm

644404-1 : Extracting SSD from system leads to Emergency LCD alert★

Component: TMOS

Symptoms:
When an SSD in a dual-SSD system configuration is extracted, an emergency alert may be issued on the LCD. This does not match the actual severity (Warning) as reported in the LTM log.

Conditions:
Dual SSDs in any BIG-IP system where one has been selected for removal.

Impact:
LCD reports an Emergency-level alert, which does not match the actual Warning severity reported in the LTM log.

Workaround:
Clear the Emergency alert from the LCD.

Fix:
The classification for SSD removal has been changed to 'Warning' to match the LTM log level.

644220-3 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Solution Article: K37049259

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.

Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.

644184-4 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Solution Article: K36427438

Component: TMOS

Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.

Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.

Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.

Fix:
ZebOS daemons no longer hangs while AgentX is waiting.

644112-2 : Permanent connections may be expired when endpoint becomes unreachable

Solution Article: K56150996

Component: Local Traffic Manager

Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.

Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.

Impact:
Tunnel, or other affected connection, will not pass traffic.

Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.

Fix:
Routing updates can no longer lead to expired permanent connections.

643785-3 : diadb crashes if it cannot find pool name

Component: Service Provider

Symptoms:
diadb utility crashes if it cannot find pool name.

Conditions:
-- diadb utility is running.
-- Pool name is not available in the Diameter persistence record.

Impact:
diadb utility crashes.

Workaround:
None.

Fix:
diadb will not crash even if it cannot find the pool name in the Diameter persistence record.

643777-2 : LTM policies with more than one IP address in TCP address match may fail

Solution Article: K27629542

Component: Local Traffic Manager

Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.

Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.

Impact:
The action configured with the match may not be taken.

Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.

Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.

643631 : Serverside connections on virtual servers using VDI may become zombies.

Solution Article: K70938130

Component: Local Traffic Manager

Symptoms:
Listing connections with "tmsh show sys connection all-properties" (please be cautious executing this command as it could have performance impact) will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.

Conditions:
APM provisioned and VDI (Virtual Desktop Infrastructure) is configured on the affected virtual.

Impact:
Zombie connections consume memory that cannot be reclaimed. Potential out-of-memory condition.

Workaround:
None.

Fix:
Expired serverside connections are properly torn down.

643602-2 : 'Select All' checkbox selects items on hidden pages

Component: Fraud Protection Services

Symptoms:
In FPS GUI, clicking 'Select All' when the list contains more than 10 items, selects all items and not just the items on the current page, as expected.

Conditions:
-- FPS provisioned and licensed.
-- Check 'Select All' and click Delete on a list page containing enough items to span more than one page, for example:

On the Security :: Fraud Protection Service :: Anti-Fraud Profile :: Mobile Security :: Man in the Middle Detection page, add 20 domains. This creates two pages of domains on the list page. When you then check 'Select all' and click Delete, all 20 domains are deleted instead of the expected 10 visible on the page.

Impact:
Unexpected behavior: items are deleted from pages that are not visible.

Workaround:
Check one or more items individually for deletion.

Fix:
Clicking the 'Select All' checkbox now selects all items on the currently visible page.

643582-2 : Config load with large ssl profile configuration may cause tmm restart

Component: Local Traffic Manager

Symptoms:
When doing a config load with a large number of ssl profiles tmm may become busy enough to cause mcp tcp connection to go down and cause tmm restart.

Conditions:
Doing a full config load with large number of ssl profiles.

Impact:
Possible tmm restart.

Workaround:
Doing incremental sync of changes can avoid this issue.

Fix:
A full configuration reload with large number of ssl profiles may cause tmm restart.

643547-1 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP

Solution Article: K43036745

Component: Access Policy Manager

Symptoms:
Requests to /my.policy are not getting HTTP responses.

Log file '/var/log/apm' contains large number of error messages about failed XML data creation:

err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM system is configured with a large number of access policy agents.
-- You are performing an operation that requires the apmd process to start.
-- For example, your BIG-IP APM system is reloaded, you install a new image, or you manually restart the apmd process.

Impact:
APMD will not able to process any requests.

Workaround:
For some configurations and platforms, you can use the following steps to recover:

- Remove all unused access policies (if applicable).
- Restart apmd.

Fix:
Now APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.

643404-2 : 'tmsh system software status' does not display properly in a specific cc-mode situation★

Solution Article: K30014507

Component: TMOS

Symptoms:
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.

Conditions:
Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true:
-- The system is in Common Criteria mode (db var Security.CommonCriteria).
-- The system is in FIPS compliance mode (db var security.fips140.compliance).
-- Signature checking is manually enabled (db var LiveInstall.CheckSig).

Impact:
It is difficult to ascertain why the software change cannot be made.

Workaround:
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.

To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix:
The 'tmsh show system software status' now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso).

Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.

643396-2 : Using FLOW_INIT iRule may lead to TMM memory leak or crash

Solution Article: K34553627

Component: Local Traffic Manager

Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.

Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.

Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a memory leak in the FLOW_INIT iRule event.

643375-1 : TMM may crash when processing compressed data

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash when processing compressed data.

Impact:
TMM crash, leading to a failover event

Workaround:
None.

Fix:
Compressed data is now processed as expected

643294 : IGMP and PIM not in self-allow default list when upgrading from 10.2.x★

Component: TMOS

Symptoms:
IGMP or PIM not in self-allow by default after upgrade.

Conditions:
Upgrade from 10.2.x.

Impact:
Advance routing with multicast or PIM does not work, when configured after upgrade with default self-allow.

Workaround:
Manually add PIM or IGMP to self-allow default.

643210-2 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM

Solution Article: K45444280

Component: Local Traffic Manager

Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.

Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.

Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.

Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.

Fix:
The BIG-IP no longer deletes keys from the Safenet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

643187-2 : BIND vulnerability CVE-2017-3135

Solution Article: K80533167

643143-2 : ARP and NDP packets should be QoS/DSCP marked on egress

Component: Local Traffic Manager

Symptoms:
There is currently no way to prioritize ARP/NDP traffic on BIG-IP or configure QoS on TMM-originated ARP/NDP packets.

Conditions:
ARP and/or NDP is in use.

Impact:
When the BIG-IP system's CPU is saturated, there is a possibility that ARP and NDP packets might be dropped.

Workaround:
N/A

Fix:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

Behavior Change:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

643121-1 : Failed installation volumes cannot be deleted in the GUI.

Component: TMOS

Symptoms:
Failed installation volumes aren't displayed under Disk Management and, therefore, cannot be deleted.

Conditions:
Have a failed installation volume.

Impact:
Cannot use the GUI to delete

Workaround:
Use tmsh to delete failed installation volumes using a command similar to the following:
tmsh delete /sys software volume <HDx.y>.

For example, to delete software volume HD1.0, use the following command:
tmsh delete /sys software volume HD1.0.

Fix:
Failed installation volumes can now be deleted in the GUI.

643054-2 : ARP and NDP packets should be CoS marked by the swtich on ingress

Component: Local Traffic Manager

Symptoms:
When ARP and NDP requests are dropped, ARP caches can time out, and peer nodes may fail to resolve the BIG-IP system's self-IP addresses or virtual servers.

Conditions:
TMM0 is saturated and dropping packets.

Impact:
ARP requests can be dropped, and peer devices, such as routers and monitored devices, can fail to resolve the BIG-IP system's address.

Workaround:
None.

Fix:
You can now use db variables to control internal traffic priority for ingress ARP/NDP packets in the switch.

-- arp.priority : high/normal (default)
-- ipv6.nbr.priority : high/normal (default)

The 'normal' value is the default.

-- Setting arp.priority to high raises ARP packet priority.
-- Setting ipv6.nbr.priority to high raises NDP packet priority.

Behavior Change:
You can now use db variables to raise the internal traffic priority for ingress ARP/NDP packets in switch.

arp.priority : high/normal(default)
ipv6.nbr.priority : high/normal(default)

Setting arp.priority to high raises ARP packet priority.
Setting ipv6.nbr.priority to high raises NDP packet priority.

643013 : DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3

Component: TMOS

Symptoms:
DAGv2 is a new DAG type and is designed to run on new platforms, including i5600, i5800, i7600, i7800, i10600, i10800 platforms. DAGv2 was not ready when these platforms were first released. DAGv2 is enabled on these platforms in v12.1.3.

Conditions:
i5600, i5800, i7600, i7800, i10600, i10800 platforms.

Impact:
No functional impact. This is simply an announcement of a change in the DAG version.

Workaround:
None.

Fix:
DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3.

642983-1 : Update to max message size limit doesn't work sometimes

Solution Article: K94534313

Component: Device Management

Symptoms:
There is a cap on all REST request/response message size. By default it is set to 32 MB, and you can modify it to higher limit using /mgmt/shared/server/messaging/settings/8100 REST endpoint. But the REST framework may not apply this change.

When this occurs, you will see 501 Bad Gateway error from Apache and error message link "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in restjavad log (/var/log/restjavad.0.log).

Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.

Impact:
REST framework applies message body limit only on incoming request and response. If incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.

Workaround:
None.

Fix:
Messaging settings are applied on requests/responses, rather than on RestServer as forwarded outgoing requests/responses will not have server instance attached to request.

642982-3 : tmrouted may continually restart after upgrade, adding or renaming an interface★

Solution Article: K23241518

Component: TMOS

Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.

Conditions:
-- Dynamic routing configured.
-- Non-default partition name or VLAN names greater than 15 characters.

Impact:
Dynamic routing does not function. This may include monitors not functioning properly and marking pool members down incorrectly.

Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.

Fix:
tmrouted no longer restarts when using long VLAN, VLAN group, or tunnel names in a non-default partition.

642952 : platform_check doesn't run PCI check on i11800

Component: TMOS

Symptoms:
When "platform_check misc" is run, it will return

Miscellaneous Tests
PCI: NOT RUN
Test not available on this platform

Conditions:
This always happens.

Impact:
No platform check for PCI is executed.

Workaround:
There is no workaround.

Fix:
It is fixed, platform check for PCI is executed.

642874-1 : Ready to be Enforced filter for Policy Signatures returns too many signatures

Solution Article: K15329152

Component: Application Security Manager

Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.

Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.

Impact:
Incorrect results are shown as a result of the filter.

Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.

Fix:
The "Ready to be Enforced" filter works correctly.

642723-3 : Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect

Component: TMOS

Symptoms:
In version 11.4.0, when pendsect was introduced, the Western Digital WD1600YS-01SHB1 hard drive was not supported. This drive was used in very early shipments of the 1600/3600 products.

If you are running 11.4.0 and have a WD1600YS-01SHB1, you might see the following errors in /var/log/ltm:

-- notice pendsect[1662]: skipping drive -- Model: WDC WD1600YS-01SHB1
-- notice pendsect[1662]: No known drives detected for pending sector check. Exiting

Conditions:
-- Running 11.4.0.
-- Using WD1600YS-01SHB1 hard drives.

Impact:
The only impact is a pendsect notice in /var/log/ltm. The hard drive operates as expected.

Workaround:
There is no mitigation or workaround for this issue.

Fix:
The WD1600YS-01SHB1 hard drive was added to the supported list of hard drives in versions 11.5.x, 11.6.x, and 12.1.3.

642703-2 : Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★

Component: TMOS

Symptoms:
Installation from external media (PXE or USB) fails with error:

error: status 768 returned by command: /sbin/lvcreate -L -4719088K -n dat.share vg-db-cpmirror
info: >++++ result:
info: Negative size is invalid
info: Run `lvcreate --help' for more information.
info: >----
error: MultiVolume_add cpmirror.dat.share failed.

Conditions:
-- i5000, i7000, i10000, i11000, and i12000 platforms.
-- Installation from external media (PXE or USB).
-- Running software v12.1.2 or v13.0.0.

Impact:
System is non-functional. It will not work at all, until an 'installation from external media' is performed. There is no software on the system because the operation failed during the early stages of a formatting installation.

Workaround:
Use an earlier version for the formatting installation, such as 12.1.1, and then upgrade to the target version.

Fix:
The error no longer occurs; the formatting installation succeeds.

642659-2 : Multiple LibTIFF Vulnerabilities

Solution Article: K34527393

642400-2 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS. Use or disable Path MTU discovery with the tm.pathmtudiscovery database key.

Fix:
Path MTU discovery functions correctly with the TCP profile.

642330-2 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Component: Global Traffic Manager (DNS)

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

642314-2 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★

Solution Article: K24276198

Component: TMOS

Symptoms:
gtm config load failure after upgrade from v11.x to v12.x or v13.x.

Conditions:
Create GTM pool with canonical-name ending with dot - for example "cname-with-dot.com." in v11.x and then upgrade to v12.x or v13.x.

Impact:
gtm config load failure after upgrade.

Workaround:
Remove trailing dots or set "Domain Validation" to "none".

Fix:
Upgrading from 11.x to 12.x or 13.x with GTM Pool with canonical-name removes trailing FQDN dot.

642284 : Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.

Component: Carrier-Grade NAT

Symptoms:
Memory corruption caused by closing a PCP connection while requests are being processed.

Conditions:
This can occur when a PCP client sends multiple requests and closes before receiving the replies. When the client OS receives a reply it will send an ICMP destination unreachable message which causes the BIG-IP to close the PCP connection. If the PCP connection is closed while a request is being processed, memory corruption may occur when the request completes.

Impact:
When memory corruption occurs, TMM may crash or assert. Traffic disrupted while tmm restarts.

Fix:
Closing the PCP connection will not cause memory corruption.

642221-2 : Incorrect entity is used when exporting TCP analytics from GUI

Component: Application Visibility and Reporting

Symptoms:
When exporting statistics from the TCP Analytics page, the resulted data is for the default "view by" entity rather than the one that's actually selected

Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.

Impact:
Incorrect data is being exported.

Workaround:
Use tmsh.

Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.

642068-1 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).

Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.

642058-1 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances

Component: TMOS

Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.

The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic

The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic

The interface will report in tmsh as down:
tmsh show net interface 5.0

--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
In Out In Out
--------------------------------------------------------
5.0 down 0 0 0 0 0 0 none

Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.

Impact:
The CBL-0138-01 will not work.

Workaround:
None.

Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.

642039-2 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way that to use those iRule commands without causing a tmm core.

Fix:
TMM no longer coreswhen persist is enabled for wideip with certain iRule commands triggered.

642015-2 : SSD Manufacturer "unavailable"

Component: TMOS

Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable"..

Conditions:
BIG-IP system with SSD installed.

Impact:
No functional impact, cosmetic only.

Workaround:
No workaround but the issue is only cosmetic and does not indicate an issue with the system.

Fix:
SSD Manufacturer now displays "Samsung" as expected.

641612-2 : APM crash

Solution Article: K87141725

641574 : AVR doesn't report on virtual and client IP in DNS statistics

Solution Article: K06503033

Component: Application Visibility and Reporting

Symptoms:
On the analytics DNS page, the virtual and client IP stats will be shown as "Aggregated".

Conditions:
This can be seen in DNS analytics, when view-by virtual or client-ip is selected.

Impact:
DNS statistics show incomplete results.

Workaround:
None.

Fix:
AVR now provides the complete report results on virtual and client IP in DNS statistics.

641512-4 : DNSSEC key generations fail with lots of invalid SSL traffic

Solution Article: K51064420

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can rollover periodically. This will fail, leading to no keys to sign DNSSEC queries (no RRSIG records) when the BIG-IP is handling a lot of SSL traffic with invalid certificates.

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include but not limited to lots of SSL traffic with invalid certificates).

Impact:
DNSSEC key generations fail to be accepted by the TMM so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.

Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.

641491-2 : TMM core while running iRule LB::status pool poolname member ip port

Solution Article: K37551222

Component: Local Traffic Manager

Symptoms:
An iRule response to a DNS request may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system may temporarily fail to process traffic as it recovers from the TMM restart, and devices configured as an HA pair may fail over.
-- The BIG-IP system generates a TMM core file to the /shared/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP DNS system is configured with a wide IP that utilizes an iRule.
-- The iRule uses the DNS_REQUEST event command LB::status to check a pool member status.
-- The iRule pool address and port are separated by white space.

Example iRule syntax:

gtm rule pool_member_selection {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.0.0.10 80
    }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use format 'ip:port' or vsname instead of 'ip port. Following are two examples:
1.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}

2.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}

Fix:
An iRule response to a DNS request no longer triggers TMM to produce a core file and restart.

641482-2 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received

Component: Policy Enforcement Manager

Symptoms:
BIG-IP subscriber session will remain in delete pending (stale) state if the Result-code received Acknowledgement from Gx or Gy and is marked as Failure for CCR-T request.

Conditions:
The stale session happens, during subscriber termination and if any CCR-T request for Gx or Gy receives an acknowledgement with non-SUCCESS in Result-code AVP

Impact:
The subscriber session in BIG-IP will stay in delete pending state (stale)

Workaround:
A tmm restart will cleanup all the stale sessions

Fix:
Fix will cleanup the session if a CCR-T acknowledgement is received irrespective of the Result-code AVP

641445-1 : iControl improvements

Solution Article: K22317030

641390-5 : Backslash removal in LTM monitors after upgrade

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.

Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.

For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor fails to load.

Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.

Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.

641360-2 : SOCKS proxy protocol error

Solution Article: K30201296

641256-1 : APM access reports display error

Solution Article: K43523962

641248 : IPsec-related tmm segfault

Component: TMOS

Symptoms:
The tmm cores and all connections are reset.

Conditions:
Race condition during IPsec tunnel tear down.

Impact:
The tmm restarts and all connections reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The IPsec-related tmm segfault has been corrected.

641013-5 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
GRE tunnel traffic can be sent to one TMM if BIG-IP doesn't proxy the GRE tunnel and uses forwarding virtual to handle GRE tunnel traffic.

Conditions:
Use forwarding virtual to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.

Workaround:
None.

Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.

640903-1 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen

Component: Global Traffic Manager (DNS)

Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.

Conditions:
The preference settings "Records per screen" must be a high value. 50 or more will start causing the page to load very slowly.

Impact:
Extremely long page load time.

Workaround:
Prior to the fix, the workaround is to set the preference settings "Records per screen" to a low value. The default value of 10 is fine.

Fix:
The page can now load hundreds of records on a single screen under 3 seconds.

640824-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★

Solution Article: K20770267

Component: Application Security Manager

Symptoms:
Upon first start after upgrade, the following error messages appear in asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.

Impact:
Upgrade fails.

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
# tmsh modify sys db ucs.asm.traffic_data.load value never

2) Do not save a Request Log, when saving a UCS:
# tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

Fix:
Roll-forward upgrade including traffic data now works correctly.

640768 : Kernel vulnerability: CVE-2016-10088

Solution Article: K05513373

640636-3 : F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade

Component: TMOS

Symptoms:
Inserting a 40G optic into a 100G port, or inserting a 100G optic into a 40G shows the optic as "Unsuported Optic". That is not correct, it may be a supported optic, just inserted in the wrong port.

Conditions:
B4450 Blades with 100G or 40G optics inserted in a port that does not support that speed optic.

Impact:
The user may be confused on why the optic is not working, the error message is misleading when the optic is inserted in the wrong port.

Workaround:
If the optic shows up in "tmsh list net interface" as "Unsuported Optic" remove the optic and verify that the optic speed matches the port.

Fix:
The "tmsh list net interface" will now show:

module-description "F5 Qualified Optic in invalid port"

And the LCD warning message will show:
Optic OPT-XXXX not valid in Interface <InterfaceNumber>.

640565-1 : Incorrect packet size sent to clone pool member

Solution Article: K11564859

Component: Local Traffic Manager

Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.

Conditions:
Clone pool is configured on a virtual server.

Impact:
Clone pool members may get traffic exceeding the link MTU.

Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable.

640521-1 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices

Component: Access Policy Manager

Symptoms:
Connect to a public network which has Captive Portal and the Captive Portal uses jQuery library for mobile devices. EdgeClient does not render login page for such Captive Portal.

Conditions:
Use public network with Captive Portal that uses jQuery library for mobile devices.

Impact:
EdgeClient can not establish VPN connection.

Workaround:
Use a browser to authenticate to Captive Portal. For locked client, there is no suitable workaround.

Fix:
Now Edge Client can successfully interact with a greater number of wifi captive portals.

640510-3 : BWC policy category attachment may fail during a PEM policy update for a subscriber.

Component: Policy Enforcement Manager

Symptoms:
The correct BWC category is not applied resulting in incorrect BWC handling of subscriber traffic.

Conditions:
PEM policies against a subscriber should be modified such that the BWC policy stays the same while the BWC category changes.

Impact:
Use cases dependent on BWC can be impacted.

Fix:
Code changes were added such that BWC policy and category changes through PEM are handled correctly.

640457-2 : Session Creation failure after HA

Component: Policy Enforcement Manager

Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.

Conditions:
Intra-chassis HA is configured. One of the blades goes down & comes back up very rapidly & some subscriber sessions are lost.
An attempt to add the lost subscriber again fails.

Impact:
A set of subscribers lost during HA will never be added back.

Workaround:
No workaround.

640407-1 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF

Solution Article: K41344483

Component: Service Provider

Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.

Conditions:
Use of an iRule command that gets or sets state in a MRF protocol filter or MR proxy during CLIENT_CLOSED iRule event may core. This is because CLIENT_CLOSED event is raised after all state has been freed for the current connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule command to get or set state during CLIENT_CLOSED iRule event.

640376-3 : STPD leaks memory on 2000/4000/i2000/i4000 series

Component: Local Traffic Manager

Symptoms:
STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs will grow in physical memory usage indefinitely so long as its role in the tree results in sending BPDU packets. The memory usage will be faster for each interface that is sending BPDUs.

Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform and the device has a role in the tree that results in sending BPDUs on one or more interfaces. Memory can be seen to increase when tracking with Linux top commands.

ex. top -b -n 1 | grep stpd

The 5th and 6th columns 'VIRT' and 'RES' slowly increase over time, indicating the memory leak.

Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.

Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured in such a way that the defect affected platforms don't generate BPDUs. This can be done by choosing a root such that the defect affected platforms will have its interfaces to be in blocking mode, or if possible, to be in passthrough mode.

Fix:
BPDU process source code fixed to release memory allocated for each BPDU packet created and sent.

640352-2 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet

Solution Article: K01000259

Component: Local Traffic Manager

Symptoms:
Connflow entry memory are leaked when BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between
the DHCP client and the BIG-IP system sets giaddr field to itself after connflows created are aged out in a particular order.

Conditions:
1) BIG-IP DHCP proxy is configured in forwarding mode.
2) DHCP relay agent sits between the DHCP client and the BIG-IP system sets giaddr field in DHCP renewal packet to itself (this has been observed in Cisco devices), so that DHCP renewal packet will be sent to a relay agent by DHCP servers.
3) Connflow created to giaddr(relay agent) ages out before
connflows created to DHCP clients.

Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.

Workaround:
None.

Fix:
Ref count handing for giaddr connflows are now decremented when the client side connflow is removed, preventing the memory leak.

639929-2 : Session variable replace with value containing these characters ' " & < > = may case tmm crash

Component: Access Policy Manager

Symptoms:
TMM crash with session variable replace with value containing these characters ' " & < > =

Conditions:
Session variable replace with value containing these characters ' " & < > =

Impact:
Traffic disrupted while tmm restarts.

Workaround:
avoid session variable values containing ' " & < > = if possible. Otherwise, there is no workaround.

Fix:
Session variable overwrite operation with value containing special characters now works correctly

639750-1 : username aliases are not supported

Component: Fraud Protection Services

Symptoms:
in is a common practice to use aliases for username. for example, an app might allow users to login with either their ID, cell number, or nickname.
WebSafe doesn't support username aliases.

Conditions:
This is encountered when your application uses username aliases.

Impact:
You are unable to use username aliases in your applications.

Workaround:
None.

Fix:
providing new ANTIFRAUD irule command for setting username (replace username alias with the "real" username)

639744-1 : Memory leak in STREAM::expression iRule

Solution Article: K84228882

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.

Fix:
This release fixes a memory leak in STREAM::expression iRule.

639729-2 : Request validation failure in AFM UI Policy Editor

Solution Article: K39428424

639505-3 : BGP may not send all configured aggregate routes

Component: TMOS

Symptoms:
As a result of a known issue, BGP may not send all configured Aggregate routes if one is a supernet of another.

Conditions:
- BGP established sessions.
- BGP configuration contains several aggregate routes, one or more being a supernet of others.

Impact:
The smaller prefix aggregate (least specific), may not be sent to the BGP peer.

Fix:
BGP now sends all configured aggregates

Behavior Change:
BGP now sends all configured aggregates, even if one is supernetwork of another.

639486-4 : TMM crash due to PEM usage reporting after a CMP state change.

Component: Policy Enforcement Manager

Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.

Conditions:
A CMP state change due to a card reboot, disable, enable, insert or remove should have occurred while or right before a PEM usage reporting action.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Instead of asserting, handled the error condition gracefully.

639395-2 : AVR does not display 'Max read latency' units.

Solution Article: K91614278

Component: Application Visibility and Reporting

Symptoms:
AVR does not display units for 'Max Read Latency'.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.

Fix:
Added units (microsecond) to AVR report.

639236-1 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Solution Article: K66947004

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain Contact header expires value set to 0 that is not the last attribute

Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.

Impact:
REGISTER is rejected with a '400 Bad request' error message

Workaround:
None.

Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.

639193-1 : BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.

Solution Article: K03453591

Component: Advanced Firewall Manager

Symptoms:
In high availability (HA) environment where BIG-IP devices are configured for Manual Sync, deleting parent policy causes sync to fail.

Conditions:
This occurs when you delete the parent of a policy that was used as the parent of another policy. For example:
1. Clone Policy A and create Policy B.
2. Clone Policy B and create Policy C.
3. Delete Policy B.

Impact:
Manual sync operation fails.

Workaround:
Use one of the following Workarounds:
A. Enable automatic sync for HA configurations.
B. Run the following commands:
   tmsh save sys config partitions all
   tmsh load sys config partitions all
   Sync

Fix:
In HA environments containing BIG-IP devices configured for Manual Sync, deleting parent policy no longer causes sync to fail.

639039-4 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons

Solution Article: K33754014

Component: Local Traffic Manager

Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.

Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.

Impact:
Dynamic routing information is lost and must be relearned.

Workaround:
When using dynamic routing, only change the host name during a maintenance window.

638997-2 : Reboot required after disk size modification in a running BIG-IP VE instance.

Component: TMOS

Symptoms:
- BIG-IP VE supports disk size modification during the lifetime of a running instance to expand or reduce the disk size that was allocated at the time of deployment.

- A reboot is required after any such modification in the disk size for the changes to take effect. In previous versions, the reboot happened automatically but an affected BIG-IP VE will not have the reboot happening automatically.

- Due to the lack of reboot, changes in disk size do not take effect on the BIG-IP system.

Conditions:
Modifying disk size in a running BIG-IP VE instance.

Impact:
Changes in the disk size do not take effect till BIG-IP system is rebooted.

Workaround:
Manually reboot the running BIG-IP VE instance after making changes in disk size.

Fix:
Reboot required after disk size modification in a BIG-IP VE instance.

638935-3 : Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Component: TMOS

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

If you have an escaped quote in your configuration, and are moving to a configuration with this the dependency of this fix, you cannot reload the configuration or the license which also reloads the configuration. Doing so, will cause the config load to fail.

638881-1 : Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances

Component: TMOS

Symptoms:
When the fan tray is removed, the fan status in tmctl tables and 'tmsh show sys hardware' are not updated correctly to reflect the current status of the fan tray i.e. not-present.

Conditions:
When the fan tray is physically removed.

Impact:
It is important to be aware of the fan status since malfunctioning of the fan tray can result in thermal shutdown when temperature thresholds are reached. Having incorrect/incomplete status would result in delayed corrective actions if a problem should arise.

Workaround:
No workaround at this time.

638825-2 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD

Component: TMOS

Symptoms:
Value returned for sysInterfaceMediaActiveSpeed OID has value of 80 for interface with type 100000SR4-FD instead of value of 100000.

Conditions:
This always occurs for this type of interface.

Impact:
User sees wrong value for this interface in SNMP get. Value is correct in tmsh 'show net interface'.

Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.

638799-1 : Per-request policy branch expression evaluation fails

Component: Access Policy Manager

Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:

info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)

Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.

The evaluation does not trigger for some requests when, in the same connection, the virtual server gets a request for an internal Access whitelisted URL, and then request for backend resource URIs.

Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for whitelisted URL, the system disables all iRule events except the following:

   #define ACCESS_ALLOWED_IRULE_EVENTS ( \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))

Workaround:
None.

Fix:
Per-request policy branch expression evaluation now complete successfully for non-Access (non-APM) iRule events that are attached to the virtual server.

638780-3 : Handle 302 redirects for VMware Horizon View HTML5 client

Component: Access Policy Manager

Symptoms:
Starting from v4.4, Horizon View HTML5 client is using new URI for launching remote sessions, and supports 302 redirect from old URI for backward compatibility.

Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.

Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround:
For versions 11.6.x and 12.x:
===============================

priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

Fix:
Handle 302 redirects for VMware View HTML5 client are now handled properly.

638715-3 : Multiple Diameter monitors to same server ip/port may race on PID file

Solution Article: K77010072

Component: Local Traffic Manager

Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.

Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.

Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.

Workaround:
A possible work-around is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so a simultaneous probe-collision will fail one monitor once, which upon retry will succeed (as three monitor failures are required for a virtual server to be marked down).

Fix:
The fix includes the monitor-template name in the generation of the PID file, which ensures multiple Diameter monitor instances probing the same server (IP/port) do not interfere with each other.

638629-2 : Bot can be classified as human

Component: Application Security Manager

Symptoms:
A bot is classified as human in a rare case.

Conditions:
Web scraping is turned on. The CSHUI is tried on the user.

Impact:
Bot traffic gets classified as human by ASM.

Workaround:
N/a

Fix:
Fixed the CSHUI algorithm to have better bot detection.

638594-3 : TMM crash when handling unknown Gx messages.

Component: Policy Enforcement Manager

Symptoms:
TMM crash resulting in potential loss of service.

Conditions:
PCRF sends unsupported Gx messages to PEM.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Add support for identifying unknown messages types and handle them gracefully.

638556-2 : PHP Vulnerability: CVE-2016-10045

Solution Article: K73926196

638137 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828

Solution Article: K51201255

637666-2 : PHP Vulnerability: CVE-2016-10033

Solution Article: K74977440

637561-1 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice

Component: TMOS

Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.

Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only.

Impact:
Wildcard wideips are not returning wildcard requests correctly.

Workaround:
reload mcpdb using commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd

Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.

637559-1 : Modifying iRule online could cause TMM to be killed by SIGABRT

Component: TMOS

Symptoms:
If iRule is used by several virtual servers, and you edit the iRule online, it could cause TMM to be eventually killed by SOD (watchdog).

Conditions:
This can occur under the following conditions:
1. The iRule is used by large number of virtual servers.
2. You edit the iRule and save changes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If iRule is used by several virtual servers, and you edit the iRule online, it no longer causes TMM to be eventually killed by SOD (watchdog).

637308-8 : apmd may crash when HTTP Auth agent is used in an Access Policy

Solution Article: K41542530

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.

Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.

637252-1 : Rest worker becomes unreliable after processing a call that generated an error

Solution Article: K73107660

Component: Application Security Manager

Symptoms:
Unreliable behavior from ASM REST API.
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.

Conditions:
A REST worker can enter this state if it processes specific calls that ended in error, such as creating a new active Policy.

Note: Policies are meant to be created inactive and then activated through the apply-policy task.

Impact:
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.

Workaround:
1) Do not create 'active' policies. Create them with 'active': false, and then use the apply-policy task to set them active.

2) To recover a device that has reached this state, restart restjavad using the following command:
bigstart restart restjavad

Fix:
REST workers maintain correct state and behavior after calls with errors.

637181-4 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.

636918-2 : Fix for crash when multiple tunnels use the same traffic selector

Component: TMOS

Symptoms:
Given multiple tunnels with the same traffic selector, a crash could sometimes occur.

Conditions:
Same traffic selector used with more than one tunnel.

Impact:
Possible tmm restart if problem happens. Traffic disrupted while tmm restarts.

Workaround:
Use different traffic selectors for different tunnels.

Fix:
Fixed a tmm crash related to traffic selectors used with more than one tunnel.

636853-2 : Under some conditions, a change in the order of GTM topology records does not take effect.

Component: Global Traffic Manager (DNS)

Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.

Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.

Impact:
In certain configurations, the topology load balancing decision may not be made correctly.

Workaround:
Reload the GTM configuration or add/delete a topology record.

Fix:
Changes in the order of topology records now take effect immediately.

636744-1 : IKEv1 phase 2 SAs not deleted

Solution Article: K16918340

Component: TMOS

Symptoms:
The BIG-IP system will not start phase 1 or phase 2 ISAKMP negotiation after an Active -> Standby -> Active failover within a short period of time.

Conditions:
The HA Active BIG-IP system goes Standby and then becomes Active again within the phase 2 lifetime.

Impact:
IPsec tunnel(s) is/are not initiated by the BIG-IP system. Network connectivity is broken between the private networks.

Workaround:
Option 1: Switch to IKEv2 and 12.x, which skips the problem altogether. This combination will mirror the SAs and so deleting existing SAs upon failover is not required.

Option 2: Edit /config/failover/active and add the following two lines at the end:

logger -p local0.notice "Employ ID636744 workaround. Purge IPsec phase2 SAs."
tmsh delete net ipsec ipsec-sa

636702-3 : BIND vulnerability CVE-2016-9444

Solution Article: K40181790

636699-5 : BIND vulnerability CVE-2016-9131

Solution Article: K86272821

636541-3 : DNS Rapid Response filters large datagrams

Component: Global Traffic Manager (DNS)

Symptoms:
Assigning a profile with DNS rapid response enabled to a virtual server on a P8 chassis might result in problems with blades and the cluster.

Depending on the timing of operations (config is loaded and tmm restarts), blades might never join the cluster properly and you will see errors similar to the following looping in /var/log/tmm:
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445394
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445416

Conditions:
-- Assigning a profile with DNS rapid response enabled to a virtual server.
-- P8 chassis.
-- Large datagrams being passed.

Impact:
DNS Rapid Response filters large datagrams. Blades might never join the cluster.

Workaround:
There is no workaround at this time.

Fix:
The system now passes through any datagrams too big for DNS rapid response.

636535 : HSB lockup in vCMP guest doesn't generate core file

Solution Article: K24844444

Component: TMOS

Symptoms:
If an HSB lockup occurs in a vCMP guest, the system does not generate a core file.

Conditions:
HSB lockup, which occur rarely.

Impact:
Limited ability to diagnose failures due to HSB lockups.

Workaround:
None.

Fix:
Whenever an HSB lockup occurs in a vCMP guest, the system generates a core file.

636520-3 : Detail missing from power supply 'Bad' status log messages

Solution Article: K88813435

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
This occurs when the system posts an internal hardware sensor alert.

Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.

Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.

636397-1 : bd cores when persistent storage configuration and under some memory conditions.

Component: Application Security Manager

Symptoms:
bd cores. Log signature in /var/log/bd looks similar to the following:

BD_MISC|ERR |Jan 02 14:24:06.422|27867|io_manager_init.c:0395|internal_keep_alive: BD shrinking...,going down - BD will be right back.
ptr BD_MISC|CRIT |Jan 02 14:24:06.422|27867|signals.c:0073|Received SIGSEGV - Core Dumping.

Conditions:
There is persistent storage configuration. There is high memory usage.

Impact:
bd crash. Traffic resets and/or failover

Workaround:
None.

Fix:
This release fixes a bd crash due to specific memory conditions and persistent storage.

636370 : Application Layer Encryption AJAX support

Component: Fraud Protection Services

Symptoms:
WebSafe doesn't support parameters encryption in Single Page Applications (using AJAX)

Conditions:
Application uses AJAX for sending parameters to web server

Impact:
Encryption won't work for Single Page Applications

Workaround:
N/A

Fix:
Adding AJAX encryption support (full payload encryption)

for 12.1.2-hf, enabling this feature requires:

tmsh modify sys db antifraud.internalconfig.string1 value <AJAX-HEADER-NAME>

AJAX-HEADER-NAME existence will enable AJAX support for current request and its value may contain the username used in current request (if configured and exists)

Note that activating AJAX support in releases > 12.1.2-hf is done differently (configured in profile, not in db)

636290 : vCMP support for B4450 blade

Component: TMOS

Symptoms:
vCMP is not supported in the B4450 blade

Conditions:
This occurs on the B4450 blade on specific BIG-IP software versions, for more information on supported vCMP versions see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Impact:
You are unable to configure vCMP on the B4450 blade.

Fix:
vCMP is supported on the B4450 blade in this version.

636254-2 : Cannot reinitiate a sync on a target device when sync is completed

Component: Access Policy Manager

Symptoms:
After a policy sync is successful, re-initating a sync fails with the following error:
"PolicySyncMgr: Sync already in progress for policy xxx"

Conditions:
This occurs rarely when performing a sync after a successful sync.

Impact:
You cannot re-sync a policy. This is a rare occurrence, and after waiting a small amount of time sync should start working again.

Fix:
Now APM Policy Sync no longer hangs in rare cases with the message: "PolicySyncMgr: Sync already in progress for policy xxx"

636149-3 : Multiple monitor response codes to single monitor probe failure

Component: Local Traffic Manager

Symptoms:
A monitor probe failure to a monitor (such as HTTP) will be logged to '/var/log/ltm' when the probed resource is unavailable. In some cases for a probe resulting in an 'Unable to connect' error, multiple log entries will be made, with the *last* log entry being the error that triggered the log entry. The other monitor entries made during this event are not specifically relevant, as they are "stale" and due to previous monitor probe behavior that was previously logged.

This is due to an error where the 'Could not connect' event appends a previous error message, rather than overwriting a possibly-present previous error message.

Conditions:
A monitor probe to a monitor is attempted (such as over HTTP), resulting in an "Unable to connect" failure; and where that specific monitor previously reported an error (which is now appended).

Impact:
No system behavior is affected, but multiple log entries are made. The *final* log entry of "Could not connect" or "Unable to connect" is relevant, while the possible multiple log entries immediately above are "stale" and not relevant (as they are due to a previous issue that was previously successfully logged).

Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, user should consider only the last-line for the '/var/log/ltm' log entry, and ignore possibly-present log entries associated with that specific monitor that might be appear immediately above the 'Could not connect' line.

Fix:
The code fix is to "clear" previous monitor-log errors when reporting a 'Could not connect' error, rather than appending a previous error that might be present.

636044-1 : Large number of glob patterns affects custom category lookup performance

Solution Article: K68018520

Component: Access Policy Manager

Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.

Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.

Impact:
Slow response times to HTTP requests.

Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.

Fix:
Glob pattern matching has been extended to be context sensitive. If the pattern includes the marker "://", a glob immediately before it is restricted to the scheme, and a glob immediately after it is restricted to the hostname. If the match can be satisfied with prefix matching, the pattern will be processed with a prefix comparison rather than as a glob. Also, multiple glob patterns are combined together to create a more optimal match pattern. If custom categories patterns use the context sensitive feature, custom category lookup will be optimized.

635961-1 : gzipped and truncated files may be saved in qkview

Component: TMOS

Symptoms:
When looking at the files in the qkview, some files might be both gzipped and truncated, when only one or the other is expected.

Conditions:
This occurs for certain files that are large enough to require truncation and gzipping.

Impact:
Minimal impact, as the extra file can be ignored. This is primarily an issue of wasting image space.

Workaround:
Ignore the extra copy of the file.

Fix:
Files are no longer both gzipped and truncated.

635933-3 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Solution Article: K23440942 K13361021

635754-1 : Wildcard URL pattern match works inncorectly in Traffic Learning

Solution Article: K65531575

Component: Application Security Manager

Symptoms:
In the policy with URL learning mode set to ALWAYS, wildcard URL matching for *.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" will prevent you from adding other wildcard destinations using policy builder.

Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard urls "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard url "/polo/images/*", the pattern match will be incorrect and you will not be able to accept the learning suggestion.

Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.

Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).

Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.

"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using "Up" button".

Fix:
Wildcard URL pattern match now works as expected in Traffic Learning

635561-1 : Heavy URLs statistics are not shown after upgrade.

Component: Application Visibility and Reporting

Symptoms:
Heavy URLs statistics are not shown after upgrade.

Conditions:
Upgrading to newer version

Impact:
Missing statistics.

Workaround:
No workaround

Fix:
Upgrade and verify all heavy URLs statistics are shown.

635541 : "Application CSS Locations" is not inherited if changing parent profile

Component: Fraud Protection Services

Symptoms:
"Application CSS Locations" is not inherited if changing parent profile, which can cause to the following error while saving: Application CSS Locations cannot be empty.

Conditions:
This occurs in the GUI when FPS provisioned when the system is configured with phishing detection license.

Impact:
Cannot use FPS GUI to configure Application CSS Locations.

Workaround:
Use tmsh or the REST API to configure Application CSS Locations.

Fix:
"Application CSS Locations" is inherited if parent profile is changed. No errors are shown while saving.

635412 : Invalid mss with fast flow forwarding and software syn cookies

Solution Article: K82851041

635314-5 : vim Vulnerability: CVE-2016-1248

Solution Article: K22183127

635274-1 : SSL::sessionid command may return invalid values

Solution Article: K21514205

Component: Local Traffic Manager

Symptoms:
The SSL::sessionid iRule command might return random, invalid values. This also causes high CPU usage on TMM. This occurs when the SSL ID retrieved from SSL is on the stack and gets overwritten prior to use, resulting in a persist lookup loop which causes the high CPU. The issue is also associated with the SSL::sessionid iRule command because SSL::sessionid and SSL persistence use the same internal mechanism to retrieve the SSL session ID.

Conditions:
This issue occurs when either of the following conditions exists:
-- An iRule exists that queries the SSL::sessionid.
-- An SSL persist profile is configured on the virtual server.

Impact:
The iRule might not work as expected.
High CPU usage.

Workaround:
Do not use the SSL:sessionid iRule.

Fix:
The SSL::sessionid iRule returns the session ID as expected.

635257-2 : Inconsistencies in Gx usage record creation.

Solution Article: K41151808

Component: Policy Enforcement Manager

Symptoms:
Duplicate usage records may be created or expected usage records may be missing.

Conditions:
A subscriber session is associated with the following policies:

1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.

2. At least 2 PEM policies containing one or more rules with the same MK across policies will result in failure to create expected usage records.

Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.

Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.

To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.

Fix:
Checks to create usage records are now done using the same keys that are used to create them, so there are no duplicate usage records created or expected usage records missing.

635252-1 : CVE-2016-9256

Solution Article: K47284724

635233-3 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages

Component: Policy Enforcement Manager

Symptoms:
CCR-u or CCR-t sent in response to a non-existent policy may be missing some of the custom AVPs such as IMSI, E164, etc., even if the AVPs are marked mandatory.

Conditions:
This occurs when the BIG-IP system sends a CCR-u or CCR-t when the specified policy received from PCRF does not exist.

Impact:
CCR-u and CCR-t may miss some of the subscriber attributes such as IMSI, E164.

Workaround:
None.

Fix:
Added the custom AVPs in the case of CCR-u and CCR-t, if those attributes are enabled for reporting in the protocol profile.

635129 : Chassis systems in HA configuration become Active/Active during upgrade★

Component: TMOS

Symptoms:
When devices in a Device Service Cluster are upgraded, multiple devices will become Active simultaneously.

The affected versions erroneously clear their management-ip during reboot and synchronize this to other members of the Device Service Cluster. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the Device Service Cluster members lose contact with each other, and all become Active.

Conditions:
This problem occurs on VIPRION chassis systems, either running natively, or as a VCMP guest, when upgrading from the affected versions (12.1.0, 12.1.1, 12.1.2), to any other version. The problem occurs on any upgrade, whether on the list of affected versions, or a later version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until all Chassis are finished upgrade. See https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.

635116-1 : Memory leak when using replicated remote high-speed logging.

Solution Article: K34100550

Component: TMOS

Symptoms:
As a result of a known issue when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool TMM may leak memory.

Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one poolmember, and one of them becomes unavailable.

Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.

Workaround:
Do not use replication in the HSL destination configuration.

Fix:
TMM no longer leaks memory when using a replicated HSL setup.

634779-1 : In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file

Solution Article: K43945001

634576 : TMM core in per-request policy

Solution Article: K48181045

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

634371-2 : Cisco ethernet NIC driver

Component: TMOS

Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67

Conditions:
N/A

Impact:
Cisco recommends using the updated version 2.3.0.12

Fix:
Cisco VIC Ethernet NIC Driver 2.3.0.12 is now used.

634265-2 : Using route pools whose members aren't directly connected may crash the TMM.

Solution Article: K34688632

Component: Local Traffic Manager

Symptoms:
The TMM crashes when trying to resolve routes using route pools whose members are not directly connected.

Conditions:
A configuration has route pools whose members aren't directly connected. Additionally, this is an issue only in configurations where the TMM doesn't proxy traffic but sources traffic. An example is an sFLOW configuration.

Impact:
Traffic disrupted while tmm restarts. The TMM crashes whenever a connection tries to resolve such a route.

Workaround:
Create route pools with directly connected members.

Fix:
Using route pools whose members aren't directly connected no longer crashes the TMM.

634252 : TMM crash with per-request policy in SWG explicit

Solution Article: K99114539

Component: Access Policy Manager

Symptoms:
TMM crash is seen intermittently when evaluating per-request access policies for SWG-explicit use cases.

Conditions:
Although the exact conditions required for this issue are unknown, evaluating per-request access policies for SWG-explicit use cases might be related.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM crash is no longer seen when evaluating per-request access policies for SWG-explicit use cases.

634215-1 : False detection of attack after restarting dosl7d

Component: Application Visibility and Reporting

Symptoms:
False detection of an attack.

Conditions:
Restarting dosl7d during traffic.

Impact:
False attack is reported.

Workaround:
No workaround

Fix:
Restart dosl7d during moderate traffic and verify no false attack is reported.

634115-1 : Not all topology records may sync.

Solution Article: K10608314

Component: TMOS

Symptoms:
Some GTM topology records may silently not be synchronized to other devices in the sync group.

Conditions:
One known case occurs when topology records have overlapping subnet specifiers (such as 1.0.0.0/8 and 1.0.0.0/9). It is possible that there are other conditions that might cause this issue.

Impact:
Other devices in the GTM sync group will have an incomplete set of topology records, so the returned DNS answers may differ from the expected values.

Workaround:
After updating topology records, run the following command to force a push of all GTM objects: run cm config-sync force-full-load-push to-group gtm.

Fix:
Some GTM topology records may have silently not been synchronized to other devices in the sync group. This is now resolved; all topology objects will be synchronized to all expected devices.

634078-2 : MRF: Routing using a virtual with SNAT set to none may select a source port of zero

Component: Service Provider

Symptoms:
If a virtual server has a SNAT setting of none and the 'source-port' attribute set to 'preserve' or 'preserve-strict', the outgoing connection will be created with a source port of zero (0) instead of the remote port of the originating connection.

Conditions:
This occurs when a message routing SIP profile is in use.

Impact:
Source port is set to 0.

Workaround:
None.

Fix:
Source port is now set to the source port of the client when SNAT is set to none. This is correct behavior.

634015-3 : Potential TMM crash due to a PEM policy content triggered buffer overflow

Component: Policy Enforcement Manager

Symptoms:
Failure to add a PEM policy to a subscriber session in addition to a TMM crash.

Conditions:
PEM configured with a large number of policy rules that goes beyond the maximum supported PEM resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Buffer allocation checks have been added in that result in an error log along in case of a buffer overflow.

634001-2 : ASM restarts after deleting a VS that has an ASM security policy assigned to it

Component: Application Security Manager

Symptoms:
ASM restarts with the following errors:

'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.

Impact:
ASM restart

Workaround:
None.

Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.

633879-1 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect

Solution Article: K52833014

Component: TMOS

Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.

Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.

Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.

Workaround:
You may be able to select md5, then save and then restart, this would set up the daemon from a config file instead of via incremental config parsing. So while it would not work right after being changed in the UI, the md5 option may work after a restart.

Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.

633723-3 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.

Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.

Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Workaround:
None.

Fix:
The system now automatically gathers nitrox data collection when request queue stuck errors occur.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.

633512-1 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.

Component: TMOS

Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).

Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.

Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.

Workaround:
Do not configure Auto-Failback on VIPRION.

Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.

633413-1 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI

Component: TMOS

Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.

Impact:
Get error with unrelated IPv4 address.

Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.

Fix:
You can now add/remove/edit IPv6 and IPv4 within an existing iRules data group.

633391-1 : GUI Error trying to modify IP Data-Group

Component: TMOS

Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.

Conditions:
Try to modify the value field under Address Records Row whether string/int, and click Update

Impact:
There is an "Error parsing IP address" messave at the top of the page. You cannot modify internal data groups using GUI. You can delete and re-create the entry, but cannot modify it.

Workaround:
Use tmsh to modify the record field of the data groups.

Fix:
You can now modify the IPv6&IPv4 value within an existing data group.

Behavior Change:
users would be able to modify and update data groups

633181-1 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Component: TMOS

Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.

Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR

Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CA's.

Workaround:
Use openssl from the bash command line to generate CSR's.
Solution article K14534 contains the appropriate procedure.

633070-1 : Sync Inconsistencies when using Autosync ASM Group between Chassis devices

Component: Application Security Manager

Symptoms:
When at least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it, Devices may go out of sync and may end up with incorrect ASM configuration

Conditions:
At least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it.

An ASM policy is created.

Impact:
Devices may go out of sync and may end up with incorrect ASM configuration

Workaround:
Enable ASM sync on the failover device group, or use manual sync for the ASM device group.

Fix:
Bladed devices (chassis) handle ASM autosync device groups correctly

632875-3 : Non-Administrator TMSH users no longer allowed to run dig

Component: Global Traffic Manager (DNS)

Symptoms:
TMSH users without the Administrator role are allowed to run dig, which may allow access to files in the local filesystem.

Conditions:
Execute dig via TMSH

Impact:
File access restrictions for TMSH users without the Administrator role are not properly enforced when executing the dig command.

Fix:
TMSH users who are do not have Administrator roles can no longer run the dig utility through TMSH.

Behavior Change:
dig command is no longer allowed to be run through TMSH by non-admin users.

632731-2 : specific external logging configuration can cause TMM service restart

Component: Advanced Firewall Manager

Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.

Conditions:
The problem is seen when all the following conditions match:

1. External Logging server configured for ACL rule match.

2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).

3. The forwarded logging destination connection causes a crash in TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use one of the following workarounds:
--Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the forwarding Virtual.

Fix:
Connections originated from the BIG-IP to the remote logging server are not subjected to ACL checks, which prevents generation of logs for log server connection, which prevents the error conditions.

632685 : bigd memory leak for FQDN nodes on non-primary bigd instance

Component: Local Traffic Manager

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
None.

632668-5 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.

Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.

632646-4 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.

Component: Access Policy Manager

Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.

Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.

Impact:
OAM login with invalid ObSSOCookie results in error page. However, expected behavior is that user is redirected to login page if login with ObSSOCokkie fails.

Workaround:
No Workaround

Fix:
Issue is fixed - On authenticate with ObSSOCookie, read getStatus() API call to check the ObSSOCookie status and redirect to IDP if it is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix user will be redirected to IDP on logging with cookie that is deleted manually from the OAM server.

632552-2 : tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event

Solution Article: K08634156

Component: Local Traffic Manager

Symptoms:
tmm crashes.

Conditions:
When CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event which is fired before either event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the script in _CLOSED events to another events.

Fix:
tmm no longer crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event.

632504-1 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list

Solution Article: K31277424

Component: Access Policy Manager

Symptoms:
Non-LSO resources such as webtop, even they are assigned via a normal resource assign agent, are listed under dynamic resource as opposed to static one.

Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".

Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.

Workaround:
If it is a static resource, do not select it as dynamic resource.

Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.

632499-1 : APM Policy Sync: Resources under webtop section are not sync'ed automatically

Solution Article: K70551821

Component: Access Policy Manager

Symptoms:
Resources put under webtop section such as webtop link, portal access requires to be included as dynamic resource or else sync will fail.

Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-create portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.

Impact:
Sync will fail and some configured resources will not be available on the other devices.

Workaround:
Includes those resources as dynamic resources in Policy Sync advanced settings.

Fix:
Now administrators can sync access profiles with resources under webtop sections without including them manually as dynamic resources.

632472-1 : Frequently logged "Silent flag set - fail" messages

Component: Access Policy Manager

Symptoms:
APM logs excessive messages similar to the following:

2016-12-07,21:46:10:864, 1740,884,APPCTRL, 2, \UBindSecurityMgr.h, 119, UBindSecurityMgrImpl::GetWindow, Silent flag set - fail

Conditions:
This can occur when connecting to APM via the Edge Client.

Impact:
Excessive messages are logged. These messages can be ignored.

632423-4 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

if { not [DNS::question type] ends_with "XFR" } {
set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}

Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.

632386-1 : EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists

Component: Access Policy Manager

Symptoms:
When a iClient control connection, between Edge Client and BIG-IP, exists for a given session id, a new iClient control connection for the same session id cannot be established until the existing connection is torn down. When the client interface is down or the client changes networks, it takes time for the BIG-IP to detect that the existing control connection is down. During this time, if the client attempts to establish a new control connection (interface up or different network), BIG-IP rejects the new connection request.

Conditions:
EdgeClient attempts to open a new iClient control connection with the same session id as that of an existing control connection and without explicitly closing the current connection. This could happen when the client interface is down or clients changes the network it is on.

Impact:
Edge Client cannot establish a iClient control connection and hence a tunnel to the BIG-IP.

Fix:
When BIG-IP sees a new iClient control connection request for a session id for which another iClient control connection exists, the existing connection is closed and the new connection request is attempted to be accepted.

632366-1 : Prevent a spurious Broadcom switch driver failure.

Component: TMOS

Symptoms:
When a high volume traffic is sent to a BIG-IP system, the Broadcom network switch driver might fail. The failure occurs because the switch driver is preempted (by tmm) from completing a long chip reprogramming routine and touching a watchdog. Sod, which monitors the watchdog, thinks the switch driver has become nonfunctional and kills it.

Conditions:
A very high volume traffic is sent to a BIG-IP system under certain circumstances.

Impact:
Potential eventual system outage if the Broadcom switch driver fails.

Workaround:
None.

Fix:
A spurious Broadcom switch driver failure is not possible anymore.

632344-2 : POP DIRECTIONAL FORMATTING causes false positive

Component: Application Security Manager

Symptoms:
ASM reports false positive violation for the XML request.

Conditions:
This occurs when using "%E2%80%AC" POP DIRECTIONAL FORMATTING as a input in the XML request.

Impact:
When one of the following 3 byte chars arrives to the XML parser, the payload considered as malformed XML:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

Workaround:
None.

Fix:
This release now supports the following 3 byte chars within the XML parser:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

632326-2 : relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation

Solution Article: K52814351

Component: Application Security Manager

Symptoms:
You observe Malformed XML violations on valid XML, even with the relax_unicode_in_xml flag set. The same can apply to JSON with the relax_unicode_in_json flag.

Conditions:
Valid XML containing unicode characters is passed through ASM, and the relax_unicode_in_xml flag is enabled.

Impact:
False positive Malformed XML violations may still be reported.

Workaround:
N/A

Fix:
XML and JSON unicode now operates as expected when using the relax_unicode_in_xml or relax_unicode_in_json internal parameter.
To set these parameters, run the following commands:
/usr/share/ts/bin/add_del_internal add relax_unicode_in_xml 1.
/usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1.
bigstart restart asm.

632324-2 : PVA stats does not show correct connection number

Component: Local Traffic Manager

Symptoms:
do command tmsh show sys pva-traffic global

The current connection number showed up may not be correct

Conditions:
This occurs when there is PVA Traffic

Impact:
Wrong stats number for current PVA connections

Fix:
Fixed incorrect statistics for PVA Traffic

632178-1 : LDAP Query agent creates only two session variables when required attributes list is empty

Component: Access Policy Manager

Symptoms:
When required attributes list is empty, LDAP Query agent produces only two session variables.
in previous releases, the default behavior was - to get all user's attributes and populate those as session variables

Conditions:
LDAP Query agent configured in an Access Policy.
Required attributes list is empty (not any attr is configured)

Impact:
LDAP Query agent failed if branch rule expects to get user's attributes.
any other agent in the policy that relies on user's LDAP attributes will also fail.

Workaround:
As a workaround you can configure required attributes to be retrieved by LDAP Query agent explicitly

Fix:
The default behavior is back; when the required attributes list is empty, the LDAP Query Agent will retrieve all user's attributes and populate them as session variables.

632069-3 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076

Component: TMOS

Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.

Conditions:
VE platform
Authenticated user with advanced shell access

Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.

Fix:
Update sudo package to improve security

632060-1 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Component: iApp Technology

Symptoms:
when upgrading to 12.1.1, 12.1.2 or 13.0 releases, executing a command similar to

curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks causes the following error:

"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",

Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0

Impact:
if your device has an iApps LX application, then that application sill not synchronize to the standby device. So if a failover occurs, then the iApps LX application will seem to disappear, and traffic will not pass through the application.

Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.

Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. You only need to use this procedure if you absolutely need to run an iAppLX.

1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s)
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage

Fix:
Upgrade to 13.1 or 13.0.x hot fix

632005-1 : BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML Service provider (SP), IdP connector creation can be automated using list of URIs containing IdP metadata.

Symptom for this issue:
When remotely published metadata changes - BIG-IP will not be able to modify previously created idp-connector object(s) to reflect the changes.

When issue happens, the error similar to following is logged in /var/log/saml_automation.log :

"apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."

Conditions:
BIG-IP is used as SP. IdP connector creation is automated. Metadata published on automation URIs changes.

Impact:
BIG-IP configuration will not contain the latest changes reflected in published IdP metadata.

This may have different impact based on how metadata is changed.
Impact can be from none to user authentication failure (e.g. when IdP signing certificate is changed).

Workaround:
When error is encountered:
- Manually remove affected idp-connector configuration object
- Restart samlidpd service : "bigstart restart samlidpd"

As a result, SAML connector automation will re-create new idp-connector objects will current up-to-date metadata files.

Fix:
BIG-IP is able to modify previously created idp-connector object(s) to reflect the changes when connector automation is deployed.

632001-1 : For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys

Component: Local Traffic Manager

Symptoms:
fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected.

This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.

Conditions:
Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/localfolder.

Impact:
Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.

Workaround:
Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.

Fix:
fipskey.nethsm will now default to making a module-protected key regardless of the presence of OCS or softcard files in .../kmdata/local.

Scripts that export or generate token or softcard protected keys will now need to explicitly set the protection type via the -c or the --protect option in all situations.

631866-2 : Cannot access LTM policy rules in the web UI when the name contains certain characters

Component: TMOS

Symptoms:
Access LTM policy rules in the web UI when the name contains percent (%) or slash (/) displays an empty page.

Conditions:
The LTM policy rule name being accessed contains the characters percent (%) or slash (/).

Impact:
The policy rule properties page displays an empty page.

Workaround:
Update the LTM policy rule using tmsh.

Fix:
LTM policy rules can be accessed as expected in the web UI regardless of their names.

631862-1 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk

Solution Article: K32107573

Component: Local Traffic Manager

Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, HTTP2 profile receives neither the response's body nor indication that the response has zero size.

Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).

Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.

Workaround:
Use following iRule for broken URLs:

when HTTP_RESPONSE {
  if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
    HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
  }
}

A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.

Fix:
When OWS serves Transfer-Encoding chunked with zero size chuck, BIG-IP properly handles the response and sends END_STREAM flag finalizing the response.

631841-7 : NTP vulnerability CVE-2016-9311

Solution Article: K55405388

631737-1 : ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations

Solution Article: K61367823

Component: Application Security Manager

Symptoms:
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.

Conditions:
This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.

Impact:
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. The system reports the ArcSight remote logger message as attack_type="N/A". (If no other violation was found.)

Workaround:
None.

Fix:
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.

631722 : Some HTTP statistics not displayed after upgrade

Component: Application Visibility and Reporting

Symptoms:
Some statistics will disappear after upgrade due to bug in HTTP statistics backup.

Conditions:
Upgrading to newer version

Impact:
Not all statistics are shown.

Workaround:
No workaround

Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.

631700-1 : sod may kill bcm56xxd under heavy load

Component: TMOS

Symptoms:
Under heavy load, bcm56xxd may not get enough CPU cycles to finish some of its operations and activate the watchdog process. In that case, sod will suspect that bcm56xxd has halted and terminate the process.

Conditions:
When the system is very busy, tmm has higher execute priority, and bcm56xxd does not have enough CPU cycles.

Impact:
The switch will not operate during the restart, and traffic might be interrupted.

Workaround:
Reduce the traffic to make the system less busy.

Fix:
The system now has bcm56xxd activate the watchdog so that sod does not terminate the bcm56xxd process.

631688-7 : Multiple NTP vulnerabilities

Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302

631627-4 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to route domain stops vlan traffic on VCMP guest. You will experience connection failures when bandwidth Controller (bwc) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not comes up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.

Fix:
BWC enabled and associated with a route domain, Web Accelerator enabled, and the system is rebooted, now results in the system and TMM coming up fully and passing traffic.

631609-1 : ASM Centralized Management Infrastructure Sync issues

Component: Application Security Manager

Symptoms:
Devices in a multiple Automatic sync device-groups may extraneously request a full sync after initial device sync creation, or after a full sync event.

Conditions:
Devices are in an autosync failover group and an autosync sync-only group with ASM sync enabled.

Impact:
A device may extraneously request additional full syncs after receiving a full sync from its peer or after adding an ASM policy.

Workaround:
No workaround.

Fix:
Extraneous full sync requests are no longer sent.

631582 : Administrative interface enhancement

Solution Article: K55792317

631472-1 : Reseting classification signatures to default may result in non-working configuration

Component: Traffic Classification Engine

Symptoms:
Configuration will not load when running "tmsh load ltm classification signature default" or clicking Reset to Defaults button on Traffic Intelligence :: Applications : Signature Update page.

Conditions:
1. You upgrade classification signatures to an IM package, and reference one of the newly added applications / categories in your configuration (e.g., PEM classification filter).
2. You reset classification signatures back to default by running "tmsh load ltm classification signature default" or selecting "Reset To Defaults" on the Traffic Intelligence :: Applications : Signature Update page.

Impact:
Configuration will not load.

Workaround:
Remove application that came with the new IM from the configuration.

Fix:
The release solves the problem of potentially non-working configurations after classification signatures were reset to default.

631444-2 : Bot Name for ASM Search Engines is case sensitive

Component: Application Security Manager

Symptoms:
CS challenge is returned for request with known search engine which is sent with different case than configured.

Conditions:
ASM profile is configured on the VS; DoS profile is not configured on the VS.

Impact:
Known search engines will get CS challenge.

Workaround:
Have DoS profile on the VS, in which the only feature turned on is Bot Signature, in report only, where only search engine category is turned on.

Fix:
making the ASM Search Engines case insensitive

631316 : Unable to load config with client-SSL profile error★

Solution Article: K62532020

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
-- The system is loading config.
-- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration can not be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).

3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
tmsh load sys conf

631204-1 : GeoIP lookups incorrectly parse IP addresses

Component: Application Security Manager

Symptoms:
Under certain circumstances, GeoIP lookups may not correctly parse IP addresses.

Conditions:
GeoIP lookups enabled

Impact:
Unintended responses to GeoIP lookups

Workaround:
N/A

Fix:
Improve parsing of IP address in GeoIP lookups

631172-4 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
User logged in to gui and idle for 20-30 minutes

Impact:
User is logged out of the GUI.

Workaround:
None.

Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.

631131-3 : Some tmstat-adapters based reports stats are incorrect

Component: Application Visibility and Reporting

Symptoms:
Stats are being collected in a wrong way for tmstat tables that are using partial-key. This leads to wrong values on reports.

Conditions:
Using partial key from tmstat-table on tmstat-adapter

Impact:
Wrong stats values for some reports.

Fix:
Tmstat-Adapters is now using the correct API from tmstat-framework which simulate a 'group-by' function on the query, and thus provide the correct result-set.

631025-1 : 500 internal error on inline rule editor for certain firewall policies

Component: Advanced Firewall Manager

Symptoms:
While attempting to use the inline rule editor on a firewall policy, the system returns a 500 internal error. Viewing and editing the same policy in tmsh works as expected.

Conditions:
-- This occurs when editing certain firewall policies in the GUI.
-- The issue is specific to policies with rules that meet the following criteria:

a) At least two addresses with the same first three octets.
b) Addresses should have non-default partition.

141.146.155.40%1 { }
141.146.155.41%1 { }

Impact:
Unable to view or edit the policy, page returns an error

Workaround:
You can view these rules in the GUI by disabling the inline rule editor.

Fix:
Fixed an issue with certain AFM rules generating a 500 internal error in the GUI.

630929-1 : Attack signature exception list upload times-out and fails

Solution Article: K69767100

Component: Application Security Manager

Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------

Conditions:
ASM provisioned.
Attack signature exception list uploaded.

Impact:
Attack signature exception list upload times-out and fails.

Workaround:
N/A

Fix:
Improved the Attack signature exception list upload process to take much less time.

630661-2 : WAM may leak memory when a WAM policy node has multiple variation header rules

Solution Article: K30241432

Component: WebAccelerator

Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.

Conditions:
WAM policy with node utilizing multiple variation header rules.

Impact:
Potential per-request memory leakage driven by client traffic.

Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.

Fix:
WAM no longer leaks memory when evaluation policy nodes which utilize two or more header variation rules.

630622-1 : tmm crash possible if high-speed logging pool member is deleted and reused

Component: TMOS

Symptoms:
When deleting and then re-using a high-speed logging pool member that is in use, a rare tmm crash may occur.

Conditions:
High-speed logging profile configured, high-speed logging pool configured, and a pool member is removed and re-added while the pool is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Rare tmm crash no longer occurs if high-speed logging pool member is deleted and reused.

630611-1 : PEM module crash when subscriber not fund

Solution Article: K84324392

Component: Policy Enforcement Manager

Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.

Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.

Impact:
PEM/TMM SIGSEV.

Workaround:
None.

Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.

630610-5 : BFD session interface configuration may not be stored on unit state transition

Solution Article: K43762031

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
BFD configuration will become missing in ZebOS running config and no BFD sessions will be established.

Workaround:
Re-add statements manually.

Fix:
BFD session interface configuration is now stored on unit state transition.

630571-1 : Edge Client on Mac OSX Sierra stuck in a reconnect loop

Solution Article: K35254214

Component: Access Policy Manager

Symptoms:
Upon waking laptop Edge Client stuck in a reconnect loop.

Conditions:
Full-Tunnel, no Local LAN Access profile; when opening the device lid, which attempts to reconnect to the VPN service. This occurs only with MAC OS X 10.12.1.

Impact:
Cannot connect to VPN, and the Edge Client gets stuck in a reconnect loop.

Workaround:
Allow local subnet access set to enabled.

Fix:
In this release, using MAC OS X 10.12.1 now resumes a connection to VPN using the Edge Client.

630546-1 : Very large core files may cause corrupted qkviews

Component: TMOS

Symptoms:
If a core file is found on a slave blade in a chassis, that is too large for qkview to include, this can cause the qkview file for the blade to be corrupted.

Conditions:
qkview is run when core files greater than 2.4 GB exist in /var/core.

Impact:
iHealth will not parse the qkview.

Workaround:
Copy the core files on the slave blade from /etc/core to a back up location and delete the original files before creating the qkview.

Fix:
qkview files run when core files greater than 2.4 GB exist in /var/core now complete as expected.

630475-5 : TMM Crash

Component: Local Traffic Manager

Symptoms:
In some cases TMM may crash when processing TCP traffic.

Conditions:
In some cases TMM may crash when processing TCP traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable Verified Accept.

Fix:
TMM no longer produces a core.

630446-1 : Expat vulnerability CVE-2016-0718

Solution Article: K52320548

630356-1 : JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge

Component: Advanced Firewall Manager

Symptoms:
The JavaScript challenge that is sent to a POST request within an iframe will have a follow-up request of GET when coming from Microsoft Internet Explorer or Edge browser. The request reconstruction is incorrect, and the back-end server does not receive the request payload.
This is relevant to all types JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Conditions:
JavaScript challenge is used in a POST request, when one of the following features in enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Impact:
POST requests will be sent as GET and the request payload will not reach the back-end server.

Workaround:
None.

Fix:
JavaScript challenges to POST requests are sent correctly to the back-end server when coming from iframe in Microsoft Internet Explorer/Edge browsers.

630306-1 : TMM crash in DNS processing on UDP virtual server with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a UDP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
This release prevents a crash in DNS processing on UDP virtual server with no available pool members.

630150-1 : Websockets processing error

Solution Article: K51351360

629921-4 : [[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.

Component: Access Policy Manager

Symptoms:
With SWG client side NTLM auth configuration while doing the NTLM auth for backend, ECA plugin is trapping the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, it sinks the request and generates the 407 to the client to do proxy authentication.

Conditions:
Set-up SWG for auth with ntlm credentials
Access a proxied resource which also requires ntlm auth

Impact:
Backend server access is restricted.

Workaround:
None

Fix:
Now when using SWG in explicit proxy mode with NTLM authentication with the Proxy-Authenticate header, BIG-IP allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication with the Authenticate header.

629871-2 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Component: Carrier-Grade NAT

Symptoms:
Deploying NAT64 part of a 464 XLAT solution may overwrite PASV response 464 XLAT cases.

Conditions:
FTP ALG deployment.

Impact:
PASV response 464 XLAT cases overwritten.

Workaround:
None.

Fix:
Deploying NAT64 part of a 464 XLAT solution no longer overwrites PASV response 464 XLAT cases.

629845-2 : Disallowing TLSv1 connections to HTTP causes iControl/REST issues

Component: Device Management

Symptoms:
When HTTP disallows TLSv1 connections, UCS via iControl/REST fails with the following in the logs:

[SEVERE][86][08 Nov 2016 16:47:20 UTC][com.f5.rest.icontrol.IControlRunnable] (iControl execution) AxisFault[; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]:
[WARNING][87][08 Nov 2016 16:47:20 UTC][8100/tm/shared/sys/backup/52d67805-3aab-4260-8770-a690154c698e/worker UcsBackupTaskWorker] Failed to restore from backup: backup_test.ucs

Conditions:
This occurs when TLSv1 is explicitly disallowed in the HTTP profile.

Impact:
iControl REST clients are unable to connect.

Workaround:
None.

Fix:
Explicitly disallowing TLSv1 in the HTTP profile no longer causes iControl/REST issues.

629801-2 : Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.

Component: Access Policy Manager

Symptoms:
After syncing an access policy, the access policy change on the other device should be prompting you to apply the policy, but instead it applies the policy automatically.

Conditions:
Two or more devices configured in a trust group, one device group is a failover device group, and one device group is a sync-only device group with automatic sync enabled.

A key component that triggers this symptom is that the failover device group is listed first in the configuration. When this occurs, the policy will be applied automatically, which shouldn't occur.

Impact:
Policy changes are automatically applied, when they should only be synced with a prompt to apply after the sync.

Workaround:
None.

Fix:
After syncing an access policy, the access policy change on the other device in the trust group now prompts you to apply the policy, which is correct behavior.

629698-1 : Edge client stuck on "Initializing" state

Component: Access Policy Manager

Symptoms:
It takes a lot of time to reestablish the VPN connection when the Edge Client switches to network with Captive Portal authentication. Edge client freezes on "Initializing" state for around 1 minute.

Conditions:
This can occur on the Edge Client with Captive Portal configured.

Impact:
Edge client is stuck on "Initializing" for an excessive amount of time.

629663-1 : CGNAT SIP ALG will drop SIP INVITE

Solution Article: K23210890

Component: Service Provider

Symptoms:
SIP INVITE message is dropped.

Conditions:
Subscriber registers and then attempts to call out.

Impact:
Subscriber not able to make calls.

Workaround:
None.

Fix:
The system now uses the expiration value from the SIP message i.e. either from expires parameter or the Expire header to update the timeout of the registration record.

629627-1 : FPS Log Publisher is not grouped nor filtered by partition

Component: Fraud Protection Services

Symptoms:
If there are several log publishers assigned to different partitions, it is not clear which log publisher is assigned to which partition.

All log publishers are displayed regardless of the partition selected.

Conditions:
Provision FPS.
Two or more partitions
Two or more log publishers assigned to different partitions

Impact:
All log publishers are displayed regardless of partition.

Workaround:
None.

Fix:
Log publishers are now grouped in GUI and filtered by the currently selected partition.

629573-1 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition

Component: Application Visibility and Reporting

Symptoms:
The selected filters will not appear in exported reports for virtual servers created under non 'Common' partitions.

Conditions:
When using virtual-servers and ASM policies under a non 'Common' partition, exported reports will not display the the selected drill-down filters.

Impact:
Exported reports will be displayed without the filters.

Workaround:
None.

Fix:
Exported reports will take into consideration partitions which will make the drill-down filters appear as expected.

629530-2 : Under certain conditions, monitors do not time out.

Solution Article: K53675033

Component: Global Traffic Manager (DNS)

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.

Fix:
The resource status is now correct under all monitor timeout conditions.

629499-9 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"

Component: TMOS

Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found

This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.

Conditions:
It is not known what exactly triggers this, it is caused by a timing issue that occurs during system initialization of multi-blade chassis.

Impact:
Certain tmsh sys perf commands fail to work and give an error.

Workaround:
Restart statsd on all blades once the chassis is up.

e.g.

"bigstart restart statsd" on each blade.

Fix:
statsd has been updated to reparse the statsd config file before rebuild it's config so that it doesn't lose the unsupported tables in it's list.

629412-3 : BIG-IP closes a connection when a maximum size window is attempted

Component: Local Traffic Manager

Symptoms:
HTTP2 provides flow control options which allow you to limit the amount of data on flight. A client can send an increment for a window size to an initial value set by standard to 65,535 bytes. BIG-IP used 64K value inherited from SPDY, causing overflow when the client tried to increment the value to its maximum.

Conditions:
HTTP2 profile is configured on a virtual, and client sends a WINDOW_UPDATE frame to increment the value to its maximum.

Impact:
BIG-IP considers the window size overflow as a protocol violation thus it shuts the connection down not serving any request.

Workaround:
None.

Fix:
With a correct value for initial window size (for both a connection and a stream) BIG-IP correctly processes an increment request of the window size to its maximum.

629178-1 : Incorrect initial size of connection flow-control window

Solution Article: K42206046

Component: Local Traffic Manager

Symptoms:
When a client establishes an HTTP2 connection, both endpoints can update their flow-control windows for the connection but their initial sizes of connection flow-control windows must be 65,535. BIG-IP erroneously sets it immediately to a configured value instead. Discrepancy in the window size calculation can result in cancelling of the client's requests.

Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).

Impact:
BIG-IP updates another endpoint with a WINDOW_UPDATE frame for the connection once it reaches a certain threshold. It doesn't happen when receive-window is set above 79 (Kilobytes). If a client has a large request (e.g., POST with a large amount of data), it resets the stream with HTTP2 RST_STREAM frame, canceling the request.

Workaround:
Configure receive-window attribute in HTTP2 profile to a value below 80 (Kilobytes).

Fix:
The fix in this release allows BIG-IP to behave according to RFC and send WINDOW_UPDATE frames, preventing the connection flow-control window from exhaustion on a remote endpoint.

629145-1 : External datagroups with no metadata can crash tmm

Component: Local Traffic Manager

Symptoms:
If a large data group exists or the db variable tmm.classallocatemetadata is set to disabled, tmm may crash if the class match iRule matches 9 or more items in the datagroup.

Conditions:
External datagroups in use, a class match iRule will produce at least 9 matches, and the datagroup is extremely large or the db variable tmm.classallocatemetadata is set to disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to large datagroups.

629127-1 : Parent profiles cannot be saved using FPS GUI

Component: Fraud Protection Services

Symptoms:
Any parent profile (profile that has bee inherited) cannot be saved in FPS GUI.

Conditions:
Provision FPS
License FPS.
1 or more child profiles.

Impact:
User configurations may not be saved.

Workaround:
Can use TMSH or REST.

629085-1 : Any CSS content truncated at a quoted value leads to a segfault

Solution Article: K55278069

Component: TMOS

Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.

Example:
...
.c1 {background-image: url('some

Conditions:
CSS ends without closing quote in value.

Example:
...
.c1 {background-image: url('some

Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.

Workaround:
Use a particular iRule.

Fix:
CSS content truncated at a quoted value no longer leads to a segfault.

629069-2 : Portal Access may delete scripts from HTML page in some cases

Component: Access Policy Manager

Symptoms:
If JavaScript uses Range.createContextualFragment() call to insert new scripts into HTML document, in some cases Portal Access may delete one of the scripts in the page.

Conditions:
JavaScript with Range.createContextualFragment() call which is used to add new scripts by subsequent insertBefore()/insertAfter() calls.

Impact:
Web application may not work correctly.

Workaround:
None.

Fix:
Now web apps delivered via APM Portal Access can use Range.createContextualFragment(), insertBefore(), and insertAfter() javascript properly.

628972-2 : BMC version 2.51.7 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.51.7.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Upgrading firmware.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

628897-1 : Add Hyperlink to gslb server and vs on the Pool Member List Page

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to the GSLB Server and Virtual-server are missing from the GSLB Pool Member list page.

Conditions:
This can be seen in the DNS :: GSLB : Pools : Pick a pool : Members tab

Impact:
You are unable to to quickly get to the server and virtual server from this page.

Workaround:
Manually navigate to associated server and Virtual Server.

Fix:
Hyperlinks for associated server and VS are not showing on the Pool Member list page.

628890-1 : Memory leak when modifying large datagroups

Component: Local Traffic Manager

Symptoms:
When modifying large external datagroups, a significant memory leak may occur.

Conditions:
This can occur when a large datagroup is in use and is modified.

Impact:
Memory is leaked, and the amount of memory leaked can be significant.

Workaround:
None.

Fix:
Fixed a memory leak related to modifying large datagroups.

628869-4 : Unconditional logs seen due to the presence of a PEM iRule.

Component: Policy Enforcement Manager

Symptoms:
TMM log files will fill up.

Impact:
Limits the gathering and traversal of relevant data from the TMM logs if the condition is encountered several times.

Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.

Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.

628836-4 : TMM crash during request normalization

Solution Article: K22216037

628832-4 : libgd vulnerability CVE-2016-6161

Solution Article: K71581599

628739-1 : BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD

Component: TMOS

Symptoms:
Configuring the management IP outside the management subnet succeeds without error.

Conditions:
On the LCD, navigate to the 'Setup' tab, and select 'Management'.
1. Set the default Gateway for the network.
2. Now set an IP address outside the Gateway subnet.
3. Notice no errors and commit is successful.

Impact:
Admin IP and Gateway for management route (/Common/default) not in a connected network.

Workaround:
Do not configure the IP and Gateway outside the management route.

Fix:
LCD no longer allows invalid configuration of mgmt IP (with gateway IP outside mgmt subnet).

628735-1 : Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles

Component: TMOS

Symptoms:
The Hardware SYN Cookie Protection field is not displayed in the GUI configuration screen for TCP/FastL4/FastHTTP profiles, despite hardware support for the feature existing on the
platform.

Conditions:
Configuring TCP/FastL4/FastHTTP profiles in the BIG-IP GUI.

This occurs on vCMP guests, on the 10350N, i5600, i5800, i7600, i7800, i10600, i10800 platforms, and on VIPRION systems using the B4450 or B4450N blades.

Impact:
The Hardware SYN Cookie Protection field is not displayed.

Workaround:
Use tmsh to set the Hardware SYN Cookie Protection field.

Fix:
The system no longer uses a static list of platforms that have an HSB as a basis for displaying the Hardware SYN Cookie Protection option in the GUI, so the field is shown as expected.

628721-1 : In rare conditions, DNS cache resolver outbound TCP connections fail to expire.

Component: Local Traffic Manager

Symptoms:
If a TCP connection is initiated by the DNS cache resolver but fails to be fully created, it may be leaked until the next restart of tmm.

Conditions:
This is only known to occur when other internal issues are affecting the tmm's functionality. If there are ongoing log messages in the tmm logs of the form: "hud_msg_queue is full," and a DNS cache resolver is attempting new outbound TCP connections, then it is possible to leak these connections.

Impact:
If enough connections are leaked, the tmm will not be able to create new connections even if the conditions causing the "hud_msg_queue" log messages resolve.

Workaround:
Restarting tmm will clear the leaked connections.

Fix:
The connections are now properly cleaned up if they are unsuccessfully created.

628687-2 : Edge Client reconnection issues with captive portal

Component: Access Policy Manager

Symptoms:
Edge Client stuck at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

Conditions:
Connect to APM through a captive portal.

Impact:
EdgeClient stuck at "Reconnecting".

Workaround:
None.

Fix:
Edge Client no longer hangs at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

628685-2 : Edge Client shows several security warnings after roaming to a network with Captive Portal

Solution Article: K79361498

Component: Access Policy Manager

Symptoms:
Network is blocked by a captive portal. Captive portal uses HTTPS. Periodic-session-check reports SSL certificate is not trusted because access to APM is redirected (to captive portal).

Conditions:
Create a VPN tunnel over WiFi.
Place the computer in sleep/hibernate.
Move to a new network with Captive Portal with SSL and resume from sleep/hibernate.

Impact:
Numerous security warnings.

Workaround:
None.

Fix:
Edge Client no longer shows several security warnings after roaming to a network with Captive Portal.

628623-1 : tmm core with AFM provisioned

Component: Advanced Firewall Manager

Symptoms:
tmm cores on the secondary blade while passing traffic.

Conditions:
This can occur intermittently with AFM provisioned while passing traffic, even if AFM is not in use.

Impact:
Traffic disrupted while tmm restarts.

628351-1 : Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled

Component: Advanced Firewall Manager

Symptoms:
When Proactive Bot Defense is enabled, requests to URLs with Path Parameters (URLs containing a semicolon ;) may get stuck on a redirect loop. This typically applies to URLs which do not respond with HTML content or to URLs with low traffic.

Conditions:
-- Proactive Bot Defense is enabled.
-- URLs use Path Parameters (containing the semicolon ; character).

Impact:
Clients cannot access the web server, getting caught in an infinite redirect loop.

Workaround:
None.

Fix:
Requests to URLs with ";" no longer get stuck in a redirect loop when Proactive Bot Defense is enabled.

628348-1 : Cannot configure any Mobile Security list having 11 records or more via the GUI

Component: Fraud Protection Services

Symptoms:
Any item added to a list with more than 10 records in Mobile Security section is ignored.

Conditions:
Provision FPS
License mobilesafe
add 11 records to a list

Impact:
User configuration may not be saved.

Workaround:
Use TMSH or Rest.

Fix:
GUI allows adding items to lists with more than 10 records.

628337-1 : Forcing a single injected tag configuration is restrictive

Component: Fraud Protection Services

Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.

Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.

Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.

Workaround:
Configure injected tags in a way which can applied to all URLs protected in a profile. If it is not possible due to some URL HTML structure, HTML must be modified.

Fix:
Injected tags configuration has been moved to the URL level.

628311-3 : Potential TMM crash due to duplicate installed PEM policies by the PCRF

Solution Article: K87863112

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash due to duplicate installed PEM policies by the PCRF.

Conditions:
- PEM enabled with Gx and Gy.
- PEM policies configured with Gy quota management.
- PCRF installs an already-installed policy against a subscriber.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Configure the PCRF to not install an already-installed policy against a subscriber.

Fix:
PEM now prevents PCRF from installing an already-installed policy against a subscriber.

628202-4 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging

Component: TMOS

Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.

Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".

Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.

Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.

Fix:
Prevented audit_forwarder from using more memory than it needs.

628164-3 : OSPF with multiple processes may incorrectly redistribute routes

Solution Article: K20766432

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.

OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.

628009-1 : f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800

Component: TMOS

Symptoms:
The f5optics functionality is not initialized on Herculon iSeries variants.

Conditions:
This occurs on the following Herculon iSeries platforms: HRC-i2800, HRC-i5800, HRC-i10800.

Impact:
None. No f5optics optics module database is presently provided for Herculon platforms. Herculon uses no optics modules that require tuning (e.g., 100G).

Workaround:
None.

Fix:
With the fix, if an optics module data base is provided via an f5optics install, f5optics will become operational on Herculon. An f5optics database will be provided if optics modules requiring tuning are ever used with Herculon.

627972-2 : Unable to save advanced customization when using Exchange iApp

Solution Article: K11327511

Component: Access Policy Manager

Symptoms:
When Policy created using Microsoft Exchange iApp script, Advanced Customization (usually of logon page) might fail with error similar to the following: 01020066:3: The requested Customization Template File (/Common/Exchange.app/exch_custom_logon_ag logon.inc) already exists in partition Common.

Conditions:
Usually: HA Pair, iApp exchange created profile, in general any advanced customization where name not equals customization_group_name:filename is affected.

Impact:
Unable to edit advanced customization, functionality is unaffected.

Workaround:
edit bigip.conf
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
    templates {
        logon.inc {
            name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
        }
    }
}
change
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
to customizaton_group_name:filename i.e.

name /Common/Exchange_2010.app/exch_custom_logon_ag:logon.inc

Fix:
Can now save advanced customization when using Microsoft Exchange iApp.

627961-3 : nic_failsafe reboot doesn't trigger if HSB fails to disable interface

Solution Article: K15130343

Component: TMOS

Symptoms:
The HSB driver attempts a nic_failsafe in the case of failing to disable the interface.

Conditions:
The driver disables nic_failsafe prior to triggering the nic_failsafe. This is in hsb_ifdown_go_dead.

Impact:
TMM may restart continuously resulting in interfaces bouncing constantly.

Workaround:
Reboot the device.

Fix:
This release fixes issues where nic_failsafe reboot did not happen on HSB failures.

627926-1 : Retrieving a server-side SSL session ID in iRules does not work

Solution Article: K21211001

Component: Local Traffic Manager

Symptoms:
Retrieving the server-side SSL session ID using iRule does not work.

Conditions:
Retrieve server-side SSL Session ID using an iRule.

Impact:
iRules that try to log or capture an SSL session ID will not work properly.

Workaround:
None.

Fix:
The server-side SSL session ID can now be retrieved with an iRule.

627916-1 : Improve cURL Usage

Solution Article: K81601350

627914-1 : Unbundled 40GbE optics reporting as Unsupported Optic

Component: TMOS

Symptoms:
When a 40G interface is configured "bundle disabled" the optic module in use on the interface will be declared as an "Unsupported optic" module even though the optic module is F5 branded.

Conditions:
Using unbundled 40GbE optics.

Impact:
This is a cosmetic problem. The interface is able to function as intended.

Workaround:
No workaround, problem is cosmetic.

Fix:
The fix for the defect results in no longer declaring an otherwise supported optics module as unsupported when bundling is configured disabled on the interface.

627907-1 : Improve cURL usage

Component: Advanced Firewall Manager

Symptoms:
In some cases, cURL usage within AFM does not comply with standards.

Conditions:
AFM active and configured to use external credentials.

Impact:
Non-compliant cURL usage.

Fix:
Improve cURL usage.

627898-2 : TMM leaks memory in the ECM subsystem

Component: TMOS

Symptoms:
TMM leaks memory in the ECM subsystem.

Conditions:
This issue occurs when the user has imported one or more SSL certificates onto the system and named them in such a way that the "ca-bundle.crt" string appears in their names. For example, "my-ca-bundle.crt". With this configuration in place, TMM leaks memory each time the configuration is modified.

Impact:
TMM will run out of free memory. This will initially impact traffic and could eventually lead to TMM crashing. Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue by renaming your SSL certificates so that their names don't contain the "ca-bundle.crt" string.

Fix:
TMM no longer leaks memory in the ECM subsystem.

627798-3 : Buffer length check for quota bucket objects

Component: Policy Enforcement Manager

Symptoms:
For quota bucket (Rating Groups) object, BIG-IP allocates a large buffer locally, and doesn't expect it to be over-run as the objects are expected to be smaller

Conditions:
Any quota bucket objects which are being inserted in PEM database

Impact:
For quota bucket objects which are in PEM database, the buffer is usually large enough, so there should not be any impact. But if the quota bucket ever gets larger, then potential corruption of the quota bucket information could occur. This could trigger a tmm core. Traffic disrupted while tmm restarts.

Workaround:
quota bucket with fewer rules

627747-1 : Improve cURL Usage

Solution Article: K20682450

627616-3 : CCR-U missing upon VALIDITY TIMER expiry when quota is zero

Component: Policy Enforcement Manager

Symptoms:
CCR-U is not sent upon VALIDITY TIMER experts.

Conditions:
If PCRF does not grant any GSU (no quota), but only specifies the VALIDITY timer.

Impact:
OCS does not get the CCR-U message and misses the information about quota.

Workaround:
Work around is to set the following timers using sysdb to non-zero value. Here is an example:
sys db tmm.pem.session.quota.bucket.denied.timeout { value "1" }
sys db tmm.pem.session.quota.bucket.depleted.timeout { value "2" }
sys db tmm.pem.session.quota.bucket.idle.timeout { value "3" }

Fix:
CCR-U is now sent upon VALIDITY TIMER experts.

627574-1 : After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.

Component: Local Traffic Manager

Symptoms:
If a BIG-IP system has Local Traffic Policies defined in a non-Common partition, and the system is upgraded to version 12.1.0, 12.1.1, or 12.1.2, attempting to create a new draft of the policy by selecting "Create Draft" will fail and give an error message similar to:

err mcpd[8140]: 01070734:3: Configuration error: Can't associate policy rule (/Partition1/Drafts/policy_name policy_name_policy_rule) folder does not exist

Conditions:
A system is upgraded to version v12.1.x with Local Traffic Policies in a non-default partition.

Impact:
You cannot modify existing Local Traffic Policies.

Workaround:
Manually create a 'Drafts' folder in the appropriate partition, e.g.:

tmsh create sys folder /Partition1/Drafts

Alternately, create a new (different) policy in the specified partition, and then delete it. Doing this has a

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IP AAM

BIG-IP APM

BIG-IP Analytics

BIG-IP Link Controller

BIG-IP LTM

BIG-IP PEM

BIG-IP AFM

BIG-IP DNS

BIG-IP ASM

Cumulative fix details for BIG-IP v12.1.3.3 that are included in this release

707675 : FQDN nodes or pool members flap when DNS response received

707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

706086-1 : PAM RADIUS authentication subsystem hardening

704804-2 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

704733-2 : NAS-IP-Address will be sent with the bytes backwards

704490 : CVE-2017-5754 (Meltdown)

704483 : CVE-2017-5753 (Spectre Variant 1)

704073-3 : Repeated "bad transition" OOPS logging may appear in /var/log/ltm and /var/log/tmm

703984-2 : Machine Cert agent improperly matches hostname with CN and SAN

703869-1 : Waagent updated to 2.2.21

703429-1 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services

702946-2 : Added option to reset staging period for signatures

701841-1 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space

701609 : Static member of pool with FQDN members may revert to user-disabled after being re-enabled

701327-1 : failed configuration deletion may cause unwanted bd exit

701249-2 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

700564-2 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled

700556-2 : TMM may crash when processing WebSockets data

700527-1 : cmp-hash change can hang iRule DNS lookup

700330 : AJAX blocking page isn't shown when a webpage uses jQuery framework.

700143-1 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages

699720-3 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all

699455-3 : SAML export does not follow best practices

699431 : Possible memory leak in MRF under low memory

699346-2 : NetHSM capacity reduces when handling errors

699281 : Version format of hypervisor bundle matches Version format of ISO

699262-2 : FQDN pool member status remains in 'checking' state after full config sync

699147 : Hourly billed cloud images are now pre-licensed

698919-1 : Anti virus false positive detection on long XML uploads

698080-1 : TMM may consume excessive resources when processing with PEM

698000-1 : Connections may stop passing traffic after a route update

697878 : High crypto request completion time under some workload patterns

697303-3 : BD crash

696789-2 : PEM Diameter incomplete flow crashes when TCL resumed

696468 : Active compression requests can become starved from too many queued requests.

696383-2 : PEM Diameter incomplete flow crashes when sweeped

696265-3 : BD crash

695968-3 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.

695117 : bigd cores and sends corrupted MCP messages with many FQDN nodes

694922-4 : ASM Auto-Sync Device Group Does Not Sync

694717-3 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

694696-3 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline

694319-3 : CCA without a request type AVP cannot be tracked in PEM.

694318-3 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.

694274-2 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7

694073-1 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

693739-3 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled

693211-3 : CVE-2017-6168

692970-3 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

692941-3 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

692307-1 : User with 'operator' role may not be able to view some session variables

692123-2 : GET parameter is grayed out if MobileSafe is not licensed

692095-3 : bigd logs monitor status unknown for FQDN Node/Pool Member

691670-3 : Rare BD crash in a specific scenario

691504-3 : PEM content insertion in a compressed response may cause a crash.

691498-1 : Connection failure during iRule DNS lookup can crash TMM

691477-1 : ASM standby unit showing future date and high version count for ASM Device Group

691017-1 : Preventing ng_export hangs

690166-3 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains

689826-2 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)

689577-1 : ospf6d may crash when processing specific LSAs

689089-3 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

688625-2 : PHP Vulnerability CVE-2017-11628

688011-5 : Dig utility does not apply best practices